The compiler complained about usage of the unsafe tmpnam() function in ssl_unix.c. This patch changes this to make use of the safe mkstmp().
In the FAQ I see that it is claimed that this part of the code is not executed on Linux, in particular. If this is the case, I am surprised this part of the code is not removed in a #ifdef block. The problem gets even a bit more complicated when other programs linking in the library statically also come with the same compiler warnings. The code is, from a code perspective, available in the library in binary form. In this perspective, it might be a possibility that this code is executed by some software packages. This was also the only place in the code where I could find tmpnam() used in the c-client-2007e library.

Kind regards,
David Sommerseth

--- a/src/osdep/unix/ssl_unix.c 2008-06-04 20:18:34.000000000 +0200 +++ b/src/osdep/unix/ssl_unix.c 2009-06-02 13:19:00.000000000 +0200 @@ -98,7 +98,9 @@ struct stat sbuf; /* if system doesn't have /dev/urandom */ if (stat ("/dev/urandom",&sbuf)) { - while ((fd = open (tmpnam (tmp),O_WRONLY|O_CREAT|O_EXCL,0600)) < 0) + strncpy (tmp, "tmpXXXXXX\0", MAILTMPLEN-1); + mkstmp (tmp); + while ((fd = open (tmp, O_WRONLY|O_CREAT|O_EXCL,0600)) < 0) sleep (1); unlink (tmp); /* don't need the file */ fstat (fd,&sbuf); /* get information about the file */

_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw
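
Review bot: The added `mkstmp (tmp);` line calls a function that does not exist (the description above names `mkstemp()`), and even with the name corrected the loop after it cannot succeed. `mkstemp()` creates and opens the file itself, so the following `open (tmp, O_WRONLY|O_CREAT|O_EXCL,0600)` fails with EEXIST on every pass and the `while` stays in `sleep (1)` forever, while the descriptor `mkstemp()` returned is never stored or closed. Assign the result directly, for example `fd = mkstemp (tmp);` with a check for a negative return, and drop the `open()` call; the unchanged `unlink (tmp)` and `fstat (fd,&sbuf)` lines then work as before. Two smaller points on the `strncpy` line: the template `"tmpXXXXXX"` is a relative path, so the file lands in the process's current directory instead of the system temporary directory that `tmpnam()` used, and the explicit `\0` inside the string literal is redundant.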