Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation

2005-02-02 Thread Hamish
> I'll try to get a CVS package squared away tomorrow.

I have just reverted that init.sh $TMPDIR change now, so it should be
all set for a fresh checkout, AFAICT.


> Best to do it as quickly as possible I think.

Yes, I hadn't been keeping up with the Debian Weekly News & the sarge
release appears to be much closer than I thought it was.



Hamish


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation

2005-02-02 Thread Steve Halasz
On Thu, 2005-02-03 at 12:55 +1300, Hamish wrote:
> Hi, for those playing along at home, time for a status update:
> 
> 
> r.terraflow is the only module in GRASS 6.0 CVS which hasn't been fixed
> for this bug yet (end user set-able but uses "/var/tmp" as default).
> 
> You can make a GRASS package without the r.terraflow module by doing:
> ./configure --without-cxx
> 
> this has no repercussions on the rest of the package.
> 
> 
> Hopefully we can have a GRASS 6beta2 release soon with r.terraflow fixed
> and a new debian package made from that. If you don't want to wait, pull
> from CVS and do --without-cxx.

Hamish,

You rock! I'll try to get a CVS package squared away tomorrow. Best to
do it as quickly as possible I think.

Thanks,
Steve






Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation

2005-02-02 Thread Hamish
Hi, for those playing along at home, time for a status update:


r.terraflow is the only module in GRASS 6.0 CVS which hasn't been fixed
for this bug yet (end user set-able but uses "/var/tmp" as default).

You can make a GRASS package without the r.terraflow module by doing:
./configure --without-cxx

this has no repercussions on the rest of the package.


Hopefully we can have a GRASS 6beta2 release soon with r.terraflow fixed
and a new debian package made from that. If you don't want to wait, pull
from CVS and do --without-cxx.

see the pkg-grass mailing list at Alioth for more info.
  http://lists.alioth.debian.org/mailman/listinfo/pkg-grass-general



best,
Hamish





Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation

2005-01-30 Thread Hamish
[cc bug lists to archive the link]

> This page describes a way to create a secure tmp directory where you
> can create tmp files without worrying about their names:
> 
> http://www.linuxsecurity.com/content/view/115462/151/#mozTocId316364
..
> > Maybe someone can help me with this one:
> > lib/db/stubs/BUILD.PROTO


Thanks, but as I can't find anything that actually uses that script I'm
just going to remove it if no one objects.


That leaves r.terraflow as the only one left (I think); I'm waiting for
an update from the module's author.



Hamish





Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation

2005-01-19 Thread Glynn Clements

Hamish wrote:

> Just an update re. less-insecure tempfiles ..
> 
> In the upstream GRASS 5.7 CVS[*] pretty much everything in the scripts/
> directory now uses g.tempfile. C modules are next. I am not sure what to
> do with the init scripts & libs where the GRASS tempfile fn's may not be
> available..

Re-write g.tempfile so that it doesn't rely upon GRASS having been
initialised, i.e. just use tempnam() or similar rather than relying
upon G_getenv() etc.

The only code which really needs to use G_tempfile() is code which
creates files within the GRASS database (e.g. G_open_cell_new() etc),
as the files have to reside on the same filesystem as the rest of the
database.

Everything else can use $TMPDIR.

-- 
Glynn Clements <[EMAIL PROTECTED]>
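
Added example, not part of the original thread and not GRASS code: a sketch of the standalone approach described in the message above, honouring $TMPDIR with no GRASS initialisation. It uses mkstemp() as the "or similar" call because it names and opens the file in one exclusive step; the function names and the "grass" prefix are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a GRASS function): create and open a private temp
 * file under $TMPDIR (fallback /tmp). Returns an open fd and fills `path`. */
int standalone_tempfile(const char *prefix, char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] != '/')   /* ignore unset or relative values */
        dir = "/tmp";
    int n = snprintf(path, len, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so a name that
     * already exists (file or symlink) is never reused. */
    return mkstemp(path);
}

/* Shows what the exclusive create buys: a name that already exists as a
 * symlink is refused. Returns errno from the refused open, 0 if it opened. */
int exclusive_open_refuses_symlink(const char *dir)
{
    char target[4096], link_path[4096];
    snprintf(target, sizeof target, "%s/victim.constructed", dir);
    snprintf(link_path, sizeof link_path, "%s/grass.predictable", dir);
    if (symlink(target, link_path) != 0)
        return -1;
    int fd = open(link_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    unlink(link_path);
    unlink(target);
    return err;
}
int main(void)
{
    char path[4096];
    int fd = standalone_tempfile("grass", path, sizeof path);
    if (fd < 0) { perror("standalone_tempfile"); return 1; }
    printf("created %s\n", path);
    close(fd);
    return unlink(path) != 0;
}
```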





Bug#287651: [GRASS5] [bug #2877] (grass) Insecure tempfile creation

2005-01-17 Thread Hamish
[thanks for the 5.0.3 patch Marga]


Just an update re. less-insecure tempfiles ..

In the upstream GRASS 5.7 CVS[*] pretty much everything in the scripts/
directory now uses g.tempfile. C modules are next. I am not sure what to
do with the init scripts & libs where the GRASS tempfile fn's may not be
available..

These fixes are not in Steve Halasz's grass 6.0beta1 grass package[**],
I'm not sure when 6beta2 will be but maybe Steve & co. are willing to
backport these changes to 6beta1 and push for that to get into Sarge.

[*]  http://freegis.org/cgi-bin/viewcvs.cgi/grass51/
[**] http://pkg-grass.alioth.debian.org/cgi-bin/wiki.pl



a number of the instances on the offender list were actually commented 
out, etc. 

still to look at:

lib/db/stubs/BUILD.PROTO
lib/db/dbmi_driver/mk_dbstubs_h.sh
lib/gis/unix_socks.c
lib/gis/gislib.dox
lib/gis/win32_pipes.c
lib/init/init.sh
lib/init/make_location_epsg_g57.sh

raster/r.terraflow/description.html
raster/r.terraflow/main.cc



regards,
Hamish

