Date:      Tue, 6 Jun 2000 12:40:03 -0700 (PDT)
From:      mi@privatelabs.com
To:        freebsd-ports@FreeBSD.org
Subject:   Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Message-ID:  <200006061940.MAA42560@freefall.freebsd.org>

The following reply was made to PR ports/19047; it has been noted by GNATS.

From: mi@privatelabs.com
To: Ade Lovett <ade@lovett.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Date: Tue, 6 Jun 2000 15:33:39 -0400 (EDT)

 On  6 Jun, Ade Lovett wrote:
 = On Tue, Jun 06, 2000 at 01:52:48PM -0400, mi@privatelabs.com wrote:
 = > On FreeBSD  (and OpenBSD and  NetBSD) this is  NOT TRUE, and  we all
 = > know it.
 = 
 = Irrelevant. You're assuming that the  code reflects the reality in the
 = manual page. There is an explicit  reference to using mkstemp() in the
 = tmpfile() manual page.
 
 So, you  suggest I trust one  part of the  man page, but not  the other?
 mkstemp can also be implemented poorly for that matter.
  
 = > My patch removes  a potential security issue in the  BSD port of the
 = > arpwatch software. Please prove otherwise.
 =
 = Your patch  replaces a known  security issue with a  possible security
 = issue, whereas it could be  trivially rewritten to remove the security
 = issue.
 
 It could be. But the way I wrote it, it is perfectly fine for all of the
 OSes involved. I'm afraid, you only  jumped to this discussion to "teach
 me" to use fdopen (you are welcome to classify this "attack" any way you
 want).  You do  not seem  to care  about the  security/tripwire patch  I
 submitted recently,  for example -- in  your not too humble  opinion it
 suffers the same flaws.
 
 = > tmpfile() is  just as well defined  and, on FreeBSD, secure.  I also
 = > happened to like it better than mkstemp().
 = >
 = > It is sad,  that you let your  emotions blind you. If  there will be
 = > someone to  knock some sense  into you, by, for  example, overriding
 = > the authority you remind "us'all" about, I'll certainly applaud that
 = > person.
 =
 = Ad hominem attacks are rarely useful.  Yours has been noted for future
 = reference.
 
 Yeah, yeah... I'm  sorry, but this will probably be  my last response on
 this subject.
 
 	-mi
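
An added example, not part of the original message or of the arpwatch port: the mkstemp() plus fdopen() idiom the thread refers to, which creates the file atomically and returns a stdio stream, then unlinks the name the way tmpfile() does. The function names and the template path are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkstemp(), fdopen(), fileno() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private temporary file and wrap it in a stdio stream.
 * tmpl must be a writable buffer ending in "XXXXXX"; mkstemp() overwrites
 * it with the name it created. Returns NULL on failure. */
FILE *open_temp_stream(char *tmpl)
{
    /* mkstemp() chooses the name and creates the file in one step
     * (O_CREAT|O_EXCL), so there is no gap between picking a name and
     * opening it, which is the gap mktemp() + fopen() leaves. */
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {          /* do not leak the descriptor or the file */
        close(fd);
        unlink(tmpl);
    }
    return fp;
}

/* Round trip on a constructed sample line; returns 0 when every check passes. */
int temp_stream_demo(void)
{
    char tmpl[] = "/tmp/example-arp.XXXXXX";   /* hypothetical template name */
    const char *sample = "constructed sample line\n";
    char buf[64] = "";
    struct stat st;
    FILE *fp = open_temp_stream(tmpl);
    if (fp == NULL)
        return -1;
    unlink(tmpl);              /* like tmpfile(): the name goes, the stream stays */
    int bad = fstat(fileno(fp), &st) != 0
           || !S_ISREG(st.st_mode)
           || (st.st_mode & 077) != 0          /* no group/other access */
           || fputs(sample, fp) == EOF;
    rewind(fp);                /* flushes and repositions before reading back */
    bad = bad || fgets(buf, sizeof buf, fp) == NULL || strcmp(buf, sample) != 0;
    fclose(fp);
    return bad ? 1 : 0;
}

int main(void) { return temp_stream_demo(); }
```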
 
 
 

