bug-bison

bison (Re: Owl packages with dangerous "tmp" functions)


From: Solar Designer
Subject: bison (Re: Owl packages with dangerous "tmp" functions)
Date: Thu, 4 Jan 2001 12:36:02 +0300
User-agent: Mutt/1.2.5i

Hi,

Quoting my own post to vendor-sec,

> +             bison

> A plus means that I've already committed a patch for Owl and done some
> testing on it.  I'll be posting the patches here as appropriate.

> Greg said that they didn't look into bison "due to time and manpower
> constraints"; well, so I decided to take it and will post the patch.

I am now attaching the patch against bison-1.28.  The configure
script in bison already has a check for mkstemp(3), which I'm using
in the patch, so it should be sufficient to add #ifdef HAVE_MKSTEMP
as appropriate to make this patch portable.  Of course, it would be
better to also include a safe version of the code for systems which
don't have mkstemp.  (Perhaps, tryopen() could be changed to support
"x" for O_EXCL/fdopen such that this will allow for no worse a DoS.)

-- 
/sd

Attachment: bison-1.28-owl-tmp.diff
Description: Text document
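
The approach described in the message, as an added example that is not part of the original post or of the attached patch: mkstemp(3) where configure found it, and otherwise an O_EXCL open wrapped with fdopen(3). The names `fopen_excl` and `open_tmp`, the pid-based fallback naming and the limit of 100 attempts are assumptions made for illustration, not bison code.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for an "x" mode in tryopen(): succeed only if this
   call creates the file. With O_EXCL, open() fails with EEXIST on an existing
   file or symlink (even a dangling one), so nothing is followed or truncated. */
FILE *fopen_excl(const char *name)
{
    int fd = open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w+");

    if (fd >= 0 && fp == NULL)
        close(fd);
    return fp;
}

/* Create a temporary file from a template ending in "XXXXXX"; the name
   actually used is written back into tmpl. */
FILE *open_tmp(char *tmpl)
{
    size_t len = strlen(tmpl);
    FILE *fp = NULL;

    if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return NULL;
    }
#ifdef HAVE_MKSTEMP
    int fd = mkstemp(tmpl);   /* unpredictable name, created with O_EXCL */
    if (fd >= 0 && (fp = fdopen(fd, "w+")) == NULL)
        close(fd);
#else
    /* Fallback: names are guessable, so a local user can pre-create them.
       O_EXCL turns that into a failed open (a DoS), not a clobbered file. */
    for (unsigned long i = 0; i < 100 && fp == NULL; i++) {
        snprintf(tmpl + len - 6, 7, "%06lu", ((unsigned long)getpid() + i) % 1000000UL);
        if ((fp = fopen_excl(tmpl)) == NULL && errno != EEXIST)
            break;
    }
#endif
    return fp;
}
```

Compile with `-DHAVE_MKSTEMP` to take the mkstemp branch; without it the fallback branch is used, which is the case the message calls "no worse a DoS".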

