bug-gnu-utils

patch-2.5.4 uses mktemp


From: Felix Schmitt
Subject: patch-2.5.4 uses mktemp
Date: Mon, 4 Jun 2001 19:27:06 +0200

Hi guys,

When I compiled the patch-2.5.4 program, gcc (2.95.3) complained about the
"mktemp" command, which is sort of deprecated (together with "tmpnam" and sort
of "tempnam").
So, I looked at the sources (which luckily are considerably small ...) and
figured out that it is not that trivial to replace mktemp with mkstemp, because
mktemp just returns an unused file name, but mkstemp creates the file
(exclusively) and returns the fd if successful.
In your program, there are several different open commands; some of them
try to create a file with the name returned by mktemp non-exclusively. That's no
problem with mkstemp. The other half try to create files w/ the name returned by
mktemp exclusively: if you replace mktemp with mkstemp, the file was already
created at the beginning (patch.c, ll 158-161), and thus is not exclusively
creatable later on...
Please tell me what to do:
Should I:
- invest my spare time in improving the patch program, because it does make
  sense to patch this bug
- just wait for you to issue a new version release
- just keep quiet because you already thought of all this and there is no
  security risk at all?

( here's what manpage says:
BUGS
       Never use mktemp(). Some implementations  follow  BSD  4.3
       and  replace XXXXXX by the current process id and a single
       letter,  so  that  at  most  26  different  names  can  be
       returned.   Since  on  the  one hand the names are easy to
       guess, and on the other hand there is a race between
       testing whether  the  name exists and opening the file, every
       use of mktemp() is a security risk.  The race  is  avoided
       by mkstemp(3).
)

Please send me some answer.

Felix Schmitt

PS: linux RULES! :-)

PPS: if I ain't talking about the most recent version, please tell me where to
get it.



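The two behaviours the report contrasts, shown in code as an added example that is not part of this message or of GNU patch's sources. mkstemp(3) picks the name and creates the file with O_CREAT|O_EXCL in one step, which is what removes the check-then-open race the man page warns about; the consequence the report points out is that a later exclusive open of the same name then fails with EEXIST, so code converted from mktemp has to keep using the fd mkstemp returned (for example via fdopen) instead of reopening the path. The function names, the "pXXXXXX" template and the use of the directory passed in (the stand-alone main uses /tmp) are this example's own assumptions, not anything from patch.c.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: build "<dir>/pXXXXXX" and let mkstemp(3) replace the
 * XXXXXX and create the file exclusively (mode 0600) in the same call, so no
 * other process can plant a file or symlink between name choice and open.
 * The chosen path is written back into path_out. Returns the fd, or -1. */
int create_temp_file(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/pXXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path_out);
}

/* Reproduces the second half of the report: the file already exists after
 * mkstemp(), so an exclusive re-creation of the same name must be refused.
 * Returns 1 when open(O_CREAT|O_EXCL) fails with EEXIST, 0 otherwise. */
int exclusive_reopen_fails(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        return 0;                 /* unexpectedly succeeded: not exclusive */
    }
    return errno == EEXIST;
}

/* Hypothetical replacement for a "create temp file, later reopen it by name"
 * pattern: keep the fd from mkstemp and wrap it with fdopen(3) instead of
 * opening the path a second time. Writes data, reads it back through the
 * same stream, removes the file. Returns the number of bytes read back, -1
 * on failure. */
long write_and_readback(const char *dir, const char *data)
{
    char path[256];
    char buf[256];
    int fd = create_temp_file(dir, path, sizeof path);
    if (fd < 0)
        return -1;
    FILE *fp = fdopen(fd, "w+");  /* no second open() by name, so no race */
    if (fp == NULL) {
        close(fd);
        unlink(path);
        return -1;
    }
    fputs(data, fp);
    rewind(fp);                   /* flushes the write and seeks to offset 0 */
    size_t got = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    unlink(path);                 /* temp file is no longer needed */
    return (long)got;
}

/* Runs all three checks in the given directory. Returns 1 only if the file is
 * created, the exclusive reopen is refused with EEXIST, and a 6-byte payload
 * round-trips through the retained fd. */
int self_check(const char *dir)
{
    char path[256];
    int fd = create_temp_file(dir, path, sizeof path);
    if (fd < 0)
        return 0;
    int refused = exclusive_reopen_fails(path);
    close(fd);
    unlink(path);
    return refused && write_and_readback(dir, "hello\n") == 6;
}

int main(void)
{
    char path[256];
    int fd = create_temp_file("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s exclusively (fd %d)\n", path, fd);
    printf("exclusive reopen refused with EEXIST: %s\n",
           exclusive_reopen_fails(path) ? "yes" : "no");
    close(fd);
    unlink(path);
    printf("bytes round-tripped via fdopen: %ld\n",
           write_and_readback("/tmp", "hello\n"));
    return 0;
}
```

Compile with `gcc -o tmpdemo tmpdemo.c` and run it; the program creates and removes its own files under /tmp. The design point is that once mkstemp has been adopted, the open descriptor becomes the handle to the file and every later access should go through it (fdopen, fchmod, fstat) rather than through the path, because a fresh open by name reintroduces the window the change was meant to close.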