
[Duplicity-tracker] [patch #6285] security fix: eliminate use of mktemp()


From: Peter Schuller
Subject: [Duplicity-tracker] [patch #6285] security fix: eliminate use of mktemp()
Date: Mon, 26 Nov 2007 19:49:02 +0000
User-agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.8.1.8) Gecko/20071030 Firefox/2.0.0.8

URL:
  <http://savannah.nongnu.org/patch/?6285>

                 Summary: security fix: eliminate use of mktemp()
                 Project: duplicity
            Submitted by: scode
            Submitted on: Monday 11/26/2007 at 19:49
                Category: None
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

The attached patch eliminates the use of mktemp(), in favor of mkdtemp() and
mkstemp().

Two notes:

(1) With the tempfiles, I do an open/close in order to keep the semantics of
passing on filenames to other places. In the case of TempDupPath I wanted to
avoid having to also make changes to the gzip/gpg code (because
filtered_open() passes the filename).

It may be that this is not a big issue, but right now I wanted to fix the
security problem with a minimum of possibility of breakage.

In the case of TempPath, I did it that way just to keep synchronicity with
TempDupPath.

(2) When testing the rsync specific change, I got this doing an incremental
backup after a full:

   Fatal Error: Neither remote nor local manifest is readable.

However, I get this without my changes applied as well, so it does not appear
to be introduced by this patch.


In one case, I did this to avoid having to "cascade" the changes down into
gzip/gpg code, and in the



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Monday 11/26/2007 at 19:49  Name: duplicity_elimmktemp.patch  Size: 2kB
  By: scode

<http://savannah.nongnu.org/patch/download.php?file_id=14488>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/patch/?6285>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
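
The pattern the message describes, as an added example that is not part of the patch or of duplicity's code: mkstemp() creates the file, the descriptor is closed, and only the name is handed on, while mkdtemp() creates a private directory. The function names and the "example-" prefix are assumptions made for this illustration.

```python
import os
import stat
import tempfile


def new_temp_filename(dirname=None):
    """mkstemp() creates the file (O_EXCL, mode 0600); close it and pass the
    name on, as note (1) describes, so filename-based callers keep working."""
    fd, name = tempfile.mkstemp(prefix="example-", dir=dirname)
    os.close(fd)
    return name


def new_temp_dir(dirname=None):
    """mkdtemp() creates the directory itself, with mode 0700."""
    return tempfile.mkdtemp(prefix="example-", dir=dirname)


def exclusive_create(path):
    """Create path only if nothing is there yet (what mkstemp() relies on).

    Returns False if the name is already taken by a file or a symlink."""
    try:
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def demo():
    base = new_temp_dir()
    name = new_temp_filename(base)
    file_mode = stat.S_IMODE(os.stat(name).st_mode)
    dir_mode = stat.S_IMODE(os.stat(base).st_mode)
    # mktemp() only picks a name, so the path may be occupied before it is
    # opened; an exclusive create notices that, a plain open(path, "w") does not.
    taken = exclusive_create(name)           # name already exists
    fresh = exclusive_create(name + ".new")  # unused name
    os.remove(name)
    os.remove(name + ".new")
    os.rmdir(base)
    return file_mode, dir_mode, taken, fresh


if __name__ == "__main__":
    print(demo())
```

Because the name is reopened later by other code, the file stays protected only while other users cannot rename or unlink it, which a sticky shared temp directory or a private mkdtemp() directory provides.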




