libguile-2.2.2 uses tmpnam

guile-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

libguile-2.2.2 uses tmpnam

From:	Jeffrey Walton
Subject:	libguile-2.2.2 uses tmpnam
Date:	Sat, 21 Oct 2017 05:05:35 -0400

My apologies for writing about this. I found one previous thread that
mentioned it, but it was working a clock_t problem. Cf.,
https://lists.gnu.org/archive/html/bug-guile/2011-05/msg00024.html

I'm seeing the following when compiling libguile-2.2.2 from sources.
The use of tmpnam caught my eye because I have not seen that warning
in years. I thought it went extinct in the early 2000's.

At this point it time its probably best to use an equivalent function
with better security properties. If an equivalent function with better
security properties is not feasible, then I would prefer to remove it
all together. Its 2017 and any program calling tmpnam is defective.

I'm happy to configure libguile to remove tmpnam and break other
libraries. I don't believe its a configuration option at the moment.
`./configure --help | egrep 'tmpnam|insecure'` returns 0 hits.

I regularly configured OpenSSL with no-ssl2 and no-ssl3 years before
OpenSSL made it a default. I was always able to manage without the
broken protocols. I promise most users will not miss it.

If interested, I'm building GnuTLS from sources, including its
dependencies. GnuTLS is high integrity software. Supply chain
management kind of dictates it should not be calling a module that
provides or uses tmpnam.

Jeff

**************************************************


$ make V=1
...

.libs/libguile_2.2_la-net_db.o .libs/libguile_2.2_la-socket.o
.libs/libguile_2.2_la-regex-posix.o  -Wl,--whole-archive
../lib/.libs/libgnu.a -Wl,--no-whole-archive  -Wl,-rpath
-Wl,/usr/local/lib -lgc -lffi -L/usr/local/lib
/usr/local/lib/libunistring.so /usr/local/lib/libiconv.so
/usr/local/lib/libgmp.so /usr/lib/x86_64-linux-gnu/libltdl.so -lcrypt
-ldl -lpthread -lm  -m64 -march=native -Wl,-z -Wl,relro
-Wl,--version-script=./libguile.map -m64 -Wl,-rpath -Wl,/usr/local/lib
  -Wl,-soname -Wl,libguile-2.2.so.1 -o .libs/libguile-2.2.so.1.2.0
.libs/libguile_2.2_la-posix.o: In function `scm_tmpnam':
posix.c:(.text+0x2003): warning: the use of `tmpnam' is dangerous,
better use `mkstemp'
libtool: link: (cd ".libs" && rm -f "libguile-2.2.so.1" && ln -s
"libguile-2.2.so.1.2.0" "libguile-2.2.so.1")
libtool: link: (cd ".libs" && rm -f "libguile-2.2.so" && ln -s
"libguile-2.2.so.1.2.0" "libguile-2.2.so")

[Prev in Thread]

Current Thread

[Next in Thread]

libguile-2.2.2 uses tmpnam, Jeffrey Walton <=
- Re: libguile-2.2.2 uses tmpnam, Jeffrey Walton, 2017/10/24
  - Re: libguile-2.2.2 uses tmpnam, Roel Janssen, 2017/10/24
  - Re: libguile-2.2.2 uses tmpnam, Matt Wette, 2017/10/24

Prev by Date: Reduce/Reduce conflict errors
Next by Date: Re: Reduce/Reduce conflict errors
Previous by thread: Reduce/Reduce conflict errors
Next by thread: Re: libguile-2.2.2 uses tmpnam
Index(es):
- Date
- Thread