Hi Javier!

Javier Fernández-Sanguino Peña [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors or the vim maintainer and have been removed upstream.

Maybe, but still we ship them in our stable release, so we must fix it.

> - I understand that Ubuntu's patch might be simpler, but I actually wrote
> the patch based on what's done in vim's tcltutor script. There were some
> reasons I wrote it which have been disregarded (mostly compatibility
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)

I read your patch, but I deliberately wrote my own very simple version,
because:

- I wanted to avoid the tempfile race in any case, so if mktemp is not
  available, the script should rather fail than be vulnerable. mktemp is
  shipped in a required package, so we can assume it is there.

- A security update must be as simple and unintrusive as possible. I do not
  care about the widest possible upstream portability in security updates,
  the solution only needs to work on the platforms we support.

> - no credit is given to me, which I would have appreciated

I credited you in the announcement [1] since you found the bug. However,
since I did not take your patch, but wrote my own, I did not credit you for
the patch (so if it's broken, it is seen as my fault and not yours :-) ).

[1] http://www.ubuntulinux.org/support/documentation/usn/usn-61-1

> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.

Right, thanks for that hint. It would be nice to fix that in Sid and our
development release.

Have a nice day!

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer                  http://www.ubuntulinux.org
Debian GNU/Linux Developer        http://www.debian.org
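The temp-file handling the thread argues about, as an added example that is not from the vim scripts or from either patch: a predictable $$-based name beside a mktemp-based version that fails closed when mktemp is missing and removes the file exactly once from the EXIT trap (the tag-generation step and the tags.* file names are stand-ins).

```shell
#!/bin/sh
# Added example, not code from vimspell.sh, tcltags.sh or either patch.

# Hypothetical stand-in for the work tcltags.sh does: writes two "tag"
# lines for source file $2 into the file named by $1.
generate_tags() {
    printf 'proc1\t%s\t1\nproc2\t%s\t2\n' "$2" "$2" > "$1"
}

# INSECURE (the pre-fix shape, CAN-2005-0069 class): the name is derived
# from the PID, so a local user who guesses it can pre-create or symlink
# /tmp/tags.<pid> before the script writes to it. Shown for comparison only.
insecure_tmpname() {
    echo "/tmp/tags.$$"
}

# FIXED: mktemp creates the file atomically with an unpredictable name and
# restrictive permissions. If mktemp is not available the function returns
# failure instead of falling back to a guessable name, which is the
# "rather fail than be vulnerable" choice the reply describes.
secure_tmpfile() {
    command -v mktemp >/dev/null 2>&1 || return 1
    mktemp "${TMPDIR:-/tmp}/tags.XXXXXX"
}

# Whole workflow. The EXIT trap is the only place the temp file is removed;
# there is deliberately no trailing "rm $tmpfile" after the work, which is
# the double removal the thread points out in the tcltags patch.
# Prints the number of tag lines produced.
run_tagging() {
    src="$1"
    tmpfile=$(secure_tmpfile) || return 1
    trap 'rm -f "$tmpfile"' EXIT
    generate_tags "$tmpfile" "$src"
    grep -c '' "$tmpfile"
}
```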