Mktemp is not in the book

Erika Pacholleck pchllck at nexgo.de
Fri Jan 31 04:46:27 PST 2003


[30.01.2003] jsmaby at virgo.umeche.maine.edu <-- :
> > Looks like we either:
> > a) accept a security risk,
> > b) continue to have some LFS installed stuff that doesn't work,
> > c) patch a version of tempfile and mktemp ourselves to use mkstemp
> > d) continue scrounging to find a good version of both tempfile and/or
> >    mktemp
> 
> The correct thing to do is to patch bzdiff and friends to not rely
> on an insecure program.

The only one in the whole bzip2 package that uses tempfile is
bzdiff, and that is a shell script. The other ones either have
everything we have or are just links.

So, even at the risk that I will hear masses of shouting about
insecurity, this is the bzdiff part of how I patch bzip2:

=======================================================
diff -Naur bzip2-1.0.2/bzdiff bzip2-1.0.2.rune/bzdiff
--- bzip2-1.0.2/bzdiff	2001-12-30 03:12:35.000000000 +0100
+++ bzip2-1.0.2.rune/bzdiff	2003-01-31 11:25:38.000000000 +0100
@@ -37,10 +37,15 @@
 	echo "Usage: $prog [${comp}_options] file [file]"
 	exit 1
 fi
-tmp=`tempfile -d /tmp -p bz` || {
-      echo 'cannot create a temporary file' >&2
-      exit 1
-}
+# --de ein einzigartiges (unsere PID) Arbeitsverzeichnis reicht (EP)
+# --en it is enough to create a unique working dir with our PID (EP)
+mkdir -m 700 /tmp/$$ 2>/dev/null
+if [ $? = 0 ]; then
+	tmp=/tmp/$$
+else
+	echo "cannot create a temporary directory /tmp/$$" >&2
+	exit 1
+fi
 set $FILES
 if test $# -eq 1; then
 	FILE=`echo "$1" | sed 's/.bz2$//'`
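Review bot: the new `mkdir -m 700 /tmp/$$` is atomic, so unlike `tempfile` it cannot be steered onto a pre-placed symlink, but the name is the script's PID, which is predictable: anyone who pre-creates `/tmp/<pid>` makes the script exit with "cannot create a temporary directory", so what remains is a denial-of-service exposure rather than a file clobber, and the `2>/dev/null` on the mkdir hides the real reason from the user. If a `mktemp -d` ever makes it into the book it is the drop-in replacement for these lines; until then keep mkdir's own error visible. Also, nothing removes `/tmp/$$` if the script is interrupted between here and the later `rm -rf`; a `trap '/bin/rm -rf "$tmp"' 0 1 2 15` directly after `tmp=/tmp/$$` would cover every exit path.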
@@ -53,10 +58,16 @@
                 case "$2" in
 	        *.bz2)
 			F=`echo "$2" | sed 's|.*/||;s|.bz2$||'`
-                        bzip2 -cdfq "$2" > $tmp
-                        bzip2 -cdfq "$1" | $comp $OPTIONS - $tmp
+                        # --de ins Arbeitsverzeichnis die entpackte ohne .bz2
+                        # --en into the working dir the unpacked without .bz2
+                        bzip2 -cdfq "$2" > $tmp/"${2%.bz2}"
+                        # --de und den Vergleich auch mit dieser entpackten
+                        # --en and compare with that unpacked one
+						bzip2 -cdfq "$1" | $comp $OPTIONS - $tmp/"${2%.bz2}"
                         STAT="$?"
-			/bin/rm -f $tmp;;
+			# --de unser Arbeitsverzeichnis löschen
+			# --en delete our working directory
+			/bin/rm -rf $tmp;;
 
                 *)      bzip2 -cdfq "$1" | $comp $OPTIONS - "$2"
                         STAT="$?";;
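Review bot: `$tmp/"${2%.bz2}"` keeps any directory part of `$2`, so for an argument such as `sub/foo.bz2` the redirect target becomes `/tmp/<pid>/sub/foo`, whose parent directory does not exist, and `bzip2 -cdfq "$2" > ...` fails before the comparison runs. The unchanged `F=` line just above already strips both the path and the `.bz2` suffix (and is otherwise unused in the visible lines), so `bzip2 -cdfq "$2" > "$tmp/$F"` and `... $comp $OPTIONS - "$tmp/$F"` are what is wanted here. Two smaller points: the line `bzip2 -cdfq "$1" | $comp $OPTIONS - $tmp/"${2%.bz2}"` is indented with tabs where the surrounding lines use spaces, and `/bin/rm -rf $tmp` only runs in this `*.bz2)` branch, so the directory created at the top of the script is left behind in the `*)` branch below.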
==================================================================

-- 
Erika ...---...: pacholleck at nexgo dot de