Comment 1 for bug 173210

Cesare Tirabassi (norsetto) wrote :

The security patch 2007-2030 (see for instance http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2030) seems to be quite badly conceived.
It mixes two things:

- makes sure that some buffers are zero-terminated
- introduces a new fopen for temporary files which includes the O_CREAT and O_EXCL flags

The problem with the latter is that the temporary file is already created with mkstemp, so this new call just makes the program exit with an error and makes it totally unusable.
Since this fix doesn't seem to be needed at all (mkstemp already opens the temporary file with these flags, and it uses mode 0600 since glibc 2.0.7), shouldn't we simply remove this part of the fix?
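To illustrate the failure the comment describes, here is an added example (not code from the bug report or the patched package): the first function reproduces the patched pattern, creating the temp file with mkstemp() and then attempting a second O_CREAT|O_EXCL open on the same path, which fails with EEXIST; the second function shows the safe pattern of wrapping the descriptor mkstemp() already returned with fdopen(). The template path under /tmp is constructed for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mimics the patched behaviour: mkstemp() creates the file (O_CREAT|O_EXCL,
 * mode 0600), then a second exclusive create is attempted on the same path.
 * Returns the errno of that second open (EEXIST is expected), 0 if it
 * unexpectedly succeeded, or -1 if mkstemp() itself failed. */
int reopen_exclusive_after_mkstemp(void)
{
    char path[] = "/tmp/bug173210-XXXXXX";   /* constructed template for this example */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int fd2 = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int err = (fd2 < 0) ? errno : 0;        /* the file exists, so this is EEXIST */
    if (fd2 >= 0)
        close(fd2);
    close(fd);
    unlink(path);
    return err;
}

/* The correct pattern: keep the descriptor mkstemp() returned and turn it into
 * a FILE* with fdopen(); there is no second open and therefore no race window.
 * Returns the file's permission bits (0600 expected) or -1 on failure. */
int mkstemp_then_fdopen_mode(void)
{
    char path[] = "/tmp/bug173210-XXXXXX";   /* constructed template for this example */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    FILE *fp = fdopen(fd, "w");
    if (!fp) { close(fd); unlink(path); return -1; }
    fputs("temporary data\n", fp);
    struct stat st;
    int mode = (fstat(fileno(fp), &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    fclose(fp);                             /* also closes fd */
    unlink(path);
    return mode;
}

int main(void)
{
    int err = reopen_exclusive_after_mkstemp();
    printf("second O_CREAT|O_EXCL open: %s\n", err > 0 ? strerror(err) : "did not fail as expected");
    printf("mkstemp+fdopen file mode: 0%o\n", mkstemp_then_fdopen_mode());
    return 0;
}
```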