- makes sure that some buffers are zero-terminated
- introduces a new fopen for temporary files which includes the O_CREAT and O_EXCL flags
the problem with this latter is that the temporary file is already created with mkstemp, so this new call just make the program exit with an error and makes it totally unusable.
Since this fix doesn't seem to be needed at all (mkstemp already open the temporary file with these flags, and it uses mode 0600 since glibc 2.0.7) shouldn't we simply remove this part of the fix?
The security patch 2007-2030 (see for instance http:// nvd.nist. gov/nvd. cfm?cvename= CVE-2007- 2030) seems to be quite badly conceived.
It mixes two things:
- makes sure that some buffers are zero-terminated
- introduces a new fopen for temporary files which includes the O_CREAT and O_EXCL flags
the problem with this latter is that the temporary file is already created with mkstemp, so this new call just make the program exit with an error and makes it totally unusable.
Since this fix doesn't seem to be needed at all (mkstemp already open the temporary file with these flags, and it uses mode 0600 since glibc 2.0.7) shouldn't we simply remove this part of the fix?