Debian
vim package

Bug #12030
Comment #26

Comment 26 for bug 12030

Revision history for this message

In Debian Bug tracker #289560, Martin Pitt (pitti) wrote on 2005-01-19: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

#26

Hi Javier!

Javier Fernández-Sanguino Peña [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors nor vim maintainer and have been removed upstream.

Maybe, but still we ship them in our stable release, so we must fix
it.

> - I understand that Ubuntu's patch might be simpler, but I actually wrote
> the patch based on what's done in vim's tcltutor script. There were some
> reasons I wrote it which have been disregarded (mostly compatibility
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)

I read your patch, but I deliberately wrote my own very simple
version, because:

- I wanted to avoid the tempfile race in any case, so if mktemp is not
available, the script should rather fail than be vulnerable. mktemp
is shipped in a required package, so we can assume it is there.

- A security update must be as simple and unintrusive as possible. I
  do not care about the widest possible upstream portability in
  security updates, the solution only needs to work on the platforms
  we support.

> - no credit is given to me, which I would have appreciated

I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).

[1] http://www.ubuntulinux.org/support/documentation/usn/usn-61-1

> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.

Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.

Have a nice day!

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Hi Javier!

Javier Fernández-Sanguino Peña [2005-01-19  9:08 +0100]:
> >    * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> >      tcltags.sh so they use mktemp instead of insecure $$ construction to
> >      create temporary files (CAN-2005-0069) (closes: #289560)
> 
> A few comments and questions regarding this entry:
> 
> - the scripts seem to be ancient and no longer supported by either their 
> authors nor vim maintainer and have been removed upstream.

Maybe, but still we ship them in our stable release, so we must fix
it.

> - I understand that Ubuntu's patch might be simpler, but I actually wrote 
> the patch based on what's done in vim's tcltutor script. There were some 
> reasons I wrote it which have been disregarded (mostly compatibility 
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)