Javier Fernández-Sanguino Peña [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors nor vim maintainer and have been removed upstream.
Maybe, but still we ship them in our stable release, so we must fix
it.
> - I understand that Ubuntu's patch might be simpler, but I actually wrote
> the patch based on what's done in vim's tcltutor script. There were some
> reasons I wrote it which have been disregarded (mostly compatibility
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)
I read your patch, but I deliberately wrote my own very simple
version, because:
- I wanted to avoid the tempfile race in any case, so if mktemp is not
available, the script should rather fail than be vulnerable. mktemp
is shipped in a required package, so we can assume it is there.
- A security update must be as simple and unintrusive as possible. I
do not care about the widest possible upstream portability in
security updates, the solution only needs to work on the platforms
we support.
> - no credit is given to me, which I would have appreciated
I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).
> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.
Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.
Hi Javier!
Javier Fernández-Sanguino Peña [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors nor vim maintainer and have been removed upstream.
Maybe, but still we ship them in our stable release, so we must fix
it.
> - I understand that Ubuntu's patch might be simpler, but I actually wrote
> the patch based on what's done in vim's tcltutor script. There were some
> reasons I wrote it which have been disregarded (mostly compatibility
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)
I read your patch, but I deliberately wrote my own very simple
version, because:
- I wanted to avoid the tempfile race in any case, so if mktemp is not
available, the script should rather fail than be vulnerable. mktemp
is shipped in a required package, so we can assume it is there.
- A security update must be as simple and unintrusive as possible. I
do not care about the widest possible upstream portability in
security updates, the solution only needs to work on the platforms
we support.
> - no credit is given to me, which I would have appreciated
I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).
[1] http:// www.ubuntulinux .org/support/ documentation/ usn/usn- 61-1
> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.
Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.
Have a nice day!
Martin
-- www.piware. de www.ubuntulinux .org www.debian. org
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://