Comment 27 for bug 12030

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 10:24:20 +0100
From: Martin Pitt <email address hidden>
To: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>,
 <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

--+g7M9IMkV8truYOl
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Javier!

Javier Fern=E1ndez-Sanguino Pe=F1a [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh =
and
> > tcltags.sh so they use mktemp instead of insecure $$ construction =
to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>=20
> A few comments and questions regarding this entry:
>=20
> - the scripts seem to be ancient and no longer supported by either their=
=20
> authors nor vim maintainer and have been removed upstream.

Maybe, but still we ship them in our stable release, so we must fix
it.

> - I understand that Ubuntu's patch might be simpler, but I actually wrote=
=20
> the patch based on what's done in vim's tcltutor script. There were some=
=20
> reasons I wrote it which have been disregarded (mostly compatibility=20
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #29112=
5)

I read your patch, but I deliberately wrote my own very simple
version, because:

- I wanted to avoid the tempfile race in any case, so if mktemp is not
  available, the script should rather fail than be vulnerable. mktemp
  is shipped in a required package, so we can assume it is there.

- A security update must be as simple and unintrusive as possible. I
  do not care about the widest possible upstream portability in
  security updates, the solution only needs to work on the platforms
  we support.

> - no credit is given to me, which I would have appreciated

I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).

[1] http://www.ubuntulinux.org/support/documentation/usn/usn-61-1

> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.

Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.

Have a nice day!

Martin

--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--+g7M9IMkV8truYOl
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB7idEDecnbV4Fd/IRAnJzAKCPbzOma8Nv/Q6r9r5lx7VAOfrqyQCgm2Xd
LX6jAxEVuHe9lnudfadSGCA=
=Bzyo
-----END PGP SIGNATURE-----

--+g7M9IMkV8truYOl--