Date: Wed, 19 Jan 2005 10:24:20 +0100
From: Martin Pitt <email address hidden>
To: Javier Fernández-Sanguino Peña <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Hi Javier!
Javier Fernández-Sanguino Peña [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors or the vim maintainer, and have been removed upstream.
Maybe, but still we ship them in our stable release, so we must fix
it.
> - I understand that Ubuntu's patch might be simpler, but I actually wrote
> the patch based on what's done in vim's tcltutor script. There were some
> reasons I wrote it which have been disregarded (mostly compatibility
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)
I read your patch, but I deliberately wrote my own very simple
version, because:
- I wanted to avoid the tempfile race in any case, so if mktemp is not
available, the script should rather fail than be vulnerable. mktemp
is shipped in a required package, so we can assume it is there.
- A security update must be as simple and unintrusive as possible. I
do not care about the widest possible upstream portability in
security updates, the solution only needs to work on the platforms
we support.
> - no credit is given to me, which I would have appreciated
I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).
[1] http://www.ubuntulinux.org/support/documentation/usn/usn-61-1
> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.
Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.
Have a nice day!
Martin
--
Martin Pitt                       http://www.piware.de
Ubuntu Developer                  http://www.ubuntulinux.org
Debian GNU/Linux Developer        http://www.debian.org
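Added example (not code from vim's tcltags.sh/vimspell.sh or from either patch discussed in the thread): a small sh helper set showing the two points Martin and Javier raise, failing closed when mktemp is absent instead of falling back to a predictable name, and removing the temp file through one idempotent cleanup function so that the explicit rm at the end of a script and the trap do not remove it twice. The function names and the tcltags.XXXXXX template are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from vim's tcltags.sh/vimspell.sh or from either
# patch in the thread. The pattern the advisory replaced looked like:
#   tmp_tagfile=/tmp/tcltags.$$    # predictable name, not created exclusively
# mktemp instead creates the file atomically, with a random name and mode 0600.

# Create a private temp file. If mktemp is missing, fail closed rather than
# fall back to a predictable name (the "rather fail than be vulnerable" choice).
make_tmpfile() {
    if ! command -v mktemp >/dev/null 2>&1; then
        echo "mktemp not found; refusing to use a predictable temp file" >&2
        return 1
    fi
    mktemp "${TMPDIR:-/tmp}/tcltags.XXXXXX"
}

# Remove the temp file exactly once. Both the trap and an explicit call at the
# end of the script go through here, so a second call is a no-op instead of a
# second rm (the double removal pointed out for the Ubuntu tcltags patch).
cleanup_tmpfile() {
    if [ -n "$tmp_tagfile" ] && [ -e "$tmp_tagfile" ]; then
        rm -f "$tmp_tagfile"
    fi
    tmp_tagfile=""
}

# Check that a temp file came out as expected: a regular file with mode 0600.
check_tmpfile_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage inside a script (assumed layout, mirroring the fix discussed):
#   tmp_tagfile=$(make_tmpfile) || exit 1
#   trap cleanup_tmpfile EXIT HUP INT TERM
#   ... write the generated tags to "$tmp_tagfile" ...
#   cleanup_tmpfile    # safe even though the EXIT trap will call it again
```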