[fdo][FDO140][New] tempnam security risk in FdoCommonFile.cpp
Mateusz Loskot
mateusz at loskot.net
Mon Aug 28 18:41:42 EDT 2006
You can view the artifact detail at the following URL:
https://fdo.osgeo.org/servlets/Scarab/id/FDO140
Type: Defect
Artifact ID: FDO140 (tempnam security risk in FdoCommonFile.cpp)
Reported by: Mateusz Loskot, mloskot (mateusz at loskot.net)
New artifact details:
---------------------------------------------------------
- Defect Severity set to new value
  Medium
- Summary set to new value
  tempnam security risk in FdoCommonFile.cpp
- Platform set to new value
  All
- Artifact created
- Subcomponent set to new value
  UTILITIES
- Artifact Status set to new value
  Unconfirmed
- Operating system set to new value
  Linux
- Component set to new value
  FDO
- Description set to new value
In file fdocore/trunk/Utilities/Common/Src/FdoCommonFile.cpp,
line 837, the tempnam() function is used.
This function introduces a well-known security risk and it's recommended to use mkstemp() instead.
For more details, see the security considerations of the tempnam manual page.
Here is also some discussion of tempnam() usage in the cstring utility, but Eric Raymond gives a generally applicable explanation of the issue:
http://www.securityfocus.com/bid/9391/info
AFAIK, it applies to systems with symbolic link support.
---------------------------------------------------------
This message was automatically generated by Project Tracker.
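
The report recommends mkstemp() over tempnam(); the following is an added example of that replacement, not code from FdoCommonFile.cpp or the FDO project. The helper names `make_temp_file` and `fd_mode`, the `fdo_` prefix and the `/tmp` directory are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* expose mkstemp() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not FDO code): create and open a unique temporary file
 * in `dir`. Returns an open read/write descriptor and stores the chosen path
 * in `path_out`; returns -1 with errno set on failure. */
int make_temp_file(const char *dir, const char *prefix,
                   char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/%sXXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= path_len) {   /* template did not fit */
        errno = ENAMETOOLONG;
        return -1;
    }
    /* tempnam() only returns a name, leaving a window before the caller's
     * open(). mkstemp() chooses the name and opens it with O_CREAT|O_EXCL in
     * one call, so a file or symbolic link already at that name is never
     * opened; another name is tried instead. */
    return mkstemp(path_out);
}

/* Permission bits of an open descriptor, or -1 on error. */
int fd_mode(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    char path[4096];
    int fd = make_temp_file("/tmp", "fdo_", path, sizeof path);
    if (fd < 0) {
        perror("make_temp_file");
        return 1;
    }
    printf("created %s with mode %o\n", path, (unsigned)fd_mode(fd));
    close(fd);        /* a real caller keeps using fd, never reopens by name */
    unlink(path);
    return 0;
}
```

Callers should keep working through the returned descriptor (or `fdopen()` it) rather than reopening the file by path, since reopening by name brings back the gap between naming and opening.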