Opened 17 years ago

Closed 16 years ago

#69 closed defect (fixed)

bzdiff tempfile patch is bad

Reported by: alexander@… Owned by: clfs-commits@…
Priority: major Milestone: CLFS Sysroot 1.0.0
Component: BOOK Version: CLFS Sysroot 1.0.0
Keywords: security Cc:


Without "tempfile", bzdiff creates files in /tmp with predictable names (because PIDs are not random). This allows for a symlink-based attack. Also, the "tempfile" program is installed anyway. Please remove the patch.

Change History (5)

comment:1 Changed 17 years ago by chris@…

The idea is to remove the reference to tempfile because it is deprecated, and hopefully be able to remove the tempfile patch from the book. Actually, I am the one who originally suggested changing bzdiff, but my original idea was to do what was done in LFS - to simply use a sed to replace the tempfile reference with mktemp.

comment:2 Changed 17 years ago by Joe Ciccone

From what I can tell the tempfile patch can be replaced with this sed:

sed -i "/tmp=/s/\`.*\`/\`mktemp\`/" bzdiff

which changes this line:

tmp=`tempfile -d /tmp -p bz` || {


tmp=`mktemp` || {

comment:3 Changed 17 years ago by chris@…

Yeah, I think that's what we should do.

comment:4 Changed 17 years ago by Jim Gifford

This patch of mine was accepted upstream.

This removes tempfile and uses the same method that is used in gzip.

comment:5 Changed 16 years ago by Joe Ciccone

Resolution: fixed
Status: newclosed

Closing this ticket as fixed. Jim's patch has been included in bzip2-1.0.4.

Note: See TracTickets for help on using tickets.