https://bugzilla.redhat.com/show_bug.cgi?id=1586295

--- Comment #16 from Vít Ondruch <vondruch@xxxxxxxxxx> ---

(In reply to Pavel Valena from comment #12)
> (In reply to Jun Aruga from comment #10)
> > How about using mkstemp instead of mktemp? Though I am not confident for
> > that? Or asking security guys?
> >
> > https://www.owasp.org/index.php/Insecure_Temporary_File
> > > Finally, mkstemp() is a reasonably safe way to create temporary files.
>
> In case you consider the implementation insecure, I think it's imperative to
> contact upstream and solve the issue with them. Fedora is no such place and
> in the end this needs to be resolved upstream anyway.

If mktemp is implemented as described in the mktemp(3) man page and the Rails application is running in multiple processes, a race condition can happen, IMO. In theory, this could also be exploited via TOCTOU. But the risk is rather low IMO, therefore I think it would be nice to raise this concern upstream, have a link to the upstream issue somewhere in the .spec file and move on. If this were a real concern, then every user of bootstrap would be vulnerable and upstream needs to fix it anyway.

--
package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx/message/X5LDE3JVDDK7WUP7EY3V6VIMX6TQTY4W/
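The difference the thread is arguing about, as an added illustration that is not code from the bug report, from the bootstrap gem, or from any of the commenters: a mktemp(3)-style "pick a name, then create the file" sequence leaves a window in which another process can create something at the same path, whereas a mkstemp(3)-style exclusive create (O_CREAT|O_EXCL) makes naming and creation one atomic kernel operation, so a pre-existing file or symlink at that path is refused instead of reused. Ruby is used because the context is a Rails application; the helper names (`create_racy`, `create_exclusive`, `mkstemp_style`, `refuses_existing_path?`) are mine, and `refuses_existing_path?` stands in for the concurrent process by placing a file at the path before the create runs.

```ruby
require "tmpdir"
require "securerandom"

# mktemp(3)-style creation: the path was chosen earlier, and the create has
# no exclusivity. If something already exists at `path`, File.write silently
# truncates it (and follows a symlink), which is the TOCTOU window the thread
# describes.
def create_racy(path)
  File.write(path, "")
  path
end

# mkstemp(3)-style creation: O_CREAT|O_EXCL asks the kernel to create the file
# only if nothing is there yet. An existing file or symlink raises
# Errno::EEXIST instead of being reused. Mode 0600 keeps the file private.
def create_exclusive(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) {}
  path
end

# Full mkstemp-style loop: generate an unpredictable name, try an exclusive
# create, and on collision pick a fresh name rather than touching the existing
# file. (Ruby's own Tempfile.create does the same thing with File::EXCL.)
def mkstemp_style(dir, prefix: "bs", tries: 100)
  tries.times do
    candidate = File.join(dir, "#{prefix}-#{SecureRandom.hex(8)}")
    begin
      return create_exclusive(candidate)
    rescue Errno::EEXIST
      next # name already taken: retry, never reuse
    end
  end
  raise "no unique temporary name after #{tries} tries"
end

# Defender's check: does `creator` refuse a path that already exists?
# The pre-placed file is constructed here to stand in for another process
# that won the race; returns true when the creator raises EEXIST.
def refuses_existing_path?(creator)
  Dir.mktmpdir("tmpfile-demo") do |dir|
    path = File.join(dir, "preexisting")
    File.write(path, "placed before our create ran\n") # constructed sample
    begin
      creator.call(path)
      false
    rescue Errno::EEXIST
      true
    end
  end
end

if $PROGRAM_NAME == __FILE__
  puts "racy create refuses existing path:      #{refuses_existing_path?(method(:create_racy))}"
  puts "exclusive create refuses existing path: #{refuses_existing_path?(method(:create_exclusive))}"
  Dir.mktmpdir { |d| puts "mkstemp-style file: #{mkstemp_style(d)}" }
end
```

Running it shows `false` for the racy variant and `true` for the exclusive one; the exclusive create is also what `Tempfile.create` uses under the hood, so pointing upstream at that API is the usual fix rather than a distro-side patch.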