On Sun, Jun 15, 2014 at 08:51:23AM +0100, Pat Thoyts wrote:
> David Aguilar <davvid@xxxxxxxxx> writes:
> >--- a/gitk
> >+++ b/gitk
> >@@ -3502,7 +3502,8 @@ proc gitknewtmpdir {} {
> > } else {
> > set tmpdir $gitdir
> > }
> >- set gitktmpdir [file join $tmpdir [format ".gitk-tmp.%s" [pid]]]
> >+ set gitktmpformat [file join $tmpdir ".gitk-tmp.XXXXXX"]
> >+ set gitktmpdir [exec mktemp -d $gitktmpformat]
> > if {[catch {file mkdir $gitktmpdir} err]} {
> > error_popup "[mc "Error creating temporary directory %s:" $gitktmpdir] $err"
> > unset gitktmpdir
>
> This is a problem on Windows where we will not have mktemp. In Tcl 8.6
> the file command acquired a "file tempfile" command to help with this
> kind of issue (https://www.tcl.tk/man/tcl8.6/TclCmd/file.htm#M39) but
> for older versions we should probably stick with the existing pattern at
> least on Windows.

The existing pattern is a security bug on Unix systems. MITRE (CWE-377)
tells me that it is a vulnerability on Windows as well, so you'd probably
want to come up with a better solution than the existing pattern.

You also probably want to request a CVE for this, which the Red Hat and
Debian security teams can do for you if you like. Distributions will
likely want to issue security advisories for this.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
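Review bot: the `exec mktemp -d $gitktmpformat` line already creates the directory (mktemp -d makes it with mode 0700 and fails if it cannot), so the `file mkdir $gitktmpdir` that follows is redundant, and the `catch` around it no longer guards the step that can actually fail: if `mktemp` is missing (the Windows case Pat raises) or exits non-zero, `exec` throws before the `catch` is reached and the `error_popup`/`unset gitktmpdir` cleanup path is skipped. Suggest moving the creation inside the catch and dropping the extra mkdir, e.g. `if {[catch {set gitktmpdir [exec mktemp -d $gitktmpformat]} err]} {`, and supplying a fallback (Tcl 8.6 `file tempfile`, or a random suffix plus a creation step that refuses an existing path) where `mktemp` is unavailable, since Tcl's `file mkdir` silently succeeds on a directory that already exists and would not detect a pre-existing path.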
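The difference between the two patterns in the thread, written out as an added example (Python rather than gitk's Tcl, so it can be run directly; this is not gitk code and not code from anyone in the thread). `PREFIX` reuses the ".gitk-tmp." prefix from the patch; the function names `predictable_tmpdir`, `private_tmpdir` and `verify_private_dir` are hypothetical. The first function mirrors the pre-patch behaviour (name derived from the PID, created with mkdir-if-missing semantics like Tcl's `file mkdir`); the second mirrors what `mktemp -d` does (random suffix, atomic create-or-fail, private mode) and adds the post-creation check a defender would want, which also covers platforms without `mktemp`.

```python
"""Constructed example: predictable vs. unpredictable temporary directory creation
(the CWE-377 concern discussed in the thread). Not gitk's code."""
import os
import secrets
import stat

PREFIX = ".gitk-tmp."   # prefix taken from the patch; all other names here are constructed


def predictable_tmpdir(base, pid=None):
    """Pre-patch pattern: the name is derived from the PID, so it can be guessed
    from a process listing, and creation uses mkdir-if-missing semantics
    (os.makedirs(exist_ok=True) behaves like Tcl's `file mkdir`), so whatever
    already sits at that path is silently reused instead of rejected."""
    pid = os.getpid() if pid is None else pid
    path = os.path.join(base, PREFIX + str(pid))
    os.makedirs(path, exist_ok=True)   # no error if the path already exists
    return path


def private_tmpdir(base, attempts=100):
    """mktemp -d style creation: unpredictable suffix, os.mkdir (which fails
    atomically with FileExistsError if anything already exists at that path),
    mode 0700, then verification of what was actually created."""
    for _ in range(attempts):
        path = os.path.join(base, PREFIX + secrets.token_hex(4))
        try:
            os.mkdir(path, 0o700)
        except FileExistsError:
            continue   # name taken (legitimately or not): never reuse it, pick another
        verify_private_dir(path)
        return path
    raise RuntimeError("could not create a private temporary directory")


def verify_private_dir(path):
    """Post-creation check: lstat so a symlink is not followed, must be a real
    directory, and on POSIX must be owned by us with no group/other bits."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a directory")
    if os.name == "posix":
        if st.st_uid != os.getuid():
            raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not by us")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise RuntimeError(f"{path} is accessible to other users")
    return True


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()          # constructed sandbox base directory
    print("predictable:", predictable_tmpdir(base))
    print("private:    ", private_tmpdir(base))
```

The point of `os.mkdir` without `exist_ok` is the same as `mktemp -d`'s: creation and the existence check are one operation, so there is no window in which a pre-existing path at the chosen name goes unnoticed. The `verify_private_dir` step is what a caller should run whether the directory came from `mktemp`, Tcl 8.6's `file tempfile`, or a hand-rolled fallback.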