[Dune] [#912] Dune on MinGW

Dune flyspray at dune-project.org
Fri Aug 19 20:32:29 CEST 2011


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

The following task has a new comment added:

FS#912 - Dune on MinGW
User who did this - Elias Pipping (pipping)

----------
> The reason for the warning is the obvious fact that the time between creation of the filename and the actual opening of the file might coincide with another process generating the same file name.

That's the harmless scenario. Another scenario is one in which an attacker creates the file of that name before the program does. `tmpnam` is a common generator of CVEs as a web search will reveal; see e.g.

  https://bugzilla.redhat.com/show_bug.cgi?id=461477

and

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449149

The manpage tmpnam(3) has nothing good to say about this function (std::tmpnam and tmpnam in C are the same function):

BUGS
       Never use this function.  Use mkstemp(3) or tmpfile(3) instead.

One solution for the lack of mkstemp on mingw would be importing it from gnulib.

  http://www.gnu.org/software/gnulib/manual/html_node/mkstemp.html
----------

More information can be found at the following URL:
http://www.dune-project.org/flyspray/index.php?do=details&task_id=912#comment2647

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
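
Added example, not part of the original message or of Dune's code: the gap between choosing a name and opening the file, next to the exclusive-create and mkstemp(3) alternatives named in the comment. It assumes a POSIX system with a writable /tmp; the directory and file names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* tmpnam-style use: the name was chosen earlier, the file is opened now.
   Returns 1 if the open succeeded, even on a file somebody else created. */
int naive_open_reuses_existing(const char *name)
{
    FILE *f = fopen(name, "w");   /* no O_EXCL: silently takes over the file */
    if (!f) return 0;
    fclose(f);
    return 1;
}

/* Exclusive create: fails with EEXIST if the name is already taken
   (O_CREAT|O_EXCL also refuses a symlink at that name). Returns fd or -1. */
int exclusive_create(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: another party creates the file between name
   generation and opening. Returns 0 if all three outcomes are as described. */
int demo(void)
{
    char dir[] = "/tmp/tmpdemo-XXXXXX", name[64], tmpl[64];
    if (!mkdtemp(dir)) return -1;                 /* private scratch directory */
    snprintf(name, sizeof name, "%s/predicted", dir);
    snprintf(tmpl, sizeof tmpl, "%s/dune-XXXXXX", dir);

    int other = open(name, O_WRONLY | O_CREAT, 0644);  /* someone gets there first */
    if (other < 0) return -1;
    close(other);

    int reused = naive_open_reuses_existing(name);     /* goes unnoticed */
    int fd_excl = exclusive_create(name);              /* refused */
    int refused = (fd_excl < 0 && errno == EEXIST);
    int fd = mkstemp(tmpl);       /* picks the name and creates it atomically */

    if (fd_excl >= 0) close(fd_excl);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    unlink(name);
    rmdir(dir);
    return (reused && refused && fd >= 0) ? 0 : 1;
}

int main(void) { return demo(); }
```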



