Bug#756565: lives: Numerous insecure temporary files used in smogrify

salsaman salsaman+lives at gmail.com
Fri Sep 23 09:55:24 UTC 2016


On Thu, Sep 22, 2016 at 7:56 PM, James Cowgill <jcowgill at debian.org> wrote:


>
> Thinking about this some more, there is a slight race condition here if
> the user deletes the file after the checks, but before it's written. I
> think the best fix would break the smogrify API unfortunately. One
> alternative is to use open(2)'s O_CREATE | O_EXCL flags, but this
> will only work if the file does not exist beforehand.
>


Actually I just had a much simpler idea. Since we are only interested in
getting the value, I can alter this function so that the value is written
to stdout instead of to /tmp.
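
The exclusive-create alternative mentioned in the quoted reply, as an added example that is not part of the original thread and not code from smogrify: the existence check and the creation happen in a single open(2) call, so there is no window between them. The function names, the scratch directory under /tmp and the sample value are assumptions made for the illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* mkdtemp(), symlink() under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create `path` and write `value`, but only if no file or symlink already
 * occupies the name. Returns 0 on success, otherwise the errno value. */
int write_exclusive(const char *path, const char *value)
{
    /* Existence check and creation are one atomic step in the kernel. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno;
    size_t len = strlen(value);
    int err = (write(fd, value, len) == (ssize_t)len) ? 0 : EIO;
    if (close(fd) != 0 && err == 0)
        err = errno;
    return err;
}

/* Constructed scenario: the name is pre-occupied by a symlink pointing at
 * another file. Returns write_exclusive()'s result, -1 on setup failure,
 * or -2 if the symlink target got created (the open followed the link). */
int demo_preplaced_symlink(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX", link[64], target[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(link, sizeof link, "%s/value", dir);
    snprintf(target, sizeof target, "%s/other", dir);
    if (symlink(target, link) != 0)
        return -1;
    int rc = write_exclusive(link, "42\n");
    int followed = (access(target, F_OK) == 0);
    unlink(target);
    unlink(link);
    rmdir(dir);
    return followed ? -2 : rc;
}

int main(void)
{
    int rc = demo_preplaced_symlink();
    printf("pre-placed symlink: %s\n", rc > 0 ? strerror(rc) : "unexpected");
    return rc == EEXIST ? 0 : 1;
}
```

As the quoted reply notes, this only works when the file does not exist beforehand, so a caller has to treat EEXIST as a hard failure rather than deleting the name and retrying.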