lynx-dev

Re: lynx-dev LYUtils and mktemp, and string2.h warnings (glibc 2.2)


From: David Woolley
Subject: Re: lynx-dev LYUtils and mktemp, and string2.h warnings (glibc 2.2)
Date: Sat, 23 Dec 2000 09:32:50 +0000 (GMT)

> LYUtils.o: In function `LYOpenTemp':
> LYUtils.o(.text+0x7b83): the use of `mktemp' is dangerous, better use 
> `mkstemp'

I didn't know you could get the linker to generate such messages,
but this will be an indication that the file names are predictable and
someone who already had access to the machine by other means might be
able to replace one in such a way as to make the Lynx user overwrite
something he had permission for but the attacker did not.

This sort of attack has been discussed in the past.  I believe one of
the protections is not to use the public temporary files directory.
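
One way to act on both points in this message (the linker's `mkstemp` advice and keeping temporary files out of the shared directory), as an added example that is not part of the original post or of Lynx's code. The function names, the `/tmp` base and the file names are assumptions chosen for illustration.

```c
/* Added example, not Lynx code; all names and paths below are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Make a fresh directory under base that only this user can enter (0700). */
int private_tmpdir(const char *base, char *dir, size_t len)
{
    if (snprintf(dir, len, "%s/demo-XXXXXX", base) >= (int)len) return -1;
    return mkdtemp(dir) ? 0 : -1;
}

/* mkstemp() picks the name and creates the file in one step, mode 0600. */
int temp_in(const char *dir, char *path, size_t len)
{
    if (snprintf(path, len, "%s/tmpXXXXXX", dir) >= (int)len) return -1;
    return mkstemp(path);
}

/* Same guarantee for a fixed name: create only if absent, follow no link. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a link already sits at the name we want to use.
 * Returns 1 if the open is refused and the link's target is left intact. */
int refuses_preexisting_link(void)
{
    char dir[4096], target[4200], name[4200];
    struct stat st;
    int fd, ok;
    if (private_tmpdir("/tmp", dir, sizeof dir) != 0) return 0;
    snprintf(target, sizeof target, "%s/precious", dir);
    snprintf(name, sizeof name, "%s/page.html", dir);
    fd = create_exclusive(target);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0) return 0;
    if (symlink(target, name) != 0) return 0;
    fd = create_exclusive(name);              /* must be refused */
    ok = fd < 0 && stat(target, &st) == 0 && st.st_size == 4;
    if (fd >= 0) close(fd);
    unlink(name); unlink(target); rmdir(dir);
    return ok;
}
```

The caller keeps the descriptor returned by `temp_in` and writes through it, rather than reopening the file by name later.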
