call-to-mktemp #51
Comments
Thanks for the heads-up. This code is experimental and I've disabled it from the release again in commit. I have to research how to do socket IPC without using a filename for the socket. Simply replacing mktemp with mkstemp would not work. The issue you point out here is not as simple as it sounds: if I used a fixed filename, I would still have the same security issue, but just not get a warning for it. And using a file descriptor would not work, as the socket API needs a filename. I have some ideas here that I need to try though (e.g. http://stackoverflow.com/questions/1188757/getting-filename-from-file-descriptor-in-c).
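One way out of the dilemma described in the comment above, as an added example that is not buzztrax/libbml code: create a private directory with mkdtemp(3) and bind the socket inside it. mkdtemp creates the directory atomically with mode 0700, so there is no check-then-use window and no other user can reach or pre-create the socket path; bind() then creates the socket node itself. The example also shows why a plain mkstemp swap cannot work (bind() refuses a path that already exists), plus the checks a reviewer would run on the result. The base directory argument, the `ipc-XXXXXX` template and all function names are this example's own choices, not anything the project uses.

```c
/* Added example, not libbml/buzztrax code: a listening AF_UNIX socket
 * without the mktemp(3) race.  mkdtemp(3) atomically creates a 0700
 * directory, so nobody else can pre-create or symlink the socket path. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

#define UN_PATH_MAX sizeof(((struct sockaddr_un *)0)->sun_path)

/* Bind a listening socket at <base_dir>/ipc-XXXXXX/sock.  base_dir is the
 * caller's choice (e.g. "/tmp"); the template name is this example's own.
 * Writes the socket path to path_out and returns the fd, or -1 with errno. */
int bind_private_unix_socket(const char *base_dir, char *path_out, size_t path_len)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    char dir[UN_PATH_MAX];
    int n = snprintf(dir, sizeof dir, "%s/ipc-XXXXXX", base_dir);
    if (n < 0 || (size_t)n + sizeof "/sock" > UN_PATH_MAX) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdtemp(dir) == NULL)          /* atomic create, mode 0700 */
        return -1;
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s/sock", dir);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, 4) < 0) {
        int saved = errno;
        if (fd >= 0) close(fd);
        unlink(addr.sun_path);
        rmdir(dir);
        errno = saved;
        return -1;
    }
    snprintf(path_out, path_len, "%s", addr.sun_path);
    return fd;
}

/* Split "<dir>/sock" into its directory part; returns 0 if there is no '/'. */
static int parent_dir(const char *path, char *dir, size_t dir_len)
{
    snprintf(dir, dir_len, "%s", path);
    char *slash = strrchr(dir, '/');
    if (slash == NULL) return 0;
    *slash = '\0';
    return 1;
}

/* The checks a reviewer would want: the path is a socket we own, inside a
 * directory that no other user can traverse (group/other bits all clear). */
int is_private_socket(const char *path)
{
    struct stat st, dst;
    char dir[UN_PATH_MAX];
    if (!parent_dir(path, dir, sizeof dir)) return 0;
    if (lstat(path, &st) < 0 || !S_ISSOCK(st.st_mode) || st.st_uid != getuid())
        return 0;
    if (stat(dir, &dst) < 0 || !S_ISDIR(dst.st_mode) || (dst.st_mode & 077) != 0)
        return 0;
    return 1;
}

/* Tear down in reverse order: close, unlink the socket, remove the directory. */
int close_private_unix_socket(int fd, const char *path)
{
    char dir[UN_PATH_MAX];
    if (!parent_dir(path, dir, sizeof dir)) { errno = EINVAL; return -1; }
    close(fd);
    if (unlink(path) < 0) return -1;
    return rmdir(dir);
}

/* Why "just use mkstemp" fails: it leaves a regular file behind, and bind()
 * will not replace an existing path.  Returns the errno bind() reported
 * (EADDRINUSE on Linux), or 0 if bind() unexpectedly succeeded. */
int bind_over_mkstemp_file_errno(const char *base_dir)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int n = snprintf(addr.sun_path, sizeof addr.sun_path, "%s/ipc-XXXXXX", base_dir);
    if (n < 0 || (size_t)n >= sizeof addr.sun_path) return ENAMETOOLONG;
    int tmpfd = mkstemp(addr.sun_path);
    if (tmpfd < 0) return errno;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0), result = 0;
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0)
        result = errno;
    if (fd >= 0) close(fd);
    close(tmpfd);
    unlink(addr.sun_path);
    return result;
}
```

Call `bind_private_unix_socket("/tmp", path, sizeof path)`, hand `path` to the client side, and finish with `close_private_unix_socket`. On Linux there is also the abstract socket namespace (a `sun_path` starting with `'\0'`), which has no filesystem entry at all and so needs no temp name; its drawback is that the name is visible to every user on the machine, so a server using it must authenticate peers (for example via `SO_PEERCRED`) rather than rely on directory permissions.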
Can you retry the build? If you build from git, you probably want to use --enable-deprecated in configure.
Ok. Fixed.
Thanks for confirming. So the 0.9 builds fine now and we just keep this open for the issue in the subject, right?
You can close the question. |
Hello!
I tried to build the package and the OBS output gave me the following warning:
libbml1.x86_64: W: call-to-mktemp /usr/lib64/libbml.so.1.1.0
This executable calls mktemp. As advised by the manpage (mktemp(3)), this
function should be avoided. Some implementations are deeply insecure, and
there is a race condition between the time of check and time of use (TOCTOU).
See http://capec.mitre.org/data/definitions/29.html for details, and contact
upstream to have this issue fixed.
https://pmbs.links2linux.de/package/live_build_log/home:awissu:branches:Extra/buzztrax/Factory/x86_64
Thank you for the attention.