patch-2.5.4 mktemp fix

Radosław Krahl ptasz3k at o2.pl
Thu Jan 15 21:46:05 PST 2004


Would you be so kind and give me url where i can find sources for
patch-2.5.9? My modem likes to break connections, and often i have not got
enough time to search for needed things. That's also the reason why i've got
to use windows -- under linux my modem disconnects right after getting
connected :(. So, if you would give me this url, i can fix 2.5.9 too.

> The buffer overflow in patch-2.5.4 is well know, I guess its not taken
> seriously because patch isn't critical in any way.

Hmmm... Patching kernel source tree (or anything else) as root (many people
do it this way, i bet) against patch from unknown/spoofed source can result
in suid root sh executable somewhere in /tmp? I am quite green in security
matters, but i can imagine something like that. :)

> Also, the mktemp vulnerability is not fixed in 2.5.9. It might be being
> use legitemately, but I don't know of any disadvantage to using mkstemp
> instead.

Changing mktemp to mkstemp in patch in a *clean-and-nice* way can be hard
thing. Maybe they're so lazy as I am ;).

Regards
Radek 'ptaszek' Krahl








More information about the hlfs-dev mailing list