patch-2.5.4 mktemp fix

Archaic archaic at indy.rr.com
Sat Jan 17 19:42:58 PST 2004


On Thu, Jan 15, 2004 at 11:02:21PM -0500, Robert Connolly wrote:
> 
> patch-2.5.9 isn't officially on gnu.org. Some vendors have it, I don't
> know where they got it from. The buffer overflow in patch-2.5.4 is
> well known, I guess it's not taken seriously because patch isn't
> critical in any way. The question is, why hasn't GNU released
> patch-2.5.9. Also, the mktemp vulnerability is not fixed in 2.5.9. It
> might be being used legitimately, but I don't know of any disadvantage
> to using mkstemp instead.

Perhaps we should do as LFS in matters such as this and patch an
officially released package? That way, crazy stuff that distros do to
sources doesn't leave us scratching our heads wondering why some things
seem borked.

-- 
Archaic

See, when the GOVERNMENT spends money, it creates jobs; whereas when the
money is left in the hands of TAXPAYERS, God only knows what they do
with it.  Bake it into pies, probably.  Anything to avoid creating jobs.

- Dave Barry
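
The mktemp versus mkstemp difference raised in the quoted message, as an added example that is not part of this thread and is not code from patch. The /tmp path, the function names, and the in-process creation of the file between the two steps are assumptions made for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define TEMPLATE "/tmp/mktemp-demo-XXXXXX"  /* constructed path for this demo */
/* mktemp() only picks a name; open() is a separate, later step. A file is
 * created at that name in between, standing in for another local user
 * winning the race. Returns 0 if the final open() succeeded, else -errno. */
static int name_then_open(int flags)
{
    char path[] = TEMPLATE;
    if (mktemp(path) == NULL || path[0] == '\0')
        return -EINVAL;
    int other = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (other >= 0) close(other);
    int fd = open(path, flags, 0600);
    int rc = fd >= 0 ? 0 : -errno;
    if (fd >= 0) close(fd);
    unlink(path);
    return rc;
}

/* Without O_EXCL the existing file is accepted; with it, open() fails. */
int plain_open_result(void) { return name_then_open(O_WRONLY | O_CREAT | O_TRUNC); }
int excl_open_result(void)  { return name_then_open(O_WRONLY | O_CREAT | O_EXCL); }

/* mkstemp() picks the name and creates the file in one O_CREAT|O_EXCL step.
 * Returns 1 if the result is a new, empty file with no group/other access. */
int mkstemp_private(void)
{
    char path[] = TEMPLATE;
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    int ok = fstat(fd, &st) == 0 && st.st_size == 0 && (st.st_mode & 077) == 0;
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("mktemp + open, no O_EXCL: %d\n", plain_open_result());
    printf("mktemp + open, O_EXCL:    %d\n", excl_open_result());
    printf("mkstemp private file:     %d\n", mkstemp_private());
    return 0;
}
```

When linked against glibc, the call to mktemp() draws a link-time warning recommending mkstemp or mkdtemp; the build still succeeds.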




More information about the hlfs-dev mailing list