Return-Path: Delivered-To: apmail-apache-bugdb-archive@apache.org Received: (qmail 29821 invoked by uid 500); 9 Oct 2000 00:20:01 -0000 Mailing-List: contact apache-bugdb-help@apache.org; run by ezmlm Precedence: bulk Reply-To: apache-bugdb@apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list apache-bugdb@apache.org Received: (qmail 29797 invoked by uid 501); 9 Oct 2000 00:20:00 -0000 Resent-Date: 9 Oct 2000 00:20:00 -0000 Resent-Message-ID: <20001009002000.29796.qmail@locus.apache.org> Resent-From: gnats-admin@bugz.apache.org (GNATS Management) Resent-To: apache-bugdb@apache.org Resent-Cc: apache-bugdb@apache.org Resent-Reply-To: gnats-admin@bugz.apache.org, cahagn_o@epita.fr Received: (qmail 28844 invoked by uid 501); 9 Oct 2000 00:14:05 -0000 Message-Id: <20001009001405.28843.qmail@locus.apache.org> Date: 9 Oct 2000 00:14:05 -0000 From: Olivier Cahagne Reply-To: cahagn_o@epita.fr To: submit@bugz.apache.org X-Send-Pr-Version: 3.110 Subject: build/6640: tmpnam() possibly used unsafely, consider using mkstemp() >Number: 6640 >Category: build >Synopsis: tmpnam() possibly used unsafely, consider using mkstemp() >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: apache >Arrival-Date: Sun Oct 08 17:20:00 PDT 2000 >Closed-Date: >Last-Modified: >Originator: cahagn_o@epita.fr >Release: 1.3.13-dev >Organization: apache >Environment: NetBSD 1.3.3 x86 gcc 2.7.2.2 >Description: When compiling latest Apache snapshot 20001008221200, I get the following warnings: htpasswd.o: warning: tmpnam() possibly used unsafely, consider using mkstemp() htdigest.o: warning: tmpnam() possibly used unsafely, consider using mkstemp() Is it a possible security flaw ? I remember PHP fixed this "bug" with their own PHP recently. This is on NetBSD 1.3.3 x86 with gcc 2.7.2.2, here's my configure line: ./configure --sbindir=/usr/www/etc/httpd/sbin \ --prefix=/usr/www/etc/httpd \ --enable-suexec \ --suexec-safepath="/bin:/usr/bin:/usr/www/bin/php:/usr/www/web/b in:/usr/www/web/bin/error" \ --suexec-logfile=/usr/www/etc/httpd/logs/cgi.log \ --suexec-caller=~ \ --suexec-userdir=www \ --suexec-docroot=/usr/www/web \ --suexec-uidmin=100 \ --suexec-gidmin=100 >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]