GNU m4 1.4ppre2 has the following /tmp security problems: tests/mkconfig.sh does `env >/tmp/env', thereby overwriting an arbitrary file owned by the user running the tests which has been symlinked to by an attacker. tests/other-tests/stackovf.test would also be a security risk if it weren't disabled, but it should probably have prominent comments in it not to enable it until its security is fixed. src/builtin.c, function m4_maketemp() uses mktemp() with the usual races; m4 should explicitly create the file using mkstemp(). It would probably be appropriate for the mkstemp() implementations in src/output.c to be made non-static for this purpose; then the mktemp() implementation there could be removed, and the gratuitous insecurity of the mkstemp() implementation in terms of mktemp() fixed by changing O_TRUNC to O_EXCL. -- Joseph S. Myers [EMAIL PROTECTED]
