The compiler complained about usage of the unsafe tmpnam() function in
ssl_unix.c. This patch changes this to make use of the safe mkstmp().
In the FAQ I see that it is claimed that this part of the code is not
executed on Linux, in particular. If this is the case, I am surprised
this part of the code is not in a removed in a #ifdef block.
The problem gets even a bit more complicated when other programs
linking in the the library statically also comes with the same compiler
warnings.
The code is, from a code perspective, available in the library in binary
form. In this perspective, it might be a possibility that this code is
executed by some software packages.
This was also the only place in the code where I could find tmpnam()
used in the c-client-2007e library.
kind regards,
David Sommerseth
--- a/src/osdep/unix/ssl_unix.c 2008-06-04 20:18:34.000000000 +0200
+++ b/src/osdep/unix/ssl_unix.c 2009-06-02 13:19:00.000000000 +0200
@@ -98,7 +98,9 @@
struct stat sbuf;
/* if system doesn't have /dev/urandom */
if (stat ("/dev/urandom",&sbuf)) {
- while ((fd = open (tmpnam (tmp),O_WRONLY|O_CREAT|O_EXCL,0600)) < 0)
+ strncpy (tmp, "tmpXXXXXX\0", MAILTMPLEN-1);
+ mkstmp (tmp);
+ while ((fd = open (tmp, O_WRONLY|O_CREAT|O_EXCL,0600)) < 0)
sleep (1);
unlink (tmp); /* don't need the file */
fstat (fd,&sbuf); /* get information about the file */
_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw
