Your message dated Fri, 15 Aug 2008 15:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#495193: fixed in mktemp 1.5-9
has caused the Debian Bug report #495193,
regarding mktemp generated string partly not random
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
495193: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495193
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---

Package: mktemp
Version: 1.5-2
Severity: grave
Tags: security

There's a problem with the randomness of mktemp. The
string includes a number which somewhat incorporates
the current process ID (it is based on the current PID). Worse:
subsequent calls just seem to increase the number
by one:

[EMAIL PROTECTED]:~|0% cat /etc/debian_version
4.0
[EMAIL PROTECTED]:~|0% ps
  PID TTY          TIME CMD
32342 pts/2    00:00:00 zsh
32366 pts/2    00:00:00 ps
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32367
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32368
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32369
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32370
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32371
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/-zsh.32342.32372
[EMAIL PROTECTED]:~|0%


If you specify more "X" you will get letters included
-- the amount seems to depend on the length of the PPID --
but as far as the numbers are concerned, it shows
the same behaviour.

This is the way it should be (Opensuse):

[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.WawJF
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.53xOG
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX
/tmp/zsh.6802.HCmhP
[EMAIL PROTECTED]:~|0% mktemp /tmp/$0.$$.XXXXX


I suggest you use

a) a mixture of letters and numbers for mktemp (more letters, since
   1 out of 26 has higher degree of randomness than 1 out of 10).
b) don't include a fixed ratio or position of letters/numbers
c) base neither the numbers nor the letters on PIDs or any other
   predictable values. Use /dev/(u)random or similar.


This also applies to Debian Lenny.


Cheers,
        Dirk






--
Dirk Wetter @ Dr. Wetter IT Consulting          http://drwetter.org
Beratung IT-Sicherheit + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3  64E5 C967 34D8 11B7 C62F

-
Found core file older than 7 days: /usr/share/man/man5/core.5.gz




--- End Message ---
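An added example, not part of the bug report or of the mktemp package: a Python script that takes the names quoted in the report above as constructed sample data, flags the Debian run (sequential numeric suffixes sitting just above the shell's PID) as predictable, leaves the OpenSUSE run alone, and generates a suffix the way suggestions a) to c) ask for, each position an independent CSPRNG draw from letters and digits. The function names, the "within 1000 of the PID" window, and the entropy figures are this example's own choices, not anything mktemp implements.

```python
import math
import secrets
import string

# Constructed sample data, copied from the report above: the names mktemp
# produced for the template /tmp/$0.$$.XXXXX on Debian 4.0 (mktemp 1.5-2,
# shell PID 32342) and on OpenSUSE (shell PID 6802).
DEBIAN_PID = 32342
DEBIAN_NAMES = [
    "/tmp/-zsh.32342.32367",
    "/tmp/-zsh.32342.32368",
    "/tmp/-zsh.32342.32369",
    "/tmp/-zsh.32342.32370",
    "/tmp/-zsh.32342.32371",
    "/tmp/-zsh.32342.32372",
]
SUSE_PID = 6802
SUSE_NAMES = [
    "/tmp/zsh.6802.WawJF",
    "/tmp/zsh.6802.53xOG",
    "/tmp/zsh.6802.HCmhP",
]

ALPHABET = string.ascii_letters + string.digits   # 62 symbols per position


def suffixes(names, n_x=5):
    """Return the n_x characters that replaced the X's in each name."""
    return [name[-n_x:] for name in names]


def predictability(sfx, pid, window=1000):
    """Classify a run of mktemp suffixes from one process.

    Returns a short reason if the run looks guessable, else None:
      'sequential'   each suffix is the previous one plus one
      'near-pid'     every suffix is a number within `window` of the PID
      'digits-only'  nothing but digits (10 symbols per position, not 62)
    The window is an assumption of this example, not a documented property.
    """
    if all(s.isdigit() for s in sfx):
        nums = [int(s) for s in sfx]
        if len(nums) > 1 and all(b == a + 1 for a, b in zip(nums, nums[1:])):
            return "sequential"
        if all(abs(n - pid) <= window for n in nums):
            return "near-pid"
        return "digits-only"
    return None


def entropy_bits(n_x, alphabet_size=len(ALPHABET)):
    """Bits an attacker must guess when every X is an independent uniform draw."""
    return n_x * math.log2(alphabet_size)


def secure_suffix(n_x=5):
    """Suffix of the kind the report asks for: every position is an
    independent draw from the OS CSPRNG over letters+digits, so there is no
    fixed letter/digit ratio or position and no dependence on the PID."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n_x))


if __name__ == "__main__":
    print("debian:", predictability(suffixes(DEBIAN_NAMES), DEBIAN_PID))
    print("suse:  ", predictability(suffixes(SUSE_NAMES), SUSE_PID))
    print("bits for 5 X's, 62 symbols: %.1f" % entropy_bits(5))
    print("bits for 5 X's, digits only: %.1f" % entropy_bits(5, 10))
    print("example secure name: /tmp/zsh.%d.%s" % (SUSE_PID, secure_suffix()))
```

The classifier is deliberately crude: it only needs to tell a counter from a random draw, which is the whole difference between the two transcripts. The entropy numbers show why suggestion a) matters even once the PID is gone: five digit-only positions give about 16.6 bits, five positions over letters and digits about 29.8, and a counter gives effectively zero once one name has been seen.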
--- Begin Message ---
Source: mktemp
Source-Version: 1.5-9

We believe that the bug you reported is fixed in the latest version of
mktemp, which is due to be installed in the Debian FTP archive:

mktemp_1.5-9.diff.gz
  to pool/main/m/mktemp/mktemp_1.5-9.diff.gz
mktemp_1.5-9.dsc
  to pool/main/m/mktemp/mktemp_1.5-9.dsc
mktemp_1.5-9_i386.deb
  to pool/main/m/mktemp/mktemp_1.5-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Adams <[EMAIL PROTECTED]> (supplier of updated mktemp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 15 Aug 2008 11:24:23 -0400
Source: mktemp
Binary: mktemp
Architecture: source i386
Version: 1.5-9
Distribution: unstable
Urgency: high
Maintainer: Clint Adams <[EMAIL PROTECTED]>
Changed-By: Clint Adams <[EMAIL PROTECTED]>
Description: 
 mktemp     - tool for creating temporary files
Closes: 495193
Changes: 
 mktemp (1.5-9) unstable; urgency=high
 .
   * Upstream patch to remove pid from name generation.  closes: #495193.
Checksums-Sha1: 
 d1899ed9dfaffdd4a30017822d19f6de3681ae16 894 mktemp_1.5-9.dsc
 53b36afd26bf980b9cb168d2c87cad0a150e6ab9 23823 mktemp_1.5-9.diff.gz
 de0f8e189280e6ed62bf2b091bb18e4c61c20a1e 10760 mktemp_1.5-9_i386.deb
Checksums-Sha256: 
 f9f887e31fa2dce9ccad85a055959cb900b5ffee6d3d6027112f58ef3d930946 894 mktemp_1.5-9.dsc
 a483dfd8c4a9d19162adbbcbbd2f7bfa85a8d0591a270a85777e6107dd4aaa94 23823 mktemp_1.5-9.diff.gz
 bac403ad3f95a51a75a6de42c4bc3e0439b3337a384aec03dc203c7cbedcc5fd 10760 mktemp_1.5-9_i386.deb
Files: 
 624d320c5fb11aa8e12ba5eecd94eec1 894 utils required mktemp_1.5-9.dsc
 7fadb594f8c3804cd94fd51d00967056 23823 utils required mktemp_1.5-9.diff.gz
 b57ccd8dc5b842418b5345384f97015d 10760 utils required mktemp_1.5-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Debian!

iD8DBQFIpaEU5m0u66uWM3ARAmqKAKDLCf1x1CEiZQnn/1pKFesVjA0suQCgunTx
SlHnHN1XmoZ15XPnHtKwfoM=
=yloN
-----END PGP SIGNATURE-----



--- End Message ---
