On Apr 30, 2011, at 10:36, Peter O'Gorman wrote:

>> # Use mktemp rather than mkdir to avoid possible security issue
>> # if $dir exists and is a symlink
>
> I don't understand what this is trying to do, in no case will $dir contain
> XXXXXX for mktemp to replace with randomness, so in all cases Mac OS X mktemp
> behaves the same as mkdir ${dir}.

I refer you to the comment in the script. Using mkdir can lead to a man-in-the-middle attack on those sockets. That issue was specifically addressed in XQuartz 2.2.0, three years ago (and also a Leopard update at some point... either SecUpdate2008-002 or 10.5.5):

http://xquartz.macosforge.org/trac/wiki/X112.2.0
http://xquartz.macosforge.org/trac/wiki/Releases

--Jeremy

_______________________________________________
Xquartz-dev mailing list
Xquartz-dev@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/xquartz-dev
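
An added example, not part of the message above or of the XQuartz script it discusses: a shell function that sets up a shared socket directory while refusing a pre-existing `$dir` that is a symlink, the case the quoted script comment is concerned with. The function name `safe_socket_dir`, its return codes and the sandbox paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the XQuartz script. safe_socket_dir and the sandbox
# paths below are hypothetical names constructed for illustration.

# Create DIR with mode 1777, or accept an existing DIR only if it is a real
# directory owned by the current user.
# Returns: 0 usable, 1 symlink, 2 not a directory, 3 owned by someone else.
safe_socket_dir() {
    dir=$1
    # mkdir without -p fails if the name already exists in any form,
    # including as a symlink, so success means we created it ourselves.
    if mkdir -m 700 "$dir" 2>/dev/null; then
        chmod 1777 "$dir"
        return 0
    fi
    [ -L "$dir" ] && return 1   # pre-planted symlink: never follow it
    [ -d "$dir" ] || return 2   # some other file type holds the name
    [ -O "$dir" ] || return 3   # directory created by another user
    # Owned by us: in a sticky parent such as /tmp nobody else can swap it out.
    chmod 1777 "$dir"
}

demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/sockdir.XXXXXX") || return 1
    mkdir "$sandbox/elsewhere"
    ln -s "$sandbox/elsewhere" "$sandbox/planted"   # constructed symlink case
    for name in fresh planted; do
        rc=0
        safe_socket_dir "$sandbox/$name" || rc=$?
        echo "$name -> rc=$rc"
    done
    rm -rf "$sandbox"
}
demo
```

The checks run in that order so that a symlink pointing at a valid directory is rejected before the `-d` and `-O` tests, both of which follow links.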