From: Florian Weimer
Subject: Re: C vs. Ada - strings
Date: 2000/05/09
Organization: Comp.Center (RUS), U of Stuttgart, FRG
Newsgroups: comp.lang.ada

Robert Dewar writes:

[Don't use tmpfile()]

> Now there's FUD if I ever saw it!

Certainly it is, but it is appropriate in this case, I think. For example, the GNU/Linux implementation of tmpfile() had a race condition which permitted every local user to open the temporary file, and this bug was not fixed until GNU libc 2.0.6 (and it is still there in libc4/libc5). This bug is very hard to spot on a running system (unless someone is actually exploiting it or you have a system call logger), and obviously, nobody looked at the source code.

> To the extent that this is an effective argument, it can
> presumably be used for all xxxx :-)

The temporary file generation functions are very critical, many security breaches (by local users) are due to insecure temporary files. The problem is very subtle, and you can tell a broken implementation from a correct one only by looking at the source code or at a verbose system call trace.

In fact, I believe that tmpfile() is implemented wrong on a number of additional platforms, but I couldn't check because I neither have source code nor a system call tracer for these platforms!

-- 
Florian Weimer  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart  http://cert.uni-stuttgart.de/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5
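
An added illustration, not part of the original post: the post says a broken temporary-file implementation can be told from a correct one by reading a verbose system call trace, and this Python check does that over strace-style output, flagging file creations in shared temp directories that lack O_EXCL or pass a mode granting group/other access. The sample trace lines, paths, directory list and finding codes are constructed, and the two criteria are general rules for safe temporary-file creation, not a reconstruction of the specific GNU libc bug.

```python
import re

# Constructed strace-style sample (not from the original post); all paths are made up.
SAMPLE_TRACE = """\
open("/tmp/tmpf000123", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
open("/tmp/tmpfAb3xQ9", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
unlink("/tmp/tmpfAb3xQ9") = 0
openat(AT_FDCWD, "/var/tmp/cache.1", O_WRONLY|O_CREAT|O_EXCL, 0644) = 5
open("/etc/passwd", O_RDONLY) = 6
open("/tmp/tmpfZZ", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 EEXIST (File exists)
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/")  # assumption: the shared, world-writable directories

# open()/openat() as strace prints them: path, flag list, optional mode, return value.
OPEN_RE = re.compile(
    r'\bopen(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*(?P<flags>[A-Z0-9_|]+)'
    r'(?:,\s*(?P<mode>0[0-7]*))?\)\s*=\s*(?P<ret>-?\d+)'
)

def audit_trace(trace):
    """Return [(line_number, path, [finding codes])] for risky temp-file creations."""
    findings = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = OPEN_RE.search(line)
        if not m or not m["path"].startswith(TEMP_DIRS):
            continue
        flags = set(m["flags"].split("|"))
        # Only successful creations matter; a failed O_EXCL open is the safe outcome.
        if "O_CREAT" not in flags or int(m["ret"]) < 0:
            continue
        codes = []
        if "O_EXCL" not in flags:
            # Without O_EXCL the call opens whatever already sits at that name,
            # including a file or symlink another local user placed there first.
            codes.append("NO_EXCL")
        if int(m["mode"] or "0", 8) & 0o077:
            # Requested mode lets group/other in; privacy then depends on the umask.
            codes.append("WIDE_MODE")
        if codes:
            findings.append((lineno, m["path"], codes))
    return findings

if __name__ == "__main__":
    for lineno, path, codes in audit_trace(SAMPLE_TRACE):
        print(f"line {lineno}: {path}: {', '.join(codes)}")
```
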