
Re: cvs: temporary file handling fixes

From: Derek Robert Price
Subject: Re: cvs: temporary file handling fixes
Date: Fri, 23 May 2003 10:57:15 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Solar Designer wrote:


We've recently officially added CVS 1.11.5 to Openwall GNU/*/Linux.
One of the things this required is a review of CVS code for possible
unsafe temporary file handling and making the corresponding fixes.
Our patches are available via:

cvs -d :pserver:anoncvs:anoncvs@anoncvs.owl.openwall.com:/cvs co 

Of course, the worst were the scripts under contrib/ and our fixes to
them require Todd Miller's mktemp (1.3.1 or newer) most of the time
(but not always, so that some may be applied to the official CVS even
if requiring mktemp is decided to be unacceptable).  There're
intentionally no fallbacks to not be fail-open.

Also note the patch which makes CVS use vitmp, our wrapper around
the VIM editor.  Without it, the uses of vi by CVS are unsafe at
least with VIM 6.1.386 (the VIM 6.1 patchlevel we're at currently)
when $TMPDIR is set to a directory that VIM doesn't recognize as a
temporary file one.  It may be easily seen with strace how, without
vitmp, a temporary file is unlinked and then re-created under the
same name and without the use of O_EXCL.  vitmp is in the public
domain and may be had via:

cvs -d :pserver:anoncvs:anoncvs@anoncvs.owl.openwall.com:/cvs co 

At first glance, these fixes are mostly either misguided or already incorporated in, at least, the 1.12 feature branch. The fixes that might be usable are going to need at least ChangeLog entries to accompany them, some may need more documentation or tests in sanity.sh, and all will need to have their purposes explained more fully to be accepted. Please see the HACKING file in the top level of the CVS source distribution for more on how to submit patches. Please note in particular that they should be sent to the <bug-cvs@gnu.org> mailing list and not directly to me.

Finally, fixes to the diff/* library code, unless their only purpose is CVS integration, should be sent to the GNU diffutils project. The home page is located at <http://www.gnu.org/software/diffutils/> and their bug report mailing list is <bug-gnu-utils@gnu.org>. After the GNU diffutils project has incorporated a needed fix, please then notify us that it would be a good idea to import the new version of the diffutils library into CVS and why.

Thank you for your time,



Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
Tar is not a plaything.
Tar is not a plaything.
Tar is not a plaything...

         - Bart Simpson on chalkboard, _The Simpsons_
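The unlink-then-recreate pattern Solar Designer describes above, beside the O_EXCL variant that fails closed instead of following whatever appears at the path, as an added example that is not part of this thread's patches or of CVS; it assumes a writable /tmp and plants a symlink in a constructed scratch directory to stand in for the race window:

```c
#define _XOPEN_SOURCE 700 /* declares mkdtemp() and symlink() under strict modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the thread describes: the old name is reused with O_CREAT but
 * no O_EXCL, so whatever now occupies that path (e.g. a symlink planted
 * in the window after unlink()) is followed and truncated in place. */
int recreate_without_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
}

/* Fail-closed alternative: with O_EXCL, open() fails with EEXIST when
 * anything already occupies the path, symlink included; no fallback. */
int recreate_with_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Reproduces the outcome of the race in a private mkdtemp() directory:
 * a symlink is planted at the temp path (standing in for what could
 * appear between unlink() and the re-create), then both variants try to
 * re-create it. Returns 1 if O_EXCL refused with EEXIST while the plain
 * open went through the link, 0 otherwise. Everything is cleaned up. */
int demo_excl_difference(void)
{
    char dir[] = "/tmp/exclXXXXXX";            /* constructed scratch dir */
    char victim[64], tmp[64];
    int fd, refused = 0, followed = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/tmpfile", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd >= 0) close(fd);
    if (symlink(victim, tmp) == 0) {
        fd = recreate_with_excl(tmp);
        refused = (fd < 0 && errno == EEXIST);
        if (fd >= 0) close(fd);
        fd = recreate_without_excl(tmp);    /* silently follows the link */
        followed = (fd >= 0);
        if (fd >= 0) close(fd);
    }
    unlink(tmp); unlink(victim); rmdir(dir);
    return refused && followed;
}
```

The same difference is what strace shows for the vi case in the thread: the only reliable fix is O_EXCL (or mkstemp, which uses it) at the re-create, not a check before it.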
