#1280 new defect

RPMLint issue call-to-mktemp

Reported by: anonymous
Owned by:
Priority: minor
Milestone:
Component: BitlBee
Version: Unspecified
Keywords: mktemp
Cc:
IRC client+version: Client-independent
Operating System: Linux
OS version/distro: openSUSE

Description

I get this warning when doing builds for the latest 3.5 release.

[   41s] ... removing all built rpms
[   41s]     (order: reverse bitlbee bitlbee-devel bitlbee-debuginfo bitlbee-debugsource bitlbee-doc)
[   41s] Failed to connect to bus: No such file or directory
[   42s]
[   42s] RPMLINT report:
[   42s] ===============
[   42s] bitlbee.x86_64: W: call-to-mktemp /usr/sbin/bitlbee
[   42s] This executable calls mktemp. As advised by the manpage (mktemp(3)), this
[   42s] function should be avoided. Some implementations are deeply insecure, and
[   42s] there is a race condition between the time of check and time of use (TOCTOU).
[   42s] See http://capec.mitre.org/data/definitions/29.html for details, and contact
[   42s] upstream to have this issue fixed.
[   42s]
[   42s] bitlbee.x86_64: I: binary-or-shlib-calls-gethostbyname /usr/sbin/bitlbee
[   42s] The binary calls gethostbyname(). Please port the code to use getaddrinfo().
[   42s]
[   42s] 4 packages and 0 specfiles checked; 0 errors, 1 warnings.

Also, maybe gethostbyname() -> getaddrinfo() should be taken care of.

Attachments (0)

Change History (3)

comment:1 Changed at 2017-01-24T16:11:38Z by dx

What's wrong with gethostbyname?

comment:2 in reply to:  1 Changed at 2017-01-24T16:23:26Z by dx

Replying to dx:

What's wrong with gethostbyname?

Answering my own question: ipv4 only, apparently.

It's currently only used by the socks4 code (not socks5 or anything else). Meh.

comment:3 Changed at 2022-11-21T07:35:37Z by Thaodan

mktemp is also used in purple/ft.c
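
The check/use gap that the rpmlint warning above describes, next to the mkstemp(3) replacement, as an added example that is not BitlBee code and not part of the ticket. The helper names and the /tmp template are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: mkstemp() picks the name and creates the file in one
 * atomic step (exclusive create, owner-only mode), so no check/use gap exists.
 * tmpl must end in "XXXXXX"; it is overwritten with the path that was created. */
int safe_temp_fd(char *tmpl) { return mkstemp(tmpl); }

/* What a mktemp() caller typically does once it has a name: a plain create.
 * If the path came into existence in the meantime, it is silently reused. */
int open_after_name(const char *p) { return open(p, O_WRONLY | O_CREAT, 0600); }

/* The same open with O_EXCL: refuses with EEXIST when the path already exists. */
int open_exclusive(const char *p)
{
    return open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario; returns 1 when all three behaviours are observed. */
int demo(void)
{
    char tmpl[] = "/tmp/mktemp-demo-XXXXXX";     /* constructed sample path */
    struct stat st;
    int fd = safe_temp_fd(tmpl);
    if (fd < 0 || fstat(fd, &st) != 0)
        return 0;
    int private_mode = (st.st_mode & 077) == 0;  /* no group/other access */
    /* tmpl now exists, standing in for a path created inside the window. */
    int reused = open_after_name(tmpl);          /* succeeds on existing file */
    int excl = open_exclusive(tmpl);             /* must fail */
    int excl_errno = errno;
    if (reused >= 0) close(reused);
    if (excl >= 0) close(excl);
    close(fd);
    unlink(tmpl);
    return private_mode && reused >= 0 && excl == -1 && excl_errno == EEXIST;
}

int main(void) { return demo() ? 0 : 1; }
```

Code that must keep a name-based API can generate the name itself and open it with O_EXCL, retrying on EEXIST, which is what mkstemp() does internally.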
