From nobody@FreeBSD.org  Mon Nov  2 22:18:02 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C24FC106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  2 Nov 2009 22:18:02 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 983848FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  2 Nov 2009 22:18:02 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id nA2MI2JP080218
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 2 Nov 2009 22:18:02 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id nA2MI1Sp080217;
	Mon, 2 Nov 2009 22:18:01 GMT
	(envelope-from nobody)
Message-Id: <200911022218.nA2MI1Sp080217@www.freebsd.org>
Date: Mon, 2 Nov 2009 22:18:01 GMT
From: Jeremy Huddleston <jeremyhu@apple.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: mktemp buffer overrun
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         140228
>Category:       bin
>Synopsis:       [patch] mktemp(3) buffer overrun
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    jh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 02 22:20:02 UTC 2009
>Closed-Date:    Fri Mar 19 12:40:20 UTC 2010
>Last-Modified:  Fri Mar 19 12:40:20 UTC 2010
>Originator:     Jeremy Huddleston
>Release:        8.0
>Organization:
Apple
>Environment:
FreeBSD freebsd.apple.com 8.0-CURRENT-200809 FreeBSD 8.0-CURRENT-200809 #0: Sun Sep  7 22:13:46 UTC 2008     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
memcpy in mktemp.c does not ensure that destination is large enough.
>How-To-Repeat:
mktemp '/tmp/foo_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX!
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Segmentation fault: 11 (core dumped)
>Fix:
I will provide a patch after testing.

>Release-Note:
>Audit-Trail:

From: Jeremy Huddleston <jeremyhu@apple.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/140228: mktemp(1) buffer overrun
Date: Mon, 2 Nov 2009 16:20:36 -0800

 --Apple-Mail-10--272437935
 Content-Transfer-Encoding: quoted-printable
 Content-Type: text/plain;
 	charset=us-ascii
 
 Index: mktemp.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- mktemp.c	(revision 47164)
 +++ mktemp.c	(working copy)
 @@ -132,7 +132,7 @@
  	start =3D trv + 1;
 =20
  	/* save first combination of random characters */
 -	memcpy(carrybuf, start, suffp - start);
 +	memcpy(carrybuf, start, MAXPATHLEN < suffp - start ? MAXPATHLEN =
 : suffp - start);
 =20
  	/*
  	 * check the target directory.
 
 
 --Apple-Mail-10--272437935
 Content-Disposition: attachment;
 	filename=smime.p7s
 Content-Type: application/pkcs7-signature;
 	name=smime.p7s
 Content-Transfer-Encoding: base64
 
 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIITbjCCAz8w
 ggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0
 ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcx
 KDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0
 ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxA
 dGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpB
 MSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUg
 UGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
 xKY8VXNV+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7d
 yfArhVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/
 p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDow
 OKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3Js
 MAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgw
 DQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A
 9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYI
 Tq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8wggM/MIICqKADAgECAgENMA0GCSqGSIb3
 DQEBBQUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlD
 YXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
 aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwg
 Q0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3
 MDAwMDAwWhcNMTMwNzE2MjM1OTU5WjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENv
 bnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElz
 c3VpbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f
 6f+jHuy9zfVb8hp2vX8MOmHyv1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/EfkTYk
 KhPPK9Xzgnc9A74r/rsYPge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7AgMBAAGj
 gZQwgZEwEgYDVR0TAQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsLnRo
 YXd0ZS5jb20vVGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8EBAMCAQYwKQYDVR0R
 BCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqGSIb3DQEBBQUAA4GBAEiM
 0VCD6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQcUCCTcDz9reFhYsPZOhl+hLGZ
 GwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bGCE6u9uo05RAaWzVNd+NWIXiC3CEZ
 Nd4ksdMdRv9dX2VPMIIGcDCCBdmgAwIBAgIQKF0Nr8sW2fhCBNsoUjwm8zANBgkqhkiG9w0BAQUF
 ADBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEs
 MCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDkwNTA0MDUy
 OTE0WhcNMTAwNTA0MDUyOTE0WjCCAnAxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIx
 JDAiBgkqhkiG9w0BCQEWFWplcmVteWh1QGJlcmtlbGV5LmVkdTErMCkGCSqGSIb3DQEJARYcamVy
 ZW15aHVAdWNsaW5rLmJlcmtlbGV5LmVkdTEsMCoGCSqGSIb3DQEJARYdamVyZW15aHVAdWNsaW5r
 NC5iZXJrZWxleS5lZHUxJzAlBgkqhkiG9w0BCQEWGGplcmVteWh1QGNzLmJlcmtlbGV5LmVkdTEp
 MCcGCSqGSIb3DQEJARYaamVyZW15QHVwZS5jcy5iZXJrZWxleS5lZHUxKTAnBgkqhkiG9w0BCQEW
 GmplcmVteWh1QGVlY3MuYmVya2VsZXkuZWR1MScwJQYJKoZIhvcNAQkBFhhqZXJlbXlodUBmcmVl
 ZGVza3RvcC5vcmcxJDAiBgkqhkiG9w0BCQEWFWplcmVteWh1QG1hY3BvcnRzLm9yZzElMCMGCSqG
 SIb3DQEJARYWamVyZW15QG91dGVyc3F1YXJlLm9yZzEgMB4GCSqGSIb3DQEJARYRamVyZW15aHVk
 QG1hYy5jb20xIzAhBgkqhkiG9w0BCQEWFGplcmVteUBodWRzY2FiaW4uY29tMSEwHwYJKoZIhvcN
 AQkBFhJqZXJlbXlodUBhcHBsZS5jb20xJTAjBgkqhkiG9w0BCQEWFmplcmVteUBvdXRlcnNxdWFy
 ZS5jb20xJTAjBgkqhkiG9w0BCQEWFnBheXBhbEBvdXRlcnNxdWFyZS5jb20xHzAdBgkqhkiG9w0B
 CQEWEGplcmVteWh1ZEBtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwVnJ8
 XrKgByWkhJhQDk7Kj45PnZYRXJNQfcTyBQsqSqfUh13Limf2qJTxpw8Mdq/SuNkO3ZjLkaYGPB4+
 8uaHdDqGEanq2wf4qKV4dyFEQO92mRQRxLijfBS4CunlSYzHuPd6g5osI0BVpFbNRswqOXWbHd1z
 XRVvRqpvYKQJFWLf3dqXU3zZO2nv4sabnovbNCKEO6HrxQeawFfwxL20adsK5F1ejK1VRSEsTzd7
 BjNs8QTWC4qZKrrNuaPJLVt4LDbRXIqOggrZaOkggIBIIdXubjOrrpR41PvcvibfvYLUpo3bdX5e
 tWH/VU/ywIS3oIc4d+VtOL/O3YdCpX0FAgMBAAGjggGRMIIBjTCCAXsGA1UdEQSCAXIwggFugRVq
 ZXJlbXlodUBiZXJrZWxleS5lZHWBHGplcmVteWh1QHVjbGluay5iZXJrZWxleS5lZHWBHWplcmVt
 eWh1QHVjbGluazQuYmVya2VsZXkuZWR1gRhqZXJlbXlodUBjcy5iZXJrZWxleS5lZHWBGmplcmVt
 eUB1cGUuY3MuYmVya2VsZXkuZWR1gRpqZXJlbXlodUBlZWNzLmJlcmtlbGV5LmVkdYEYamVyZW15
 aHVAZnJlZWRlc2t0b3Aub3JngRVqZXJlbXlodUBtYWNwb3J0cy5vcmeBFmplcmVteUBvdXRlcnNx
 dWFyZS5vcmeBEWplcmVteWh1ZEBtYWMuY29tgRRqZXJlbXlAaHVkc2NhYmluLmNvbYESamVyZW15
 aHVAYXBwbGUuY29tgRZqZXJlbXlAb3V0ZXJzcXVhcmUuY29tgRZwYXlwYWxAb3V0ZXJzcXVhcmUu
 Y29tgRBqZXJlbXlodWRAbWUuY29tMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAMtx6
 voXn2w2+kaevSb7REuy5TBAQNzwlcwLiaC44HMVhwQGEYG544mBabCqY2+MtLbEn2RDQGHArtuCA
 Tv9liObLp6UPNKo+8Bcd3edN0dlFSeb0wFPVt71e05dGeyIoBxIrM4ix2BON/SHcGsgt3n1DRXen
 JLYVV809vRtHQpowggZwMIIF2aADAgECAhBfIA3CIvCJAyf8rsNvgxtuMA0GCSqGSIb3DQEBBQUA
 MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSww
 KgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0wOTA5MTQyMTM2
 MjdaFw0xMDA5MTQyMTM2MjdaMIICcDEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEk
 MCIGCSqGSIb3DQEJARYVamVyZW15aHVAYmVya2VsZXkuZWR1MSswKQYJKoZIhvcNAQkBFhxqZXJl
 bXlodUB1Y2xpbmsuYmVya2VsZXkuZWR1MSwwKgYJKoZIhvcNAQkBFh1qZXJlbXlodUB1Y2xpbms0
 LmJlcmtlbGV5LmVkdTEnMCUGCSqGSIb3DQEJARYYamVyZW15aHVAY3MuYmVya2VsZXkuZWR1MSkw
 JwYJKoZIhvcNAQkBFhpqZXJlbXlAdXBlLmNzLmJlcmtlbGV5LmVkdTEpMCcGCSqGSIb3DQEJARYa
 amVyZW15aHVAZWVjcy5iZXJrZWxleS5lZHUxJzAlBgkqhkiG9w0BCQEWGGplcmVteWh1QGZyZWVk
 ZXNrdG9wLm9yZzEkMCIGCSqGSIb3DQEJARYVamVyZW15aHVAbWFjcG9ydHMub3JnMSUwIwYJKoZI
 hvcNAQkBFhZqZXJlbXlAb3V0ZXJzcXVhcmUub3JnMSAwHgYJKoZIhvcNAQkBFhFqZXJlbXlodWRA
 bWFjLmNvbTEjMCEGCSqGSIb3DQEJARYUamVyZW15QGh1ZHNjYWJpbi5jb20xITAfBgkqhkiG9w0B
 CQEWEmplcmVteWh1QGFwcGxlLmNvbTElMCMGCSqGSIb3DQEJARYWamVyZW15QG91dGVyc3F1YXJl
 LmNvbTElMCMGCSqGSIb3DQEJARYWcGF5cGFsQG91dGVyc3F1YXJlLmNvbTEfMB0GCSqGSIb3DQEJ
 ARYQamVyZW15aHVkQG1lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+c2RGH
 leO3G25PQEPEVsV3H/cWDewBCnMbqV0zgEg3hMyoRUG3aRUgH4gWbhVNkx/5t0A+mLQQWNnktg2J
 ku4MJJhHmarkxQAwITyamyO+37GHFl2d7oe5J7CFwg3Evf/2Lli0mfglfDHBy5YN9yURbSMVRaDV
 WGHhpYkqTwGXG2Bpai7oqdOlB0hDcRGE4Fv5aurxAuxyIohZMuxhZBzDfmidKsOUTnsz+NCUFIXK
 cMLYWwvH4XOBC4l0SU523phMyEW0OPas38EWd2NMCYaO1URA944+cS68DUvCqrrRzGmixY03PcaV
 uJ/+KA3L2u9esq8vt8s5m8aW8MWQWIkCAwEAAaOCAZEwggGNMIIBewYDVR0RBIIBcjCCAW6BFWpl
 cmVteWh1QGJlcmtlbGV5LmVkdYEcamVyZW15aHVAdWNsaW5rLmJlcmtlbGV5LmVkdYEdamVyZW15
 aHVAdWNsaW5rNC5iZXJrZWxleS5lZHWBGGplcmVteWh1QGNzLmJlcmtlbGV5LmVkdYEaamVyZW15
 QHVwZS5jcy5iZXJrZWxleS5lZHWBGmplcmVteWh1QGVlY3MuYmVya2VsZXkuZWR1gRhqZXJlbXlo
 dUBmcmVlZGVza3RvcC5vcmeBFWplcmVteWh1QG1hY3BvcnRzLm9yZ4EWamVyZW15QG91dGVyc3F1
 YXJlLm9yZ4ERamVyZW15aHVkQG1hYy5jb22BFGplcmVteUBodWRzY2FiaW4uY29tgRJqZXJlbXlo
 dUBhcHBsZS5jb22BFmplcmVteUBvdXRlcnNxdWFyZS5jb22BFnBheXBhbEBvdXRlcnNxdWFyZS5j
 b22BEGplcmVteWh1ZEBtZS5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQBAga5a
 Jmkyd0TMiY0icyR7j5soyooiP4q9+Iu6lG+s/S+7vF5sDadCq+Y7US091MNT4LmbQehwwhi4jUWy
 EZ+KP9dhfWMqi51rZDbhWxAqAoKmgWgoQ9UsA4LqaC1wWlrM/DtzZ7+L5ZZ+MWlr94fDNL8qU3+y
 3ZfiXgpWBV1x1zGCAxAwggMMAgEBMHYwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBD
 b25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJ
 c3N1aW5nIENBAhBfIA3CIvCJAyf8rsNvgxtuMAkGBSsOAwIaBQCgggFvMBgGCSqGSIb3DQEJAzEL
 BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA5MTEwMzAwMjAzNlowIwYJKoZIhvcNAQkEMRYE
 FGUKnuwBQFqL7A4A+NI83+fLZxzUMIGFBgkrBgEEAYI3EAQxeDB2MGIxCzAJBgNVBAYTAlpBMSUw
 IwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVy
 c29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQKF0Nr8sW2fhCBNsoUjwm8zCBhwYLKoZIhvcNAQkQ
 AgsxeKB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBM
 dGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQKF0Nr8sW
 2fhCBNsoUjwm8zANBgkqhkiG9w0BAQEFAASCAQBw1R490yx48JLxe+ltwhREbLTgBHWs5PFDAAF0
 7KlejOIXf/qlhdeVs9Y1wUPELpNbmJu2lF/SIBPRCrPWR12wlZTgyxgxnKi1wRbGyzG8i7OQMvVG
 1jd/f5gDe7cy3QJxVLaxyB3D33CLyRdkon+a/j9+Q6ybej6lEyLeBK59/IKf25w73VF6cEooikEj
 vvmtLLtRZXnfw6B1gyjtvn1k1HcQAAzphd/BQhq3mpCdsRASWfHDDv9CdDaRl/qKmHHCCLDnKb/n
 k7SScPyNeIse2jlG+uFB0ysbD9eY+z5iX/XZTSkKDOTUYyUVUK1XRTGcShZXElsrDU2ndWzXeLCx
 AAAAAAAA
 
 --Apple-Mail-10--272437935--

From: Maxim Konovalov <maxim@macomnet.ru>
To: Jeremy Huddleston <jeremyhu@apple.com>
Cc: bug-followup@freebsd.org
Subject: Re: bin/140228: mktemp(1) buffer overrun
Date: Tue, 3 Nov 2009 15:41:54 +0300 (MSK)

 Hello,
 
 According to
 http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.bin/mktemp/mktemp.c?rev=1.5
 there is no such code in FreeBSD.
 
 What version of mktemp.c do you use?
 
 -- 
 Maxim Konovalov

From: Jeremy Huddleston <jeremyhu@apple.com>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@freebsd.org
Subject: Re: bin/140228: mktemp(1) buffer overrun
Date: Tue, 3 Nov 2009 08:53:56 -0800

 --Apple-Mail-6--212837767
 Content-Transfer-Encoding: quoted-printable
 Content-Type: text/plain;
 	charset=us-ascii
 
 revision 1.5 is 12 years old.  I suggest you update whatever you used to =
 find it as the current source.
 
 This is against version 1.31 of mktemp.c :
 
 =
 http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdio/mktemp.c?only_wit=
 h_tag=3DMAIN
 =
 http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libc/stdio/mktemp=
 .c?rev=3D1.31
 
 On Nov 3, 2009, at 04:41, Maxim Konovalov wrote:
 
 > Hello,
 >=20
 > According to
 > =
 http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.bin/mktemp/mktemp.c?rev=3D1.=
 5
 > there is no such code in FreeBSD.
 >=20
 > What version of mktemp.c do you use?
 >=20
 > --=20
 > Maxim Konovalov
 
 
 --Apple-Mail-6--212837767
 Content-Disposition: attachment;
 	filename=smime.p7s
 Content-Type: application/pkcs7-signature;
 	name=smime.p7s
 Content-Transfer-Encoding: base64
 
 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIITbjCCAz8w
 ggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0
 ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcx
 KDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0
 ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxA
 dGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpB
 MSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUg
 UGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
 xKY8VXNV+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7d
 yfArhVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/
 p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDow
 OKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3Js
 MAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgw
 DQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A
 9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYI
 Tq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8wggM/MIICqKADAgECAgENMA0GCSqGSIb3
 DQEBBQUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlD
 YXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
 aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwg
 Q0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3
 MDAwMDAwWhcNMTMwNzE2MjM1OTU5WjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENv
 bnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElz
 c3VpbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f
 6f+jHuy9zfVb8hp2vX8MOmHyv1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/EfkTYk
 KhPPK9Xzgnc9A74r/rsYPge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7AgMBAAGj
 gZQwgZEwEgYDVR0TAQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsLnRo
 YXd0ZS5jb20vVGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8EBAMCAQYwKQYDVR0R
 BCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqGSIb3DQEBBQUAA4GBAEiM
 0VCD6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQcUCCTcDz9reFhYsPZOhl+hLGZ
 GwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bGCE6u9uo05RAaWzVNd+NWIXiC3CEZ
 Nd4ksdMdRv9dX2VPMIIGcDCCBdmgAwIBAgIQKF0Nr8sW2fhCBNsoUjwm8zANBgkqhkiG9w0BAQUF
 ADBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEs
 MCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDkwNTA0MDUy
 OTE0WhcNMTAwNTA0MDUyOTE0WjCCAnAxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIx
 JDAiBgkqhkiG9w0BCQEWFWplcmVteWh1QGJlcmtlbGV5LmVkdTErMCkGCSqGSIb3DQEJARYcamVy
 ZW15aHVAdWNsaW5rLmJlcmtlbGV5LmVkdTEsMCoGCSqGSIb3DQEJARYdamVyZW15aHVAdWNsaW5r
 NC5iZXJrZWxleS5lZHUxJzAlBgkqhkiG9w0BCQEWGGplcmVteWh1QGNzLmJlcmtlbGV5LmVkdTEp
 MCcGCSqGSIb3DQEJARYaamVyZW15QHVwZS5jcy5iZXJrZWxleS5lZHUxKTAnBgkqhkiG9w0BCQEW
 GmplcmVteWh1QGVlY3MuYmVya2VsZXkuZWR1MScwJQYJKoZIhvcNAQkBFhhqZXJlbXlodUBmcmVl
 ZGVza3RvcC5vcmcxJDAiBgkqhkiG9w0BCQEWFWplcmVteWh1QG1hY3BvcnRzLm9yZzElMCMGCSqG
 SIb3DQEJARYWamVyZW15QG91dGVyc3F1YXJlLm9yZzEgMB4GCSqGSIb3DQEJARYRamVyZW15aHVk
 QG1hYy5jb20xIzAhBgkqhkiG9w0BCQEWFGplcmVteUBodWRzY2FiaW4uY29tMSEwHwYJKoZIhvcN
 AQkBFhJqZXJlbXlodUBhcHBsZS5jb20xJTAjBgkqhkiG9w0BCQEWFmplcmVteUBvdXRlcnNxdWFy
 ZS5jb20xJTAjBgkqhkiG9w0BCQEWFnBheXBhbEBvdXRlcnNxdWFyZS5jb20xHzAdBgkqhkiG9w0B
 CQEWEGplcmVteWh1ZEBtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwVnJ8
 XrKgByWkhJhQDk7Kj45PnZYRXJNQfcTyBQsqSqfUh13Limf2qJTxpw8Mdq/SuNkO3ZjLkaYGPB4+
 8uaHdDqGEanq2wf4qKV4dyFEQO92mRQRxLijfBS4CunlSYzHuPd6g5osI0BVpFbNRswqOXWbHd1z
 XRVvRqpvYKQJFWLf3dqXU3zZO2nv4sabnovbNCKEO6HrxQeawFfwxL20adsK5F1ejK1VRSEsTzd7
 BjNs8QTWC4qZKrrNuaPJLVt4LDbRXIqOggrZaOkggIBIIdXubjOrrpR41PvcvibfvYLUpo3bdX5e
 tWH/VU/ywIS3oIc4d+VtOL/O3YdCpX0FAgMBAAGjggGRMIIBjTCCAXsGA1UdEQSCAXIwggFugRVq
 ZXJlbXlodUBiZXJrZWxleS5lZHWBHGplcmVteWh1QHVjbGluay5iZXJrZWxleS5lZHWBHWplcmVt
 eWh1QHVjbGluazQuYmVya2VsZXkuZWR1gRhqZXJlbXlodUBjcy5iZXJrZWxleS5lZHWBGmplcmVt
 eUB1cGUuY3MuYmVya2VsZXkuZWR1gRpqZXJlbXlodUBlZWNzLmJlcmtlbGV5LmVkdYEYamVyZW15
 aHVAZnJlZWRlc2t0b3Aub3JngRVqZXJlbXlodUBtYWNwb3J0cy5vcmeBFmplcmVteUBvdXRlcnNx
 dWFyZS5vcmeBEWplcmVteWh1ZEBtYWMuY29tgRRqZXJlbXlAaHVkc2NhYmluLmNvbYESamVyZW15
 aHVAYXBwbGUuY29tgRZqZXJlbXlAb3V0ZXJzcXVhcmUuY29tgRZwYXlwYWxAb3V0ZXJzcXVhcmUu
 Y29tgRBqZXJlbXlodWRAbWUuY29tMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAMtx6
 voXn2w2+kaevSb7REuy5TBAQNzwlcwLiaC44HMVhwQGEYG544mBabCqY2+MtLbEn2RDQGHArtuCA
 Tv9liObLp6UPNKo+8Bcd3edN0dlFSeb0wFPVt71e05dGeyIoBxIrM4ix2BON/SHcGsgt3n1DRXen
 JLYVV809vRtHQpowggZwMIIF2aADAgECAhBfIA3CIvCJAyf8rsNvgxtuMA0GCSqGSIb3DQEBBQUA
 MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSww
 KgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0wOTA5MTQyMTM2
 MjdaFw0xMDA5MTQyMTM2MjdaMIICcDEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEk
 MCIGCSqGSIb3DQEJARYVamVyZW15aHVAYmVya2VsZXkuZWR1MSswKQYJKoZIhvcNAQkBFhxqZXJl
 bXlodUB1Y2xpbmsuYmVya2VsZXkuZWR1MSwwKgYJKoZIhvcNAQkBFh1qZXJlbXlodUB1Y2xpbms0
 LmJlcmtlbGV5LmVkdTEnMCUGCSqGSIb3DQEJARYYamVyZW15aHVAY3MuYmVya2VsZXkuZWR1MSkw
 JwYJKoZIhvcNAQkBFhpqZXJlbXlAdXBlLmNzLmJlcmtlbGV5LmVkdTEpMCcGCSqGSIb3DQEJARYa
 amVyZW15aHVAZWVjcy5iZXJrZWxleS5lZHUxJzAlBgkqhkiG9w0BCQEWGGplcmVteWh1QGZyZWVk
 ZXNrdG9wLm9yZzEkMCIGCSqGSIb3DQEJARYVamVyZW15aHVAbWFjcG9ydHMub3JnMSUwIwYJKoZI
 hvcNAQkBFhZqZXJlbXlAb3V0ZXJzcXVhcmUub3JnMSAwHgYJKoZIhvcNAQkBFhFqZXJlbXlodWRA
 bWFjLmNvbTEjMCEGCSqGSIb3DQEJARYUamVyZW15QGh1ZHNjYWJpbi5jb20xITAfBgkqhkiG9w0B
 CQEWEmplcmVteWh1QGFwcGxlLmNvbTElMCMGCSqGSIb3DQEJARYWamVyZW15QG91dGVyc3F1YXJl
 LmNvbTElMCMGCSqGSIb3DQEJARYWcGF5cGFsQG91dGVyc3F1YXJlLmNvbTEfMB0GCSqGSIb3DQEJ
 ARYQamVyZW15aHVkQG1lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+c2RGH
 leO3G25PQEPEVsV3H/cWDewBCnMbqV0zgEg3hMyoRUG3aRUgH4gWbhVNkx/5t0A+mLQQWNnktg2J
 ku4MJJhHmarkxQAwITyamyO+37GHFl2d7oe5J7CFwg3Evf/2Lli0mfglfDHBy5YN9yURbSMVRaDV
 WGHhpYkqTwGXG2Bpai7oqdOlB0hDcRGE4Fv5aurxAuxyIohZMuxhZBzDfmidKsOUTnsz+NCUFIXK
 cMLYWwvH4XOBC4l0SU523phMyEW0OPas38EWd2NMCYaO1URA944+cS68DUvCqrrRzGmixY03PcaV
 uJ/+KA3L2u9esq8vt8s5m8aW8MWQWIkCAwEAAaOCAZEwggGNMIIBewYDVR0RBIIBcjCCAW6BFWpl
 cmVteWh1QGJlcmtlbGV5LmVkdYEcamVyZW15aHVAdWNsaW5rLmJlcmtlbGV5LmVkdYEdamVyZW15
 aHVAdWNsaW5rNC5iZXJrZWxleS5lZHWBGGplcmVteWh1QGNzLmJlcmtlbGV5LmVkdYEaamVyZW15
 QHVwZS5jcy5iZXJrZWxleS5lZHWBGmplcmVteWh1QGVlY3MuYmVya2VsZXkuZWR1gRhqZXJlbXlo
 dUBmcmVlZGVza3RvcC5vcmeBFWplcmVteWh1QG1hY3BvcnRzLm9yZ4EWamVyZW15QG91dGVyc3F1
 YXJlLm9yZ4ERamVyZW15aHVkQG1hYy5jb22BFGplcmVteUBodWRzY2FiaW4uY29tgRJqZXJlbXlo
 dUBhcHBsZS5jb22BFmplcmVteUBvdXRlcnNxdWFyZS5jb22BFnBheXBhbEBvdXRlcnNxdWFyZS5j
 b22BEGplcmVteWh1ZEBtZS5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQBAga5a
 Jmkyd0TMiY0icyR7j5soyooiP4q9+Iu6lG+s/S+7vF5sDadCq+Y7US091MNT4LmbQehwwhi4jUWy
 EZ+KP9dhfWMqi51rZDbhWxAqAoKmgWgoQ9UsA4LqaC1wWlrM/DtzZ7+L5ZZ+MWlr94fDNL8qU3+y
 3ZfiXgpWBV1x1zGCAxAwggMMAgEBMHYwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBD
 b25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJ
 c3N1aW5nIENBAhBfIA3CIvCJAyf8rsNvgxtuMAkGBSsOAwIaBQCgggFvMBgGCSqGSIb3DQEJAzEL
 BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA5MTEwMzE2NTM1NlowIwYJKoZIhvcNAQkEMRYE
 FKaXwhNZQvhXFyt2CqN16kRtAnIUMIGFBgkrBgEEAYI3EAQxeDB2MGIxCzAJBgNVBAYTAlpBMSUw
 IwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVy
 c29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQKF0Nr8sW2fhCBNsoUjwm8zCBhwYLKoZIhvcNAQkQ
 AgsxeKB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBM
 dGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQKF0Nr8sW
 2fhCBNsoUjwm8zANBgkqhkiG9w0BAQEFAASCAQBO9r6sRu5DwFdzuIFGR32mZuuzCpa+Kw/Kr4dg
 5pCBPjEqANGqk7AZKela8E/5AEz0MaVBrhLO/Bc1FnqXhh2gbzx+oWk2XC7OBoph/tVDr6/gX0MS
 nMJxhk06ufXGudyJ4SmHJc9ryCn72XHzPY6YCFMoGXLUocl8KyOXj+NhKR6W+pVEvJnSpJKvutZr
 /F1Sf27KUw/l1rpNrFc5y3ebVOln1UKfEKVRfIJ7LA65kqziDmVgmk5XN0+t3T5RdcxHKpBn2oFD
 1Hl8Y9FcnWtkwvSDB0wuROZZeVWC24Sj8/KVQcm4xGrJXyBpdewftsTFOIiUaBPLnRmF5FO2lNXf
 AAAAAAAA
 
 --Apple-Mail-6--212837767--

From: Maxim Konovalov <maxim@macomnet.ru>
To: Jeremy Huddleston <jeremyhu@apple.com>
Cc: bug-followup@freebsd.org
Subject: Re: bin/140228: mktemp(1) buffer overrun
Date: Wed, 4 Nov 2009 08:43:00 +0300 (MSK)

 On Tue, 3 Nov 2009, 08:53-0800, Jeremy Huddleston wrote:
 
 > revision 1.5 is 12 years old.  I suggest you update whatever you
 > used to find it as the current source.
 >
 We are speaking about different mktemp.c.  Mine from usr.bin/mktemp/.
 
 > This is against version 1.31 of mktemp.c :
 >
 > http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdio/mktemp.c?only_with_tag=MAIN
 > http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libc/stdio/mktemp.c?rev=1.31
 >
 Yep, I see now.
 
 -- 
 Maxim Konovalov

From: Jilles Tjoelker <jilles@stack.nl>
To: bug-followup@FreeBSD.org, jeremyhu@apple.com
Cc:  
Subject: Re: bin/140228: [patch] mktemp(1) buffer overrun
Date: Fri, 6 Nov 2009 19:05:48 +0100

 It seems more reasonable to have _gettemp() check the length of its
 input string, and fail with ENAMETOOLONG if it is longer than
 MAXPATHLEN. Your patch relies on the kernel to reject names longer than
 MAXPATHLEN with ENAMETOOLONG to avoid it reading past the end of
 carrybuf (in obscure cases).
 
 -- 
 Jilles Tjoelker
Responsible-Changed-From-To: freebsd-bugs->jh 
Responsible-Changed-By: jh 
Responsible-Changed-When: Sun Feb 28 08:18:39 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=140228 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/140228: commit references a PR
Date: Sun, 28 Feb 2010 13:31:42 +0000 (UTC)

 Author: jh
 Date: Sun Feb 28 13:31:29 2010
 New Revision: 204447
 URL: http://svn.freebsd.org/changeset/base/204447
 
 Log:
   In _gettemp(), check that the length of the path doesn't exceed
   MAXPATHLEN. Otherwise the path name (or part of it) may not fit to
   carrybuf causing a buffer overflow.
   
   PR:		bin/140228
   Suggested by:	jilles
 
 Modified:
   head/lib/libc/stdio/mktemp.c
 
 Modified: head/lib/libc/stdio/mktemp.c
 ==============================================================================
 --- head/lib/libc/stdio/mktemp.c	Sun Feb 28 11:27:03 2010	(r204446)
 +++ head/lib/libc/stdio/mktemp.c	Sun Feb 28 13:31:29 2010	(r204447)
 @@ -116,6 +116,10 @@ _gettemp(path, doopen, domkdir, slen)
  
  	for (trv = path; *trv != '\0'; ++trv)
  		;
 +	if (trv - path >= MAXPATHLEN) {
 +		errno = ENAMETOOLONG;
 +		return (0);
 +	}
  	trv -= slen;
  	suffp = trv;
  	--trv;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: jh 
State-Changed-When: Sun Feb 28 13:45:56 UTC 2010 
State-Changed-Why:  
Patched in head (r204447). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=140228 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/140228: commit references a PR
Date: Fri, 12 Mar 2010 06:57:04 +0000 (UTC)

 Author: jh
 Date: Fri Mar 12 06:56:51 2010
 New Revision: 205070
 URL: http://svn.freebsd.org/changeset/base/205070
 
 Log:
   MFC r204447:
   
   In _gettemp(), check that the length of the path doesn't exceed
   MAXPATHLEN. Otherwise the path name (or part of it) may not fit to
   carrybuf causing a buffer overflow.
   
   PR:		bin/140228
 
 Modified:
   stable/8/lib/libc/stdio/mktemp.c
 Directory Properties:
   stable/8/lib/libc/   (props changed)
   stable/8/lib/libc/stdtime/   (props changed)
 
 Modified: stable/8/lib/libc/stdio/mktemp.c
 ==============================================================================
 --- stable/8/lib/libc/stdio/mktemp.c	Fri Mar 12 06:31:19 2010	(r205069)
 +++ stable/8/lib/libc/stdio/mktemp.c	Fri Mar 12 06:56:51 2010	(r205070)
 @@ -116,6 +116,10 @@ _gettemp(path, doopen, domkdir, slen)
  
  	for (trv = path; *trv != '\0'; ++trv)
  		;
 +	if (trv - path >= MAXPATHLEN) {
 +		errno = ENAMETOOLONG;
 +		return (0);
 +	}
  	trv -= slen;
  	suffp = trv;
  	--trv;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/140228: commit references a PR
Date: Fri, 19 Mar 2010 12:05:11 +0000 (UTC)

 Author: jh
 Date: Fri Mar 19 12:04:56 2010
 New Revision: 205330
 URL: http://svn.freebsd.org/changeset/base/205330
 
 Log:
   MFC r204447:
   
   In _gettemp(), check that the length of the path doesn't exceed
   MAXPATHLEN. Otherwise the path name (or part of it) may not fit to
   carrybuf causing a buffer overflow.
   
   PR:		bin/140228
 
 Modified:
   stable/7/lib/libc/stdio/mktemp.c
 Directory Properties:
   stable/7/lib/libc/   (props changed)
   stable/7/lib/libc/stdtime/   (props changed)
 
 Modified: stable/7/lib/libc/stdio/mktemp.c
 ==============================================================================
 --- stable/7/lib/libc/stdio/mktemp.c	Fri Mar 19 11:59:02 2010	(r205329)
 +++ stable/7/lib/libc/stdio/mktemp.c	Fri Mar 19 12:04:56 2010	(r205330)
 @@ -116,6 +116,10 @@ _gettemp(path, doopen, domkdir, slen)
  
  	for (trv = path; *trv != '\0'; ++trv)
  		;
 +	if (trv - path >= MAXPATHLEN) {
 +		errno = ENAMETOOLONG;
 +		return (0);
 +	}
  	trv -= slen;
  	suffp = trv;
  	--trv;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/140228: commit references a PR
Date: Fri, 19 Mar 2010 12:07:42 +0000 (UTC)

 Author: jh
 Date: Fri Mar 19 12:07:28 2010
 New Revision: 205331
 URL: http://svn.freebsd.org/changeset/base/205331
 
 Log:
   MFC r204447:
   
   In _gettemp(), check that the length of the path doesn't exceed
   MAXPATHLEN. Otherwise the path name (or part of it) may not fit to
   carrybuf causing a buffer overflow.
   
   PR:		bin/140228
 
 Modified:
   stable/6/lib/libc/stdio/mktemp.c
 Directory Properties:
   stable/6/lib/libc/   (props changed)
 
 Modified: stable/6/lib/libc/stdio/mktemp.c
 ==============================================================================
 --- stable/6/lib/libc/stdio/mktemp.c	Fri Mar 19 12:04:56 2010	(r205330)
 +++ stable/6/lib/libc/stdio/mktemp.c	Fri Mar 19 12:07:28 2010	(r205331)
 @@ -120,6 +120,10 @@ _gettemp(path, doopen, domkdir, slen)
  
  	for (trv = path; *trv != '\0'; ++trv)
  		;
 +	if (trv - path >= MAXPATHLEN) {
 +		errno = ENAMETOOLONG;
 +		return (0);
 +	}
  	trv -= slen;
  	suffp = trv;
  	--trv;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: jh 
State-Changed-When: Fri Mar 19 12:40:18 UTC 2010 
State-Changed-Why:  
Fixed in head, stable/8, stable/7 and stable/6. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=140228 
>Unformatted:
