[Issue 6172] New: rdmd: insecure temporary file creation
June 17, 2011
http://d.puremagic.com/issues/show_bug.cgi?id=6172

           Summary: rdmd: insecure temporary file creation
           Product: D
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: DMD
        AssignedTo: nobody@puremagic.com
        ReportedBy: edelkind+puremagic@gmail.com


--- Comment #0 from ari edelkind <edelkind+puremagic@gmail.com> 2011-06-17 10:17:34 PDT ---
rdmd will create temporary files in /tmp/.rdmd .  A malicious user could pre-create such a directory and link target files elsewhere.

A more appropriate location for temporary files would be under the user's home directory (e.g. $HOME/.rdmd).  If the user's home directory is unwritable, then /tmp/.rdmd.[random] may be used.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
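The directory handling proposed in comment #0, sketched in C as an added example (not rdmd's code and not the patch linked in this thread): prefer `$HOME/.rdmd`, accept an already-existing directory only if `lstat` shows a real directory owned by the caller with no group/other write access, and otherwise fall back to a `mkdtemp`-generated `/tmp/.rdmd.XXXXXX`. The function names `use_private_dir` and `pick_cache_dir` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create `path` with mode 0700, or accept an existing
 * entry only if it is a directory we own that others cannot write to. */
int use_private_dir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) == 0)
        return 0;                 /* atomic create: nobody got there first */
    if (errno != EEXIST || lstat(path, &st) != 0)
        return -1;                /* lstat does not follow a planted symlink */
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid())
        return -1;                /* symlink, file, or another user's dir */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                /* others could plant or swap entries */
    return 0;
}

/* Hypothetical helper: choose <home>/.rdmd if it is safe, else a fresh
 * <tmproot>/.rdmd.XXXXXX. Writes the path to `out`; returns 0 or -1. */
int pick_cache_dir(const char *home, const char *tmproot, char *out, size_t n)
{
    int len;
    if (home && *home) {
        len = snprintf(out, n, "%s/.rdmd", home);
        if (len > 0 && (size_t)len < n && use_private_dir(out) == 0)
            return 0;
    }
    len = snprintf(out, n, "%s/.rdmd.XXXXXX", tmproot);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return mkdtemp(out) ? 0 : -1; /* unpredictable name, created mode 0700 */
}

int main(void)
{
    char dir[4096];
    if (pick_cache_dir(getenv("HOME"), "/tmp", dir, sizeof dir) != 0)
        return 1;
    puts(dir);                    /* the directory the tool would use */
    return 0;
}
```

A fixed name such as `/tmp/.rdmd` passes `use_private_dir` only when the caller created it or already owns it; a directory or symlink pre-created by another user is rejected rather than reused.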
July 22, 2011
http://d.puremagic.com/issues/show_bug.cgi?id=6172


gslopsema+dbugzilla@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gslopsema+dbugzilla@gmail.com


--- Comment #1 from gslopsema+dbugzilla@gmail.com 2011-07-22 13:38:58 PDT ---
Not assigned to me, however a patch which appends a string of random numbers to /tmp/.rdmd can be found at

https://github.com/garslo/tools/commit/c19361441bf6546dfde2c450187c46856dd41965

with pull request

https://github.com/D-Programming-Language/tools/pull/4

April 28, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=6172


Walter Bright <bugzilla@digitalmars.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bugzilla@digitalmars.com
         Resolution|                            |WORKSFORME


--- Comment #2 from Walter Bright <bugzilla@digitalmars.com> 2012-04-28 01:44:45 PDT ---
This was pulled and incorporated some time ago.

April 28, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=6172



--- Comment #3 from ari edelkind <edelkind+puremagic@gmail.com> 2012-04-28 05:37:04 PDT ---
Given that I reported this issue nearly a year ago, this isn't the sort of response time that I was hoping for with either a security report or a "critical" bug report.

For future reference, is there another avenue that I should use to report such issues for a more timely acknowledgement, or is this the sort of response time I should expect?

April 28, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=6172



--- Comment #4 from Andrei Alexandrescu <andrei@metalanguage.com> 2012-04-28 08:26:45 PDT ---
If an issue stops you from getting work done, it's always a good idea to substantiate the reason in the bug report. Also, starting a discussion on the topic at http://forum.dlang.org is helpful.

On the face of it this doesn't look like a showstopper. If the matter is absolutely essential, there are many possible workarounds, starting with changing rdmd.d and ending with simply using dmd instead of rdmd for critical work.
