Diffstat (limited to 'chapter06/ed-inst.xml')
-rw-r--r-- chapter06/ed-inst.xml 13
1 files changed, 6 insertions, 7 deletions
diff --git a/chapter06/ed-inst.xml b/chapter06/ed-inst.xml
index 093273360..fa2e62e03 100644
--- a/chapter06/ed-inst.xml
+++ b/chapter06/ed-inst.xml
@@ -8,13 +8,12 @@ because it can be used by the patch program if you encounter an ed-based patch
file. This happens rarely because diff-based patches are preferred these
days.</para></note>
-<para>This package requires its patch to be applied before you can
-install it. This patch fixes a symlink vulnerability in
-<userinput>ed</userinput>. The <userinput>ed</userinput> executable
-creates files in <filename class="directory">/tmp</filename> with
-predictable names. By using various symlink attacks, it is possible
-to have ed write to files it should not, change the permissions of
-files, etc.</para>
+<para>Ed uses mktemp to create temporary files in <filename
+class="directory">/tmp</filename>, but this function has a security
+vulnerability (see section on Temporary Files in
+<ulink url="http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/avoid-race.html"/>).
+This patch makes Ed use mkstemp instead, which is the recommended way to
+create temporary files.</para>
<para>Apply the patch:</para>
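Review bot: The added paragraph describes the problem only as "this function has a security vulnerability" and defers everything else to the external ulink, so the concrete risk the removed lines spelled out (predictable names in /tmp, symlink attacks that make ed write to or change permissions on files it should not) is no longer in the book. Keep one sentence of that explanation next to the link so the text still stands if the URL is unreachable. In the same paragraph, mktemp and mkstemp are left as bare words and the program is written "Ed", while the removed lines used <userinput>ed</userinput>; mark up the two function names and keep the program name consistent with the rest of the page. The removed first sentence also told the reader the patch is required before installing; if that is still the case, say so ahead of "Apply the patch:".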