[Ada] [Security] Patch for buffer overflow in __gnat_tmp_name()

[Florian Weimer]

dewar@gnat.com (Robert Dewar) writes:

>> I understand your point.  However, honoring the TMPDIR environment
>> variable makes the I/O part of the Ada runtime unsuitable for
>> set-user-ID programs, so this removes a feature, too. ;-)
>
> Well that's very marginal. Just to be clear, this is ONLY used if the
> Ada programmer specifically creates a temporary file. I would think
> that any set-user-ID program that was creating a temporary file (or
> indeed any file) would be very careful about where the file went and
> what its name was, so indeed I think it is a bad idea for a set user
> id program to use the general "create a temp file, I don't care what
> it is called or where it goes" call.

Well, that's why I looked at the run-time library source code a while
ago and discovered the original problem (the /tmp race condition, not
directly linked to the buffer overflow/temporary file redirection
issue).

> I don't think it makes sense to take away this useful (and used, it
> was put there in response to a need not at random :-) feature just
> because an incompetent programmer might misuse it.

The competent programmer argument sounds familiar from quite a few
C vs. Ada discussions. ;-)

Shall I submit a new package, say GNAT.Temporary_Files, which
contains interfaces for setting TMPDIR, and a patch which removes
the buffer overflow?  I see that there is a function called
'__gnat_set_env_value', which uses putenv(), so I assume this is
portable (at least across UNIX).