From: Jakub Wilk
Date: Sat, 16 May 2015 16:38:29 +0200
Message-ID: <20150516143829.GA1741@jwilk.net>
References: <55537A9D.70306@redhat.com> <555703A7.3090600@msgid.tls.msk.ru>
In-Reply-To: <555703A7.3090600@msgid.tls.msk.ru>
Subject: Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request
To: oss-security@lists.openwall.com
Cc: qemu-devel@nongnu.org

* Michael Tokarev, 2015-05-16, 11:45:
>>./net/slirp.c:
>>    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
>>             (long)getpid(), instance++);
>
>This one is real, used for -smb argument, to start smbd, making its
>configuration. Maybe tmpnam() should be used here.

"Never use this function. Use mkstemp(3) or tmpfile(3) instead."

-- 
Jakub Wilk
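
The predictable name from the quoted snippet next to a hardened form, as an added example that is not QEMU's code or a patch from this thread. It assumes mkdtemp(3), the directory counterpart of the mkstemp(3) named in the reply, because `smb_dir` is a directory; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Name pattern from the quoted snippet: PID plus a counter, so any local
 * user can compute the path before the process creates it. */
static void predictable_name(char *buf, size_t len, int instance)
{
    snprintf(buf, len, "/tmp/qemu-smb.%ld-%d", (long)getpid(), instance);
}

/* Hardened form (assumed replacement): mkdtemp() fills in a random suffix and
 * creates the directory atomically with mode 0700, failing if the name exists. */
static int private_dir(char *buf, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    int n = snprintf(buf, len, "%s/qemu-smb.XXXXXX", base);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdtemp(buf) != NULL ? 0 : -1;
}

/* True if path is a real directory (not a symlink), owned by the caller,
 * with no group or other permission bits. */
static int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0;
}

int main(void)
{
    char old[64], dir[4096];
    predictable_name(old, sizeof old, 0);
    if (private_dir(dir, sizeof dir) != 0) { perror("mkdtemp"); return 1; }
    printf("predictable: %s\nprivate: %s (checked: %d)\n", old, dir, dir_is_private(dir));
    return rmdir(dir) == 0 ? 0 : 1;
}
```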