From c71c95b401a49a69281af562062375c85592074d Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Mon, 12 Mar 2001 04:54:10 +0000 Subject: Security fix. svn path=/trunk/; revision=3240 --- NEWS | 4 ++++ fetchmail-features.html | 6 +++--- fetchmailconf | 6 +++--- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 405ef9b4..09755591 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ (The `lines' figures total .c, .h, .l, and .y files under version control.) +* Fix insecure tempfile creation bug in fetchmailconf, thanks + to Colin Phipps +* Documentation refresh. + fetchmail-5.7.3 (Sun Mar 11 17:01:56 EST 2001), 20323 lines: * Incorporate SA_LEN patch from Red Hat. diff --git a/fetchmail-features.html b/fetchmail-features.html index ba2ca2c0..355eb4f7 100644 --- a/fetchmail-features.html +++ b/fetchmail-features.html @@ -10,7 +10,7 @@
Back to Fetchmail Home Page To Site Map -$Date: 2001/03/07 16:15:19 $ +$Date: 2001/03/12 04:54:10 $

@@ -23,7 +23,7 @@ open port 25.
  • Support for AUTH=CRAM-MD5 under POP3, a la RFC2195. -
  • Support for ODMR (On-Demand Mail Relay), RFC 2645. +
  • Support for ODMR (On-Demand Mail Relay), RFC 2645 (untested).
  • It's now easy to deliver mail to a local LMTP socket. @@ -243,7 +243,7 @@ get-mail, gwpop, pimp-1.0, pop-perl5-1.2, popc, popmail-1.6 and upop.
    Back to Fetchmail Home Page To Site Map -$Date: 2001/03/07 16:15:19 $ +$Date: 2001/03/12 04:54:10 $

    Eric S. Raymond <esr@snark.thyrsus.com>
diff --git a/fetchmailconf b/fetchmailconf
index 7181de34..c935e4f6 100755
--- a/fetchmailconf
+++ b/fetchmailconf
@@ -4,11 +4,11 @@
 # by Eric S. Raymond, .
 # Requires Python with Tkinter, and the following OS-dependent services:
 # posix, posixpath, socket
-version = "1.34"
+version = "1.35"
 
 from Tkinter import *
 from Dialog import *
-import sys, time, os, string, socket, getopt
+import sys, time, os, string, socket, getopt, tempfile
 
 #
 # Define the data structures the GUIs will be tossing around
@@ -1923,7 +1923,7 @@ gUSiYASJpMEHhilJTEnhAlGoQqYAZQ1AiqEMZ0jDGtqQImhwwA13yMMevoQAGvGhEAWHGMOAAAA7
 # Read the existing configuration. We set the umask to 077 to make sure
 # that group & other read/write permissions are shut off -- we wouldn't
 # want crackers to snoop password information out of the tempfile.
- tmpfile = "/tmp/fetchmailconf." + `os.getpid()`
+ tmpfile = tempfile.mktemp()
 if rcfile:
 cmd = "umask 077; fetchmail -f " + rcfile + " --configdump --nosyslog >" + tmpfile
 else:
-- 
cgit v1.2.3
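Review bot: In the `@@ -1923,7 +1923,7 @@` hunk, `tempfile.mktemp()` only returns a name; the file is still created later by the shell's `>` redirection, so the gap between choosing the name and creating the file remains. The `umask 077` in `cmd` does not help if something already exists at that path, because `>` opens and follows whatever is there. Either create the file exclusively before running the command, `fd = os.open(tmpfile, os.O_WRONLY|os.O_CREAT|os.O_EXCL, 0600); os.close(fd)`, or drop the temp file and read the dump through a pipe with `os.popen("fetchmail -f " + rcfile + " --configdump --nosyslog")`. Separately, `rcfile` is concatenated unquoted into a shell command line, so a path with spaces or shell metacharacters changes what is executed. The `else:` branch and the code that reads `tmpfile` lie outside the hunk and would presumably need the same treatment.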