[Xquartz-dev] ah-HAH! the precise problem here is … (Re: I got it working, but still potential problem (Re: Getting bad DISPLAY value during use of 2.6.1-2.6.2 (not with 2.6.0 & before).)
Jeremy Huddleston
jeremyhu at apple.com
Sat Apr 30 17:01:37 PDT 2011
On Apr 30, 2011, at 10:36, Peter O'Gorman wrote:
>> # Use mktemp rather than mkdir to avoid possible security issue
>> # if $dir exists and is a symlink
> I don't understand what this is trying to do; in no case will $dir contain XXXXXX for mktemp to replace with randomness, so in all cases Mac OS X mktemp behaves the same as mkdir ${dir}.
I refer you to the comment in the script. Using mkdir can lead to a man-in-the-middle attack on those sockets. That issue was specifically addressed in XQuartz 2.2.0, three years ago (and also a Leopard update at some point... either SecUpdate2008-002 or 10.5.5):
http://xquartz.macosforge.org/trac/wiki/X112.2.0
http://xquartz.macosforge.org/trac/wiki/Releases
--Jeremy
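A defensive version of the directory handling discussed above, added here as an example and not taken from the XQuartz startup script or from either poster: it creates the socket directory only when nothing is at the path, and if something already exists there it refuses a symlink, a non-directory, a directory owned by someone else, or one that is group/world writable, instead of silently reusing it the way `mkdir -p` would. `safe_socket_dir` is a hypothetical name; it assumes a POSIX sh with the widely supported `test -O` extension and a `find` that accepts symbolic `-perm` modes (GNU and BSD/macOS both do).

```shell
#!/bin/sh
# Added example (hypothetical helper, not XQuartz code): create or validate a
# per-user socket directory without trusting whatever is already at the path.
# Usage: safe_socket_dir /path/to/sockets ; returns 0 if the path is safe to use.

safe_socket_dir() {
    dir="$1"

    # A symlink at the path is the classic trap: mkdir -p would "succeed" and the
    # sockets would be created wherever the link points. Refuse it outright.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi

    if [ ! -e "$dir" ]; then
        # Plain mkdir (no -p) is atomic: if anything appears at the path between
        # the test above and this call, it fails instead of following it.
        mkdir -m 700 "$dir" || return 1
        return 0
    fi

    # Path already exists and is not a symlink: it must be a real directory...
    if [ ! -d "$dir" ]; then
        echo "refusing: $dir exists but is not a directory" >&2
        return 1
    fi
    # ...owned by the effective user (test -O: bash, dash, ksh extension)...
    if [ ! -O "$dir" ]; then
        echo "refusing: $dir is not owned by uid $(id -u)" >&2
        return 1
    fi
    # ...and not writable by group or others, or anyone could plant sockets.
    # -prune keeps find on the directory itself; -perm -g+w means "g+w bit set".
    if [ -n "$(find "$dir" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "refusing: $dir is group- or world-writable" >&2
        return 1
    fi
    # Note: this validation branch cannot be fully race-free from shell; the
    # create branch above is the one that gives atomic guarantees.
    return 0
}
```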