Date: Wed, 10 May 2000 16:31:16 -0400
From: foo <foo@BLACKLISTED.INTRANOVA.NET>
Subject: Possible symlink problems with Netscape 4.73
To: BUGTRAQ@SECURITYFOCUS.COM

It appears that Netscape 4.73 (and earlier versions) incorrectly creates a temporary file in '/tmp' when importing certificates:

    ...
    open("/tmp/tmp3919AA5000A07DC", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 25
    fchmod(25, 0600) = 0
    fstat(25, {st_mode=0,st_size=0, ...}) = 0
    ...

Netscape doesn't try to stat()/lstat() the file beforehand, although it wouldn't help much since open() uses O_TRUNC without O_EXCL (which is the problem in itself).

I sent a small note about this to Netscape a number of months ago and have not received a reply. (am I possibly missing something here?, *shrug*)

Not a big bug, but a bug nonetheless =)
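
The open() flags from the trace above next to an O_CREAT|O_EXCL form, as an added example that is not part of the original post and is not Netscape's code. The function names, the scratch directory and the 15-byte sample file are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags and mode as in the trace: an existing symlink is followed and its
 * target truncated; fchmod() only runs once the file already exists. */
int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* O_CREAT|O_EXCL fails with EEXIST if the name exists (symlinks included)
 * and the file is 0600 from creation; mkstemp() also randomizes the name. */
int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed check in a private scratch dir: a 15-byte file, a symlink to
 * it standing in for the temp name, one opener call. Returns the file size
 * afterwards (-1 on setup failure); *open_errno is 0 if the open succeeded. */
long target_size_after(int (*opener)(const char *), int *open_errno) {
    char dir[] = "/tmp/o_excl_demo.XXXXXX", target[64], name[64];
    struct stat st;
    long size = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(name, sizeof name, "%s/tmpname", dir);
    FILE *f = fopen(target, "w");
    if (f != NULL && fputs("important data\n", f) >= 0 && fclose(f) == 0
        && symlink(target, name) == 0) {
        int fd = opener(name);
        *open_errno = (fd < 0) ? errno : 0;
        if (fd >= 0) close(fd);
        if (stat(target, &st) == 0) size = (long)st.st_size;
    }
    unlink(name); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    int e = 0;
    long a = target_size_after(open_tmp_unsafe, &e);
    long b = target_size_after(open_tmp_safe, &e);
    printf("O_TRUNC: %ld bytes left; O_EXCL: %ld bytes left, errno=%d\n", a, b, e);
    return 0;
}
```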