I happened to notice that configure.in writes semi-predictable filenames into /tmp, which is bad for all the usual reasons.
Created attachment 41680
configure.in: use AC_TRY_COMPILE to avoid a symlink attack in /tmp during compilation

Created attachment 41681
Fix the check for -Wfloat-equal

Created attachment 41682
cmake/cross-compile.sh: use mktemp(1) to avoid a symlink attack in /tmp
These should probably go to 1.2 too. I haven't done the CVE-number dance since these only apply when compiling dbus, not when using it (and cmake/cross-compile.sh isn't used by default).
15:14 < wjt> smcv: tmp looks fine
15:15 < wjt> smcv: as does trivia

Fixed in git for 1.4.4 or 1.5.0.
... and in the 1.2 branch for 1.2.28 (only the AC_TRY_COMPILE patch there).
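
The hardened pattern these patches point at, as an added example (not the dbus patches themselves; `make_scratch` and `try_cflag` are hypothetical names): a compiler-flag probe that does its work in a private `mktemp -d` directory rather than under a guessable name in /tmp.

```sh
#!/bin/sh
# Added example; helper names are hypothetical and not taken from dbus.

# Create a scratch directory with an unpredictable name.
# mktemp -d creates it atomically with mode 0700 and fails if the name
# already exists, so a pre-planted symlink or file is never followed.
make_scratch() {
    mktemp -d "${TMPDIR:-/tmp}/conftest.XXXXXXXXXX"
}

# Probe whether the compiler accepts a flag (for example -Wfloat-equal).
# Every intermediate file lives inside the private scratch directory.
# Returns 0 if accepted, 1 if rejected, 2 if no scratch dir could be made.
try_cflag() {
    flag=$1
    cc=${CC:-cc}
    dir=$(make_scratch) || return 2

    printf 'int main(void) { return 0; }\n' > "$dir/conftest.c"

    if "$cc" "$flag" -c "$dir/conftest.c" -o "$dir/conftest.o" \
        >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi

    # Clean up regardless of the probe result.
    rm -rf "$dir"
    return "$rc"
}

# Usage: report whether the default compiler accepts the flag.
if try_cflag -Wfloat-equal; then
    echo "-Wfloat-equal: supported"
else
    echo "-Wfloat-equal: not supported"
fi
```
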