Marc Espie and Christian Weisgerber of the OpenBSD project reported that the jas_stream_tmpfile() function used by jasper to create temporary files uses the tmpnam C library function to create temporary names. Usage of the tmpnam function may result in races in temporary file creation. OpenBSD jasper library patches: http://www.openbsd.org/cgi-bin/cvsweb/ports/graphics/jasper/patches/
Created attachment 316078: OpenBSD patch
Even though tmpnam is used in jas_stream_tmpfile, the subsequent open is called with O_CREAT | O_EXCL flags. Therefore, this cannot be used to overwrite / create new files via a symlink attack. An attacker may possibly be able to create a file with the name returned by tmpnam before open is called, but open will fail in such a case and that failure is handled gracefully by jasper.

At worst, this can result in a DoS attack against an application using jasper. An attacker needs to win a race (not trivial), and the same result can be achieved via easier ways (fill /tmp partition), which are not prevented by mkstemp usage. Therefore, this will not be treated as a security issue.

As for netpbm, which contains a copy of (part of) the jasper code, it uses mkstemp in the recent versions (such as those shipped in Red Hat Enterprise Linux 5 and current Fedora versions).
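The behaviour the comment above relies on, as an added example that is not part of the bug report or of jasper's code: open() with O_CREAT | O_EXCL refuses a name that already exists, including a dangling symlink, so the link target is never created. The paths and function names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The open pattern the comment describes: exclusive create on a given name.
 * Returns an fd, or -1 with errno set (EEXIST if the name already exists). */
static int open_exclusive(const char *path)
{
    return open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
}

/* Constructed scenario: a dangling symlink already sits at the chosen name.
 * Returns the errno of the exclusive open if it was refused and the link
 * target was not created; 0 if the open went through; -1 on setup failure. */
static int excl_open_over_symlink(void)
{
    char dir[] = "/tmp/excl_demo_XXXXXX";   /* constructed scratch directory */
    char name[64], target[64];
    int fd, err, created;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(name, sizeof name, "%s/name", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, name) != 0) {
        rmdir(dir);
        return -1;
    }
    errno = 0;
    fd = open_exclusive(name);              /* POSIX: fails with EEXIST on a symlink */
    err = errno;
    if (fd >= 0) close(fd);
    created = (access(target, F_OK) == 0);  /* was anything written through the link? */
    unlink(target);
    unlink(name);
    rmdir(dir);
    return (fd < 0 && !created) ? err : 0;
}

int main(void)
{
    char tmpl[] = "/tmp/mkstemp_demo_XXXXXX";
    int fd = mkstemp(tmpl);   /* picks the name and creates it exclusively */
    printf("symlink case errno=%d (EEXIST=%d), mkstemp fd=%d\n",
           excl_open_over_symlink(), EEXIST, fd);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    return 0;
}
```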