I guess IBM and Gradient had their chance to fix this bug, since I
reported it back in december 1996 (no typo, more than a year ago).
IIRC, HP-UX had (and may still have) this bug too.
Some complaints:
to IBM: I guess it's time to review the APAR process wrt security.
Having a security related bug hanging around for more than a
year at low priority is definitely a bad thing.
to IBM-ERS: I've submitted a Cc of my original bug report to
ers-tech@vnet.ibm.com but I never got any feedback.
Granted, you don't want to us to send any reports via
email, but this "small planet" isn't small enough to let me
call you via phone for free.
to DFN-CERT: Where have you been? No tracking seen despite my Cc.
Thanks to Troy Bollinger (troy@austin.ibm.com) for pointing out some
other insecurely created temporary files.
Regards,
Joerg