Please find attached a patch that fixes the remaining issue. wxFileName::CreateTempFileName() uses the secure mkstemp() function internally.

commit 27f353b38817a90370d8908f8b71c28c3915f848 (HEAD -> fix_predictable_rng_tmp)
Author: Wolfgang Frisch <wolfgang.frisch@suse.com>
Date: Mon Jan 13 14:12:47 2025 +0100

    Generate secure temporary paths in DisplayImage()

    srand(time(NULL)) is easy to predict because time() has a granularity of just one second. Instead use wxWidgets' CreateTempFileName() function....
P.S. Though the behaviour you describe should in theory have occurred, in practice the file failed to be overwritten. Did it actually happen in Tumbleweed? Files are only overwritten when /proc/sys/fs/protected_symlinks is 0, which is not the default on most distros. If it's set to 1 the bug only prevents 4Pane from displaying SVG previews.
Hi David,

thanks for the fix. Unfortunately there's still a problem: srand(time(NULL)); makes the generated values very easy to predict, because time(NULL) has a granularity of just one second. I suggest mkstemp() which generates secure /tmp file names, or, if you really want to do it manually, consider C++ STL random functions (for example std::random_device and std::mt19937).

The issue was reproducible on openSUSE Tumbleweed. I have not tried other distros.

All the best,
Wolfgang
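The point made in the message above, as an added example that is not part of the thread or of 4Pane's code: a name derived from `srand(time(NULL))` can be recomputed by anyone who knows the clock to within a few seconds, while `mkstemp()` creates a fresh, owner-only file atomically. The `/tmp/preview_` prefix, the function names and the timing values are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>

/* Weak pattern discussed above: file name taken from rand() after
   srand(time). The "/tmp/preview_%d.png" format is a constructed
   stand-in, not 4Pane's real naming scheme. */
static void weak_name(time_t seed, char *out, size_t n) {
    srand((unsigned)seed);
    snprintf(out, n, "/tmp/preview_%d.png", rand());
}

/* How many candidate names must be computed to reproduce the name when
   the creation time is known only to +/- window seconds?
   Returns the 1-based index of the matching candidate, or -1. */
int candidates_needed(time_t created_at, time_t estimate, int window) {
    char actual[64], guess[64];
    weak_name(created_at, actual, sizeof actual);
    for (int d = -window, tried = 1; d <= window; d++, tried++) {
        weak_name(estimate + d, guess, sizeof guess);
        if (strcmp(actual, guess) == 0) return tried;
    }
    return -1;
}

/* Hardened: mkstemp() picks the name and creates the file in one step
   with O_CREAT|O_EXCL, so a pre-existing file or symlink at a candidate
   path is never opened. Returns 1 when the result is a new, empty
   regular file with no group/other permission bits. */
int secure_temp_ok(void) {
    char path[] = "/tmp/preview_XXXXXX";  /* constructed prefix */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             (st.st_mode & 077) == 0 && st.st_size == 0;
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    time_t now = time(NULL);
    printf("candidates needed (clock known to +/-5s): %d\n",
           candidates_needed(now, now + 3, 5));
    printf("mkstemp file private and fresh: %d\n", secure_temp_ok());
    return 0;
}
```

With a one-second seed granularity the whole search space is `2 * window + 1` names, which is why the fix in the thread moves name selection and file creation into a single `mkstemp()`-backed call.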
predictable /tmp paths in PreviewPopup::DisplayImage()