This patch fixes insecure tmpfile usage as mentioned in #209927. It is
essentially the debian patch mentioned in that bug report.

diff -u wml-2.0.11/wml_contrib/wmg.cgi wml-2.0.11/wml_contrib/wmg.cgi
--- wml-2.0.11/wml_contrib/wmg.cgi
+++ wml-2.0.11/wml_contrib/wmg.cgi
@@ -366,14 +366,7 @@
         ($w, $h, $t) = Image::Size::imgsize(\$contents);
         if ($w*$h == 1) {
             #   read image into GD
-            $tmpfile = "/tmp/pe.tmp.$$";
-            unlink($tmpfile);
-            open(TMP, ">$tmpfile");
-            print TMP $contents;
-            close(TMP);
-            open(TMP, "<$tmpfile");
-            $tmpimg = newFromGif GD::Image(TMP);
-            close(TMP);
+            $tmpimg = newFromGifData GD::Image($contents);
             unlink($tmpfile);
             if ($tmpimg->transparent != -1) {
                 my $im = new GD::Image($w, $h);
diff -u wml-2.0.11/wml_backend/p1_ipp/ipp.src wml-2.0.11/wml_backend/p1_ipp/ipp.src
--- wml-2.0.11/wml_backend/p1_ipp/ipp.src	2005-12-01 18:50:13.000000000 +0100
+++ wml-2.0.11/wml_backend/p1_ipp/ipp.src	2008-02-29 16:06:15.000000000 +0100
@@ -17,6 +17,7 @@
 use Getopt::Long 2.13;
 use IO::Handle 1.15;
 use IO::File 1.06;
+use File::Temp qw/ mkdtemp /;
 
 #
 #   help functions
@@ -564,8 +565,8 @@
 #
 #   process the pre-loaded include files
 #
-$tmpdir = $ENV{'TMPDIR'} || '/tmp';
-$tmpfile = $tmpdir . "/ipp.$$.tmp";
+my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
+$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";$tmpfile = $tmpdir . "/ipp.$$.tmp";
 unlink($tmpfile);
 $tmp = new IO::File;
 $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
--- wml-2.0.11.orig/wml_backend/p3_eperl/eperl_sys.c
+++ wml-2.0.11/wml_backend/p3_eperl/eperl_sys.c
@@ -211,13 +211,20 @@
 {
     char ca[1024];
     char *cp, *tmpdir;
+	char tmpfile[] = "eperl_sourceXXXXXX";
     int i;
+	int fd = -1;
 
     tmpdir = getenv ("TMPDIR");
     if (tmpdir == (char *) NULL)
         tmpdir="/tmp";
 
-    snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
+	snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
+	if ((fd = mkstemp(ca)) == -1) {
+		perror("Cannot create tmpfile");
+		return NULL;
+	}
+	close(fd);
     ca[sizeof(ca)-1] = NUL;
     cp = strdup(ca);
     for (i = 0; mytmpfiles[i] != NULL; i++)