--- nedit-5.4/source/file.c.security	2003-09-28 16:18:12.000000000 +0200
+++ nedit-5.4/source/file.c	2004-03-17 15:25:31.000000000 +0100
@@ -1218,7 +1218,7 @@
 */
 void PrintString(const char *string, int length, Widget parent, const char *jobName)
 {
-    char tmpFileName[L_tmpnam];    /* L_tmpnam defined in stdio.h */
+    char *tmpFileName=strdup("/tmp/neditXXXXXX");
     FILE *fp;
     int fd;
 
@@ -1229,14 +1229,10 @@
 	    1. Create a filename
 	    2. Open the file with the O_CREAT|O_EXCL flags
 	So all an attacker can do is a DoS on the print function. */
-    tmpnam(tmpFileName);
+    fd = mkstemp(tmpFileName);
 
     /* open the temporary file */
-#ifdef VMS
-    if ((fp = fopen(tmpFileName, "w", "rfm = stmlf")) == NULL)
-#else
-    if ((fd = open(tmpFileName, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR | S_IWUSR)) < 0 || (fp = fdopen(fd, "w")) == NULL)
-#endif /* VMS */
+    if ((fp = fdopen(fd, "w")) == NULL)
     {
         DialogF(DF_WARN, parent, 1, "Error while Printing",
                 "Unable to write file for printing:\n%s", "Dismiss",
@@ -1250,7 +1246,7 @@
     
     /* write to the file */
 #ifdef IBM_FWRITE_BUG
-    write(fileno(fp), string, length);
+    write(fd, string, length);
 #else
     fwrite(string, sizeof(char), length, fp);
 #endif
@@ -1260,6 +1256,7 @@
                 "%s not printed:\n%s", "Dismiss", jobName, errorString());
         fclose(fp); /* should call close(fd) in turn! */
         remove(tmpFileName);
+	free(tmpFileName);
         return;
     }
     
@@ -1270,6 +1267,7 @@
                 "Error closing temp. print file:\n%s", "Dismiss",
                 errorString());
         remove(tmpFileName);
+	free(tmpFileName);
         return;
     }
 
@@ -1281,6 +1279,7 @@
     PrintFile(parent, tmpFileName, jobName);
     remove(tmpFileName);
 #endif /*VMS*/
+    free(tmpFileName);
     return;
 }