Index: agent/mibgroup/examples/ucdDemoPublic.c
===================================================================
--- agent/mibgroup/examples/ucdDemoPublic.c.orig
+++ agent/mibgroup/examples/ucdDemoPublic.c
@@ -219,7 +219,11 @@ write_ucdDemoPublicString(int action,
     }
     if (action == COMMIT) {
         if (var_val_len != 0) {
-            strcpy(publicString, var_val);
+            strncpy(publicString, var_val, sizeof(publicString)-1);
+            /* XXX thomas: just some sanity checks */
+            if(strlen(var_val) > sizeof(publicString)-1 || strlen(var_val) != var_val_len)
+                publicString[sizeof(publicString)-1] = '\0';
+            else
             publicString[var_val_len] = '\0';
         } else
             publicString[0] = '\0';
Index: agent/mibgroup/mibII/system_mib.c
===================================================================
--- agent/mibgroup/mibII/system_mib.c.orig
+++ agent/mibgroup/mibII/system_mib.c
@@ -126,7 +126,7 @@ system_parse_config_sysloc(const char *t
     char            tmpbuf[1024];
 
     if (strlen(cptr) >= sizeof(sysLocation)) {
-        snprintf(tmpbuf, 1024,
+        snprintf(tmpbuf, sizeof(tmpbuf),
                  "syslocation token too long (must be < %lu):\n\t%s",
                  (unsigned long)sizeof(sysLocation), cptr);
         config_perror(tmpbuf);
@@ -173,7 +173,7 @@ system_parse_config_syscon(const char *t
     char            tmpbuf[1024];
 
     if (strlen(cptr) >= sizeof(sysContact)) {
-        snprintf(tmpbuf, 1024,
+        snprintf(tmpbuf, sizeof(tmpbuf),
                  "syscontact token too long (must be < %lu):\n\t%s",
                  (unsigned long)sizeof(sysContact), cptr);
         config_perror(tmpbuf);
@@ -220,7 +220,7 @@ system_parse_config_sysname(const char *
     char            tmpbuf[1024];
 
     if (strlen(cptr) >= sizeof(sysName)) {
-        snprintf(tmpbuf, 1024,
+        snprintf(tmpbuf, sizeof(tmpbuf),
                  "sysname token too long (must be < %lu):\n\t%s",
                  (unsigned long)sizeof(sysName), cptr);
         config_perror(tmpbuf);
Index: agent/mibgroup/mibII/var_route.c
===================================================================
--- agent/mibgroup/mibII/var_route.c.orig
+++ agent/mibgroup/mibII/var_route.c
@@ -1378,7 +1378,7 @@ Route_Scan_Reload(void)
     /*
      *  Sort it!
      */
-    qsort((char *) rthead, rtsize, sizeof(rthead[0]), qsort_compare);
+    qsort((char *) rthead, rtsize, sizeof(rthead[0]), (int (*) (const void*, const void*)) qsort_compare);
 }
 #endif
 #endif
Index: agent/mibgroup/util_funcs.c
===================================================================
--- agent/mibgroup/util_funcs.c.orig
+++ agent/mibgroup/util_funcs.c
@@ -139,6 +139,10 @@ make_tempfile(void)
     }
 #endif
     if (fd >= 0) {
+        if(fchmod(fd, 0600) != 0) {
+            close(fd);
+            return NULL;
+        }
         close(fd);
         DEBUGMSGTL(("make_tempfile", "temp file created: %s\n", name));
         return name;
Index: agent/auto_nlist.c
===================================================================
--- agent/auto_nlist.c.orig
+++ agent/auto_nlist.c
@@ -64,6 +64,7 @@ auto_nlist_value(const char *string)
         it->nl[0].n_name = (char *) malloc(strlen(string) + 2);
 #if defined(aix4) || defined(aix5)
         strcpy(it->nl[0].n_name, string);
+        it->nl[0].n_name[strlen(string)+1] = '\0';
 #else
         sprintf(it->nl[0].n_name, "_%s", string);
 #endif
@@ -72,6 +73,7 @@ auto_nlist_value(const char *string)
 #if !(defined(aix4) || defined(aix5))
         if (it->nl[0].n_type == 0) {
             strcpy(it->nl[0].n_name, string);
+            it->nl[0].n_name[strlen(string)+1] = '\0';
             init_nlist(it->nl);
         }
 #endif
Index: apps/snmptest.c
===================================================================
--- apps/snmptest.c.orig
+++ apps/snmptest.c
@@ -456,6 +456,7 @@ input_variable(netsnmp_variable_list * v
                     goto getValue;
                 }
                 memcpy(vp->val.string, buf, strlen(buf) - 1);
+                vp->val.string[sizeof(vp->val.string)-1] = 0;
                 vp->val_len = strlen(buf) - 1;
             } else if (ch == 'x') {
                 size_t          buf_len = 256;
Index: apps/snmptrapd_handlers.c
===================================================================
--- apps/snmptrapd_handlers.c.orig
+++ apps/snmptrapd_handlers.c
@@ -24,6 +24,9 @@
 #include <sys/wait.h>
 #endif
 
+#include <sys/stat.h>
+#include <fcntl.h>
+
 #include <net-snmp/config_api.h>
 #include <net-snmp/output_api.h>
 #include <net-snmp/mib_api.h>
@@ -840,10 +843,11 @@ do_external(char *cmd, struct hostent *h
 #else
         char            command_buf[128];
         char            file_buf[L_tmpnam];
+        int             win_fd;
 
         tmpnam(file_buf);
-        file = fopen(file_buf, "w");
-        if (!file) {
+        win_fd = open(file_buf, O_RDWR | O_CREAT | O_EXCL, 0600);
+        if (win_fd  < 0 || (file = fdopen(win_fd, "w")) == NULL)
             fprintf(stderr, "fopen: %s: %s\n", file_buf, strerror(errno));
         } else {
             send_handler_data(file, host, pdu, transport);
Index: snmplib/parse.c
===================================================================
--- snmplib/parse.c.orig
+++ snmplib/parse.c
@@ -4187,7 +4187,7 @@ static struct node *
 parse(FILE * fp, struct node *root)
 {
     char            token[MAXTOKEN];
-    char            name[MAXTOKEN];
+    char            name[MAXTOKEN+1];
     int             type = LABEL;
     int             lasttype = LABEL;
 
@@ -4279,7 +4279,8 @@ parse(FILE * fp, struct node *root)
         case ENDOFFILE:
             continue;
         default:
-            strcpy(name, token);
+            strncpy(name, token, sizeof(name));
+            name[sizeof(name)-1] = '\0';
             type = get_token(fp, token, MAXTOKEN);
             nnp = NULL;
             if (type == MACRO) {
@@ -4296,7 +4297,8 @@ parse(FILE * fp, struct node *root)
                 print_error(name, "is a reserved word", lasttype);
             continue;           /* see if we can parse the rest of the file */
         }
-        strcpy(name, token);
+        strncpy(name, token, sizeof(name));
+        name[sizeof(name)-1] = '\0';
         type = get_token(fp, token, MAXTOKEN);
         nnp = NULL;
 
Index: snmplib/tools.c
===================================================================
--- snmplib/tools.c.orig
+++ snmplib/tools.c
@@ -695,7 +695,7 @@ dump_snmpEngineID(const u_char * estring
         /*
          * s += snprintf(s, remaining_len+3, "\"%s\"", esp); 
          */
-        s += sprintf(s, "\"%s\"", esp);
+        s += sprintf(s, "\"%.*s\"", sizeof(buf)-strlen(buf)-3, esp);
         goto dump_snmpEngineID_quit;
         break;
      /*NOTREACHED*/ case 5:    /* Octets. */
Index: testing/TESTCONF.sh
===================================================================
--- testing/TESTCONF.sh.orig
+++ testing/TESTCONF.sh
@@ -77,8 +77,8 @@ if [ "x$SNMP_TMPDIR" = "x" -a "x$SNMP_HE
     fi
     SNMP_TMP_PERSISTENTDIR=$SNMP_TMPDIR/persist
     export SNMP_TMP_PERSISTENTDIR
-    mkdir $SNMP_TMPDIR
-    mkdir $SNMP_TMP_PERSISTENTDIR
+    mkdir -m 0700 $SNMP_TMPDIR
+    mkdir -m 0700 $SNMP_TMP_PERSISTENTDIR
 fi
 
 if [ "x$SNMP_SAVE_TMPDIR" = "x" ]; then
Index: testing/eval_suite.sh
===================================================================
--- testing/eval_suite.sh.orig
+++ testing/eval_suite.sh
@@ -79,7 +79,11 @@ exit 0
 PROGRAM=
 ARGUMENTS="$*"
 
-TMPFILE=/tmp/eval_suite.sh$$
+umask 0077     # just to be on the save side
+TMPDIR=/tmp/ucd-snmpd-eval-dir.$$
+/bin/rm -rf $TMPDIR
+/bin/mkdir -m 0700 $TMPDIR || exit -1
+TMPFILE=$TMPDIR/eval_suite.sh$$
 
 TESTLISTFILE=eval_testlist
 
@@ -205,6 +209,7 @@ done  # endwhile
 # Cleanup, exit.
 #
 rm -f $TMPFILE
+rm -rf $TMPDIR
 
 exit $TESTFAILURE