Commit | Line | Data |
---|---|---|
1 | Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org) | |
2 | Date: 2005-12-12 | |
3 | Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org) | |
4 | Date: 2005-10-08 | |
5 | Initial Package Version: 4.8 | |
6 | Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch | |
7 | Upstream Status: A few patches are floating around in Debian BZ #328365, none of which | |
8 | upstream has fully committed to yet. | |
9 | Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local | |
10 | users to overwrite arbitrary files via a symlink attack on | |
11 | temporary files. | |
12 | Update: Changed to not pass a constant string to mktemp(). | |
13 | ||
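diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
--- texinfo-4.8.orig/util/texindex.c 2005-12-11 23:29:08.000000000 -0600
+++ texinfo-4.8/util/texindex.c 2005-12-11 23:33:31.000000000 -0600
@@ -99,6 +99,9 @@
 /* Directory to use for temporary files. On Unix, it ends with a slash. */
 char *tempdir;
 
+/* Basename for temp files inside of tempdir. */
+char *tempbase;
+
 /* Number of last temporary file. */
 int tempcount;
 
@@ -153,6 +156,7 @@
 main (int argc, char **argv)
 {
 int i;
+ char template[]="txidxXXXXXX";
 
 tempcount = 0;
 last_deleted_tempcount = 0;
@@ -190,6 +194,11 @@
 
 decode_command (argc, argv);
 
+ /* XXX mkstemp not appropriate, as we need to have somewhat predictable
+ * names. But race condition was fixed, see maketempname.
+ */
+ tempbase = mktemp (template);
+
 /* Process input files completely, one by one. */
 
 for (i = 0; i < num_infiles; i++)
@@ -389,21 +398,21 @@
 static char *
 maketempname (int count)
 {
- static char *tempbase = NULL;
 char tempsuffix[10];
-
- if (!tempbase)
- {
- int fd;
- tempbase = concat (tempdir, "txidxXXXXXX");
-
- fd = mkstemp (tempbase);
- if (fd == -1)
- pfatal_with_name (tempbase);
- }
+ char *name, *tmp_name;
+ int fd;
 
 sprintf (tempsuffix, ".%d", count);
- return concat (tempbase, tempsuffix);
+ tmp_name = concat (tempdir, tempbase);
+ name = concat (tmp_name, tempsuffix);
+ free(tmp_name);
+
+ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
+ if (fd == -1)
+ pfatal_with_name (name);
+
+ close(fd);
+ return name;
 }
 
 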
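Review bot: In `maketempname` the `O_CREAT|O_EXCL` open is what closes the symlink race, but the descriptor is closed at once and only the path is returned, so the protection holds only as long as later opens of that path (in callers outside this patch) cannot be redirected, i.e. `tempdir` is sticky or private to the user. A comment above the `open` call such as `/* Pre-created exclusively; callers reopen by name, so tempdir must not let other users replace the file. */` would record that assumption. Separately, in the `main` hunk the result of `mktemp (template)` is never checked: on failure glibc leaves an empty string, which would yield fixed names like `.1`, `.2` directly under `tempdir`, so a guard such as `if (!tempbase || !*tempbase) pfatal_with_name ("mktemp");` is worth adding. Because the template has no directory part, `mktemp` also tests uniqueness against the current directory rather than `tempdir`, so a collision there is only caught by the `EEXIST` failure in `maketempname`, which is fatal rather than retried.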