-Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org)
-Date: 2005-12-12
-Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
-Date: 2005-10-08
-Initial Package Version: 4.8
-Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
-Upstream Status: A few patches are floating around in Debian BZ #328365 of which
- upstream hasn't made a full commitment on yet.
-Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
- users to overwrite arbitrary files via a symlink attack on
- temporary files.
-Update: Changed to not pass a constant string to mktemp().
-
-diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
---- texinfo-4.8.orig/util/texindex.c 2005-12-11 23:29:08.000000000 -0600
-+++ texinfo-4.8/util/texindex.c 2005-12-11 23:33:31.000000000 -0600
-@@ -99,6 +99,9 @@
- /* Directory to use for temporary files. On Unix, it ends with a slash. */
- char *tempdir;
-
-+/* Basename for temp files inside of tempdir. */
-+char *tempbase;
-+
- /* Number of last temporary file. */
- int tempcount;
-
-@@ -153,6 +156,7 @@
- main (int argc, char **argv)
- {
- int i;
-+ char template[]="txidxXXXXXX";
-
- tempcount = 0;
- last_deleted_tempcount = 0;
-@@ -190,6 +194,11 @@
-
- decode_command (argc, argv);
-
-+ /* XXX mkstemp not appropriate, as we need to have somewhat predictable
-+ * names. But race condition was fixed, see maketempname.
-+ */
-+ tempbase = mktemp (template);
-+
- /* Process input files completely, one by one. */
-
- for (i = 0; i < num_infiles; i++)
-@@ -389,21 +398,21 @@
- static char *
- maketempname (int count)
- {
-- static char *tempbase = NULL;
- char tempsuffix[10];
--
-- if (!tempbase)
-- {
-- int fd;
-- tempbase = concat (tempdir, "txidxXXXXXX");
--
-- fd = mkstemp (tempbase);
-- if (fd == -1)
-- pfatal_with_name (tempbase);
-- }
-+ char *name, *tmp_name;
-+ int fd;
-
- sprintf (tempsuffix, ".%d", count);
-- return concat (tempbase, tempsuffix);
-+ tmp_name = concat (tempdir, tempbase);
-+ name = concat (tmp_name, tempsuffix);
-+ free(tmp_name);
-+
-+ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
-+ if (fd == -1)
-+ pfatal_with_name (name);
-+
-+ close(fd);
-+ return name;
- }
-
-