Add some patches to grub.
1 Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org)
2 Date: 2005-12-12
3 Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
4 Date: 2005-10-08
5 Initial Package Version: 4.8
6 Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
7 Upstream Status: A few patches are floating around in Debian BZ #328365 of which
8 upstream hasn't made a full commitment on yet.
9 Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
10 users to overwrite arbitrary files via a symlink attack on
11 temporary files.
12 Update: Changed to not pass a constant string to mktemp().
13
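diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
--- texinfo-4.8.orig/util/texindex.c 2005-12-11 23:29:08.000000000 -0600
+++ texinfo-4.8/util/texindex.c 2005-12-11 23:33:31.000000000 -0600
@@ -99,6 +99,9 @@
 /* Directory to use for temporary files. On Unix, it ends with a slash. */
 char *tempdir;
 
+/* Basename for temp files inside of tempdir. */
+char *tempbase;
+
 /* Number of last temporary file. */
 int tempcount;
 
@@ -153,6 +156,7 @@
 main (int argc, char **argv)
 {
 int i;
+ char template[]="txidxXXXXXX";
 
 tempcount = 0;
 last_deleted_tempcount = 0;
@@ -190,6 +194,11 @@
 
 decode_command (argc, argv);
 
+ /* XXX mkstemp not appropriate, as we need to have somewhat predictable
+ * names. But race condition was fixed, see maketempname.
+ */
+ tempbase = mktemp (template);
+
 /* Process input files completely, one by one. */
 
 for (i = 0; i < num_infiles; i++)
@@ -389,21 +398,21 @@
 static char *
 maketempname (int count)
 {
- static char *tempbase = NULL;
 char tempsuffix[10];
-
- if (!tempbase)
- {
- int fd;
- tempbase = concat (tempdir, "txidxXXXXXX");
-
- fd = mkstemp (tempbase);
- if (fd == -1)
- pfatal_with_name (tempbase);
- }
+ char *name, *tmp_name;
+ int fd;
 
 sprintf (tempsuffix, ".%d", count);
- return concat (tempbase, tempsuffix);
+ tmp_name = concat (tempdir, tempbase);
+ name = concat (tmp_name, tempsuffix);
+ free(tmp_name);
+
+ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
+ if (fd == -1)
+ pfatal_with_name (name);
+
+ close(fd);
+ return name;
 }
 
 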
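Review bot: In the third hunk the result of `tempbase = mktemp (template);` is used unchecked, and because `template` has no directory part, mktemp() tests the name against the current directory rather than `tempdir`. On failure mktemp() leaves an empty string, so every temporary file would be named `tempdir` plus `.N`; a guard such as `if (!tempbase || !*tempbase) pfatal_with_name ("txidxXXXXXX");` right after the call would catch that. In maketempname() the `O_CREAT|O_EXCL` open with mode 0600 is what closes the symlink race, but the descriptor is closed and only the name is returned. The later reopen by callers outside this hunk is therefore presumably safe only while `tempdir` is sticky or private, and a comment above the `open` should say so. The context line `sprintf (tempsuffix, ".%d", count);` writes into `char tempsuffix[10]`, which a large `count` would overflow; `snprintf (tempsuffix, sizeof tempsuffix, ".%d", count);` is the bounded form.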