Annotation of /trunk/texinfo/patches/texinfo-4.8-tempfile_fix-1.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 1997 byte(s)
-import
1 | niro | 153 | Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org) |
2 | Date: 2005-10-08 | ||
3 | Initial Package Version: 4.8 | ||
4 | Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch | ||
5 | Upstream Status: A few patches are floating around in Debian BZ #328365 of which | ||
6 | upstream hasn't made a full commitment on yet. | ||
7 | Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local | ||
8 | users to overwrite arbitrary files via a symlink attack on | ||
9 | temporary files. | ||
10 | |||
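diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
--- texinfo-4.8.orig/util/texindex.c 2004-04-11 17:56:47.000000000 +0000
+++ texinfo-4.8/util/texindex.c 2005-10-08 17:35:12.000000000 +0000
@@ -99,6 +99,9 @@
 /* Directory to use for temporary files. On Unix, it ends with a slash. */
 char *tempdir;
 
+/* Basename for temp files inside of tempdir. */
+char *tempbase;
+
 /* Number of last temporary file. */
 int tempcount;
 
@@ -190,6 +193,11 @@
 
 decode_command (argc, argv);
 
+ /* XXX mkstemp not appropriate, as we need to have somewhat predictable
+ * names. But race condition was fixed, see maketempname.
+ */
+ tempbase = mktemp ("txidxXXXXXX");
+
 /* Process input files completely, one by one. */
 
 for (i = 0; i < num_infiles; i++)
@@ -389,21 +397,21 @@
 static char *
 maketempname (int count)
 {
- static char *tempbase = NULL;
 char tempsuffix[10];
-
- if (!tempbase)
- {
- int fd;
- tempbase = concat (tempdir, "txidxXXXXXX");
-
- fd = mkstemp (tempbase);
- if (fd == -1)
- pfatal_with_name (tempbase);
- }
+ char *name, *tmp_name;
+ int fd;
 
 sprintf (tempsuffix, ".%d", count);
- return concat (tempbase, tempsuffix);
+ tmp_name = concat (tempdir, tempbase);
+ name = concat (tmp_name, tempsuffix);
+ free(tmp_name);
+
+ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
+ if (fd == -1)
+ pfatal_with_name (name);
+
+ close(fd);
+ return name;
 }
 
 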
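Review bot: In the second hunk (after the `decode_command` call), `tempbase = mktemp ("txidxXXXXXX");` hands mktemp a string literal, but mktemp rewrites the trailing XXXXXX in place, so this writes to a non-modifiable object: undefined behaviour, and typically a crash where literals live in read-only memory. A writable template avoids that: `static char tempbase_template[] = "txidxXXXXXX";` followed by `tempbase = mktemp (tempbase_template);`. mktemp also probes the bare name relative to the current directory rather than under tempdir, and leaves an empty string on failure, so the only real protection against the symlink attack is the `O_CREAT|O_EXCL` open in maketempname; the XXX comment should say that explicitly and the empty-string result should be checked. maketempname closes the descriptor and returns only the name, so the later reopen by its callers (outside these hunks) is safe only if other users cannot remove or replace entries in tempdir, which is worth confirming.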