Contents of /trunk/texinfo/patches/texinfo-4.8-tempfile_fix-1.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 1997 byte(s)
-import
1 | Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org) |
2 | Date: 2005-10-08 |
3 | Initial Package Version: 4.8 |
4 | Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch |
5 | Upstream Status: A few patches are floating around in Debian BZ #328365 of which |
6 | upstream hasn't made a full commitment on yet. |
7 | Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local |
8 | users to overwrite arbitrary files via a symlink attack on |
9 | temporary files. |
10 | |
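diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
--- texinfo-4.8.orig/util/texindex.c 2004-04-11 17:56:47.000000000 +0000
+++ texinfo-4.8/util/texindex.c 2005-10-08 17:35:12.000000000 +0000
@@ -99,6 +99,9 @@
 /* Directory to use for temporary files. On Unix, it ends with a slash. */
 char *tempdir;
 
+/* Basename for temp files inside of tempdir. */
+char *tempbase;
+
 /* Number of last temporary file. */
 int tempcount;
 
@@ -190,6 +193,11 @@
 
 decode_command (argc, argv);
 
+ /* XXX mkstemp not appropriate, as we need to have somewhat predictable
+ * names. But race condition was fixed, see maketempname.
+ */
+ tempbase = mktemp ("txidxXXXXXX");
+
 /* Process input files completely, one by one. */
 
 for (i = 0; i < num_infiles; i++)
@@ -389,21 +397,21 @@
 static char *
 maketempname (int count)
 {
- static char *tempbase = NULL;
 char tempsuffix[10];
-
- if (!tempbase)
- {
- int fd;
- tempbase = concat (tempdir, "txidxXXXXXX");
-
- fd = mkstemp (tempbase);
- if (fd == -1)
- pfatal_with_name (tempbase);
- }
+ char *name, *tmp_name;
+ int fd;
 
 sprintf (tempsuffix, ".%d", count);
- return concat (tempbase, tempsuffix);
+ tmp_name = concat (tempdir, tempbase);
+ name = concat (tmp_name, tempsuffix);
+ free(tmp_name);
+
+ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
+ if (fd == -1)
+ pfatal_with_name (name);
+
+ close(fd);
+ return name;
 }
 
 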
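Review bot: `mktemp ("txidxXXXXXX")` in the second hunk passes a string literal to a function that rewrites its template in place, which is undefined behaviour and typically faults where literals are stored read-only; use a writable buffer, e.g. `static char tempbase_buf[] = "txidxXXXXXX";` followed by `tempbase = mktemp (tempbase_buf);`, and treat an empty result as fatal. Because the template carries no directory part, mktemp's existence probe runs against the current directory rather than `tempdir`, so the only real protection against a pre-planted symlink is the `O_CREAT|O_EXCL` open in `maketempname`; the comment above the call should say that explicitly. `maketempname` closes the descriptor and hands back only the name, so the guarantee also depends on how callers (outside these hunks) reopen the path and on `tempdir` being a sticky or private directory — worth a comment such as `/* Caller reopens by name; safe only if tempdir is sticky or owned by us. */`. The unchanged `sprintf (tempsuffix, ".%d", count)` into `tempsuffix[10]` would be safer as `snprintf (tempsuffix, sizeof tempsuffix, ".%d", count)`, and `open`/`O_EXCL` need `<fcntl.h>`, whose include is not visible here.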