texinfo/patches/texinfo-4.8-tempfile_fix-1.patch

Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
Date: 2005-10-08
Initial Package Version: 4.8
Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
Upstream Status: A few patches are floating around in Debian BZ #328365 of which
                 upstream hasn't made a full commitment on yet.
Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
             users to overwrite arbitrary files via a symlink attack on
             temporary files.

diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
--- texinfo-4.8.orig/util/texindex.c	2004-04-11 17:56:47.000000000 +0000
+++ texinfo-4.8/util/texindex.c	2005-10-08 17:35:12.000000000 +0000
@@ -99,6 +99,9 @@
 /* Directory to use for temporary files.  On Unix, it ends with a slash.  */
 char *tempdir;
 
+/* Basename for temp files inside of tempdir.  */
+char *tempbase;
+
 /* Number of last temporary file.  */
 int tempcount;
 
@@ -190,6 +193,11 @@
 
   decode_command (argc, argv);
 
+  /* XXX mkstemp not appropriate, as we need to have somewhat predictable
+   * names. But race condition was fixed, see maketempname. 
+   */
+  tempbase = mktemp ("txidxXXXXXX");
+
   /* Process input files completely, one by one.  */
 
   for (i = 0; i < num_infiles; i++)
@@ -389,21 +397,21 @@
 static char *
 maketempname (int count)
 {
-  static char *tempbase = NULL;
   char tempsuffix[10];
-
-  if (!tempbase)
-    {
-      int fd;
-      tempbase = concat (tempdir, "txidxXXXXXX");
-
-      fd = mkstemp (tempbase);
-      if (fd == -1)
-        pfatal_with_name (tempbase);
-    }
+  char *name, *tmp_name;
+  int fd;
 
   sprintf (tempsuffix, ".%d", count);
-  return concat (tempbase, tempsuffix);
+  tmp_name = concat (tempdir, tempbase);
+  name = concat (tmp_name, tempsuffix);
+  free(tmp_name);
+
+  fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
+  if (fd == -1)
+    pfatal_with_name (name);
+
+  close(fd);
+  return name;
 }
 
 
1	niro	153	Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
2			Date: 2005-10-08
3			Initial Package Version: 4.8
4			Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
5			Upstream Status: A few patches are floating around in Debian BZ #328365 of which
6			upstream hasn't made a full commitment on yet.
7			Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
8			users to overwrite arbitrary files via a symlink attack on
9			temporary files.
10
11			diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
12			--- texinfo-4.8.orig/util/texindex.c 2004-04-11 17:56:47.000000000 +0000
13			+++ texinfo-4.8/util/texindex.c 2005-10-08 17:35:12.000000000 +0000
14			@@ -99,6 +99,9 @@
15			/* Directory to use for temporary files. On Unix, it ends with a slash. */
16			char *tempdir;
17
18			+/* Basename for temp files inside of tempdir. */
19			+char *tempbase;
20			+
21			/* Number of last temporary file. */
22			int tempcount;
23
24			@@ -190,6 +193,11 @@
25
26			decode_command (argc, argv);
27
28			+ /* XXX mkstemp not appropriate, as we need to have somewhat predictable
29			+ * names. But race condition was fixed, see maketempname.
30			+ */
31			+ tempbase = mktemp ("txidxXXXXXX");
32			+
33			/* Process input files completely, one by one. */
34
35			for (i = 0; i < num_infiles; i++)
36			@@ -389,21 +397,21 @@
37			static char *
38			maketempname (int count)
39			{
40			- static char *tempbase = NULL;
41			char tempsuffix[10];
42			-
43			- if (!tempbase)
44			- {
45			- int fd;
46			- tempbase = concat (tempdir, "txidxXXXXXX");
47			-
48			- fd = mkstemp (tempbase);
49			- if (fd == -1)
50			- pfatal_with_name (tempbase);
51			- }
52			+ char name, tmp_name;
53			+ int fd;
54
55			sprintf (tempsuffix, ".%d", count);
56			- return concat (tempbase, tempsuffix);
57			+ tmp_name = concat (tempdir, tempbase);
58			+ name = concat (tmp_name, tempsuffix);
59			+ free(tmp_name);
60			+
61			+ fd = open (name, O_CREAT\|O_EXCL\|O_WRONLY, 0600);
62			+ if (fd == -1)
63			+ pfatal_with_name (name);
64			+
65			+ close(fd);
66			+ return name;
67			}
68
69