Package: mozilla-firefox Version: 1.0+dfsg.1-4 Priority: normal Tags: patch security
The run-mozilla.sh script provided at /usr/lib/mozilla creates temporary files in an unsafe way when running with 'debugging' enabled. Please see the attached patch for a proposed fix. I'm not setting this as a higher priority since that code is not intended for end users, and the broken code is only executed if debugging is enabled, something which, probably, only a few users will do. Regards Javier
--- run-mozilla.sh.orig 2005-02-08 01:52:35.000000000 +0100
+++ run-mozilla.sh 2005-02-08 01:54:27.000000000 +0100
@@ -249,16 +249,18 @@
fi
if [ -x "$debugger" ]
then
- echo "set args ${1+"$@"}" > /tmp/mozargs$$
+ tmpfile=`mktemp -t` || { echo "Cannot create temporary file" >&2; exit 1; }
+ trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+ echo "set args ${1+"$@"}" > $tmpfile
# If you are not using ddd, gdb and know of a way to convey the arguments
# over to the prog then add that here- Gagan Saksena 03/15/00
case `basename $debugger` in
- gdb) echo "$debugger $prog -x /tmp/mozargs$$"
- $debugger "$prog" -x /tmp/mozargs$$
+ gdb) echo "$debugger $prog -x $tmpfile"
+ $debugger "$prog" -x $tmpfile
exitcode=$?
;;
- ddd) echo "$debugger --debugger \"gdb -x /tmp/mozargs$$\" $prog"
- $debugger --debugger "gdb -x /tmp/mozargs$$" "$prog"
+ ddd) echo "$debugger --debugger \"gdb -x $tmpfile\" $prog"
+ $debugger --debugger "gdb -x $tmpfile" "$prog"
exitcode=$?
;;
*) echo "$debugger $prog ${1+"$@"}"
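Review bot: The new `$tmpfile` expansions are unquoted in `> $tmpfile` and in `$debugger "$prog" -x $tmpfile`, and the path now depends on TMPDIR instead of being the fixed `/tmp/mozargs$$`, so a temp directory containing whitespace or glob characters would split the word; write `echo "set args ${1+"$@"}" > "$tmpfile"` and `-x "$tmpfile"` (the ddd form passes the path inside a single `gdb -x …` string and would still need a path without spaces). The trap string is double-quoted, so the path is pasted into the handler text when the trap is set; single quotes, `trap '[ -f "$tmpfile" ] && /bin/rm -f -- "$tmpfile"' 0 1 2 3 13 15`, defer the expansion and avoid re-parsing the path as shell text. The handler for signals 1 2 3 13 15 does not call `exit`, so after cleanup the script presumably continues instead of terminating; confirm that is intended. `mktemp -t` is called without a template, which not every mktemp implementation accepts (to be verified on the target system). The `if` and `case` blocks begin and end outside this hunk.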
@@ -266,7 +268,6 @@
exitcode=$?
;;
esac
- /bin/rm /tmp/mozargs$$
else
echo "Could not find a debugger on your system."
fi

