Package: mozilla-devscripts
Version: 0.35
Severity: important
Tags: security patch
xpi-repack uses a subdirectory of /tmp with a predictable name.
A malicious local user could exploit this flaw to cause denial of service,
or, if they win the race, to tamper with the unpacked xpi.
Patch attached.
--
Jakub Wilk
diff --git a/xpi-repack b/xpi-repack
--- a/xpi-repack
+++ b/xpi-repack
@@ -18,6 +18,7 @@
import os
import subprocess
import sys
+import tempfile
# error codes
COMMAND_LINE_SYNTAX_ERROR = 1
@@ -35,10 +36,9 @@
def repack_xpi(package, upstream_version, xpi_file, verbose):
# extract xpi file
- tmp_dir = "/tmp"
+ tmp_dir = tempfile.mkdtemp(prefix='xpi-repack.')
extract_dir = package + "-" + upstream_version
full_extract_dir = os.path.join(tmp_dir, extract_dir)
- remove_recursive(full_extract_dir)
subprocess.check_call(["xpi-unpack", xpi_file, full_extract_dir])
# check, if source 3.0 (quilt) format is used
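Review bot: The new `tmp_dir` assignment carries no comment explaining why the directory has to come from `tempfile.mkdtemp()`, so a later tidy-up could revert it to a fixed path. I would add above it `# mkdtemp() creates a fresh mode-0700 directory with an unpredictable name, so another local user cannot pre-create or swap the extraction path`. mkdtemp() also honours TMPDIR, so the directory is no longer guaranteed to be under /tmp. Nothing visible here depends on that, but the rest of repack_xpi lies outside the hunk and should be checked.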
@@ -59,7 +59,7 @@
subprocess.check_call(cmd)
# remove temporary directory
- remove_recursive(full_extract_dir)
+ remove_recursive(tmp_dir)
def get_source_package_name(script_name):
if not os.path.isfile("debian/control"):
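Review bot: The `remove_recursive(tmp_dir)` cleanup is reached only when every `subprocess.check_call` before it succeeds. If `xpi-unpack` or the later `cmd` exits non-zero, CalledProcessError propagates and the mkdtemp directory, with the unpacked xpi in it, is left behind. Before this patch a stale directory was removed at the start of the next run; with a unique name per run, each failure now leaves a new one. I would put the body that follows the mkdtemp call inside `try:` and move the cleanup to `finally: remove_recursive(tmp_dir)`. The middle of repack_xpi is outside the hunks, so any early return there would need the same treatment.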