Bug#924076: Idea how to solve this

Sat, 23 Mar 2019 12:52:06 -0700 

Hello,
I'm not a C programmer but I guess solving this issue might go along
the following path:

Description: Create a secure directory for the FIFO
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 tvtime (1.0.11-4) unstable; urgency=medium
 .
   * QA upload.
   * Add the missing build dependency on pkg-config.
Author: Helge Kreutzmann <deb...@helgefjell.de>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: other
Bug-Debian: https://bugs.debian.org/924076
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: 2019-03-23

--- tvtime-1.0.11.orig/src/utils.c
+++ tvtime-1.0.11/src/utils.c
@@ -167,14 +167,19 @@ char *get_tvtime_fifo_filename( uid_t ui
     char *fifodir;
     char *fifo;
 
+    char *fifosdir;
+
+    /* Create a secure private temporary directory */
+    fifosdir = mkdtemp(FIFODIR "tvtimeXXXXXX");
+
     /* Create string for the directory in FIFODIR */
     pwuid = getpwuid( uid );
     if( pwuid ) {
-        if( asprintf( &fifodir, FIFODIR "/.TV-%s", pwuid->pw_name ) < 0 ) {
+        if( asprintf( &fifodir, "%s/.TV-%s", fifosdir, pwuid->pw_name ) < 0 ) {
             return 0;
         }
     } else {
-        if( asprintf( &fifodir, FIFODIR "/.TV-%u", uid ) < 0 ) {
+        if( asprintf( &fifodir, "%s/.TV-%u", fifosdir, uid ) < 0 ) {
             return 0;
         }
     }


This code segfaults, does not contain error checks but hopefully
someone with real C knowledge can make it work (and prevent tvtime
from being removed).

Greetings

            Helge
-- 
      Dr. Helge Kreutzmann                     deb...@helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/

Attachment: signature.asc
Description: Digital signature

Reply via email to