Oops - I changed it to mktemp and tested it.

Afterwards, I compiled it for Linux, and it suggested I change it to mkstemp, which I did, but I didn't test it much.

I'll change it back to mktemp.

Matthias
----- Original Message -----
From: "Bruno De Fraine" <[EMAIL PROTECTED]>
To: "Matthias Wandel" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, November 04, 2008 5:13 AM
Subject: Re: Bug#503645: jhead: CVE-2008-4640, CVE-2008-4641 command injection via filename and insecure file handling


Hello Matthias,

On 3-nov-08, at 16:04, Matthias Wandel wrote:

Ok, I have integrated this patch, plus a temp file patch that was submitted, and uploaded it as the head rev copy on the website. The head rev version
number has been changed to 2.85.

I have made sure it works under Windows, and done some quick checks under
Linux.

Let me know if it's good for you.

I have some problems with the mkstemp on line 352 of jhead.c: this will open/create the temp file and return the file descriptor.

- In case of a mistaken command string that involves "&o" but does not create an output file (such as "echo &i &o"), jhead will no longer detect that no output file is created, and blindly delete the input file (possible data loss)
- Shouldn't you close the file descriptor returned by mkstemp?
- Previously, the temp output file was normally never present when the command is run, now it is always present. This might break some command strings that previously worked, when commands are used that don't overwrite existing files.

(In summary, I think this change should be tested before going in a stable Debian release.)

Line 379 of jhead.c seems a debug line that should be removed.

Regards,
Bruno
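
Added example, not part of the e-mail thread and not jhead's code: one way to keep mkstemp while handling the first two points raised above, by closing the descriptor immediately and treating the pre-created empty file as "no output" before the input is touched. All helper names are hypothetical, and `fake_command` is a constructed stand-in for the external command.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not jhead source; all helper names are hypothetical. */

/* Create the temp file atomically (mode 0600), then close the descriptor
 * at once: the external command reopens the file by name. */
int make_temp_output(char *tmpl)            /* tmpl must end in "XXXXXX" */
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    return close(fd);
}

/* mkstemp leaves a 0-byte file behind, so "the file exists" no longer
 * proves the command wrote anything. Require a non-empty regular file. */
int output_was_written(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_size > 0;
}

/* Replace the input only if the command produced data; otherwise discard
 * the temp file and leave the input untouched. rename() needs both paths
 * on the same filesystem. */
int replace_if_written(const char *input, const char *tmp)
{
    if (!output_was_written(tmp)) {
        unlink(tmp);
        return -1;
    }
    return rename(tmp, input);
}

/* Constructed stand-in for the external command. data == NULL models a
 * command string such as "echo &i &o" that never writes the output file. */
int fake_command(const char *path, const char *data)
{
    FILE *f;
    if (data == NULL) return 0;
    f = fopen(path, "wb");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}
```

This does not address the third point: a command that refuses to overwrite an existing file will still fail against the pre-created temp file.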




