Package: pmake
Version: 1.111-1, 1.111-2
Severity: serious
Tags: security fixed-upstream patch

/usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary
files insecurely, with predictable names (/tmp/_depend<PID>), and
without using $TMPDIR.

To reproduce, run the depend target in a BSD package like csh:

    /tmp/csh-20070713$ pmake -dx depend 2>&1 | grep /tmp/_depend
    + TMP=/tmp/_depend7338
    + mv /tmp/_depend7338 .depend

This applies to both lenny and squeeze.  Upstream is not affected as the
code was eliminated back in 2003:

    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.lib.mk#rev1.240>
    <http://cvsweb.netbsd.org/bsdweb.cgi/src/share/mk/bsd.prog.mk#rev1.193>

Patch to use mktemp(1):

--- pmake-1.111/mk/bsd.lib.mk~
+++ pmake-1.111/mk/bsd.lib.mk
@@ -291,7 +291,7 @@
 
 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.po \1.so \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
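Review bot: The final `mv $$TMP .depend` in this recipe now installs a file that mktemp(1) created with mode 0600, so `.depend` ends up readable only by its owner, where the old `> $$TMP` redirect created it according to the umask. Creating the temporary file next to the target instead (for example `mktemp .depend.XXXXXXXXXX`) and resetting its mode before the `mv` would keep the previous permissions. It would also keep the rename on one filesystem and take the shared temporary directory out of the recipe altogether.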
--- pmake-1.111/mk/bsd.prog.mk~
+++ pmake-1.111/mk/bsd.prog.mk
@@ -124,7 +124,7 @@
 
 .if defined(SRCS)
 afterdepend: .depend
-       @(TMP=/tmp/_depend$$$$; \
+       @(TMP=`mktemp -t _dependXXXXXXXXXX` || exit $$?; \
            sed -e 's/^\([^\.]*\).o[ ]*:/\1.o \1.ln:/' \
              < .depend > $$TMP; \
            mv $$TMP .depend)
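Review bot: `$$TMP` is used unquoted in `< .depend > $$TMP` and in `mv $$TMP .depend`, and with `mktemp -t` its value now follows `$TMPDIR`, so a TMPDIR containing whitespace breaks the recipe; quote it as `"$$TMP"` in both places. The three commands are also joined with `;`, so a failing `sed` still lets `mv` overwrite `.depend` with a partial file, and no path removes the temporary file on error. Chaining `sed` and `mv` with `&&` and adding an `rm -f "$$TMP"` on failure would cover both.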

Thanks,

Matej
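
The in-place rewrite that the `afterdepend` recipe performs, written so that it does not rely on a predictable name in a shared directory. This is an added example, not part of the original report or of pmake: `rewrite_depend` is a hypothetical helper, and it places the mktemp(1) file beside the target rather than in `$TMPDIR`.

```shell
#!/bin/sh
# Added example (not pmake code): rewrite a file through sed without using a
# predictable temporary name such as /tmp/_depend<PID>.

# rewrite_depend FILE SED_SCRIPT   (hypothetical helper)
# Returns 0 and replaces FILE on success; returns 1 and leaves FILE untouched
# if the temporary file cannot be created or sed fails.
rewrite_depend() {
    rd_target=$1
    rd_script=$2
    rd_dir=$(dirname -- "$rd_target")

    # mktemp picks an unpredictable suffix and creates the file exclusively,
    # so a file or symlink planted in advance is never opened. Creating it in
    # the target's own directory avoids the shared /tmp entirely and makes
    # the final mv a rename within one filesystem.
    rd_tmp=$(mktemp "$rd_dir/.depend.XXXXXXXXXX") || return 1

    # Replace the target only if sed succeeded; otherwise drop the temp file.
    if ! sed -e "$rd_script" < "$rd_target" > "$rd_tmp"; then
        rm -f -- "$rd_tmp"
        return 1
    fi

    # mktemp creates files with mode 0600. Give the result the mode a plain
    # shell redirect would have produced under the current umask.
    chmod "$(printf '%o' $(( 0666 & ~$(umask) )))" "$rd_tmp"

    mv -f -- "$rd_tmp" "$rd_target"
}
```
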


