tag 318285 patch thanks Hi,
Here's the CAN-2005-2240 fix for woody and sarge (sid upload is already in incoming). Cheers, Matej
diff -u xpvm-1.2.5/src/xpvm.tcl xpvm-1.2.5/src/xpvm.tcl --- xpvm-1.2.5/src/xpvm.tcl +++ xpvm-1.2.5/src/xpvm.tcl @@ -831,7 +831,7 @@ set tfck [ info exists trace_file ] -if { $tfck == 0 } { set trace_file "/tmp/xpvm.trace.$user" } +if { $tfck == 0 } { set trace_file [ file join [ glob ~ ] ".xpvm_trace" ] } $CTRL.file_entry insert 0 $trace_file diff -u xpvm-1.2.5/debian/changelog xpvm-1.2.5/debian/changelog --- xpvm-1.2.5/debian/changelog +++ xpvm-1.2.5/debian/changelog @@ -1,3 +1,14 @@ +xpvm (1.2.5-7.2woody1) oldstable-security; urgency=high + + * QA upload. + * Use ~/.xpvm_trace instead of /tmp/xpvm.trace.$USER to prevent symlink + attacks. (Trace files are meant to be semi-persistent, so this is more + in line with user expectations than creating unique temporary files.) + [src/xpvm.tcl, src/help/traces.help, debian/xpvm.1, CAN-2005-2240] + Closes: #318285. + + -- Matej Vela <[EMAIL PROTECTED]> Sun, 4 Sep 2005 14:44:07 +0200 + xpvm (1.2.5-7.2) unstable; urgency=low * NMU diff -u xpvm-1.2.5/debian/xpvm.1 xpvm-1.2.5/debian/xpvm.1 --- xpvm-1.2.5/debian/xpvm.1 +++ xpvm-1.2.5/debian/xpvm.1 @@ -64,7 +64,7 @@ .BI \-T\ trace .B xpvm will normally create and store a trace file in the -.I /tmp +user's home directory. To have the .I trace file stored in some other location, use this option. only in patch2: unchanged: --- xpvm-1.2.5.orig/src/help/traces.help +++ xpvm-1.2.5/src/help/traces.help @@ -13,7 +13,7 @@ { to have a valid, writable trace file to work with, and so XPVM } { assumes a default trace file name: } {} -{ /tmp/xpvm.trace.$(USER) } +{ ~/.xpvm_trace } {} { On the first execution of XPVM, this trace file will not yet exist, } { and so XPVM will proceed to write traces into this file and read }
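Review bot: The new default in the `src/xpvm.tcl` hunk calls `[ glob ~ ]` unguarded, and Tcl raises an error there when the home directory cannot be resolved (for example when HOME is unset), so startup would abort with a raw Tcl error instead of a usable message. I would wrap it, e.g. `if { [ catch { glob ~ } home ] } { puts stderr "xpvm: cannot determine home directory, use -T"; exit 1 }`, then `set trace_file [ file join $home ".xpvm_trace" ]`, and not fall back to `/tmp` on failure. The code that actually opens `$trace_file` lies outside this hunk, so the fix appears to rely entirely on the home directory not being writable by other users; a one-line comment saying so above the `set` would help the next maintainer. It may also be worth noting in `debian/xpvm.1` that pointing `-T` at a world-writable directory brings the symlink exposure back. The identical hunk in the sarge patch further down the page has the same points.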
diff -u xpvm-1.2.5/src/xpvm.tcl xpvm-1.2.5/src/xpvm.tcl --- xpvm-1.2.5/src/xpvm.tcl +++ xpvm-1.2.5/src/xpvm.tcl @@ -831,7 +831,7 @@ set tfck [ info exists trace_file ] -if { $tfck == 0 } { set trace_file "/tmp/xpvm.trace.$user" } +if { $tfck == 0 } { set trace_file [ file join [ glob ~ ] ".xpvm_trace" ] } $CTRL.file_entry insert 0 $trace_file diff -u xpvm-1.2.5/debian/changelog xpvm-1.2.5/debian/changelog --- xpvm-1.2.5/debian/changelog +++ xpvm-1.2.5/debian/changelog @@ -1,3 +1,14 @@ +xpvm (1.2.5-7.3sarge1) stable-security; urgency=high + + * QA upload. + * Use ~/.xpvm_trace instead of /tmp/xpvm.trace.$USER to prevent symlink + attacks. (Trace files are meant to be semi-persistent, so this is more + in line with user expectations than creating unique temporary files.) + [src/xpvm.tcl, src/help/traces.help, debian/xpvm.1, CAN-2005-2240] + Closes: #318285. + + -- Matej Vela <[EMAIL PROTECTED]> Sun, 4 Sep 2005 14:44:07 +0200 + xpvm (1.2.5-7.3) unstable; urgency=low * Uploading with maintainer set to QA Group diff -u xpvm-1.2.5/debian/xpvm.1 xpvm-1.2.5/debian/xpvm.1 --- xpvm-1.2.5/debian/xpvm.1 +++ xpvm-1.2.5/debian/xpvm.1 @@ -64,7 +64,7 @@ .BI \-T\ trace .B xpvm will normally create and store a trace file in the -.I /tmp +user's home directory. To have the .I trace file stored in some other location, use this option. only in patch2: unchanged: --- xpvm-1.2.5.orig/src/help/traces.help +++ xpvm-1.2.5/src/help/traces.help @@ -13,7 +13,7 @@ { to have a valid, writable trace file to work with, and so XPVM } { assumes a default trace file name: } {} -{ /tmp/xpvm.trace.$(USER) } +{ ~/.xpvm_trace } {} { On the first execution of XPVM, this trace file will not yet exist, } { and so XPVM will proceed to write traces into this file and read }