Author: randy Date: 2005-12-12 07:35:41 -0700 (Mon, 12 Dec 2005) New Revision: 1298
Added: trunk/texinfo/texinfo-4.8-tempfile_fix-2.patch Log: Added updated Texinfo tempfile patch Added: trunk/texinfo/texinfo-4.8-tempfile_fix-2.patch =================================================================== --- trunk/texinfo/texinfo-4.8-tempfile_fix-2.patch 2005-12-11 02:32:40 UTC (rev 1297) +++ trunk/texinfo/texinfo-4.8-tempfile_fix-2.patch 2005-12-12 14:35:41 UTC (rev 1298) @@ -0,0 +1,80 @@ +Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org) +Date: 2005-12-12 +Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org) +Date: 2005-10-08 +Initial Package Version: 4.8 +Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch +Upstream Status: A few patches are floating around in Debian BZ #328365 of which + upstream hasn't made a full commitment on yet. +Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local + users to overwrite arbitrary files via a symlink attack on + temporary files. +Update: Changed to not pass a constant string to mktemp(). + +diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c +--- texinfo-4.8.orig/util/texindex.c 2005-12-11 23:29:08.000000000 -0600 ++++ texinfo-4.8/util/texindex.c 2005-12-11 23:33:31.000000000 -0600 +@@ -99,6 +99,9 @@ + /* Directory to use for temporary files. On Unix, it ends with a slash. */ + char *tempdir; + ++/* Basename for temp files inside of tempdir. */ ++char *tempbase; ++ + /* Number of last temporary file. */ + int tempcount; + +@@ -153,6 +156,7 @@ + main (int argc, char **argv) + { + int i; ++ char template[]="txidxXXXXXX"; + + tempcount = 0; + last_deleted_tempcount = 0; +@@ -190,6 +194,11 @@ + + decode_command (argc, argv); + ++ /* XXX mkstemp not appropriate, as we need to have somewhat predictable ++ * names. But race condition was fixed, see maketempname. ++ */ ++ tempbase = mktemp (template); ++ + /* Process input files completely, one by one. */ + + for (i = 0; i < num_infiles; i++) +@@ -389,21 +398,21 @@ + static char * + maketempname (int count) + { +- static char *tempbase = NULL; + char tempsuffix[10]; +- +- if (!tempbase) +- { +- int fd; +- tempbase = concat (tempdir, "txidxXXXXXX"); +- +- fd = mkstemp (tempbase); +- if (fd == -1) +- pfatal_with_name (tempbase); +- } ++ char *name, *tmp_name; ++ int fd; + + sprintf (tempsuffix, ".%d", count); +- return concat (tempbase, tempsuffix); ++ tmp_name = concat (tempdir, tempbase); ++ name = concat (tmp_name, tempsuffix); ++ free(tmp_name); ++ ++ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600); ++ if (fd == -1) ++ pfatal_with_name (name); ++ ++ close(fd); ++ return name; + } + + -- http://linuxfromscratch.org/mailman/listinfo/patches FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
