Package: mozilla-devscripts Version: 0.35 Severity: important Tags: security patch
xpi-repack uses a subdirectory of /tmp with a predictable name. A malicious local user could exploit this flaw to cause a denial of service or, if they win the race, to tamper with the unpacked xpi.
Patch attached. -- Jakub Wilk
diff --git a/xpi-repack b/xpi-repack
--- a/xpi-repack
+++ b/xpi-repack
@@ -18,6 +18,7 @@
 import os
 import subprocess
 import sys
+import tempfile
 # error codes
 COMMAND_LINE_SYNTAX_ERROR = 1
@@ -35,10 +36,9 @@
 def repack_xpi(package, upstream_version, xpi_file, verbose):
 # extract xpi file
- tmp_dir = "/tmp"
+ tmp_dir = tempfile.mkdtemp(prefix='xpi-repack.')
 extract_dir = package + "-" + upstream_version
 full_extract_dir = os.path.join(tmp_dir, extract_dir)
- remove_recursive(full_extract_dir)
 subprocess.check_call(["xpi-unpack", xpi_file, full_extract_dir])
 # check, if source 3.0 (quilt) format is used
@@ -59,7 +59,7 @@
 subprocess.check_call(cmd)
 # remove temporary directory
- remove_recursive(full_extract_dir)
+ remove_recursive(tmp_dir)
 def get_source_package_name(script_name):
 if not os.path.isfile("debian/control"):
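Review bot: The new temporary directory is removed only on the success path. The second hunk creates it with `tempfile.mkdtemp(prefix='xpi-repack.')`, but the `remove_recursive(tmp_dir)` in the third hunk runs only if every `subprocess.check_call` in between returns, so a failing `xpi-unpack` leaves a uniquely named directory with the unpacked tree behind on each failed run. Putting the work that follows `mkdtemp` inside `try:` and moving the cleanup to `finally: remove_recursive(tmp_dir)` would make the removal unconditional. The body of repack_xpi between the second and third hunks is not visible here, so any early return or extra failure path in that stretch would need to sit inside the same `try`.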