Hi, The attached file is the diff for my aptoncd 0.1-1.2 NMU. The associated changelog entry is:
aptoncd (0.1-1.2) unstable; urgency=medium
* Non-maintainer upload.
* Replace usage of hard-coded and predictable temporary directory names to
prevent against symlink-based attacks. Based on a patch by Marcos
Marado. (Closes: #496390)
Regards,
--
Chris Lamb, UK [EMAIL PROTECTED]
GPG: 0x634F9A20
diff -Nru aptoncd-0.1/aptoncd.py aptoncd-0.1/aptoncd.py
--- aptoncd-0.1/aptoncd.py 2007-05-01 21:04:19.000000000 +0100
+++ aptoncd-0.1/aptoncd.py 2008-09-09 01:50:39.000000000 +0100
@@ -18,6 +18,7 @@
import RepDownload
import webbrowser
import sys
+import tempfile
from mediaInfo import mediaInfo
from optparse import OptionParser
import msg
@@ -77,7 +78,7 @@
isofile = filename[0]
if os.path.isfile(isofile):
- fromPath = "/tmp/aptoncd-mnt-image/"
+ fromPath = tempfile.mkdtemp()
utils.mkdir(fromPath,True)
command = "gksu --desktop
/usr/share/applications/aptoncd.desktop 'mount -o loop %s %s'" %
(isofile.replace(' ','\ '), fromPath.replace(' ','\ '))
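Review bot: The `utils.mkdir(fromPath,True)` call kept directly after `fromPath = tempfile.mkdtemp()` looks redundant and may weaken the fix, since mkdtemp() has already created the directory atomically with owner-only permissions. If the `True` argument makes utils.mkdir remove and recreate the path (its definition is not in this diff, so confirm), the recreated directory loses that guarantee. Dropping the call is the safer form, and the same applies to `self.util.mkdir(tmpdir,True)` in the CreateAptOncd.py hunk. The old value ended in `/` and the new one does not, so any `fromPath + name` concatenation later in this function, which continues outside the hunk, should become `os.path.join(fromPath, name)`. Separately, the mount command on the following lines escapes only spaces in `isofile` before the string reaches a shell through gksu, and `pipes.quote(isofile)` would cover the remaining shell metacharacters.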
diff -Nru aptoncd-0.1/config.py aptoncd-0.1/config.py
--- aptoncd-0.1/config.py 2007-05-01 21:04:19.000000000 +0100
+++ aptoncd-0.1/config.py 2008-09-09 01:50:39.000000000 +0100
@@ -51,9 +51,10 @@
LOCAL_APT_FOLDER = "/var/cache/apt/archives/"
-TMP_PATH = "/tmp/aptoncd/"
-if not os.path.isdir(TMP_PATH):
- os.makedirs(TMP_PATH)
+# Don't create un-used temporary directory.
+#TMP_PATH = "/tmp/aptoncd/"
+#if not os.path.isdir(TMP_PATH):
+# os.makedirs(TMP_PATH)
# -- write config --
def write(filename):
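Review bot: The `TMP_PATH` block in config.py is left behind as commented-out code rather than deleted, which leaves a hard-coded `/tmp/aptoncd/` path in the source for someone to re-enable later. Removing the four lines outright and letting the changelog carry the history would be cleaner. Any module that still reads `config.TMP_PATH` will now fail with AttributeError at the point of use. The diff shows no callers, so a search for `TMP_PATH` across the package is worth doing before upload.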
diff -Nru aptoncd-0.1/CreateAptOncd.py aptoncd-0.1/CreateAptOncd.py
--- aptoncd-0.1/CreateAptOncd.py 2007-05-01 21:04:19.000000000 +0100
+++ aptoncd-0.1/CreateAptOncd.py 2008-09-09 01:50:39.000000000 +0100
@@ -38,6 +38,7 @@
import utils
import msg
import gzip
+import tempfile
#from mediaInfo import mediaInfo
import mediaInfo
from mediaInfo import aptDiskInfo
@@ -484,9 +485,9 @@
config.write(config.CONFIG_FILE)
metaPackActive = self.ckbtnMetaPackage.get_active()
- tmpdir = "/tmp/aptoncd-c/"
- tmpmetapackageDir = tmpdir +"metapackage/"
- tmppackages = tmpdir + "packages/"
+ tmpdir = tempfile.mkdtemp()
+ tmpmetapackageDir = os.path.join(tmpdir, "metapackage")
+ tmppackages = os.path.join(tmpdir, "packages")
self.util.mkdir(tmpdir,True)
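Review bot: `tmpmetapackageDir` and `tmppackages` used to end in `/` and no longer do, so any later code in this method that builds a file name by plain concatenation (`tmppackages + name`) would now write next to the directory instead of inside it. The method continues outside the hunk, so this cannot be confirmed from here. Either audit the remaining uses, or keep the old shape with `os.path.join(tmpdir, "packages", "")`, which preserves the trailing separator. The hunk adds `import tempfile` but relies on `os` already being imported in CreateAptOncd.py, which is not visible in the diff.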
diff -Nru aptoncd-0.1/debian/changelog aptoncd-0.1/debian/changelog
--- aptoncd-0.1/debian/changelog 2008-09-09 01:50:39.000000000 +0100
+++ aptoncd-0.1/debian/changelog 2008-09-09 01:50:39.000000000 +0100
@@ -1,3 +1,12 @@
+aptoncd (0.1-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Replace usage of hard-coded and predictable temporary directory names to
+ prevent against symlink-based attacks. Based on a patch by Marcos Marado.
+ (Closes: #496390)
+
+ -- Chris Lamb <[EMAIL PROTECTED]> Tue, 09 Sep 2008 01:01:52 +0100
+
aptoncd (0.1-1.1) unstable; urgency=low
* Non-maintainer upload.
diff -Nru aptoncd-0.1/xmlfile.py aptoncd-0.1/xmlfile.py
--- aptoncd-0.1/xmlfile.py 2007-05-01 21:04:19.000000000 +0100
+++ aptoncd-0.1/xmlfile.py 2008-09-09 01:50:39.000000000 +0100
@@ -24,11 +24,14 @@
import xml.dom.minidom
import string
+import tempfile
import utils
(BOLVAL, METHOD, HOST, DISTRIBUTION, VERSION, SECTION, ARCHITECTURE, PATH,
MEDIA) = range(9)
+TEMPDIR = tempfile.mkdtemp()
+
class XMLFile:
def node_text(self, node):
text = ''
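Review bot: `TEMPDIR = tempfile.mkdtemp()` at module level creates a new directory under the temp root every time xmlfile is imported, whether or not a settings file is ever written or read. Nothing visible in the diff removes the directory afterwards, so each run of the program leaves one behind. Creating it on first use, in a small helper that caches the result, avoids the import-time side effect and keeps the directory's lifetime tied to the code that needs it. A short comment beside the constant, such as `# per-process private download directory, created with mkdtemp()`, would also help the next reader.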
@@ -67,7 +70,7 @@
aFile.write(' <version>%s</version>\n' % util.codename)
aFile.write(' <section>main</section>\n')
aFile.write(' <arch>%s</arch>\n' % util.architecture)
- aFile.write(' <path>/tmp/aptoncd</path>\n')
+ aFile.write(' <path>%s</path>\n' % TEMPDIR)
aFile.write(' <media>CD</media>\n')
aFile.write(' </settings>\n')
aFile.write('</download>\n')
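Review bot: Writing `TEMPDIR` into the `<path>` element persists a per-process random directory into a settings file that outlives the process. The later hunk that sets `path = TEMPDIR` as the default before `self.parse(file)` suggests a stored value is read back on the next run, though the parsing code is outside the diff. Once the original directory has been cleaned from the temp root, that stored name is a fixed, known path that another local user could create first, which is the condition this upload is meant to remove. Consider not persisting the temporary path at all, or on load accepting it only if it exists, is a real directory rather than a symlink, and is owned by the current user, falling back to a fresh `tempfile.mkdtemp()` otherwise.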
@@ -81,7 +84,7 @@
version = util.codename
section = 'main'
arch = util.architecture
- path = '/tmp/aptoncd'
+ path = TEMPDIR
media = 'CD'
try:
node_text = self.parse(file)

