Hi, The attached file is the diff for my aptoncd 0.1-1.2 NMU. The associated changelog entry is:
aptoncd (0.1-1.2) unstable; urgency=medium * Non-maintainer upload. * Replace usage of hard-coded and predictable temporary directory names to prevent symlink-based attacks. Based on a patch by Marcos Marado. (Closes: #496390) Regards, -- Chris Lamb, UK [EMAIL PROTECTED] GPG: 0x634F9A20
diff -Nru aptoncd-0.1/aptoncd.py aptoncd-0.1/aptoncd.py
--- aptoncd-0.1/aptoncd.py 2007-05-01 21:04:19.000000000 +0100
+++ aptoncd-0.1/aptoncd.py 2008-09-09 01:50:39.000000000 +0100
@@ -18,6 +18,7 @@
import RepDownload
import webbrowser
import sys
+import tempfile
from mediaInfo import mediaInfo
from optparse import OptionParser
import msg
@@ -77,7 +78,7 @@
isofile = filename[0]
if os.path.isfile(isofile):
- fromPath = "/tmp/aptoncd-mnt-image/"
+ fromPath = tempfile.mkdtemp()
utils.mkdir(fromPath,True)
command = "gksu --desktop /usr/share/applications/aptoncd.desktop 'mount -o loop %s %s'" % (isofile.replace(' ','\ '), fromPath.replace(' ','\ '))
diff -Nru aptoncd-0.1/config.py aptoncd-0.1/config.py
--- aptoncd-0.1/config.py 2007-05-01 21:04:19.000000000 +0100
+++ aptoncd-0.1/config.py 2008-09-09 01:50:39.000000000 +0100
@@ -51,9 +51,10 @@
LOCAL_APT_FOLDER = "/var/cache/apt/archives/"
-TMP_PATH = "/tmp/aptoncd/"
-if not os.path.isdir(TMP_PATH):
- os.makedirs(TMP_PATH)
+# Don't create un-used temporary directory.
+#TMP_PATH = "/tmp/aptoncd/"
+#if not os.path.isdir(TMP_PATH):
+# os.makedirs(TMP_PATH)
# -- write config --
def write(filename):
diff -Nru aptoncd-0.1/CreateAptOncd.py aptoncd-0.1/CreateAptOncd.py
--- aptoncd-0.1/CreateAptOncd.py 2007-05-01 21:04:19.000000000 +0100
+++ aptoncd-0.1/CreateAptOncd.py 2008-09-09 01:50:39.000000000 +0100
@@ -38,6 +38,7 @@
import utils
import msg
import gzip
+import tempfile
#from mediaInfo import mediaInfo
import mediaInfo
from mediaInfo import aptDiskInfo
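Review bot: `utils.mkdir(fromPath,True)` on the line after the new `fromPath = tempfile.mkdtemp()` is now redundant at best, because mkdtemp has already created the directory, mode 0700 and owned by the caller; the same applies to `self.util.mkdir(tmpdir,True)` in the CreateAptOncd.py hunk. utils.mkdir is defined outside this diff; if its `True` argument means remove-and-recreate, the call reopens exactly the pre-existing-path window the change closes, so either drop it or confirm it is a no-op on an existing directory. Unlike the old fixed path, a mkdtemp directory is never reused, and nothing visible here unmounts or removes it, so each image open leaves a directory under TMPDIR. The `.replace(' ','\ ')` escaping of fromPath in the gksu command line only handles spaces, which mattered less while the path was a fixed constant. The enclosing function starts and ends outside the hunk.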
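Review bot: Removing `TMP_PATH` changes config's public attributes, so any other module that still reads `config.TMP_PATH` now fails with AttributeError at the point of use rather than at import time; this diff does not show whether such readers exist, so the tree should be searched for it before upload. Commented-out code tends to be resurrected, so prefer deleting the three old lines and keeping only an explanatory comment such as `# No shared temporary directory: callers create their own with tempfile.mkdtemp().`. The `un-used` in the new comment should read `unused`.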
@@ -484,9 +485,9 @@
config.write(config.CONFIG_FILE)
metaPackActive = self.ckbtnMetaPackage.get_active()
- tmpdir = "/tmp/aptoncd-c/"
- tmpmetapackageDir = tmpdir +"metapackage/"
- tmppackages = tmpdir + "packages/"
+ tmpdir = tempfile.mkdtemp()
+ tmpmetapackageDir = os.path.join(tmpdir, "metapackage")
+ tmppackages = os.path.join(tmpdir, "packages")
self.util.mkdir(tmpdir,True)
diff -Nru aptoncd-0.1/debian/changelog aptoncd-0.1/debian/changelog
--- aptoncd-0.1/debian/changelog 2008-09-09 01:50:39.000000000 +0100
+++ aptoncd-0.1/debian/changelog 2008-09-09 01:50:39.000000000 +0100
@@ -1,3 +1,12 @@
+aptoncd (0.1-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Replace usage of hard-coded and predictable temporary directory names to
+ prevent against symlink-based attacks. Based on a patch by Marcos Marado.
+ (Closes: #496390)
+
+ -- Chris Lamb <[EMAIL PROTECTED]> Tue, 09 Sep 2008 01:01:52 +0100
+
aptoncd (0.1-1.1) unstable; urgency=low
* Non-maintainer upload.
diff -Nru aptoncd-0.1/xmlfile.py aptoncd-0.1/xmlfile.py
--- aptoncd-0.1/xmlfile.py 2007-05-01 21:04:19.000000000 +0100
+++ aptoncd-0.1/xmlfile.py 2008-09-09 01:50:39.000000000 +0100
@@ -24,11 +24,14 @@
import xml.dom.minidom
import string
+import tempfile
import utils
(BOLVAL, METHOD, HOST, DISTRIBUTION, VERSION, SECTION, ARCHITECTURE, PATH, MEDIA) = range(9)
+TEMPDIR = tempfile.mkdtemp()
+
class XMLFile:
def node_text(self, node):
text = ''
@@ -67,7 +70,7 @@
aFile.write(' <version>%s</version>\n' % util.codename)
aFile.write(' <section>main</section>\n')
aFile.write(' <arch>%s</arch>\n' % util.architecture)
- aFile.write(' <path>/tmp/aptoncd</path>\n')
+ aFile.write(' <path>%s</path>\n' % TEMPDIR)
aFile.write(' <media>CD</media>\n')
aFile.write(' </settings>\n')
aFile.write('</download>\n')
@@ -81,7 +84,7 @@
version = util.codename
section = 'main'
arch = util.architecture
- path = '/tmp/aptoncd'
+ path = TEMPDIR
media = 'CD'
try:
node_text = self.parse(file)
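Review bot: The removed assignments gave `tmpmetapackageDir` and `tmppackages` a trailing slash (`tmpdir +"metapackage/"`), while `os.path.join(tmpdir, "metapackage")` does not, so any later code in this method that builds file names by concatenation (`tmppackages + name`) would now produce `.../packagesname`; the rest of the method is outside the hunk, so its uses of both variables need checking. If such uses exist, the smaller fix is to keep the join and build each file name with `os.path.join(tmppackages, name)` at the use site rather than reintroducing the trailing slash. The new directory also has no visible cleanup, so every run leaves a fresh directory under TMPDIR where previously one path was reused. The enclosing method starts and ends outside the hunk.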
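Review bot: `TEMPDIR = tempfile.mkdtemp()` at module level creates a new directory under TMPDIR every time xmlfile is imported, whether or not the XML path is ever used, and nothing in this diff removes it, which is the opposite of the intent stated in the config.py hunk. Because the value is random per process, the `<path>` written in the second xmlfile hunk (`aFile.write(' <path>%s</path>\n' % TEMPDIR)`) names a directory that will not exist in the next run that parses the file, and the default `path = TEMPDIR` in the third hunk likewise never matches a previously written value; whether callers tolerate a stale path cannot be told from here. Creating the directory lazily in the code that actually needs it, and storing a stable placeholder in the XML, would avoid both issues.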