source: patches/texinfo-4.8-tempfile_fix-2.patch@ 51f1397

clfs-1.2 clfs-2.1 clfs-3.0.0-systemd clfs-3.0.0-sysvinit systemd sysvinit
Last change on this file since 51f1397 was 69cde8d, checked in by Jim Gifford <clfs@…>, 19 years ago

Added: All patches needed for the book.

  • Property mode set to 100644
File size: 2.2 KB
RevLine 
[69cde8d]1Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org)
2Date: 2005-12-12
3Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
4Date: 2005-10-08
5Initial Package Version: 4.8
6Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
7Upstream Status: A few patches are floating around in Debian BZ #328365 of which
8 upstream hasn't made a full commitment on yet.
9Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
10 users to overwrite arbitrary files via a symlink attack on
11 temporary files.
12Update: Changed to not pass a constant string to mktemp().
13
14diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
15--- texinfo-4.8.orig/util/texindex.c 2005-12-11 23:29:08.000000000 -0600
16+++ texinfo-4.8/util/texindex.c 2005-12-11 23:33:31.000000000 -0600
17@@ -99,6 +99,9 @@
18 /* Directory to use for temporary files. On Unix, it ends with a slash. */
19 char *tempdir;
20
21+/* Basename for temp files inside of tempdir. */
22+char *tempbase;
23+
24 /* Number of last temporary file. */
25 int tempcount;
26
27@@ -153,6 +156,7 @@
28 main (int argc, char **argv)
29 {
30 int i;
31+ char template[]="txidxXXXXXX";
32
33 tempcount = 0;
34 last_deleted_tempcount = 0;
35@@ -190,6 +194,11 @@
36
37 decode_command (argc, argv);
38
39+ /* XXX mkstemp not appropriate, as we need to have somewhat predictable
40+ * names. But race condition was fixed, see maketempname.
41+ */
42+ tempbase = mktemp (template);
43+
44 /* Process input files completely, one by one. */
45
46 for (i = 0; i < num_infiles; i++)
47@@ -389,21 +398,21 @@
48 static char *
49 maketempname (int count)
50 {
51- static char *tempbase = NULL;
52 char tempsuffix[10];
53-
54- if (!tempbase)
55- {
56- int fd;
57- tempbase = concat (tempdir, "txidxXXXXXX");
58-
59- fd = mkstemp (tempbase);
60- if (fd == -1)
61- pfatal_with_name (tempbase);
62- }
63+ char *name, *tmp_name;
64+ int fd;
65
66 sprintf (tempsuffix, ".%d", count);
67- return concat (tempbase, tempsuffix);
68+ tmp_name = concat (tempdir, tempbase);
69+ name = concat (tmp_name, tempsuffix);
70+ free(tmp_name);
71+
72+ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
73+ if (fd == -1)
74+ pfatal_with_name (name);
75+
76+ close(fd);
77+ return name;
78 }
79
80
Note: See TracBrowser for help on using the repository browser.