source: patches/texinfo-4.8a-tempfile_fix-1.patch@ de85b1a

clfs-1.2 clfs-2.1 clfs-3.0.0-systemd clfs-3.0.0-sysvinit systemd sysvinit
Last change on this file since de85b1a was cb1644e3, checked in by Jim Gifford <clfs@…>, 18 years ago

Added: texinfo-4.8a-tempfile_fix-1.patch

  • Property mode set to 100644
File size: 2.2 KB
  • util/texindex.c

    Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org)
    Date: 2005-12-12
    Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
    Date: 2005-10-08
    Initial Package Version: 4.8
    Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
    Upstream Status: A few patches are floating around in Debian BZ #328365 of which
                     upstream hasn't made a full commitment on yet.
    Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
                 users to overwrite arbitrary files via a symlink attack on
                 temporary files.
    Update: Changed to not pass a constant string to mktemp().
    
    diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
    old new  
    9999/* Directory to use for temporary files.  On Unix, it ends with a slash.  */
    100100char *tempdir;
    101101
     102/* Basename for temp files inside of tempdir.  */
     103char *tempbase;
     104
    102105/* Number of last temporary file.  */
    103106int tempcount;
    104107
     
    153156main (int argc, char **argv)
    154157{
    155158  int i;
     159  char template[]="txidxXXXXXX";
    156160
    157161  tempcount = 0;
    158162  last_deleted_tempcount = 0;
     
    190194
    191195  decode_command (argc, argv);
    192196
     197  /* XXX mkstemp not appropriate, as we need to have somewhat predictable
     198   * names. But race condition was fixed, see maketempname.
     199   */
     200  tempbase = mktemp (template);
     201
    193202  /* Process input files completely, one by one.  */
    194203
    195204  for (i = 0; i < num_infiles; i++)
     
    389398static char *
    390399maketempname (int count)
    391400{
    392   static char *tempbase = NULL;
    393401  char tempsuffix[10];
    394 
    395   if (!tempbase)
    396     {
    397       int fd;
    398       tempbase = concat (tempdir, "txidxXXXXXX");
    399 
    400       fd = mkstemp (tempbase);
    401       if (fd == -1)
    402         pfatal_with_name (tempbase);
    403     }
     402  char *name, *tmp_name;
     403  int fd;
    404404
    405405  sprintf (tempsuffix, ".%d", count);
    406   return concat (tempbase, tempsuffix);
     406  tmp_name = concat (tempdir, tempbase);
     407  name = concat (tmp_name, tempsuffix);
     408  free(tmp_name);
     409
     410  fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
     411  if (fd == -1)
     412    pfatal_with_name (name);
     413
     414  close(fd);
     415  return name;
    407416}
    408417
    409418
Note: See TracBrowser for help on using the repository browser.