| [69cde8d] | 1 | Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org) |
|---|
| 2 | Date: 2005-12-12 |
|---|
| 3 | Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org) |
|---|
| 4 | Date: 2005-10-08 |
|---|
| 5 | Initial Package Version: 4.8 |
|---|
| 6 | Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch |
|---|
| 7 | Upstream Status: A few patches are floating around in Debian BZ #328365 of which |
|---|
| 8 | upstream hasn't made a full commitment on yet. |
|---|
| 9 | Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local |
|---|
| 10 | users to overwrite arbitrary files via a symlink attack on |
|---|
| 11 | temporary files. |
|---|
| 12 | Update: Changed to not pass a constant string to mktemp(). |
|---|
| 13 | |
|---|
| [d5d259c] | 14 | diff -Naur texinfo-4.9.orig/util/texindex.c texinfo-4.9/util/texindex.c |
|---|
| 15 | --- texinfo-4.9.orig/util/texindex.c 2007-07-23 07:11:38.000000000 -0400 |
|---|
| 16 | +++ texinfo-4.9/util/texindex.c 2007-07-23 07:11:49.000000000 -0400 |
|---|
| [69cde8d] | 17 | @@ -99,6 +99,9 @@ |
|---|
| 18 | /* Directory to use for temporary files. On Unix, it ends with a slash. */ |
|---|
| 19 | char *tempdir; |
|---|
| 20 | |
|---|
| 21 | +/* Basename for temp files inside of tempdir. */ |
|---|
| 22 | +char *tempbase; |
|---|
| 23 | + |
|---|
| 24 | /* Number of last temporary file. */ |
|---|
| 25 | int tempcount; |
|---|
| 26 | |
|---|
| 27 | @@ -153,6 +156,7 @@ |
|---|
| 28 | main (int argc, char **argv) |
|---|
| 29 | { |
|---|
| 30 | int i; |
|---|
| 31 | + char template[]="txidxXXXXXX"; |
|---|
| 32 | |
|---|
| 33 | tempcount = 0; |
|---|
| 34 | last_deleted_tempcount = 0; |
|---|
| 35 | @@ -190,6 +194,11 @@ |
|---|
| 36 | |
|---|
| 37 | decode_command (argc, argv); |
|---|
| 38 | |
|---|
| 39 | + /* XXX mkstemp not appropriate, as we need to have somewhat predictable |
|---|
| 40 | + * names. But race condition was fixed, see maketempname. |
|---|
| 41 | + */ |
|---|
| 42 | + tempbase = mktemp (template); |
|---|
| 43 | + |
|---|
| 44 | /* Process input files completely, one by one. */ |
|---|
| 45 | |
|---|
| 46 | for (i = 0; i < num_infiles; i++) |
|---|
| [d5d259c] | 47 | @@ -390,21 +399,21 @@ |
|---|
| [69cde8d] | 48 | static char * |
|---|
| 49 | maketempname (int count) |
|---|
| 50 | { |
|---|
| 51 | - static char *tempbase = NULL; |
|---|
| 52 | char tempsuffix[10]; |
|---|
| 53 | - |
|---|
| 54 | - if (!tempbase) |
|---|
| 55 | - { |
|---|
| 56 | - int fd; |
|---|
| 57 | - tempbase = concat (tempdir, "txidxXXXXXX"); |
|---|
| 58 | - |
|---|
| 59 | - fd = mkstemp (tempbase); |
|---|
| 60 | - if (fd == -1) |
|---|
| 61 | - pfatal_with_name (tempbase); |
|---|
| 62 | - } |
|---|
| 63 | + char *name, *tmp_name; |
|---|
| 64 | + int fd; |
|---|
| 65 | |
|---|
| 66 | sprintf (tempsuffix, ".%d", count); |
|---|
| 67 | - return concat (tempbase, tempsuffix); |
|---|
| 68 | + tmp_name = concat (tempdir, tempbase); |
|---|
| 69 | + name = concat (tmp_name, tempsuffix); |
|---|
| 70 | + free(tmp_name); |
|---|
| 71 | + |
|---|
| 72 | + fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600); |
|---|
| 73 | + if (fd == -1) |
|---|
| 74 | + pfatal_with_name (name); |
|---|
| 75 | + |
|---|
| 76 | + close(fd); |
|---|
| 77 | + return name; |
|---|
| 78 | } |
|---|
| 79 | |
|---|
| [d5d259c] | 80 | |
|---|
