source:
patches/texinfo-4.9-tempfile_fix-1.patch@
a063414
Last change on this file since a063414 was d5d259c, checked in by , 17 years ago | |
---|---|
|
|
File size: 2.2 KB |
-
util/texindex.c
Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org) Date: 2005-12-12 Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org) Date: 2005-10-08 Initial Package Version: 4.8 Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch Upstream Status: A few patches are floating around in Debian BZ #328365 of which upstream hasn't made a full commitment on yet. Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. Update: Changed to not pass a constant string to mktemp(). diff -Naur texinfo-4.9.orig/util/texindex.c texinfo-4.9/util/texindex.c
old new 99 99 /* Directory to use for temporary files. On Unix, it ends with a slash. */ 100 100 char *tempdir; 101 101 102 /* Basename for temp files inside of tempdir. */ 103 char *tempbase; 104 102 105 /* Number of last temporary file. */ 103 106 int tempcount; 104 107 … … 153 156 main (int argc, char **argv) 154 157 { 155 158 int i; 159 char template[]="txidxXXXXXX"; 156 160 157 161 tempcount = 0; 158 162 last_deleted_tempcount = 0; … … 190 194 191 195 decode_command (argc, argv); 192 196 197 /* XXX mkstemp not appropriate, as we need to have somewhat predictable 198 * names. But race condition was fixed, see maketempname. 199 */ 200 tempbase = mktemp (template); 201 193 202 /* Process input files completely, one by one. */ 194 203 195 204 for (i = 0; i < num_infiles; i++) … … 390 399 static char * 391 400 maketempname (int count) 392 401 { 393 static char *tempbase = NULL;394 402 char tempsuffix[10]; 395 396 if (!tempbase) 397 { 398 int fd; 399 tempbase = concat (tempdir, "txidxXXXXXX"); 400 401 fd = mkstemp (tempbase); 402 if (fd == -1) 403 pfatal_with_name (tempbase); 404 } 403 char *name, *tmp_name; 404 int fd; 405 405 406 406 sprintf (tempsuffix, ".%d", count); 407 return concat (tempbase, tempsuffix); 407 tmp_name = concat (tempdir, tempbase); 408 name = concat (tmp_name, tempsuffix); 409 free(tmp_name); 410 411 fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600); 412 if (fd == -1) 413 pfatal_with_name (name); 414 415 close(fd); 416 return name; 408 417 } 409 418 410 419
Note:
See TracBrowser
for help on using the repository browser.