| [69cde8d] | 1 | Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org)
|
|---|
| 2 | Date: 2005-12-12
|
|---|
| 3 | Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
|
|---|
| 4 | Date: 2005-10-08
|
|---|
| 5 | Initial Package Version: 4.8
|
|---|
| 6 | Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
|
|---|
| 7 | Upstream Status: A few patches are floating around in Debian BZ #328365 of which
|
|---|
| 8 | upstream hasn't made a full commitment on yet.
|
|---|
| 9 | Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
|
|---|
| 10 | users to overwrite arbitrary files via a symlink attack on
|
|---|
| 11 | temporary files.
|
|---|
| 12 | Update: Changed to not pass a constant string to mktemp().
|
|---|
| 13 |
|
|---|
| 14 | diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
|
|---|
| 15 | --- texinfo-4.8.orig/util/texindex.c 2005-12-11 23:29:08.000000000 -0600
|
|---|
| 16 | +++ texinfo-4.8/util/texindex.c 2005-12-11 23:33:31.000000000 -0600
|
|---|
| 17 | @@ -99,6 +99,9 @@
|
|---|
| 18 | /* Directory to use for temporary files. On Unix, it ends with a slash. */
|
|---|
| 19 | char *tempdir;
|
|---|
| 20 |
|
|---|
| 21 | +/* Basename for temp files inside of tempdir. */
|
|---|
| 22 | +char *tempbase;
|
|---|
| 23 | +
|
|---|
| 24 | /* Number of last temporary file. */
|
|---|
| 25 | int tempcount;
|
|---|
| 26 |
|
|---|
| 27 | @@ -153,6 +156,7 @@
|
|---|
| 28 | main (int argc, char **argv)
|
|---|
| 29 | {
|
|---|
| 30 | int i;
|
|---|
| 31 | + char template[]="txidxXXXXXX";
|
|---|
| 32 |
|
|---|
| 33 | tempcount = 0;
|
|---|
| 34 | last_deleted_tempcount = 0;
|
|---|
| 35 | @@ -190,6 +194,11 @@
|
|---|
| 36 |
|
|---|
| 37 | decode_command (argc, argv);
|
|---|
| 38 |
|
|---|
| 39 | + /* XXX mkstemp not appropriate, as we need to have somewhat predictable
|
|---|
| 40 | + * names. But race condition was fixed, see maketempname.
|
|---|
| 41 | + */
|
|---|
| 42 | + tempbase = mktemp (template);
|
|---|
| 43 | +
|
|---|
| 44 | /* Process input files completely, one by one. */
|
|---|
| 45 |
|
|---|
| 46 | for (i = 0; i < num_infiles; i++)
|
|---|
| 47 | @@ -389,21 +398,21 @@
|
|---|
| 48 | static char *
|
|---|
| 49 | maketempname (int count)
|
|---|
| 50 | {
|
|---|
| 51 | - static char *tempbase = NULL;
|
|---|
| 52 | char tempsuffix[10];
|
|---|
| 53 | -
|
|---|
| 54 | - if (!tempbase)
|
|---|
| 55 | - {
|
|---|
| 56 | - int fd;
|
|---|
| 57 | - tempbase = concat (tempdir, "txidxXXXXXX");
|
|---|
| 58 | -
|
|---|
| 59 | - fd = mkstemp (tempbase);
|
|---|
| 60 | - if (fd == -1)
|
|---|
| 61 | - pfatal_with_name (tempbase);
|
|---|
| 62 | - }
|
|---|
| 63 | + char *name, *tmp_name;
|
|---|
| 64 | + int fd;
|
|---|
| 65 |
|
|---|
| 66 | sprintf (tempsuffix, ".%d", count);
|
|---|
| 67 | - return concat (tempbase, tempsuffix);
|
|---|
| 68 | + tmp_name = concat (tempdir, tempbase);
|
|---|
| 69 | + name = concat (tmp_name, tempsuffix);
|
|---|
| 70 | + free(tmp_name);
|
|---|
| 71 | +
|
|---|
| 72 | + fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
|
|---|
| 73 | + if (fd == -1)
|
|---|
| 74 | + pfatal_with_name (name);
|
|---|
| 75 | +
|
|---|
| 76 | + close(fd);
|
|---|
| 77 | + return name;
|
|---|
| 78 | }
|
|---|
| 79 |
|
|---|
| 80 |
|
|---|
