source:
patches/texinfo-4.8a-tempfile_fix-1.patch@
7030b60
      
      | Last change on this file since 7030b60 was cb1644e3, checked in by , 19 years ago | |
|---|---|
| 
 | |
| File size: 2.2 KB | |
- 
      util/texindex.cUpdated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org) Date: 2005-12-12 Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org) Date: 2005-10-08 Initial Package Version: 4.8 Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch Upstream Status: A few patches are floating around in Debian BZ #328365 of which upstream hasn't made a full commitment on yet. Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. Update: Changed to not pass a constant string to mktemp(). diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.cold new 99 99 /* Directory to use for temporary files. On Unix, it ends with a slash. */ 100 100 char *tempdir; 101 101 102 /* Basename for temp files inside of tempdir. */ 103 char *tempbase; 104 102 105 /* Number of last temporary file. */ 103 106 int tempcount; 104 107 … … 153 156 main (int argc, char **argv) 154 157 { 155 158 int i; 159 char template[]="txidxXXXXXX"; 156 160 157 161 tempcount = 0; 158 162 last_deleted_tempcount = 0; … … 190 194 191 195 decode_command (argc, argv); 192 196 197 /* XXX mkstemp not appropriate, as we need to have somewhat predictable 198 * names. But race condition was fixed, see maketempname. 199 */ 200 tempbase = mktemp (template); 201 193 202 /* Process input files completely, one by one. */ 194 203 195 204 for (i = 0; i < num_infiles; i++) … … 389 398 static char * 390 399 maketempname (int count) 391 400 { 392 static char *tempbase = NULL;393 401 char tempsuffix[10]; 394 395 if (!tempbase) 396 { 397 int fd; 398 tempbase = concat (tempdir, "txidxXXXXXX"); 399 400 fd = mkstemp (tempbase); 401 if (fd == -1) 402 pfatal_with_name (tempbase); 403 } 402 char *name, *tmp_name; 403 int fd; 404 404 405 405 sprintf (tempsuffix, ".%d", count); 406 return concat (tempbase, tempsuffix); 406 tmp_name = concat (tempdir, tempbase); 407 name = concat (tmp_name, tempsuffix); 408 free(tmp_name); 409 410 fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600); 411 if (fd == -1) 412 pfatal_with_name (name); 413 414 close(fd); 415 return name; 407 416 } 408 417 409 418 
  Note:
 See   TracBrowser
 for help on using the repository browser.
    
