@ -0,0 +1,82 @@ |
|
|
|
Copied from www.linuxfromscratch.org to ROCK Linux. |
|
|
|
|
|
|
|
Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org) |
|
|
|
Date: 2005-12-12 |
|
|
|
Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org) |
|
|
|
Date: 2005-10-08 |
|
|
|
Initial Package Version: 4.8 |
|
|
|
Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch |
|
|
|
Upstream Status: A few patches are floating around in Debian BZ #328365 of which |
|
|
|
upstream hasn't made a full commitment on yet. |
|
|
|
Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local |
|
|
|
users to overwrite arbitrary files via a symlink attack on |
|
|
|
temporary files. |
|
|
|
Update: Changed to not pass a constant string to mktemp(). |
|
|
|
|
|
|
|
diff -Naur texinfo-4.9.orig/util/texindex.c texinfo-4.9/util/texindex.c
|
|
|
|
--- texinfo-4.9.orig/util/texindex.c 2007-07-23 07:11:38.000000000 -0400
|
|
|
|
+++ texinfo-4.9/util/texindex.c 2007-07-23 07:11:49.000000000 -0400
|
|
|
|
@@ -99,6 +99,9 @@
|
|
|
|
/* Directory to use for temporary files. On Unix, it ends with a slash. */ |
|
|
|
char *tempdir; |
|
|
|
|
|
|
|
+/* Basename for temp files inside of tempdir. */
|
|
|
|
+char *tempbase;
|
|
|
|
+
|
|
|
|
/* Number of last temporary file. */ |
|
|
|
int tempcount; |
|
|
|
|
|
|
|
@@ -153,6 +156,7 @@
|
|
|
|
main (int argc, char **argv) |
|
|
|
{ |
|
|
|
int i; |
|
|
|
+ char template[]="txidxXXXXXX";
|
|
|
|
|
|
|
|
tempcount = 0; |
|
|
|
last_deleted_tempcount = 0; |
|
|
|
@@ -190,6 +194,11 @@
|
|
|
|
|
|
|
|
decode_command (argc, argv); |
|
|
|
|
|
|
|
+ /* XXX mkstemp not appropriate, as we need to have somewhat predictable
|
|
|
|
+ * names. But race condition was fixed, see maketempname.
|
|
|
|
+ */
|
|
|
|
+ tempbase = mktemp (template);
|
|
|
|
+
|
|
|
|
/* Process input files completely, one by one. */ |
|
|
|
|
|
|
|
for (i = 0; i < num_infiles; i++) |
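Review bot: The result of `mktemp (template)` in main is stored without a check, and mktemp tests uniqueness against the relative name `txidxXXXXXX` in the current directory, not against tempdir. On glibc a failed mktemp leaves the template as an empty string, so tempbase would silently become `""` and every temporary file would be named just `<tempdir>.N`; a guard such as `if (!tempbase || !*tempbase) pfatal_with_name ("txidxXXXXXX");` makes that failure explicit. The added comment should also say that the generated name gives no protection by itself and that safety rests on the exclusive open in maketempname, e.g. `/* mktemp only picks a basename; exclusive creation happens in maketempname. */`. tempbase points into main's automatic `template` array, which is valid only while main is executing; if any cleanup path runs after main returns (not visible here), it would need a static or heap copy. main's body continues outside the hunk.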
|
|
|
@@ -390,21 +399,21 @@
|
|
|
|
static char * |
|
|
|
maketempname (int count) |
|
|
|
{ |
|
|
|
- static char *tempbase = NULL;
|
|
|
|
char tempsuffix[10]; |
|
|
|
-
|
|
|
|
- if (!tempbase)
|
|
|
|
- {
|
|
|
|
- int fd;
|
|
|
|
- tempbase = concat (tempdir, "txidxXXXXXX");
|
|
|
|
-
|
|
|
|
- fd = mkstemp (tempbase);
|
|
|
|
- if (fd == -1)
|
|
|
|
- pfatal_with_name (tempbase);
|
|
|
|
- }
|
|
|
|
+ char *name, *tmp_name;
|
|
|
|
+ int fd;
|
|
|
|
|
|
|
|
sprintf (tempsuffix, ".%d", count); |
|
|
|
- return concat (tempbase, tempsuffix);
|
|
|
|
+ tmp_name = concat (tempdir, tempbase);
|
|
|
|
+ name = concat (tmp_name, tempsuffix);
|
|
|
|
+ free(tmp_name);
|
|
|
|
+
|
|
|
|
+ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
|
|
|
|
+ if (fd == -1)
|
|
|
|
+ pfatal_with_name (name);
|
|
|
|
+
|
|
|
|
+ close(fd);
|
|
|
|
+ return name;
|
|
|
|
} |
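Review bot: maketempname now creates the file exclusively, then closes it and returns only the path, so callers that reopen it by name (outside this hunk, presumably with fopen) depend on tempdir being sticky or private for the fix to hold. `O_CREAT|O_EXCL` does refuse an existing file or symlink at the final path component, which addresses the reported overwrite, but that dependency deserves a comment above the open, e.g. `/* Exclusive create rejects pre-placed files and symlinks; callers reopen by path, so tempdir must be sticky or private. */`. Every call now creates a file, so any caller that asks for the same count twice, or only recomputes a name in order to delete it, would end in pfatal_with_name with EEXIST; the callers should be checked. The context line `sprintf (tempsuffix, ".%d", count);` writes into a 10-byte buffer and would be safer as `snprintf (tempsuffix, sizeof tempsuffix, ".%d", count);`. The hunk also does not show whether `<fcntl.h>` is included for the O_* flags.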