r1298 - trunk/texinfo

randy at linuxfromscratch.org randy at linuxfromscratch.org
Mon Dec 12 06:35:41 PST 2005


Author: randy
Date: 2005-12-12 07:35:41 -0700 (Mon, 12 Dec 2005)
New Revision: 1298

Added:
   trunk/texinfo/texinfo-4.8-tempfile_fix-2.patch
Log:
Added updated Texinfo tempfile patch

Added: trunk/texinfo/texinfo-4.8-tempfile_fix-2.patch
===================================================================
--- trunk/texinfo/texinfo-4.8-tempfile_fix-2.patch	2005-12-11 02:32:40 UTC (rev 1297)
+++ trunk/texinfo/texinfo-4.8-tempfile_fix-2.patch	2005-12-12 14:35:41 UTC (rev 1298)
@@ -0,0 +1,80 @@
+Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org)
+Date: 2005-12-12
+Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
+Date: 2005-10-08
+Initial Package Version: 4.8
+Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
+Upstream Status: A few patches are floating around in Debian BZ #328365 of which
+                 upstream hasn't made a full commitment on yet.
+Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
+             users to overwrite arbitrary files via a symlink attack on
+             temporary files.
+Update: Changed to not pass a constant string to mktemp().
+
+diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
+--- texinfo-4.8.orig/util/texindex.c	2005-12-11 23:29:08.000000000 -0600
++++ texinfo-4.8/util/texindex.c	2005-12-11 23:33:31.000000000 -0600
+@@ -99,6 +99,9 @@
+ /* Directory to use for temporary files.  On Unix, it ends with a slash.  */
+ char *tempdir;
+ 
++/* Basename for temp files inside of tempdir.  */
++char *tempbase;
++
+ /* Number of last temporary file.  */
+ int tempcount;
+ 
+@@ -153,6 +156,7 @@
+ main (int argc, char **argv)
+ {
+   int i;
++  char template[]="txidxXXXXXX";
+ 
+   tempcount = 0;
+   last_deleted_tempcount = 0;
+@@ -190,6 +194,11 @@
+ 
+   decode_command (argc, argv);
+ 
++  /* XXX mkstemp not appropriate, as we need to have somewhat predictable
++   * names. But race condition was fixed, see maketempname. 
++   */
++  tempbase = mktemp (template);
++
+   /* Process input files completely, one by one.  */
+ 
+   for (i = 0; i < num_infiles; i++)
+@@ -389,21 +398,21 @@
+ static char *
+ maketempname (int count)
+ {
+-  static char *tempbase = NULL;
+   char tempsuffix[10];
+-
+-  if (!tempbase)
+-    {
+-      int fd;
+-      tempbase = concat (tempdir, "txidxXXXXXX");
+-
+-      fd = mkstemp (tempbase);
+-      if (fd == -1)
+-        pfatal_with_name (tempbase);
+-    }
++  char *name, *tmp_name;
++  int fd;
+ 
+   sprintf (tempsuffix, ".%d", count);
+-  return concat (tempbase, tempsuffix);
++  tmp_name = concat (tempdir, tempbase);
++  name = concat (tmp_name, tempsuffix);
++  free(tmp_name);
++
++  fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
++  if (fd == -1)
++    pfatal_with_name (name);
++
++  close(fd);
++  return name;
+ }
+ 
+




More information about the patches mailing list