Package: po4a
Version: 0.29-1
Severity: grave
Tags: security patch

If you run po4a-gettextize on contents that do not get converted to PO files due to some issue, the script will dump its results in /tmp/gettextization.failed.po.

The script uses a file in the /tmp directory but does not try to prevent a symlink attack. A malicious user could create a symlink named like that in the temporary directory and pointing to one of the user's files, so that when a user runs po4a-gettextize (and it fails) the file the symlink pointed to would get overwritten.

The fix is, IMHO, simple: just dump the results in the local directory, don't use /tmp at all (it is, after all, unnecessary). The attached patch to /usr/share/perl5/Locale/Po4a/Po.pm fixes this issue.

Regards

Javier
--- Po.pm.orig 2007-06-16 02:10:41.000000000 +0200 +++ Po.pm 2007-06-16 02:10:55.000000000 +0200 @@ -451,14 +451,14 @@ # Make sure both type are the same # if ($typeorig ne $typetrans){ - $pores->write("/tmp/gettextization.failed.po"); + $pores->write("gettextization.failed.po"); die wrap_msg(dgettext("po4a", "po4a gettextization: Structure disparity between original and translated files:\n". "msgid (at %s) is of type '%s' while\n". "msgstr (at %s) is of type '%s'.\n". "Original text: %s\n". "Translated text: %s\n". - "(result so far dumped to /tmp/gettextization.failed.po)")."%s", + "(result so far dumped to gettextization.failed.po)")."%s", $reforig, $typeorig, $reftrans, $typetrans, $orig, $trans,$toobad); }
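Review bot: the relative name "gettextization.failed.po" in both changed lines is resolved against whatever directory the user ran po4a-gettextize from, so if that happens to be a world-writable directory such as /tmp the same symlink clobber is still possible; opening the dump with O_CREAT|O_EXCL (sysopen) or through File::Temp in the current directory would close that gap for good. Also, the die message unconditionally reports "(result so far dumped to gettextization.failed.po)" whether or not $pores->write succeeded, so either check the write result before claiming the dump exists or interpolate the actual path written (ideally absolute) into the message, so a user with a read-only cwd isn't told a file exists that was never created.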
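The attack described in the report, and the open flags that defeat it, as an added example that is not part of the bug report or of po4a's own code. It builds a throwaway sandbox directory (an assumption; the victim file, the planted symlink and the PO contents are all constructed here), writes the dump once the way a plain `open '>'` does and once with `O_CREAT|O_EXCL`, which POSIX specifies must fail with EEXIST whenever the path is a symlink, regardless of where the link points.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);
use File::Spec;

# Vulnerable pattern: a fixed, predictable name opened for writing.
# open('>') follows a symlink sitting at $path and truncates its target.
sub dump_unsafe {
    my ($path, $content) = @_;
    open(my $fh, '>', $path) or die "open $path: $!\n";
    print $fh $content;
    close $fh;
    return $path;
}

# Hardened pattern: O_EXCL makes the open fail if anything already exists
# at $path, and a symlink counts as "existing" even when its target does
# not, so a planted link can never be followed. Mode 0600 keeps the partial
# PO private to the user.
sub dump_safe {
    my ($path, $content) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to write $path: $!\n";
    print $fh $content;
    close $fh;
    return $path;
}

sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "read $path: $!\n";
    local $/;
    return <$fh>;
}

# --- constructed demonstration -------------------------------------------
# Sandbox stands in for /tmp (or for a world-writable cwd); CLEANUP removes it.
my $sandbox = tempdir(CLEANUP => 1);

# The victim's own file that the attacker wants clobbered.
my $victim = File::Spec->catfile($sandbox, 'important.txt');
open(my $v, '>', $victim) or die "create victim: $!\n";
print $v "data the user cares about\n";
close $v;

# What the attacker plants in advance: the predictable dump name -> victim.
my $dump = File::Spec->catfile($sandbox, 'gettextization.failed.po');
symlink($victim, $dump) or die "symlink: $!\n";

my $partial_po = "# partial PO dumped after a gettextization failure\n";

# 1. The unsafe writer follows the link and overwrites the victim.
dump_unsafe($dump, $partial_po);
print "after unsafe dump, victim contains: ", slurp($victim);

# The symlink itself is untouched by the write, so it is still in place.
# 2. The hardened writer refuses because a symlink already occupies $dump.
eval { dump_safe($dump, $partial_po) };
print "hardened dump refused: $@" if $@;
print "victim unchanged by hardened attempt: ", slurp($victim);

# 3. With nothing planted, the hardened writer creates a fresh regular file.
unlink $dump or die "unlink: $!\n";
dump_safe($dump, $partial_po);
print "hardened dump succeeded, is regular file: ", (-f $dump && !-l $dump ? "yes" : "no"), "\n";
```

On a second failed run the hardened writer will refuse to overwrite the previous dump, which is the intended trade-off: either remove the old file first or hand the naming to File::Temp, for example `tempfile('gettextization.failed.XXXXXX', DIR => '.', SUFFIX => '.po', UNLINK => 0)`, which applies the same exclusive-create open under a unique name and returns the path to report in the error message.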