tags 496359 confirmed patch
thanks
Dmitry E. Oboukhov wrote:
> Package: citadel-server
> Severity: grave
>
> Hi, maintainer!
>
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
This can indeed be used for symlink attacks during the postinst phase; the
attached patch fixes it.
Cheers,
Moritz
diff -Naur citadel-7.37.orig/migrate_aliases.sh citadel-7.37/migrate_aliases.sh
--- citadel-7.37.orig/migrate_aliases.sh 2008-06-19 21:16:58.000000000 +0200
+++ citadel-7.37/migrate_aliases.sh 2008-08-26 22:55:45.000000000 +0200
@@ -4,6 +4,8 @@
exit
fi
+TMPFILE=`mktemp`
+
CITALIAS=$1
if test -f /etc/aliases; then
cat /etc/aliases | \
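Review bot: The result of `mktemp` on the added `TMPFILE=` line is never checked, so a failed call leaves `TMPFILE` empty and the script carries on, which matters because it runs with root privileges during postinst. With an empty value, the unquoted `> $TMPFILE` in the second hunk becomes an ambiguous redirect in bash, and `cat $TMPFILE` and `head -n $i $TMPFILE` fall back to reading stdin. The assignment should read `TMPFILE=$(mktemp) || exit 1`, and the three later uses should be quoted as `"$TMPFILE"`. Neither hunk shows the temporary file being removed; if the rest of the script does not delete it, add `trap 'rm -f "$TMPFILE"' EXIT` right after the assignment. The script continues outside both hunks, so a later cleanup may already exist.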
@@ -12,12 +14,12 @@
grep -v ^root: | \
grep -v ^# | \
sed -e "s;:root;,room_aide;" \
- -e "s;:;,;" >/tmp/aliases
+ -e "s;:;,;" > $TMPFILE
- NLINES=`cat /tmp/aliases|wc -l`
+ NLINES=`cat $TMPFILE |wc -l`
for ((i=1; i <= $NLINES; i++)); do
- ALIAS=`head -n $i /tmp/aliases |tail -n 1`
+ ALIAS=`head -n $i $TMPFILE |tail -n 1`
ORG=`echo $ALIAS|sed "s;,.*;;"`
if grep "$ORG" "$CITALIAS"; then
echo "Ignoring Alias $ORG as its alreday there"