Hi, attached is a patch that fixes the mentioned issues. It will also be archived at: http://people.debian.org/~nion/nmu-diff/wml-2.0.11-3_2.0.11-3.1.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u wml-2.0.11/debian/changelog wml-2.0.11/debian/changelog
--- wml-2.0.11/debian/changelog
+++ wml-2.0.11/debian/changelog
@@ -1,3 +1,11 @@
+wml (2.0.11-3.1) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * Fix insecure temporary file creations leading to
+ possible symlink attacks (Closes: #463907).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Thu, 07 Feb 2008 12:01:43 +0100
+
wml (2.0.11-3) unstable; urgency=low
[ Luk Claes ]
diff -u wml-2.0.11/wml_contrib/wmg.cgi wml-2.0.11/wml_contrib/wmg.cgi
--- wml-2.0.11/wml_contrib/wmg.cgi
+++ wml-2.0.11/wml_contrib/wmg.cgi
@@ -366,14 +366,14 @@
($w, $h, $t) = Image::Size::imgsize(\$contents);
if ($w*$h == 1) {
# read image into GD
- $tmpfile = "/tmp/pe.tmp.$$";
+ $tmpfile = mkstemp("/tmp/pe.tmpXXXXXX") or die "Unable to create temporary file$!\n";
unlink($tmpfile);
- open(TMP, ">$tmpfile");
+ open(TMP, ">$tmpfile") || error("cannot write into $tmpfile: $!");
print TMP $contents;
- close(TMP);
- open(TMP, "<$tmpfile");
+ close(TMP) || error("cannot close $tmpfile: $!");
+ open(TMP, "<$tmpfile") || error("cannot write into $tmpfile: $!");
$tmpimg = newFromGif GD::Image(TMP);
- close(TMP);
+ close(TMP) || error("cannot close $tmpfile: $!");
unlink($tmpfile);
if ($tmpimg->transparent != -1) {
my $im = new GD::Image($w, $h);
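Review bot: The temporary file is still deleted and reopened by name: `unlink($tmpfile)` followed by `open(TMP, ">$tmpfile")` throws away the exclusive create that mkstemp performed, so a link planted at that path between the two calls would still be followed. Assuming this is File::Temp's mkstemp (the import is outside the hunk), it returns only the filehandle in scalar context, so `$tmpfile` would not hold a path at all, and it croaks on failure instead of returning false, which makes the `or die` dead code. Writing and reading through the returned handle removes both problems. The surrounding block starts and ends outside the hunk.

```perl
# … unchanged: imgsize() call and the $w*$h == 1 test …
($tmpfh, $tmpfile) = mkstemp("/tmp/pe.tmpXXXXXX");
binmode($tmpfh);
print $tmpfh $contents;
seek($tmpfh, 0, 0) || error("cannot rewind $tmpfile: $!");
$tmpimg = newFromGif GD::Image($tmpfh);
close($tmpfh) || error("cannot close $tmpfile: $!");
unlink($tmpfile);
# … unchanged: transparency handling …
```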
diff -u wml-2.0.11/wml_backend/p1_ipp/ipp.src wml-2.0.11/wml_backend/p1_ipp/ipp.src
--- wml-2.0.11/wml_backend/p1_ipp/ipp.src
+++ wml-2.0.11/wml_backend/p1_ipp/ipp.src
@@ -566,6 +566,8 @@
# process the pre-loaded include files
#
$tmpdir = $ENV{'TMPDIR'} || '/tmp';
+my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
+$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";
$tmpfile = $tmpdir . "/ipp.$$.tmp";
unlink($tmpfile);
$tmp = new IO::File;
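Review bot: Nothing visible in this hunk removes the directory created by `mkdtemp($tmpldir)`, so unless cleanup happens further down (the code continues outside the hunk) every run leaves an `ipp.XXXXXX` directory behind in TMPDIR. Either add `rmdir($tmpdir);` after the final `unlink($tmpfile)`, or, if File::Temp is what provides mkdtemp here, use `$tmpdir = tempdir('ipp.XXXXXX', DIR => $tmpdir, CLEANUP => 1);`. The template line also recomputes the value assigned just above it; `my $tmpldir = $tmpdir . '/ipp.XXXXXX';` says the same thing once.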
only in patch2:
unchanged:
--- wml-2.0.11.orig/wml_backend/p3_eperl/eperl_sys.c
+++ wml-2.0.11/wml_backend/p3_eperl/eperl_sys.c
@@ -211,13 +211,20 @@
{
char ca[1024];
char *cp, *tmpdir;
+ char tmpfile[]="eperl_sourceXXXXXX";
int i;
+ int fd=-1;
tmpdir = getenv ("TMPDIR");
if (tmpdir == (char *) NULL)
tmpdir="/tmp";
- snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
+ snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
+ if((fd = mkstemp(tmpfile)) == -1){
+ perror("can not create tmpfile");
+ return NULL;
+ }
+ close(fd);
ca[sizeof(ca)-1] = NUL;
cp = strdup(ca);
for (i = 0; mytmpfiles[i] != NULL; i++)
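Review bot: The name returned to the caller is not the file that mkstemp created. `ca` is formatted from the template before mkstemp fills it in, so it always holds the literal `<tmpdir>/eperl_sourceXXXXXX`, a fixed and predictable path, while `mkstemp(tmpfile)` receives a relative template and creates its file in the current working directory, where it is never removed. The symlink exposure on the path handed out therefore remains. Build the template in `ca` and pass that buffer instead: `snprintf(ca, sizeof(ca), "%s/%s.XXXXXX", tmpdir, id);` followed by `if ((fd = mkstemp(ca)) == -1) {`, which also keeps `id` in the name and makes the separate `tmpfile` array unnecessary. The function begins and continues outside the hunk, so how callers reopen the returned path cannot be checked from here.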

