SOURCES: texinfo-CVE-2005-3011.patch (NEW) - added -CVE-2005-3011....
twittner
twittner at pld-linux.org
Mon Apr 10 22:47:41 CEST 2006
Author: twittner Date: Mon Apr 10 20:47:41 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- added -CVE-2005-3011.patch (from FreeBSD) against insecure
tmpfiles creation
---- Files affected:
SOURCES:
texinfo-CVE-2005-3011.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/texinfo-CVE-2005-3011.patch
diff -u /dev/null SOURCES/texinfo-CVE-2005-3011.patch:1.1
--- /dev/null Mon Apr 10 22:47:41 2006
+++ SOURCES/texinfo-CVE-2005-3011.patch Mon Apr 10 22:47:36 2006
@@ -0,0 +1,98 @@
+ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:01.texindex.asc
+
+Index: contrib/texinfo/util/texindex.c
+===================================================================
+RCS file: /home/ncvs/src/contrib/texinfo/util/texindex.c,v
+retrieving revision 1.1.1.8
+diff -u -p -I__FBSDID -r1.1.1.8 texindex.c
+--- contrib/texinfo/util/texindex.c 23 May 2005 10:46:22 -0000 1.1.1.8
++++ contrib/texinfo/util/texindex.c 8 Jan 2006 23:31:32 -0000
+@@ -384,17 +384,33 @@ For more information about these matters
+ usage (1);
+ }
+
++static char **tv;
++static int tv_alloc;
++static int tv_used;
++
++static int
++findtempname (char *tempname)
++{
++ int i;
++
++ for (i = 0; i < tv_used; i++)
++ if (strcmp (tv[i], tempname) == 0)
++ return (1);
++ return (0);
++}
++
+ /* Return a name for temporary file COUNT. */
+
+ static char *
+ maketempname (int count)
+ {
+ static char *tempbase = NULL;
++ char *tempname;
+ char tempsuffix[10];
++ int fd;
+
+ if (!tempbase)
+ {
+- int fd;
+ tempbase = concat (tempdir, "txidxXXXXXX");
+
+ fd = mkstemp (tempbase);
+@@ -403,7 +419,52 @@ maketempname (int count)
+ }
+
+ sprintf (tempsuffix, ".%d", count);
+- return concat (tempbase, tempsuffix);
++ tempname = concat (tempbase, tempsuffix);
++ /*
++ * The open logic becomes a bit convoluted. If open(2) fails due to EEXIST,
++ * it's likely because somebody attempted to race us, or because we have
++ * already created this file.
++ */
++ fd = open (tempname, O_CREAT|O_EXCL|O_WRONLY, 0600);
++ if (fd == -1)
++ {
++ /*
++ * If errno is not EEXIST, then open failed for some other reason, so
++ * we should terminate. If errno == EEXIST AND we didn't create this
++ * file, terminate. Otherwise, it's safe to say that errno == EEXIST
++ * because we already created it, in this event, we can just return.
++ */
++ if (errno != EEXIST ||
++ (errno == EEXIST && findtempname (tempname) == 0))
++ pfatal_with_name (tempname);
++ return (tempname);
++ }
++ else if (fd > 0)
++ {
++ close (fd);
++ }
++ if (tv == NULL)
++ {
++ tv_alloc = 16;
++ tv = calloc (tv_alloc, sizeof (char *));
++ if (tv == NULL)
++ {
++ fprintf (stderr, "calloc failed\n");
++ exit (1);
++ }
++ }
++ else if (tv_used == tv_alloc)
++ {
++ tv_alloc += 4;
++ tv = realloc (tv, tv_alloc * sizeof (char *));
++ if (tv == NULL)
++ {
++ fprintf (stderr, "realloc failed");
++ exit (1);
++ }
++ }
++ tv[tv_used++] = strdup (tempname);
++ return tempname;
+ }
+
+
================================================================
More information about the pld-cvs-commit
mailing list