summaryrefslogtreecommitdiff
path: root/network/uudeview/patches/037_CVE-2008-2266_symlink.diff
diff options
context:
space:
mode:
Diffstat (limited to 'network/uudeview/patches/037_CVE-2008-2266_symlink.diff')
-rw-r--r--network/uudeview/patches/037_CVE-2008-2266_symlink.diff182
1 files changed, 182 insertions, 0 deletions
diff --git a/network/uudeview/patches/037_CVE-2008-2266_symlink.diff b/network/uudeview/patches/037_CVE-2008-2266_symlink.diff
new file mode 100644
index 0000000000..7a74e4792c
--- /dev/null
+++ b/network/uudeview/patches/037_CVE-2008-2266_symlink.diff
@@ -0,0 +1,182 @@
+Description: Fixed a classical tempfile symlink attack vulnerability in libuu.
+ See Version: 0.5.20-3.1.
+Author: Nico Golde <nion@debian.org>
+Bug-Debian: http://bugs.debian.org/480972
+
+--- a/uulib/uunconc.c
++++ b/uulib/uunconc.c
+@@ -1311,6 +1311,11 @@ UUDecode (uulist *data)
+ char *mode, *ntmp;
+ uufile *iter;
+ size_t bytes;
++#ifdef HAVE_MKSTEMP
++ int tmpfd;
++ const char *tmpprefix = "uuXXXXXX";
++ char *tmpdir = NULL;
++#endif /* HAVE_MKSTEMP */
+
+ if (data == NULL || data->thisfile == NULL)
+ return UURET_ILLVAL;
+@@ -1329,13 +1334,35 @@ UUDecode (uulist *data)
+ else
+ mode = "wbx"; /* otherwise in binary */
+
++#ifdef HAVE_MKSTEMP
++ if ((getuid()==geteuid()) && (getgid()==getegid())) {
++ tmpdir=getenv("TMPDIR");
++ }
++
++ if (!tmpdir) {
++ tmpdir = "/tmp";
++ }
++ data->binfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
++
++ if (!data->binfile) {
++#else
+ if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
++#endif /* HAVE_MKSTEMP */
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NO_TEMP_NAME));
+ return UURET_NOMEM;
+ }
+
++#ifdef HAVE_MKSTEMP
++ strcpy(data->binfile, tmpdir);
++ strcat(data->binfile, "/");
++ strcat(data->binfile, tmpprefix);
++
++ if ((tmpfd = mkstemp(data->binfile)) == -1 ||
++ (dataout = fdopen(tmpfd, mode)) == NULL) {
++#else
+ if ((dataout = fopen (data->binfile, mode)) == NULL) {
++#endif /* HAVE_MKSTEMP */
+ /*
+ * we couldn't create a temporary file. Usually this means that TMP
+ * and TEMP aren't set
+@@ -1343,6 +1370,12 @@ UUDecode (uulist *data)
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_WR_ERR_TARGET),
+ data->binfile, strerror (uu_errno = errno));
++#ifdef HAVE_MKSTEMP
++ if (tmpfd != -1) {
++ unlink(data->binfile);
++ close(tmpfd);
++ }
++#endif /* HAVE_MKSTEMP */
+ _FP_free (data->binfile);
+ data->binfile = NULL;
+ uu_errno = errno;
+@@ -1499,7 +1532,13 @@ UUDecode (uulist *data)
+ */
+
+ if (data->uudet == BH_ENCODED && data->binfile) {
++#ifdef HAVE_MKSTEMP
++ ntmp = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
++
++ if (ntmp == NULL) {
++#else
+ if ((ntmp = tempnam (NULL, "uu")) == NULL) {
++#endif /* HAVE_MKSTEMP */
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NO_TEMP_NAME));
+ progress.action = 0;
+@@ -1513,15 +1552,31 @@ UUDecode (uulist *data)
+ free (ntmp);
+ return UURET_IOERR;
+ }
++
++#ifdef HAVE_MKSTEMP
++ strcpy(ntmp, tmpdir);
++ strcat(ntmp, "/");
++ strcat(ntmp, tmpprefix);
++ if ((tmpfd = mkstemp(ntmp)) == -1 ||
++ (dataout = fdopen(tmpfd, "wb")) == NULL) {
++#else
+ if ((dataout = fopen (ntmp, "wb")) == NULL) {
++#endif /* HAVE_MKSTEMP */
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NOT_OPEN_TARGET),
+ ntmp, strerror (uu_errno = errno));
+ progress.action = 0;
+ fclose (datain);
++#ifdef HAVE_MKSTEMP
++ if (tmpfd != -1) {
++ unlink(ntmp);
++ close(tmpfd);
++ }
++#endif /* HAVE_MKSTEMP */
+ free (ntmp);
+ return UURET_IOERR;
+ }
++
+ /*
+ * read fork lengths. remember they're in Motorola format
+ */
+--- a/uulib/configure.in
++++ b/uulib/configure.in
+@@ -41,6 +41,7 @@ AC_CHECK_HEADERS(io.h sys/time.h)
+ AC_CHECK_FUNCS(gettimeofday)
+
+ AC_CHECK_FUNC(tempnam,,AC_DEFINE(tempnam,_FP_tempnam))
++AC_CHECK_FUNCS([mkstemp])
+
+ #
+ # strerror might be internally defined. this would cause a
+--- a/unix/uudeview.c
++++ b/unix/uudeview.c
+@@ -443,18 +443,45 @@ proc_stdin (void)
+ FILE *target;
+ size_t bytes;
+ int res;
++#ifdef HAVE_MKSTEMP
++ int tmpfd;
++ const char *tmpprefix = "uuXXXXXX";
++ char *tmpdir = NULL;
++#endif /* HAVE_MKSTEMP */
+
+ if (stdinput) {
+ fprintf (stderr, "proc_stdin: cannot process stdin twice\n");
+ return 0;
+ }
+
++#ifdef HAVE_MKSTEMP
++ if ((getuid()==geteuid()) && (getgid()==getegid())) {
++ tmpdir=getenv("TMPDIR");
++ }
++
++ if (!tmpdir) {
++ tmpdir = "/tmp";
++ }
++ stdfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
++
++ if (!stdfile) {
++#else
+ if ((stdfile = tempnam (NULL, "uu")) == NULL) {
++#endif
+ fprintf (stderr, "proc_stdin: cannot get temporary file\n");
+ return 0;
+ }
+
++#ifdef HAVE_MKSTEMP
++ strcpy(stdfile, tmpdir);
++ strcat(stdfile, "/");
++ strcat(stdfile, tmpprefix);
++
++ if ((tmpfd = mkstemp(stdfile)) == -1 ||
++ (target = fdopen(tmpfd, "wbx")) == NULL) {
++#else
+ if ((target = fopen (stdfile, "wbx")) == NULL) {
++#endif
+ fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
+ stdfile, strerror (errno));
+ _FP_free (stdfile);
+--- a/configure.in
++++ b/configure.in
+@@ -510,6 +510,7 @@ AC_CHECK_HEADERS(io.h sys/time.h)
+ AC_CHECK_FUNCS(getcwd popen gettimeofday isatty)
+
+ AC_CHECK_FUNC(tempnam,,AC_DEFINE(tempnam,_FP_tempnam))
++AC_CHECK_FUNCS([mkstemp])
+
+ #
+ # strerror might be internally defined. this would cause a
generated by cgit v1.2.3 (git 2.26.2) at 2024-11-14 22:04:54 +0000