183 lines
4.8 KiB
Diff
183 lines
4.8 KiB
Diff
Description: Fixed a classical tempfile symlink attack vulnerability in libuu.
|
|
See Version: 0.5.20-3.1.
|
|
Author: Nico Golde <nion@debian.org>
|
|
Bug-Debian: http://bugs.debian.org/480972
|
|
|
|
--- a/uulib/uunconc.c
|
|
+++ b/uulib/uunconc.c
|
|
@@ -1311,6 +1311,11 @@ UUDecode (uulist *data)
|
|
char *mode, *ntmp;
|
|
uufile *iter;
|
|
size_t bytes;
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ int tmpfd;
|
|
+ const char *tmpprefix = "uuXXXXXX";
|
|
+ char *tmpdir = NULL;
|
|
+#endif /* HAVE_MKSTEMP */
|
|
|
|
if (data == NULL || data->thisfile == NULL)
|
|
return UURET_ILLVAL;
|
|
@@ -1329,13 +1334,35 @@ UUDecode (uulist *data)
|
|
else
|
|
mode = "wbx"; /* otherwise in binary */
|
|
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ if ((getuid()==geteuid()) && (getgid()==getegid())) {
|
|
+ tmpdir=getenv("TMPDIR");
|
|
+ }
|
|
+
|
|
+ if (!tmpdir) {
|
|
+ tmpdir = "/tmp";
|
|
+ }
|
|
+ data->binfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
|
|
+
|
|
+ if (!data->binfile) {
|
|
+#else
|
|
if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
|
|
+#endif /* HAVE_MKSTEMP */
|
|
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
|
|
uustring (S_NO_TEMP_NAME));
|
|
return UURET_NOMEM;
|
|
}
|
|
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ strcpy(data->binfile, tmpdir);
|
|
+ strcat(data->binfile, "/");
|
|
+ strcat(data->binfile, tmpprefix);
|
|
+
|
|
+ if ((tmpfd = mkstemp(data->binfile)) == -1 ||
|
|
+ (dataout = fdopen(tmpfd, mode)) == NULL) {
|
|
+#else
|
|
if ((dataout = fopen (data->binfile, mode)) == NULL) {
|
|
+#endif /* HAVE_MKSTEMP */
|
|
/*
|
|
* we couldn't create a temporary file. Usually this means that TMP
|
|
* and TEMP aren't set
|
|
@@ -1343,6 +1370,12 @@ UUDecode (uulist *data)
|
|
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
|
|
uustring (S_WR_ERR_TARGET),
|
|
data->binfile, strerror (uu_errno = errno));
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ if (tmpfd != -1) {
|
|
+ unlink(data->binfile);
|
|
+ close(tmpfd);
|
|
+ }
|
|
+#endif /* HAVE_MKSTEMP */
|
|
_FP_free (data->binfile);
|
|
data->binfile = NULL;
|
|
uu_errno = errno;
|
|
@@ -1499,7 +1532,13 @@ UUDecode (uulist *data)
|
|
*/
|
|
|
|
if (data->uudet == BH_ENCODED && data->binfile) {
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ ntmp = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
|
|
+
|
|
+ if (ntmp == NULL) {
|
|
+#else
|
|
if ((ntmp = tempnam (NULL, "uu")) == NULL) {
|
|
+#endif /* HAVE_MKSTEMP */
|
|
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
|
|
uustring (S_NO_TEMP_NAME));
|
|
progress.action = 0;
|
|
@@ -1513,15 +1552,31 @@ UUDecode (uulist *data)
|
|
free (ntmp);
|
|
return UURET_IOERR;
|
|
}
|
|
+
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ strcpy(ntmp, tmpdir);
|
|
+ strcat(ntmp, "/");
|
|
+ strcat(ntmp, tmpprefix);
|
|
+ if ((tmpfd = mkstemp(ntmp)) == -1 ||
|
|
+ (dataout = fdopen(tmpfd, "wb")) == NULL) {
|
|
+#else
|
|
if ((dataout = fopen (ntmp, "wb")) == NULL) {
|
|
+#endif /* HAVE_MKSTEMP */
|
|
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
|
|
uustring (S_NOT_OPEN_TARGET),
|
|
ntmp, strerror (uu_errno = errno));
|
|
progress.action = 0;
|
|
fclose (datain);
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ if (tmpfd != -1) {
|
|
+ unlink(ntmp);
|
|
+ close(tmpfd);
|
|
+ }
|
|
+#endif /* HAVE_MKSTEMP */
|
|
free (ntmp);
|
|
return UURET_IOERR;
|
|
}
|
|
+
|
|
/*
|
|
* read fork lengths. remember they're in Motorola format
|
|
*/
|
|
--- a/uulib/configure.in
|
|
+++ b/uulib/configure.in
|
|
@@ -41,6 +41,7 @@ AC_CHECK_HEADERS(io.h sys/time.h)
|
|
AC_CHECK_FUNCS(gettimeofday)
|
|
|
|
AC_CHECK_FUNC(tempnam,,AC_DEFINE(tempnam,_FP_tempnam))
|
|
+AC_CHECK_FUNCS([mkstemp])
|
|
|
|
#
|
|
# strerror might be internally defined. this would cause a
|
|
--- a/unix/uudeview.c
|
|
+++ b/unix/uudeview.c
|
|
@@ -443,18 +443,45 @@ proc_stdin (void)
|
|
FILE *target;
|
|
size_t bytes;
|
|
int res;
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ int tmpfd;
|
|
+ const char *tmpprefix = "uuXXXXXX";
|
|
+ char *tmpdir = NULL;
|
|
+#endif /* HAVE_MKSTEMP */
|
|
|
|
if (stdinput) {
|
|
fprintf (stderr, "proc_stdin: cannot process stdin twice\n");
|
|
return 0;
|
|
}
|
|
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ if ((getuid()==geteuid()) && (getgid()==getegid())) {
|
|
+ tmpdir=getenv("TMPDIR");
|
|
+ }
|
|
+
|
|
+ if (!tmpdir) {
|
|
+ tmpdir = "/tmp";
|
|
+ }
|
|
+ stdfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
|
|
+
|
|
+ if (!stdfile) {
|
|
+#else
|
|
if ((stdfile = tempnam (NULL, "uu")) == NULL) {
|
|
+#endif
|
|
fprintf (stderr, "proc_stdin: cannot get temporary file\n");
|
|
return 0;
|
|
}
|
|
|
|
+#ifdef HAVE_MKSTEMP
|
|
+ strcpy(stdfile, tmpdir);
|
|
+ strcat(stdfile, "/");
|
|
+ strcat(stdfile, tmpprefix);
|
|
+
|
|
+ if ((tmpfd = mkstemp(stdfile)) == -1 ||
|
|
+ (target = fdopen(tmpfd, "wbx")) == NULL) {
|
|
+#else
|
|
if ((target = fopen (stdfile, "wbx")) == NULL) {
|
|
+#endif
|
|
fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
|
|
stdfile, strerror (errno));
|
|
_FP_free (stdfile);
|
|
--- a/configure.in
|
|
+++ b/configure.in
|
|
@@ -510,6 +510,7 @@ AC_CHECK_HEADERS(io.h sys/time.h)
|
|
AC_CHECK_FUNCS(getcwd popen gettimeofday isatty)
|
|
|
|
AC_CHECK_FUNC(tempnam,,AC_DEFINE(tempnam,_FP_tempnam))
|
|
+AC_CHECK_FUNCS([mkstemp])
|
|
|
|
#
|
|
# strerror might be internally defined. this would cause a
|