Hi, attached is an updated patch. It's as well archived on: http://people.debian.org/~nion/nmu-diff/wyrd-1.4.3b-3_1.4.3b-3.1.patch
The problem with the first patch was that if you press help
the second time you get Sys_error("Bad file descriptor").
The reason is that the original code only operates on the
filename, opens it and thus always assigning a new file
descriptor which gets closed afterwards. So after changing
this to the global file descriptor to make sure that the
file doesn't change in the meantime (race) the file
descriptor was closed after calling help the first time.
Fixed this by moving the close part to the file removal on
Quit and flushing the output after writing the content.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u wyrd-1.4.3b/debian/patches/00list wyrd-1.4.3b/debian/patches/00list
--- wyrd-1.4.3b/debian/patches/00list
+++ wyrd-1.4.3b/debian/patches/00list
@@ -1,0 +2 @@
+02-CVE-2008-0806
diff -u wyrd-1.4.3b/debian/changelog wyrd-1.4.3b/debian/changelog
--- wyrd-1.4.3b/debian/changelog
+++ wyrd-1.4.3b/debian/changelog
@@ -1,3 +1,12 @@
+wyrd (1.4.3b-3.1) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * This update addresses the following issue:
+ CVE-2008-0806: insecure temporary file creation that
+ could lead to symlink attacks and thus data loss (Closes: #466382).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Tue, 19 Feb 2008 22:28:12 +0100
+
wyrd (1.4.3b-3) unstable; urgency=low
* Fixed debian/watch file.
only in patch2:
unchanged:
--- wyrd-1.4.3b.orig/debian/patches/02-CVE-2008-0806.dpatch
+++ wyrd-1.4.3b/debian/patches/02-CVE-2008-0806.dpatch
@@ -0,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02-CVE-2008-0806.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad wyrd-1.4.3b~/interface_main.ml wyrd-1.4.3b/interface_main.ml
+--- wyrd-1.4.3b~/interface_main.ml 2007-08-20 03:24:26.000000000 +0200
++++ wyrd-1.4.3b/interface_main.ml 2008-02-20 19:51:39.000000000 +0100
+@@ -1066,9 +1066,9 @@
+ in
+ Hashtbl.iter find_binding Rcfile.table_commandstr_command;
+ let sorted_list = List.fast_sort Pervasives.compare !bindings in
+- let out_channel = open_out Rcfile.tmpfile in
++ let out_channel = Rcfile.tmpfd in
+ List.iter (output_string out_channel) sorted_list;
+- close_out out_channel;
++ flush out_channel;
+ def_prog_mode ();
+ endwin ();
+ let _ = Unix.system ("less " ^ Rcfile.tmpfile) in
+@@ -1786,8 +1786,9 @@
+ let i = draw_msg iface in
+ handle_refresh i reminders
+ |Rcfile.Quit ->
+- let new_iface = {iface with run_wyrd = false} in
+- (new_iface, reminders)
++ let out_channel = Rcfile.tmpfd in
++ close_out out_channel;Sys.remove Rcfile.tmpfile;let new_iface = {iface with run_wyrd = false} in
++ (new_iface, reminders)
+ with Not_found ->
+ let _ = beep () in
+ draw_error iface "key is not bound." false;
+diff -urNad wyrd-1.4.3b~/rcfile.ml wyrd-1.4.3b/rcfile.ml
+--- wyrd-1.4.3b~/rcfile.ml 2007-08-20 03:24:26.000000000 +0200
++++ wyrd-1.4.3b/rcfile.ml 2008-02-20 19:51:19.000000000 +0100
+@@ -136,7 +136,7 @@
+ (* Final hash table that maps from object to color_pair index *)
+ let object_palette = Hashtbl.create 20
+
+-let tmpfile = "/tmp/wyrd-tmp." ^ (string_of_int (Unix.getuid ()))
++let tmpfile,tmpfd = Filename.open_temp_file "wyrd" "-temp"
+
+
+ (* Turn colors on and off *)
pgp9ewzGUZes5.pgp
Description: PGP signature
