Package: xfig
Version: 1:3.2.5.b-1
X-Debbugs-CC: bvsm...@lbl.gov

Hello. Both the patch found in Debian and the fix in xfig.3.2.5b miss the hunk for
u_print.c:

sprintf(tmp_fig_file, "%s/%s%06d", TMPDIR, "xfig-fig", getpid());

(noticed by Tomas Hoger:
    https://bugzilla.redhat.com/show_bug.cgi?id=505257#c1)

and thus insecure use of temporary files is still possible. I failed to
find a fix and thus I've recreated it from scratch:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-gfx/xfig/files/xfig-3.2.5b-mkstemp.patch?rev=1.1&view=markup

Please check the patch and, if it's correct, apply it both in Debian and upstream.

Thanks,
-- 
Peter.
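
Added example, not part of the original report and not the Gentoo patch or xfig's own code: the predictable "xfig-fig<pid>" name from the quoted u_print.c line next to an mkstemp()-based replacement, with a self-check showing that exclusive creation refuses a name that already exists as a symlink. The function names (predictable_name, make_tmp_fig, fd_is_private, self_check) and the scratch directory under /tmp are assumptions made for this sketch.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same predictable name as the quoted u_print.c line (helper is hypothetical). */
static void predictable_name(char *buf, size_t len, const char *tmpdir)
{
    snprintf(buf, len, "%s/%s%06d", tmpdir, "xfig-fig", (int)getpid());
}

/* Hypothetical replacement: mkstemp() chooses the suffix and creates the file
 * with O_CREAT|O_EXCL, mode 0600. Returns an open fd, or -1 on failure. */
int make_tmp_fig(char *buf, size_t len, const char *tmpdir)
{
    int n = snprintf(buf, len, "%s/xfig-figXXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= len) return -1;   /* template did not fit */
    return mkstemp(buf);
}

/* 1 if fd is a regular file with one link and no group/other permissions. */
int fd_is_private(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
           st.st_nlink == 1 && (st.st_mode & 077) == 0;
}

/* Constructed scenario in a private scratch directory: the predictable name
 * already exists as a symlink. Returns 0 if O_EXCL refuses it and mkstemp()
 * still yields a fresh private file. */
int self_check(void)
{
    char dir[] = "/tmp/xfig-demoXXXXXX", pred[256], safe[256];
    if (!mkdtemp(dir)) return 1;
    predictable_name(pred, sizeof pred, dir);
    if (symlink("placeholder", pred) != 0) return 2;
    int fd = open(pred, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    int sfd = make_tmp_fig(safe, sizeof safe, dir);
    int ok = (sfd != -1 && fd_is_private(sfd));
    if (sfd != -1) { close(sfd); unlink(safe); }
    unlink(pred); rmdir(dir);
    return (refused && ok) ? 0 : 3;
}

int main(void) { return self_check(); }
```

The caller should keep writing through the returned descriptor (for example via fdopen()) rather than reopening the path by name.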
