tag 344029 patch thanks Attached is the patch for the NMU that I am preparing; I will upload it to a delay queue sometime tomorrow (assuming it checks out when I've had more sleep.)
Don Armstrong -- "A one-question geek test. If you get the joke, you're a geek: Seen on a California license plate on a VW Beetle: 'FEATURE'..." -- Joshua D. Wachs - Natural Intelligence, Inc. http://www.donarmstrong.com http://rzlab.ucr.edu
diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm
--- libmail-audit-perl-2.1/Audit.pm
+++ libmail-audit-perl-2.1/Audit.pm
@@ -4,7 +4,13 @@
 my $logging;
 my $loglevel=3;
-my $logfile = "/tmp/".getpwuid($>)."-audit.log";
+my $logfile;
+if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
+ $logfile = "$ENV{HOME}/.mail_audit.log"
+}
+else {
+ (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);
+}
 # ----------------------------------------------------------
 # no user-modifiable parts below this line.
@@ -18,6 +24,7 @@
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX); # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity. if not, we'll be Mail::Internet.
 use Fcntl ':flock';
+use File::Temp qw(tempfile);
 $ASSUME_MSGPREFIX = 0;
diff -u libmail-audit-perl-2.1/debian/changelog libmail-audit-perl-2.1/debian/changelog
--- libmail-audit-perl-2.1/debian/changelog
+++ libmail-audit-perl-2.1/debian/changelog
@@ -1,3 +1,13 @@
+libmail-audit-perl (2.1-5.1) unstable; urgency=high
+
+ * NMU
+ * [SECURITY] Fix insecure tempfile creation with trivially guessable
+ filename (Closes: #344029)
+ * [SECURITY] Fix analogous insecure tempdir creation with trivially
+ guessable directory name
+
+ -- Don Armstrong <[EMAIL PROTECTED]> Wed, 4 Jan 2006 01:51:30 -0800
+
 libmail-audit-perl (2.1-5) unstable; urgency=low
 * Add missing dependency on libmail-listdetector-perl (Closes: #29364)
only in patch2:
unchanged:
--- libmail-audit-perl-2.1.orig/Audit/MimeEntity.pm
+++ libmail-audit-perl-2.1/Audit/MimeEntity.pm
@@ -4,6 +4,7 @@
 use strict;
 use File::Path;
+use File::Temp qw(tempdir)
 use MIME::Parser;
 use MIME::Entity;
 use Mail::Audit::MailInternet;
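Review bot: In the `@@ -4,7 +4,13 @@` hunk of Audit.pm, the `else` branch calls `tempfile()` at module load, so every process that loads the module without a usable `$ENV{HOME}` creates a new `mail_audit.log-XXXXX` file in the temp directory whether or not logging is ever enabled, and nothing on the new side removes it. The handle that `tempfile()` opened is thrown away with `undef`, so the logging code (outside this hunk) presumably reopens the file by name; keeping the handle is the use File::Temp is designed around. Consider leaving `$logfile` unset here and creating the file only when logging is first switched on, e.g. `($logfh, $logfile) = tempfile("mail_audit.log-XXXXX", TMPDIR => 1);` with `$logfh` being a new file-scoped lexical. A one-line comment above the `if` stating that the log moved out of the shared temp directory because the old name was predictable would help the next maintainer keep it that way.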
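Review bot: The added `use File::Temp qw(tempdir)` in the `@@ -4,6 +4,7 @@` hunk of Audit/MimeEntity.pm has no terminating semicolon, so as shown it runs straight into the following `use MIME::Parser;` and the module should fail to compile. The line should read `use File::Temp qw(tempdir);`. Because this is the file that carries the tempdir half of the security fix, a `perl -c` pass over it before the upload is worth the few seconds.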
@@ -12,10 +13,12 @@
 $VERSION = '2.0';
-$MIME_PARSER_TMPDIR = "/tmp/".getpwuid($>)."-mailaudit";
-
 my $parser = MIME::Parser->new();
+# Create a tempdir using File::Temp::tempdir, have it be destroyed at
+# END{} time.
+$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1);
+
 my @to_rmdir;
 sub autotype_new {
@@ -23,8 +26,6 @@
 my $mailinternet = shift;
 $parser->ignore_errors(1);
- mkdir ($MIME_PARSER_TMPDIR, 0777);
- if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = "/tmp" }
 $parser->output_under($MIME_PARSER_TMPDIR); # todo: add eval error trapping. if there's a problem, return Mail::Audit::MailInternet as a fallback.
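Review bot: In the `@@ -12,10 +13,12 @@` hunk, `tempdir(CLEANUP => 1)` runs when the module is loaded and croaks if the directory cannot be created, while the lines removed in the following hunk used to fall back to `/tmp`. For a mail filter, a full or unwritable temp directory therefore becomes a hard failure at load time, before the "todo: add eval error trapping" path in `autotype_new` is ever reached. Consider creating the directory lazily inside `autotype_new` (whose body continues outside these hunks), e.g. `$MIME_PARSER_TMPDIR ||= tempdir(CLEANUP => 1);` inside an `eval`, and returning the Mail::Audit::MailInternet fallback when it fails. The new comment could also state that the directory is created mode 0700 with an unpredictable name, since that is the property the fix depends on.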