Bug#612035: Ping: Bug#612035: [Pkg-phototools-devel] Bug#612035: vulnerability: rewrite arbitrary user file

2012-02-03 Thread Daniel Friesel 
Hi,

On Thu, Jan 19, 2012 at 12:47:06PM +, Jonathan Wiltshire wrote:
 On Fri, Jul 08, 2011 at 08:06:17PM +0200, Julien Cristau wrote:
  [...]
  ick.  mkdtemp(3), please.
 Any news on this?

the attached patches (created against the unpatched 1.3.4.dfsg.1-1 / 1.8-1
packages) use mkdtemp for the fix.

I removed the --cache 0 wget argument because my system's wget does not support
it anymore, if the wget in oldstable still has it it's safe to put that back in.

--Daniel
diff --git a/src/imlib.c b/src/imlib.c
index fc4dcf0..1d06628 100644
--- a/src/imlib.c
+++ b/src/imlib.c
@@ -263,7 +263,7 @@ feh_http_load_image(char *url)
char *newurl = NULL;
char randnum[20];
int rnum;
-   char *path = NULL;
+   static char *path = NULL;
 
D_ENTER(4);
 
@@ -274,11 +274,16 @@ feh_http_load_image(char *url)
   else
  path = ;
}
-   else
-  path = /tmp/;
+   else {
+  path = estrdup(/tmp/feh_XX);
+	if (mkdtemp(path) == NULL)
+		eprintf(Failed to create temporary directory);
+	path = estrjoin(, path, /, NULL);
+	opt.tmp_path = path;
+   }
 
basename = strrchr(url, '/') + 1;
-   tmpname = feh_unique_filename(path, basename);
+   tmpname = estrjoin(, path, basename, NULL);
 
if (opt.wget_timestamp)
{
@@ -288,7 +293,7 @@ feh_http_load_image(char *url)
   ppid = getpid();
   snprintf(cppid, sizeof(cppid), %06ld, (long)ppid);
   tmpname_timestamper =
- estrjoin(, /tmp/feh_, cppid, _, basename, NULL);
+ estrjoin(, path, cppid, _, basename, NULL);
}
 
if (opt.wget_timestamp)
@@ -548,7 +553,7 @@ feh_http_load_image(char *url)
  }
  else
  {
-execlp(wget, wget, --cache, 0, newurl, -O, tmpname,
+execlp(wget, wget, newurl, -O, tmpname,
quiet, (char*) NULL);
  }
  eprintf(url: exec failed: wget:);
diff --git a/src/main.c b/src/main.c
index 745fdf9..4fbe600 100644
--- a/src/main.c
+++ b/src/main.c
@@ -215,5 +215,8 @@ feh_clean_exit(void)
if (opt.filelistfile)
   feh_write_filelist(filelist, opt.filelistfile);
 
+	if (opt.tmp_path  !opt.keep_http)
+		rmdir(opt.tmp_path);
+
D_RETURN_(4);
 }
diff --git a/src/options.c b/src/options.c
index d9d803d..7fd46b0 100644
--- a/src/options.c
+++ b/src/options.c
@@ -55,6 +55,7 @@ init_parse_options(int argc, char **argv)
opt.thumb_h = 60;
opt.menu_font = estrdup(DEFAULT_MENU_FONT);
opt.font = estrdup(DEFAULT_FONT);
+   opt.tmp_path = NULL;
opt.menu_bg = estrdup(PREFIX /share/feh/images/menubg_default.png);
opt.menu_style = estrdup(PREFIX /share/feh/fonts/menu.style);
opt.menu_border = 4;
diff --git a/src/options.h b/src/options.h
index 0101885..f365da8 100644
--- a/src/options.h
+++ b/src/options.h
@@ -89,6 +89,8 @@ struct __fehoptions
char *menu_style;
char *caption_path;
 
+   char *tmp_path;
+
gib_style *menu_style_l;
 
unsigned char next_button;
diff --git a/src/imlib.c b/src/imlib.c
index 69c6e50..ea88754 100644
--- a/src/imlib.c
+++ b/src/imlib.c
@@ -232,15 +232,20 @@ char *feh_http_load_image(char *url)
 {
 	char *tmpname;
 	char *basename;
-	char *path = NULL;
+	static char *path = NULL;
 
 	if (opt.keep_http) {
 		if (opt.output_dir)
 			path = opt.output_dir;
 		else
 			path = ;
-	} else
-		path = /tmp/;
+	} else {
+		path = estrdup(/tmp/feh_XX);
+		if (mkdtemp(path) == NULL)
+			eprintf(Failed to create temporary directory:);
+		path = estrjoin(NULL, path, /, NULL);
+		opt.tmp_path = path;
+	}
 
 	basename = strrchr(url, '/') + 1;
 	tmpname = feh_unique_filename(path, basename);
diff --git a/src/main.c b/src/main.c
index ce46879..9588863 100644
--- a/src/main.c
+++ b/src/main.c
@@ -190,5 +190,8 @@ void feh_clean_exit(void)
 	if (opt.filelistfile)
 		feh_write_filelist(filelist, opt.filelistfile);
 
+	if (opt.tmp_path  !opt.keep_http)
+		rmdir(opt.tmp_path);
+
 	return;
 }
diff --git a/src/options.c b/src/options.c
index 5962ca1..5f928ed 100644
--- a/src/options.c
+++ b/src/options.c
@@ -56,6 +56,7 @@ void init_parse_options(int argc, char **argv)
 	opt.thumb_redraw = 10;
 	opt.menu_font = estrdup(DEFAULT_MENU_FONT);
 	opt.font = NULL;
+	opt.tmp_path = NULL;
 	opt.image_bg = estrdup(default);
 	opt.menu_bg = estrdup(PREFIX /share/feh/images/menubg_default.png);
 	opt.menu_style = estrdup(PREFIX /share/feh/fonts/menu.style);
diff --git a/src/options.h b/src/options.h
index be20687..2cb174e 100644
--- a/src/options.h
+++ b/src/options.h
@@ -88,6 +88,8 @@ struct __fehoptions {
 	char *caption_path;
 	char *start_list_at;
 
+	char *tmp_path;
+
 	gib_style *menu_style_l;
 
 	unsigned char pan_button;


signature.asc
Description: Digital signature

Bug#612035: Ping: Bug#612035: [Pkg-phototools-devel] Bug#612035: vulnerability: rewrite arbitrary user file

2012-01-19 Thread Jonathan Wiltshire 
On Fri, Jul 08, 2011 at 08:06:17PM +0200, Julien Cristau wrote:
 On Fri, Jul  8, 2011 at 16:08:17 +0200, Andreas Tille wrote:
 
  @@ -275,7 +278,21 @@
path = ;
  }
  else
  -  path = /tmp/;
  +  snprintf(cppid, sizeof(cppid), %06ld, (long) getpid());
  +
  +   while ((path == NULL)  (i  )) {
  +   snprintf(num, sizeof(num), %06ld, i++);
  +
  +   path = estrjoin(, /tmp/feh, _, cppid, _, num, /, 
  NULL);
  +   if (mkdir(path, 0700) == -1) {
  +   free(path);
  +   path = NULL;
  +   } else
  +   opt.tmp_path = path;
  +   }
  +   if (path == NULL)
  +   weprintf(Failed to create temporary directory:);
  +
   
  basename = strrchr(url, '/') + 1;
  tmpname = feh_unique_filename(path, basename);
 
 ick.  mkdtemp(3), please.
 

Hi,

Any news on this?



-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org