Package: mgdiff
Version: 1.0-27
Priority: minor
Tags: security

While doing a source code audit looking for security bugs I've found that the
viewpatch script (distributed by mgdiff in /usr/share/doc/mgdiff/ and thus,
not provided as a binary) does not use /tmp safely and can, consequently,
be used to conduct symlink attacks.

Attached is a patch fixing that issue.

Regards

Javier
diff -Nru mgdiff-1.0-27/debian/changelog mgdiff-1.0/debian/changelog
--- mgdiff-1.0-27/debian/changelog      2005-10-22 15:24:06.000000000 +0200
+++ mgdiff-1.0/debian/changelog 2005-10-22 15:15:30.000000000 +0200
@@ -1,3 +1,9 @@
+mgdiff (1.0-28) unstable; urgency=low
+
+  * Fixed viewpatch to prevent temporary symlink attacks.
+
+ -- Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>  Sat, 22 Oct 2005 
15:15:20 +0200
+
 mgdiff (1.0-27) unstable; urgency=low
 
   * updated Paul Serices rmgdiff shell and awk scripts to 1.8.1, available
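Review bot: the new 1.0-28 changelog entry records only the symlink fix, but the viewpatch change in this same patch also adds existence checks on the two file arguments and replaces the final `rm -f $FNAME` with a trap plus `exit 0`. List those changes too so the entry matches what is shipped. The report is tagged security while the entry says urgency=low; confirm that is the intended setting.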
diff -Nru mgdiff-1.0-27/debian/viewpatch mgdiff-1.0/debian/viewpatch
--- mgdiff-1.0-27/debian/viewpatch      2005-10-22 15:24:06.000000000 +0200
+++ mgdiff-1.0/debian/viewpatch 2005-10-22 15:14:32.000000000 +0200
@@ -11,17 +11,23 @@
 # over many unices.
 #
 
-HOST=`hostname`;
-PID=$$;
-USER=`whoami`;
+FNAME=`tempfile` || { echo "$0: Cannot create temporary file" >&2; exit 1;  }
+trap " [ -f \"$FNAME\" ] && /bin/rm -f -- \"$FNAME\"" 0 1 2 3 13 15
 
-FNAME=/tmp/$HOST-$USER-$PID;
 ORIG=$1
 PATCH=$2
 
 shift 2
 
+if [ -z "$ORIG" ] ||  [ ! -e "$ORIG" ] ; then
+       echo "$0: original file '$ORIG' does not exist"
+fi
+if [ -z "$PATCH" ] ||  [ ! -e "$PATCH" ] ; then
+       echo "$0: original file '$ORIG' does not exist"
+fi
+
+
 cp $ORIG $FNAME;
 if patch $* $FNAME  < $PATCH; then mgdiff $ORIG $FNAME; fi
 
-rm -f $FNAME
+exit 0
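Review bot: the two new argument checks ahead of `cp $ORIG $FNAME` only echo a message and fall through, so an empty or missing $ORIG or $PATCH still reaches `cp` and `patch`. Add `exit 1` inside each `if`, and send the message to stderr with `>&2` as the `tempfile` failure branch already does. The second check tests $PATCH but reuses the text "original file '$ORIG' does not exist"; it should name the patch file and print '$PATCH'. The closing `exit 0` also reports success when `patch` fails, so consider returning a non-zero status on that path.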
