authorPete Fritchman <petef@FreeBSD.org>2004-12-15 16:37:44 +0000
committerPete Fritchman <petef@FreeBSD.org>2004-12-15 16:37:44 +0000
commit92370b46b1f19ebc3bde62cb12946818dd298643 (patch)
tree3dd3ebda52525677e9a1f8c292dd6dffb45dc1c9 /devel/cscope
parentaf37cb977682a641155cf45040065d7ed3f7a7b9 (diff)
Fix CAN-2004-0996 vulnerability & bump PORTREVISION:
main.c in cscope 15-4 and 15-5 creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack. PR: 75104 Submitted by: Matthias Andree <matthias.andree@gmx.de>
Notes
Notes: svn path=/head/; revision=124134
Diffstat (limited to 'devel/cscope')
-rw-r--r--devel/cscope/Makefile1
-rw-r--r--devel/cscope/files/patch-src::main.c52
2 files changed, 53 insertions, 0 deletions
diff --git a/devel/cscope/Makefile b/devel/cscope/Makefile
index 1bb824889235..cb78262b6ede 100644
--- a/devel/cscope/Makefile
+++ b/devel/cscope/Makefile
@@ -8,6 +8,7 @@
PORTNAME= cscope
PORTVERSION= 15.5
+PORTREVISION= 1
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
diff --git a/devel/cscope/files/patch-src::main.c b/devel/cscope/files/patch-src::main.c
new file mode 100644
index 000000000000..fedddf1bd6b6
--- /dev/null
+++ b/devel/cscope/files/patch-src::main.c
@@ -0,0 +1,52 @@
+===================================================================
+RCS file: /cvsroot/cscope/cscope/src/main.c,v
+retrieving revision 1.33
+retrieving revision 1.34
+diff -u -r1.33 -r1.34
+--- src/main.c 2004/04/30 15:31:43 1.33
++++ src/main.c 2004/12/06 14:56:43 1.34
+@@ -101,6 +101,7 @@
+ #endif
+ char temp1[PATHLEN + 1]; /* temporary file name */
+ char temp2[PATHLEN + 1]; /* temporary file name */
++char tempdirpv[PATHLEN +1]; /* private temp directory */
+ long totalterms; /* total inverted index terms */
+ BOOL trun_syms; /* truncate symbols to 8 characters */
+ char tempstring[8192]; /* use this as a buffer, instead of 'yytext',
+@@ -131,6 +132,7 @@
+ int c, i;
+ pid_t pid;
+ struct stat stat_buf;
++ mode_t orig_umask;
+
+ yyin = stdin;
+ yyout = stdout;
+@@ -330,9 +332,18 @@
+ }
+
+ /* create the temporary file names */
++ orig_umask = umask(S_IRWXG|S_IRWXO);
+ pid = getpid();
+- (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
+- (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);
++ (void) sprintf(tempdirpv, "%s/cscope.%d", tmpdir, pid);
++ if(mkdir(tempdirpv,S_IRWXU))
++ {
++ fprintf(stderr, "cscope: Could not create private temp dir %s\n",tempdirpv);
++ myexit(1);
++ }
++ umask(orig_umask);
++
++ (void) sprintf(temp1, "%s/cscope.1", tempdirpv, pid);
++ (void) sprintf(temp2, "%s/cscope.2", tempdirpv, pid);
+
+ /* if running in the foreground */
+ if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
+@@ -834,6 +845,7 @@
+ if (temp1[0] != '\0') {
+ (void) unlink(temp1);
+ (void) unlink(temp2);
++ (void) rmdir(tempdirpv);
+ }
+ /* restore the terminal to its original mode */
+ if (incurses == YES) {
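Review bot: The three `sprintf` calls added in the `@@ -330,9 +332,18 @@` hunk write into fixed `PATHLEN + 1` buffers without a bound, and `temp1`/`temp2` are now built from `tempdirpv` plus nine more characters, so a `tmpdir` close to `PATHLEN` can overflow them even when `tempdirpv` itself fit. `tmpdir` is assigned outside the visible lines, so whether its length is checked earlier cannot be confirmed from here; a bounded form such as `if (snprintf(temp1, sizeof(temp1), "%s/cscope.1", tempdirpv) >= (int)sizeof(temp1)) myexit(1);` (and the same for `tempdirpv` and `temp2`) would make the limit explicit. The trailing `pid` argument in the `temp1` and `temp2` calls no longer matches any conversion and should be dropped. The directory name is still derived from the pid, so it is `mkdir` failing on an existing entry that prevents the symlink overwrite, at the cost that cscope exits whenever that name is already taken; `mkdtemp()` with a `cscope.XXXXXX` template would remove both the predictability and that failure mode. The enclosing `main` starts and ends outside these hunks.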