Gentoo's Bugzilla – Attachment 154789 Details for
Bug 224193
net-nntp/nzbget <0.4.0 uulib Insecure Temporary File Creation (CVE-2008-2266)
[patch]
uulib-CVE-2008-2266.patch
uulib-CVE-2008-2266.patch (text/plain), 3.12 KB, created by
Robert Buchholz (RETIRED)
on 2008-05-30 05:59:48 UTC
Description:
uulib-CVE-2008-2266.patch
Creator:
Robert Buchholz (RETIRED)
Created:
2008-05-30 05:59:48 UTC
Size:
3.12 KB
>Index: nzbget-0.2.3/uulib/uunconc.c
>===================================================================
>--- nzbget-0.2.3.orig/uulib/uunconc.c
>+++ nzbget-0.2.3/uulib/uunconc.c
>@@ -1311,6 +1311,11 @@ UUDecode (uulist *data)
> char *mode, *ntmp;
> uufile *iter;
> size_t bytes;
>+#ifdef HAVE_MKSTEMP
>+ int tmpfd;
>+ const char *tmpprefix = "uuXXXXXX";
>+ char *tmpdir = NULL;
>+#endif /* HAVE_MKSTEMP */
>
> if (data == NULL || data->thisfile == NULL)
> return UURET_ILLVAL;
>@@ -1329,13 +1334,35 @@ UUDecode (uulist *data)
> else
> mode = "wb"; /* otherwise in binary */
>
>+#ifdef HAVE_MKSTEMP
>+ if ((getuid()==geteuid()) && (getgid()==getegid())) {
>+ tmpdir=getenv("TMPDIR");
>+ }
>+
>+ if (!tmpdir) {
>+ tmpdir = "/tmp";
>+ }
>+ data->binfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
>+
>+ if (!data->binfile) {
>+#else
> if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
>+#endif /* HAVE_MKSTEMP */
> UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
> uustring (S_NO_TEMP_NAME));
> return UURET_NOMEM;
> }
>
>+#ifdef HAVE_MKSTEMP
>+ strcpy(data->binfile, tmpdir);
>+ strcat(data->binfile, "/");
>+ strcat(data->binfile, tmpprefix);
>+
>+ if ((tmpfd = mkstemp(data->binfile)) == -1 ||
>+ (dataout = fdopen(tmpfd, mode)) == NULL) {
>+#else
> if ((dataout = fopen (data->binfile, mode)) == NULL) {
>+#endif /* HAVE_MKSTEMP */
> /*
> * we couldn't create a temporary file. Usually this means that TMP
> * and TEMP aren't set
>@@ -1343,11 +1370,18 @@ UUDecode (uulist *data)
> UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
> uustring (S_WR_ERR_TARGET),
> data->binfile, strerror (uu_errno = errno));
>+#ifdef HAVE_MKSTEMP
>+ if (tmpfd != -1) {
>+ unlink(data->binfile);
>+ close(tmpfd);
>+ }
>+#endif /* HAVE_MKSTEMP */
> _FP_free (data->binfile);
> data->binfile = NULL;
> uu_errno = errno;
> return UURET_IOERR;
> }
>+
> /*
> * we don't have begin lines in Base64 or plain text files.
> */
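Review bot: Every line this patch adds sits behind `#ifdef HAVE_MKSTEMP`, starting with the declarations in the hunk at -1311, yet nothing in the patch defines that macro or adds a configure check for it. If the build never defines it, the `#else` branches in the later hunks keep the original `tempnam()` plus `fopen()` sequence, so the CVE-2008-2266 race is still compiled in without any diagnostic. I would document this at the declarations, e.g. `/* HAVE_MKSTEMP must be set by configure; without it the tempnam() fallback below remains racy */`. The patch also shows no include changes, so it is worth confirming that uunconc.c already pulls in the headers declaring `mkstemp`, `getuid`, `unlink` and `close`.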
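Review bot: The template construction in the hunk at -1329 (privilege check, `getenv("TMPDIR")`, `malloc`, then `strcpy`/`strcat`) is written out by hand and repeated for `ntmp` in the hunks at -1496 and -1510, so the `+2` size arithmetic and the three copies must be kept in step in two places. It also accepts an empty `TMPDIR`, which produces the template `/uuXXXXXX` in the root directory instead of falling back to `/tmp`. A small static helper that returns the malloc'ed template keeps the length computation next to the copy, and both call sites can keep their existing `UURET_NOMEM` / `UURET_IOERR` handling; the helper name below is only a suggestion. UUDecode's body starts and ends outside these hunks.

```c
#ifdef HAVE_MKSTEMP
/*
 * Build a malloc'ed "<dir>/uuXXXXXX" template for mkstemp().
 * Returns NULL if out of memory; the caller frees the result.
 */
static char *
UUTempTemplate (void)
{
  static const char suffix[] = "/uuXXXXXX";
  const char *dir = NULL;
  char *path;

  /* honour TMPDIR only when real and effective ids match */
  if (getuid () == geteuid () && getgid () == getegid ())
    dir = getenv ("TMPDIR");
  if (dir == NULL || *dir == '\0')
    dir = "/tmp";

  /* sizeof suffix already counts the terminating NUL */
  path = malloc (strlen (dir) + sizeof suffix);
  if (path != NULL) {
    strcpy (path, dir);
    strcat (path, suffix);
  }
  return path;
}
#endif /* HAVE_MKSTEMP */

/* ... unchanged: UUDecode prologue and mode selection ... */
#ifdef HAVE_MKSTEMP
  if ((data->binfile = UUTempTemplate ()) == NULL) {
#else
  if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
#endif /* HAVE_MKSTEMP */
/* ... unchanged: S_NO_TEMP_NAME message, mkstemp()/fdopen() on data->binfile ... */
```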
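Review bot: In the hunk at -1343 the added `unlink()` and `close()` run before the context line `uu_errno = errno;`, so that assignment can now record whatever those cleanup calls left in `errno` rather than the `mkstemp()`/`fdopen()` failure. The correct value was already captured by `strerror (uu_errno = errno)` in the `UUMessage` call, and the later assignment overwrites it. Preserving `errno` across the cleanup avoids a misleading error code for callers: `{ int e = errno; unlink(data->binfile); close(tmpfd); errno = e; }`. The enclosing `if` starts in the previous hunk.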
>@@ -1496,7 +1530,13 @@ UUDecode (uulist *data)
> */
>
> if (data->uudet == BH_ENCODED && data->binfile) {
>+#ifdef HAVE_MKSTEMP
>+ ntmp = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
>+
>+ if (ntmp == NULL) {
>+#else
> if ((ntmp = tempnam (NULL, "uu")) == NULL) {
>+#endif /* HAVE_MKSTEMP */
> UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
> uustring (S_NO_TEMP_NAME));
> progress.action = 0;
>@@ -1510,15 +1550,31 @@ UUDecode (uulist *data)
> free (ntmp);
> return UURET_IOERR;
> }
>+
>+#ifdef HAVE_MKSTEMP
>+ strcpy(ntmp, tmpdir);
>+ strcat(ntmp, "/");
>+ strcat(ntmp, tmpprefix);
>+ if ((tmpfd = mkstemp(ntmp)) == -1 ||
>+ (dataout = fdopen(tmpfd, "wb")) == NULL) {
>+#else
> if ((dataout = fopen (ntmp, "wb")) == NULL) {
>+#endif /* HAVE_MKSTEMP */
> UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
> uustring (S_NOT_OPEN_TARGET),
> ntmp, strerror (uu_errno = errno));
> progress.action = 0;
> fclose (datain);
>+#ifdef HAVE_MKSTEMP
>+ if (tmpfd != -1) {
>+ unlink(ntmp);
>+ close(tmpfd);
>+ }
>+#endif /* HAVE_MKSTEMP */
> free (ntmp);
> return UURET_IOERR;
> }
>+
> /*
> * read fork lengths. remember they're in Motorola format
> */
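Review bot: `tmpdir` in the hunk at -1496 (and in the `strcpy(ntmp, tmpdir)` of the hunk at -1510) may still be the raw pointer returned by `getenv("TMPDIR")` in the hunk at -1329, reused after the intervening decode work. The C standard allows a later `getenv()` call to overwrite that string, and `setenv()`/`putenv()` can invalidate it (CERT ENV34-C). If anything in between touches the environment, `strlen(tmpdir)` and the copy could disagree or read stale memory. I would either re-read `TMPDIR` here under the same uid/gid check, or take a private copy right after the first `getenv()` and use that copy at both sites. At minimum, add a comment at the declaration such as `/* tmpdir aliases getenv() storage; must not outlive environment changes */`.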