(-)cscope-15.3/debian/changelog (-4 / +35 lines)
Lines 1-3 Link Here
1
cscope (15.3-1woody2) stable-security; urgency=high
2
3
  * Non-maintainer upload by the Security Team
4
  * Applied adjusted patch by Gerardo Di Giacomo to fix insecure temporary
5
    file creation [src/main.c, CAN-2004-0996]
6
7
 -- Martin Schulze <joey@infodrom.org>  Wed, 24 Nov 2004 20:42:14 +0100
8
1
cscope (15.3-1) unstable; urgency=low
9
cscope (15.3-1) unstable; urgency=low
2
10
3
  * New upstream release.  (Thanks to GOTO Masanori for the notification).
11
  * New upstream release.  (Thanks to GOTO Masanori for the notification).
4
-- cscope-15.3.orig/src/main.c
12
++ cscope-15.3/src/main.c
Lines 336-344 Link Here
336
	}
336
	}
337
337
338
	/* create the temporary file names */
338
	/* create the temporary file names */
339
	pid = getpid();
339
	do {
340
	(void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
340
		char *tempfile = tempnam(tmpdir, "cscope1");
341
	(void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);
341
		if (!tempfile) {
342
			fprintf (stderr, "Can't create tempfile\n");
343
			exit(1);
344
		}
345
		if (strlen(tempfile) >= sizeof(temp1)) {
346
			fprintf (stderr, "TMPDIR path is too long\n");
347
			exit(1);
348
		}
349
		strncpy (temp1, tempfile, sizeof (temp1));
350
		free (tempfile);
351
	} while (open (temp1, O_CREAT|O_EXCL|O_WRONLY, S_IREAD|S_IWRITE) < 0);
352
	do {
353
		char *tempfile = tempnam(tmpdir, "cscope2");
354
		if (!tempfile) {
355
			fprintf (stderr, "Can't create tempfile\n");
356
			exit(1);
357
		}
358
		if (strlen(tempfile) >= sizeof(temp2)) {
359
			fprintf (stderr, "TMPDIR path is too long\n");
360
			exit(1);
361
		}
362
		strncpy (temp2, tempfile, sizeof (temp2));
363
		free (tempfile);
364
	} while (open (temp2, O_CREAT|O_EXCL|O_WRONLY, S_IREAD|S_IWRITE) < 0);
342
365
343
	/* if running in the foreground */
366
	/* if running in the foreground */
344
	if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
367
	if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
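Review bot: Both retry loops (`while (open (temp1, ...) < 0)` and the matching one for temp2) repeat on every open() failure, so an unwritable or missing temporary directory makes cscope spin forever instead of reporting the error, and the descriptor returned on success is discarded and never closed. Keep the descriptor in a new local `int fd`, retry only when `errno == EEXIST`, and close it once the file exists, as sketched below for temp1; temp2 needs the same change. tempnam() also prefers the TMPDIR environment variable over its `tmpdir` argument and only proposes a name, so `mkstemp()` on a template built from `tmpdir` would pick the name and create the file in one atomic step. How the rest of main() reopens temp1 and temp2 is outside this hunk, so whether the exclusive create still protects those later opens cannot be confirmed from here.

```c
	do {
		/* … unchanged: tempnam() call, NULL check, length check, copy into temp1, free … */
		fd = open (temp1, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR|S_IWUSR);
		if (fd < 0 && errno != EEXIST) {
			/* anything but a name collision will not be cured by retrying */
			perror (temp1);
			exit(1);
		}
	} while (fd < 0);
	(void) close (fd);	/* the file now exists with owner-only permissions */
```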
