authorDidier Raboud <odyx@debian.org>2012-03-06 11:38:50 +0100
committerDidier Raboud <odyx@debian.org>2012-03-06 11:38:50 +0100
commit9f65db2a4f0c58eaecb41696d583b41d9f5cb9f9 (patch)
tree9ce172873a666ddc625d85598003a9dde88f364a
parent9a8c99193a6cd0c2cb2a7e9d5584da6033e7b524 (diff)
Add patch to fix CVE-2011-2924.
"foomatic-rip (debug mode) insecure temporary file use in renderer command line by processing PostScript data" - Backport debian/patches/CVE-2011-2924.patch from upstream. - Add DEP-3 headers. Signed-off-by: Didier Raboud <odyx@debian.org>
-rw-r--r--debian/patches/CVE-2011-2924.patch61
-rw-r--r--debian/patches/series1
2 files changed, 62 insertions, 0 deletions
diff --git a/debian/patches/CVE-2011-2924.patch b/debian/patches/CVE-2011-2924.patch
new file mode 100644
index 0000000..1bc879c
--- /dev/null
+++ b/debian/patches/CVE-2011-2924.patch
@@ -0,0 +1,61 @@
+Description: fix insecure temporary file handling
+ .
+ From upstream changelog entry:
+ .
+ foomaticrip.c, renderer.c: SECURITY FIX: Use the mktemp shell
+ command/mkstemp() function to create the debug log file and the
+ renderer input data file (both files only generated when
+ foomatic-rip is un in debug mode) with file names with an
+ unpredictable part. The names are /tmp/foomatic-rip-XXXXXX.log and
+ /tmp/foomatic-rip-YYYYYY.ps where the XXXXXX and YYYYYY are
+ replaced by random strings. Thanks to Tim Waugh from Red Hat for
+ for the patch (bug #936, CVE-2011-2924).
+
+Acked-by: Till Kamppeter <till.kamppeter@gmail.com>
+Author: Tim Waugh <twaugh@redhat.com>
+Origin: upstream, http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/256
+Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2924
+Last-Update: 2012-03-06
+
+--- a/foomaticrip.c
++++ b/foomaticrip.c
+@@ -1173,9 +1173,13 @@
+ if (arglist_remove_flag(arglist, "--debug"))
+ debug = 1;
+
+- if (debug)
+- logh = fopen(LOG_FILE ".log", "w"); /* insecure, use for debugging only */
+- else if (quiet && !verbose)
++ if (debug) {
++ int fd = mkstemp (LOG_FILE "-XXXXXX.log");
++ if (fd != -1)
++ logh = fdopen(fd, "w");
++ else
++ logh = stderr;
++ } else if (quiet && !verbose)
+ logh = NULL; /* Quiet mode, do not log */
+ else
+ logh = stderr; /* Default: log to stderr */
+@@ -1585,11 +1589,6 @@
+ /* TODO tbd */
+ }
+
+- /* In debug mode save the data supposed to be fed into the
+- renderer also into a file, reset the file here */
+- if (debug)
+- run_system_process("reset-file", "> " LOG_FILE ".ps");
+-
+ filename = strtok_r(filelist->data, " ", &p);
+ while (filename) {
+ _log("\n================================================\n\n"
+--- a/renderer.c
++++ b/renderer.c
+@@ -434,7 +434,7 @@
+ }
+
+ /* Save the data supposed to be fed into the renderer also into a file*/
+- dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
++ dstrprepend(commandline, "tee $(mktemp " LOG_FILE "-XXXXXX.ps) | ( ");
+ dstrcat(commandline, ")");
+ }
+
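Review bot: The `mkstemp (LOG_FILE "-XXXXXX.log")` call added in the foomaticrip.c hunk uses a template that does not end in `XXXXXX`; POSIX requires that ending and glibc returns EINVAL otherwise, so on a glibc system `fd` is -1 and debug logging silently falls back to stderr instead of creating the log file. The template is also a string literal, and mkstemp() writes the generated name into its argument, so a writable buffer is needed in any case. A local array with the suffix-aware variant (glibc/BSD) covers both: `char logpath[] = LOG_FILE "-XXXXXX.log";` followed by `int fd = mkstemps(logpath, 4);`. If `fdopen()` fails, `logh` becomes NULL and the descriptor leaks, so that path should close `fd` and fall back to stderr as well. The enclosing function starts and ends outside this hunk.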
diff --git a/debian/patches/series b/debian/patches/series
index 691965c..afbfc23 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
strncpy-tochar-use-isempty.patch
unhtmlify-segfault.patch
CVE-2011-2964.patch
+CVE-2011-2924.patch