-rw-r--r-- | debian/patches/CVE-2011-2924.patch | 61 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 62 insertions, 0 deletions
diff --git a/debian/patches/CVE-2011-2924.patch b/debian/patches/CVE-2011-2924.patch
new file mode 100644
index 0000000..1bc879c
--- /dev/null
+++ b/debian/patches/CVE-2011-2924.patch
@@ -0,0 +1,61 @@
+Description: fix insecure temporary file handling
+ .
+ From upstream changelog entry:
+ .
+ foomaticrip.c, renderer.c: SECURITY FIX: Use the mktemp shell
+ command/mkstemp() function to create the debug log file and the
+ renderer input data file (both files only generated when
+ foomatic-rip is un in debug mode) with file names with an
+ unpredictable part. The names are /tmp/foomatic-rip-XXXXXX.log and
+ /tmp/foomatic-rip-YYYYYY.ps where the XXXXXX and YYYYYY are
+ replaced by random strings. Thanks to Tim Waugh from Red Hat for
+ for the patch (bug #936, CVE-2011-2924).
+
+Acked-by: Till Kamppeter <till.kamppeter@gmail.com>
+Author: Tim Waugh <twaugh@redhat.com>
+Origin: upstream, http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/256
+Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2924
+Last-Update: 2012-03-06
+
+--- a/foomaticrip.c
++++ b/foomaticrip.c
+@@ -1173,9 +1173,13 @@
+ if (arglist_remove_flag(arglist, "--debug"))
+ debug = 1;
+
+- if (debug)
+- logh = fopen(LOG_FILE ".log", "w"); /* insecure, use for debugging only */
+- else if (quiet && !verbose)
++ if (debug) {
++ int fd = mkstemp (LOG_FILE "-XXXXXX.log");
++ if (fd != -1)
++ logh = fdopen(fd, "w");
++ else
++ logh = stderr;
++ } else if (quiet && !verbose)
+ logh = NULL; /* Quiet mode, do not log */
+ else
+ logh = stderr; /* Default: log to stderr */
+@@ -1585,11 +1589,6 @@
+ /* TODO tbd */
+ }
+
+- /* In debug mode save the data supposed to be fed into the
+- renderer also into a file, reset the file here */
+- if (debug)
+- run_system_process("reset-file", "> " LOG_FILE ".ps");
+-
+ filename = strtok_r(filelist->data, " ", &p);
+ while (filename) {
+ _log("\n================================================\n\n"
+--- a/renderer.c
++++ b/renderer.c
+@@ -434,7 +434,7 @@
+ }
+
+ /* Save the data supposed to be fed into the renderer also into a file*/
+- dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
++ dstrprepend(commandline, "tee $(mktemp " LOG_FILE "-XXXXXX.ps) | ( ");
+ dstrcat(commandline, ")");
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 691965c..afbfc23 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 strncpy-tochar-use-isempty.patch
 unhtmlify-segfault.patch
 CVE-2011-2964.patch
+CVE-2011-2924.patch |
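Review bot: The `mkstemp (LOG_FILE "-XXXXXX.log")` call in the foomaticrip.c part of the added patch passes a string literal whose template does not end in `XXXXXX`; mkstemp() writes the generated name into its argument and requires the six X's to be the last characters, so the call is expected to fail with EINVAL (or fault on the read-only literal) and debug logging would quietly fall back to stderr instead of a file. A writable buffer with the suffix-aware variant keeps the documented name: `char tmpl[] = LOG_FILE "-XXXXXX.log";` followed by `int fd = mkstemps(tmpl, 4);` (mkstemps is a glibc/BSD extension, so confirm it is available on the target platforms, or move the X's to the end of the name and keep mkstemp). The `fdopen(fd, "w")` result is also unchecked, which on failure leaves `logh` NULL and the descriptor open. In the renderer.c part, `tee $(mktemp ...)` likewise depends on a mktemp command that accepts a suffix after the X's, and if mktemp fails tee runs with no file argument, so the renderer input is not saved and nothing reports it. The enclosing functions begin and end outside these hunks.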