Description: fix insecure temporary file handling . From upstream changelog entry: . foomaticrip.c, renderer.c: SECURITY FIX: Use the mktemp shell command/mkstemp() function to create the debug log file and the renderer input data file (both files only generated when foomatic-rip is un in debug mode) with file names with an unpredictable part. The names are /tmp/foomatic-rip-XXXXXX.log and /tmp/foomatic-rip-YYYYYY.ps where the XXXXXX and YYYYYY are replaced by random strings. Thanks to Tim Waugh from Red Hat for for the patch (bug #936, CVE-2011-2924).
Acked-by: Till Kamppeter
Author: Tim Waugh
Origin: upstream, http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/256
Bug-CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2924
Last-Update: 2012-03-06
--- a/foomaticrip.c
+++ b/foomaticrip.c
@@ -1173,9 +1173,13 @@
 if (arglist_remove_flag(arglist, "--debug"))
 debug = 1;
- if (debug)
- logh = fopen(LOG_FILE ".log", "w"); /* insecure, use for debugging only */
- else if (quiet && !verbose)
+ if (debug) {
+ int fd = mkstemp (LOG_FILE "-XXXXXX.log");
+ if (fd != -1)
+ logh = fdopen(fd, "w");
+ else
+ logh = stderr;
+ } else if (quiet && !verbose)
 logh = NULL; /* Quiet mode, do not log */
 else
 logh = stderr; /* Default: log to stderr */
@@ -1585,11 +1589,6 @@
 /* TODO tbd */
 }
- /* In debug mode save the data supposed to be fed into the renderer also into a file, reset the file here */
- if (debug)
- run_system_process("reset-file", "> " LOG_FILE ".ps");
-
 filename = strtok_r(filelist->data, " ", &p);
 while (filename) {
 _log("\n================================================\n\n"
--- a/renderer.c
+++ b/renderer.c
@@ -434,7 +434,7 @@
 }
 /* Save the data supposed to be fed into the renderer also into a file*/
- dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
+ dstrprepend(commandline, "tee $(mktemp " LOG_FILE "-XXXXXX.ps) | ( ");
 dstrcat(commandline, ")");
 }
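Review bot: The template passed on the new `int fd = mkstemp (LOG_FILE "-XXXXXX.log");` line is a string literal, and mkstemp() overwrites the XXXXXX in place, so this modifies read-only storage (undefined behaviour, typically a crash on glibc/Linux where literals live in .rodata) — the template must be a writable array. The template also ends in `.log` rather than in the six X's, which POSIX mkstemp() does not accept; on glibc the call returns -1 with EINVAL, so debug mode silently falls back to stderr instead of the private 0600 file the fix is meant to create. Both are addressed by `char tmpl[] = LOG_FILE "-XXXXXX.log";` followed by `int fd = mkstemps(tmpl, 4);` (mkstemps is a glibc/BSD extension; dropping the suffix and calling mkstemp() is the strictly portable alternative), and the opened path in `tmpl` should then be reported once so the randomised file name can actually be found. The enclosing function starts and ends outside this hunk.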
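Review bot: The `$(mktemp " LOG_FILE "-XXXXXX.ps)` substitution on the new dstrprepend line discards the generated path and ignores failure: if mktemp exits non-zero, `tee` runs with no file operand and the renderer input is silently not captured, and on success nothing tells the user which randomised /tmp file holds it. Capturing the name once and reporting it, e.g. prepending `f=$(mktemp " LOG_FILE "-XXXXXX.ps); echo \"$f\" >&2; tee \"$f\" | ( ` instead, at least names the file on stderr and makes a failed mktemp visible as an empty path. Relying on characters after the X's is also GNU-specific — coreutils mktemp implies `--suffix` when the template does not end in X, but other mktemp(1) implementations appear to require the X's to be last, so the capture may silently degrade on non-GNU systems. The function containing this line starts outside the hunk.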