vdr/vdradmin/debian/patches 02_sectmpfiles.dpatch 00list 02_tmpfiles.dpatch

Thomas Schmidt pkg-vdr-dvb-changes@lists.alioth.debian.org
Wed, 29 Dec 2004 22:45:26 +0000


Update of /cvsroot/pkg-vdr-dvb/vdr/vdradmin/debian/patches
In directory haydn:/tmp/cvs-serv4144/vdr/vdradmin/debian/patches

Modified Files:
	00list 
Added Files:
	02_sectmpfiles.dpatch 
Removed Files:
	02_tmpfiles.dpatch 
Log Message:
* fix security problem by using File::Temp (closes: #287601)

Index: 00list
===================================================================
RCS file: /cvsroot/pkg-vdr-dvb/vdr/vdradmin/debian/patches/00list,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- 00list	18 Dec 2004 11:48:03 -0000	1.2
+++ 00list	29 Dec 2004 22:45:24 -0000	1.3
@@ -1,2 +1,3 @@
 01_dist-var
-02_tmpfiles
+#02_tmpfiles
+02_sectmpfiles

--- NEW FILE: 02_sectmpfiles.dpatch ---
#! /bin/sh /usr/share/dpatch/dpatch-run
## 02_sectmpfiles.dpatch by Thomas Schmidt <thomas.schmidt@in.stud.tu-ilmenau.de>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Use File::Temp to create temporary files in a secure way

@DPATCH@
diff -urNad vdradmin-0.96/vdradmind.pl /tmp/dpep.HeRpDe/vdradmin-0.96/vdradmind.pl
--- vdradmin-0.96/vdradmind.pl	2004-12-29 12:54:18.000000000 +0100
+++ /tmp/dpep.HeRpDe/vdradmin-0.96/vdradmind.pl	2004-12-29 12:55:06.000000000 +0100
@@ -32,12 +32,15 @@
 	unshift(@INC, $BASENAME . "lib/");
 }
 
+require File::Temp;
+
 use CGI qw(:no_debug);
 use IO::Socket;
 use HTML::Template::Expr();
 use Time::Local qw(timelocal);
 use POSIX ":sys_wait_h", qw(strftime mktime);
 use MIME::Base64();
+use File::Temp();
 
 use strict;
 #use warnings;
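Review bot: `require File::Temp;` and `use File::Temp();` load the same module twice. The `use File::Temp();` line alone is enough, because it loads the module at compile time and imports nothing, and the later code only uses the object constructor. Dropping the `require` keeps the module list in one place next to the other `use` lines.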
@@ -659,7 +662,7 @@
 
 sub GZip {
 	my $content = shift;
-  my $filename = "/tmp/vdradmin." . time();
+  my $filename = new File::Temp("vdradmin-XXXXX", UNLINK => 1);
   open(PIPE, "| gzip -9 - > $filename") || die "cant open pipe to gzip ($!)";
   print PIPE $$content;
   close(PIPE);
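Review bot: The `new File::Temp("vdradmin-XXXXX", UNLINK => 1)` call in GZip passes the template positionally and names no directory. File::Temp documents its constructor with key/value pairs, and whether a bare leading template is accepted appears to depend on the installed module version. A template given without `DIR` is created relative to the current working directory rather than in /tmp, which is fragile for a daemon. I would write `my $filename = File::Temp->new(TEMPLATE => "vdradmin-XXXXX", DIR => "/tmp", UNLINK => 1);`, which also avoids indirect object syntax; the `grab_picture` hunk has the same call shape. The shell redirect in `open(PIPE, "| gzip -9 - > $filename")` still reopens the file by name rather than using the handle File::Temp holds, so the protection rests on the exclusive create in a directory where others cannot replace the entry; GZip's body continues outside the hunk.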
@@ -3038,7 +3041,7 @@
 #############################################################################
 sub grab_picture {
 	my $size = $q->param("size");
-	my $file = "/tmp/vdr.jpg";
+	my $file = new File::Temp("vdr-XXXXX", UNLINK => 1, SUFFIX => ".jpg");
 	my $maxwidth = 768;
 	my $maxheight = 576;
 	my($width, $height);
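Review bot: The old fixed path `/tmp/vdr.jpg` looks like a name handed to another process that writes the image, and the code that consumes `$file` is outside this hunk, so that use needs checking against the new object. File::Temp creates the file with owner-only permissions, so a writer running under a different user may be unable to write to it. With no `DIR` given, the name may also be relative to vdradmin's working directory rather than absolute. A comment at the declaration such as `# created 0600 by File::Temp; whoever writes the grab must run as the same user and needs an absolute path` would record the constraint.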

--- 02_tmpfiles.dpatch DELETED ---