Date: Wed, 15 Dec 2004 13:00:54 +0100
From: Matthias Andree <matthias.andree@gmx.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: petef@FreeBSD.org
Subject: ports/75104: [PATCH] devel/cscope: security fix CAN-2004-0996
Message-ID: <E1CeXpu-0007vL-7y@libertas.emma.line.org>
Resent-Message-ID: <200412151210.iBFCARWB006257@freefall.freebsd.org>
>Number: 75104
>Category: ports
>Synopsis: [PATCH] devel/cscope: security fix CAN-2004-0996
>Confidential: no
>Severity: critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 15 12:10:27 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 4.11-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD libertas.emma.line.org 4.11-PRERELEASE FreeBSD 4.11-PRERELEASE #12: Tue Dec 14 15:31:18 CET 2004
>Description:
(1) Apply patch (sans version bump) from cscope CVS as files/patch-ac,
http://cvs.sourceforge.net/viewcvs.py/cscope/cscope/src/main.c?r1=1.33&r2=1.34&sortby=date&diff_format=u
to fix CAN-2004-0996 "main.c in cscope 15-4 and 15-5 creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0996
http://www.vuxml.org/freebsd/a7bfd423-484f-11d9-a9e7-0001020eed82.html
http://www.freebsd.org/ports/portaudit/a7bfd423-484f-11d9-a9e7-0001020eed82.html

(2) Bump portrevision.

Added file(s):
- files/patch-ac

Port maintainer (petef@FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.63
>How-To-Repeat:
>Fix:
--- cscope-15.5_1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/devel/cscope/Makefile /root/ports/devel/cscope/Makefile --- /usr/ports/devel/cscope/Makefile Wed Oct 29 12:42:25 2003 +++ /root/ports/devel/cscope/Makefile Wed Dec 15 12:42:17 2004 @@ -8,6 +8,7 @@ PORTNAME= cscope PORTVERSION= 15.5 +PORTREVISION= 1 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} diff -ruN --exclude=CVS /usr/ports/devel/cscope/files/patch-ac /root/ports/devel/cscope/files/patch-ac --- /usr/ports/devel/cscope/files/patch-ac Thu Jan 1 01:00:00 1970 +++ /root/ports/devel/cscope/files/patch-ac Wed Dec 15 12:45:20 2004 
@@ -0,0 +1,52 @@ +=================================================================== +RCS file: /cvsroot/cscope/cscope/src/main.c,v +retrieving revision 1.33 +retrieving revision 1.34 +diff -u -r1.33 -r1.34 +--- src/main.c 2004/04/30 15:31:43 1.33 ++++ src/main.c 2004/12/06 14:56:43 1.34 +@@ -101,6 +101,7 @@ + #endif + char temp1[PATHLEN + 1]; /* temporary file name */ + char temp2[PATHLEN + 1]; /* temporary file name */ ++char tempdirpv[PATHLEN +1]; /* private temp directory */ + long totalterms; /* total inverted index terms */ + BOOL trun_syms; /* truncate symbols to 8 characters */ + char tempstring[8192]; /* use this as a buffer, instead of 'yytext', +@@ -131,6 +132,7 @@ + int c, i; + pid_t pid; + struct stat stat_buf; ++ mode_t orig_umask; + + yyin = stdin; + yyout = stdout; +@@ -330,9 +332,18 @@ + } + + /* create the temporary file names */ ++ orig_umask = umask(S_IRWXG|S_IRWXO); + pid = getpid(); +- (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid); +- (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid); ++ (void) sprintf(tempdirpv, "%s/cscope.%d", tmpdir, pid); ++ if(mkdir(tempdirpv,S_IRWXU)) ++ { ++ fprintf(stderr, "cscope: Could not create private temp dir %s\n",tempdirpv); ++ myexit(1); ++ } ++ umask(orig_umask); ++ ++ (void) sprintf(temp1, "%s/cscope.1", tempdirpv, pid); ++ (void) sprintf(temp2, "%s/cscope.2", tempdirpv, pid); + + /* if running in the foreground */ + if (signal(SIGINT, SIG_IGN) != SIG_IGN) { +@@ -834,6 +845,7 @@ + if (temp1[0] != '\0') { + (void) unlink(temp1); + (void) unlink(temp2); ++ (void) rmdir(tempdirpv); + } + /* restore the terminal to its original mode */ + if (incurses == YES) { --- cscope-15.5_1.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
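Review bot: In the @@ -330,9 +332,18 @@ hunk of main.c the private directory is still named from the pid ("%s/cscope.%d"), so another local user can create that path in tmpdir first; mkdir() then fails and cscope exits at startup. Consider mkdtemp() on a "%s/cscope.XXXXXX" template, which picks an unpredictable name and creates the directory with mode 0700, so the umask save and restore around mkdir(tempdirpv,S_IRWXU) is no longer needed (S_IRWXU is already unaffected by that umask). The two sprintf calls that build temp1 and temp2 still pass pid although their format strings no longer contain %d; drop the extra argument. The "Could not create private temp dir" message would be easier to act on if it included strerror(errno).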
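Review bot: In the @@ -101,6 +101,7 @@ hunk of main.c tempdirpv is declared with the same size as temp1 and temp2 (PATHLEN + 1), yet temp1 and temp2 are later built by sprintf from tempdirpv plus "/cscope.1" and "/cscope.2", so a tempdirpv close to PATHLEN overruns them, and tempdirpv itself is filled by an unbounded sprintf from tmpdir and the pid. Suggest snprintf with sizeof the destination for all three buffers and exiting through myexit(1) when the result is truncated. Style: `PATHLEN +1` should match the `PATHLEN + 1` spacing of the two declarations above it.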