Updated By: Bruce Dubbs (bdubbs -aT- linuxfromscratch -DoT- org)
Date: 2005-12-12
Submitted By: Archaic (archaic -aT- linuxfromscratch -DoT- org)
Date: 2005-10-08
Initial Package Version: 4.8
Origin: http://gentoo.kems.net/gentoo-portage/sys-apps/texinfo/files/texinfo-4.8-tempfile.patch
Upstream Status: A few patches are floating around in Debian BZ #328365 of which
                 upstream hasn't made a full commitment on yet.
Description: (CAN-2005-3011) texindex in texinfo 4.8 and earlier allows local
             users to overwrite arbitrary files via a symlink attack on
             temporary files.
Update: Changed to not pass a constant string to mktemp().

diff -Naur texinfo-4.8.orig/util/texindex.c texinfo-4.8/util/texindex.c
--- texinfo-4.8.orig/util/texindex.c	2005-12-11 23:29:08.000000000 -0600
+++ texinfo-4.8/util/texindex.c	2005-12-11 23:33:31.000000000 -0600
@@ -99,6 +99,9 @@
 /* Directory to use for temporary files.  On Unix, it ends with a slash.  */
 char *tempdir;
 
+/* Basename for temp files inside of tempdir.  */
+char *tempbase;
+
 /* Number of last temporary file.  */
 int tempcount;
 
@@ -153,6 +156,7 @@
 main (int argc, char **argv)
 {
   int i;
+  char template[]="txidxXXXXXX";
 
   tempcount = 0;
   last_deleted_tempcount = 0;
@@ -190,6 +194,11 @@
 
   decode_command (argc, argv);
 
+  /* XXX mkstemp not appropriate, as we need to have somewhat predictable
+   * names. But race condition was fixed, see maketempname. 
+   */
+  tempbase = mktemp (template);
+
   /* Process input files completely, one by one.  */
 
   for (i = 0; i < num_infiles; i++)
@@ -389,21 +398,21 @@
 static char *
 maketempname (int count)
 {
-  static char *tempbase = NULL;
   char tempsuffix[10];
-
-  if (!tempbase)
-    {
-      int fd;
-      tempbase = concat (tempdir, "txidxXXXXXX");
-
-      fd = mkstemp (tempbase);
-      if (fd == -1)
-        pfatal_with_name (tempbase);
-    }
+  char *name, *tmp_name;
+  int fd;
 
   sprintf (tempsuffix, ".%d", count);
-  return concat (tempbase, tempsuffix);
+  tmp_name = concat (tempdir, tempbase);
+  name = concat (tmp_name, tempsuffix);
+  free(tmp_name);
+
+  fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0600);
+  if (fd == -1)
+    pfatal_with_name (name);
+
+  close(fd);
+  return name;
 }