[PATCH 1/2] Hardening installation of GNU tar

Steffen Moeller moeller at debian.org
Thu Mar 19 16:27:22 UTC 2009


 * already existing / left over data.tar.gz file is removed
 * the ( ) subshell is removed so that an error does not go unnoticed
---
 install.sh |   19 ++++++++++++++-----
 1 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/install.sh b/install.sh
index 3129466..896accc 100755
--- a/install.sh
+++ b/install.sh
@@ -464,7 +464,7 @@ action_testing () {
 	fi
 	echo " * microSD card device: $SD_DEVICE present"
 
-	for intern_binary in wget ping fdisk mount umount mkfs.$SD_PART1_FS mkfs.$SD_PART2_FS mkswap gunzip dd sed rdate ar; do
+	for intern_binary in wget ping fdisk mount umount mkfs.$SD_PART1_FS mkfs.$SD_PART2_FS mkswap gunzip dd sed rdate ar pwd; do
 		if ! which $intern_binary > /dev/null; then
 			echo "E: Could not find $intern_binary binary"
 			exit 1
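Review bot: The `pwd` entry added to the `for intern_binary in ...` list is tested with `which`, which only searches PATH for an external binary, while `pwd` is a builtin in POSIX shells. On a minimal system with no standalone `pwd` executable the check would abort the install even though the `pwd` call added in the next hunk would work. Saving the directory with `cwd=$PWD`, or not changing directory at all, would make this new requirement unnecessary. The loop and action_testing continue outside the hunk.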
@@ -478,11 +478,20 @@ action_testing () {
 		echo "W: tar does not support gzip archives"
 		echo "Downloading tar package"
 		wget $TAR_PACKAGE -O /tmp/tar.deb
-		( cd /tmp && ar -x tar.deb data.tar.gz )
+		cwd=`pwd`
+		cd /tmp
+		if [ -f data.tar.gz ]; then
+			if [ -n "$VERBOSE" ]; then
+				echo "I: removing previous /tmp/data.tar.gz"
+			fi
+			rm -f data.tar.gz
+		fi
+		ar -x tar.deb data.tar.gz
 		mkdir -p /usr/local
-		gunzip -c /tmp/data.tar.gz | tar -x -C /usr/local/
-		rm -f /tmp/data.tar.gz
-		rm -f /tmp/tar.deb
+		gunzip -c data.tar.gz | tar -x -C /usr/local/
+		rm -f data.tar.gz
+		rm -f tar.deb
+		cd "$cwd"
 	fi
 
 	if [ "$SD_PART1_FS" = "vfat" ]; then
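Review bot: The new block still uses fixed names in world-writable /tmp (`tar.deb`, `data.tar.gz`), and `[ -f data.tar.gz ]` follows symlinks, so a dangling symlink planted under that name is neither detected nor removed before `ar -x` writes to it; the script extracts into /usr/local, so it presumably runs as root. Dropping the subshell also dropped the `&&` guard: if `cd /tmp` or `ar` fails, the `gunzip` and `rm -f` lines still run in whatever directory the script is in, unless `set -e` is active outside this hunk. A private directory from `mktemp -d` with explicit status checks addresses both and removes the `cwd`/`cd "$cwd"` bookkeeping; `mktemp` would then need to be added to the required-binary list. Separately, no checksum comparison of `tar.deb` is visible here before it is unpacked, so it is worth confirming that TAR_PACKAGE is verified elsewhere. action_testing starts and ends outside the hunk.

```shell
		# … unchanged: gzip-support check and "Downloading tar package" message …
		workdir=$(mktemp -d /tmp/tar-install.XXXXXX) || exit 1
		wget $TAR_PACKAGE -O "$workdir/tar.deb" || exit 1
		( cd "$workdir" && ar -x tar.deb data.tar.gz ) || exit 1
		mkdir -p /usr/local
		gunzip -c "$workdir/data.tar.gz" | tar -x -C /usr/local/ || exit 1
		rm -rf "$workdir"
```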
-- 
1.6.2.1

