[libxml-dt-perl] 01/03: add patch fixing insecure usage of temporary files

Damyan Ivanov dmn at moszumanska.debian.org
Thu Jul 31 18:55:33 UTC 2014


This is an automated email from the git hooks/post-receive script.

dmn pushed a commit to branch master
in repository libxml-dt-perl.

commit 2165a4402d13e340bd16e5c644c467d67a629a42
Author: Damyan Ivanov <dmn at debian.org>
Date:   Thu Jul 31 18:49:37 2014 +0000

    add patch fixing insecure usage of temporary files
    
    Thanks to Steve Kemp. Closes: #756566
---
 debian/patches/insecure-tmp.patch | 60 +++++++++++++++++++++++++++++++++++++++
 debian/patches/series             |  1 +
 2 files changed, 61 insertions(+)

diff --git a/debian/patches/insecure-tmp.patch b/debian/patches/insecure-tmp.patch
new file mode 100644
index 0000000..40fafbf
--- /dev/null
+++ b/debian/patches/insecure-tmp.patch
@@ -0,0 +1,60 @@
+Description: Insecure use of temporary files
+ replaces hardcoded '/tmp/_xml_$$' usage with File::Temp
+Author: Damyan Ivanov <dmn at debian.org>
+Bug-Debian: https://bugs.debian.org/756566
+
+--- a/mkdtskel
++++ b/mkdtskel
+@@ -1,6 +1,7 @@
+ #!/usr/bin/perl -s
+ use XML::DT;
+ use XML::DTDParser "ParseDTDFile";
++use File::Temp;
+ 
+ our ($dtd, $html, $lines);
+ 
+@@ -15,8 +16,8 @@ if ($dtd) {
+ else {
+     if ($lines) {
+         ## XXX - fixme, using head/xmllint is not a good idea
+-        system("head -$lines $filename | xmllint --recover - > /tmp/_xml_$$");
+-        $filename = "/tmp/_xml_$$";
++        $filename = File::Temp->new( UNLINK => 0 )->filename;
++        system("head -$lines $filename | xmllint --recover - > $filename");
+     }
+ 
+     if ($html) {
+@@ -25,7 +26,7 @@ else {
+     else {
+         mkdtskel($filename, @ARGV);
+     }
+-    unlink("/tmp/_xml_$$") if $lines;
++    unlink($filename) if $lines;
+ }
+ 
+ __END__
+--- a/mkxmltype
++++ b/mkxmltype
+@@ -1,6 +1,7 @@
+ #!/usr/bin/perl -w -s
+ use XML::DT;
+ use Data::Dumper;
++use File::Temp;
+ use Term::ReadLine;
+ #use locale;
+ 
+@@ -50,11 +51,11 @@ sub mkxmltypes {
+ 
+   for my $fname (@files){
+     if($lines){
+-      system("head -$lines $fname | xmllint --recover - > /tmp/_xml_$$");
+-      $fname = "/tmp/_xml_$$";
++      $fname = File::Temp->new( UNLINK => 0 )->filename;
++      system("head -$lines $fname | xmllint --recover - > $fname");
+     }
+     dt($fname,%handler); 
+-    unlink("/tmp/_xml_$$") if $lines;
++    unlink($fname) if $lines;
+   }
+ 
+   print "# ", join(" ",keys %root)," ...",  scalar(localtime(time)) ,"\n";
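Review bot: In the embedded mkdtskel hunk, `$filename` is overwritten with the temp file's name before `system(...)` runs, so `head -$lines $filename` reads the newly created, empty temp file and the shell redirects back onto that same path; the user's input file is never read. The mkxmltype hunk repeats the same mistake with `$fname`. Keep the temp name in its own variable and reassign only after the pipeline: `my $tmp = File::Temp->new( UNLINK => 0 )->filename;`, `system("head -$lines $filename | xmllint --recover - > $tmp");`, `$filename = $tmp;`. Separately, `$lines` and the input file name are still interpolated into a single shell string, so shell metacharacters in either are interpreted by the shell; validating `$lines` as digits and quoting the file name (or avoiding the shell) would close that. Both enclosing blocks start outside the embedded hunks, so how `$filename` is first assigned is not visible here.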
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b711819
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+insecure-tmp.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libxml-dt-perl.git


