[libxml-dt-perl] 01/03: add patch fixing insecure usage of temporary files
Damyan Ivanov
dmn at moszumanska.debian.org
Thu Jul 31 18:55:33 UTC 2014
This is an automated email from the git hooks/post-receive script.
dmn pushed a commit to branch master
in repository libxml-dt-perl.
commit 2165a4402d13e340bd16e5c644c467d67a629a42
Author: Damyan Ivanov <dmn at debian.org>
Date: Thu Jul 31 18:49:37 2014 +0000
add patch fixing insecure usage of temporary files
Thanks to Steve Kemp. Closes: #756566
---
debian/patches/insecure-tmp.patch | 60 +++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 61 insertions(+)
diff --git a/debian/patches/insecure-tmp.patch b/debian/patches/insecure-tmp.patch
new file mode 100644
index 0000000..40fafbf
--- /dev/null
+++ b/debian/patches/insecure-tmp.patch
@@ -0,0 +1,60 @@
+Description: Insecure use of temporary files
+ replaces hardcoded '/tmp/_xml_$$' usage with File::Temp
+Author: Damyan Ivanov <dmn at debian.org>
+Bug-Debian: https://bugs.debian.org/756566
+
+--- a/mkdtskel
++++ b/mkdtskel
+@@ -1,6 +1,7 @@
+ #!/usr/bin/perl -s
+ use XML::DT;
+ use XML::DTDParser "ParseDTDFile";
++use File::Temp;
+
+ our ($dtd, $html, $lines);
+
+@@ -15,8 +16,8 @@ if ($dtd) {
+ else {
+ if ($lines) {
+ ## XXX - fixme, using head/xmllint is not a good idea
+- system("head -$lines $filename | xmllint --recover - > /tmp/_xml_$$");
+- $filename = "/tmp/_xml_$$";
++ $filename = File::Temp->new( UNLINK => 0 )->filename;
++ system("head -$lines $filename | xmllint --recover - > $filename");
+ }
+
+ if ($html) {
+@@ -25,7 +26,7 @@ else {
+ else {
+ mkdtskel($filename, @ARGV);
+ }
+- unlink("/tmp/_xml_$$") if $lines;
++ unlink($filename) if $lines;
+ }
+
+ __END__
+--- a/mkxmltype
++++ b/mkxmltype
+@@ -1,6 +1,7 @@
+ #!/usr/bin/perl -w -s
+ use XML::DT;
+ use Data::Dumper;
++use File::Temp;
+ use Term::ReadLine;
+ #use locale;
+
+@@ -50,11 +51,11 @@ sub mkxmltypes {
+
+ for my $fname (@files){
+ if($lines){
+- system("head -$lines $fname | xmllint --recover - > /tmp/_xml_$$");
+- $fname = "/tmp/_xml_$$";
++ $fname = File::Temp->new( UNLINK => 0 )->filename;
++ system("head -$lines $fname | xmllint --recover - > $fname");
+ }
+ dt($fname,%handler);
+- unlink("/tmp/_xml_$$") if $lines;
++ unlink($fname) if $lines;
+ }
+
+ print "# ", join(" ",keys %root)," ...", scalar(localtime(time)) ,"\n";
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b711819
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+insecure-tmp.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libxml-dt-perl.git
More information about the Pkg-perl-cvs-commits
mailing list