1 Description: fix for CVE-2013-0200 (insecure temporary files) |
2 Origin: vendor, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701185 |
3 Original Bug: https://bugzilla.redhat.com/show_bug.cgi?id=902163 |
4 |
5 ----------------------------------------------------------------------- |
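--- a/prnt/hpps/hppsfilter.c Tue Apr 10 01:32:37 2012
+++ b/prnt/hpps/hppsfilter.c Tue Jan 28 03:25:00 2014
@@ -93,8 +93,11 @@
  if (g_savepsfile & SAVE_PS_FILE)
  {
  char sfile_name[FILE_NAME_SIZE] = {0};
- sprintf(sfile_name, DBG_PSFILE, szjob_id);
- g_fp_outdbgps= fopen(sfile_name, "w");
+ int fd;
+ sprintf(sfile_name, DBG_PSFILE ".XXXXXX", szjob_id);
+ fd = mkstemp (sfile_name);
+ if (fd != -1)
+ g_fp_outdbgps = fdopen(fd, "w");
  chmod(sfile_name, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  }
  }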
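Review bot: The `chmod(sfile_name, …)` that follows the new `mkstemp` block runs even when `mkstemp` returns -1, and it goes by path rather than by the descriptor just obtained. After a failure the buffer holds whatever the template was left as, so the call changes the mode of whatever that name resolves to, and `chmod` follows symbolic links. Setting the mode with `fchmod(fd, …)` inside the success branch avoids both, and the same branch should `close(fd)` when `fdopen` returns NULL so the descriptor is not leaked. The same pattern is in the SystemServices.cpp and HPCupsFilter.cpp sections; hpijs.cpp guards the call on the stream but still uses the path. The enclosing function starts and ends outside the hunk.

```c
/* … unchanged: sfile_name declaration and sprintf of the template … */
fd = mkstemp (sfile_name);
if (fd != -1)
{
    fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
    g_fp_outdbgps = fdopen(fd, "w");
    if (g_fp_outdbgps == NULL)
        close(fd);
}
```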
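--- a/prnt/hpcups/SystemServices.cpp Tue Apr 10 01:32:37 2012
+++ b/prnt/hpcups/SystemServices.cpp Tue Jan 28 03:22:40 2014
@@ -36,9 +36,12 @@
  m_fp = NULL;
  if (iLogLevel & SAVE_PCL_FILE)
  {
- char fname[32];
- sprintf(fname, "/tmp/hpcups_job%d.out", job_id);
- m_fp = fopen(fname, "w");
+ char fname[40];
+ int fd;
+ sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id);
+ fd = mkstemp (fname);
+ if (fd != -1)
+ m_fp = fdopen(fd, "w");
  chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  }
  }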
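Review bot: The new `sprintf` into `fname[40]` relies on a hand-counted size: the fixed text of `/tmp/hpcups_job%d.out.XXXXXX` takes 27 bytes with the terminator, which leaves 13 for the number, enough for a 32-bit value but with nothing enforcing it. Bounding the write, as the HPCupsFilter.cpp section of this patch already does, keeps a later edit to the format from overflowing the buffer: `snprintf(fname, sizeof(fname), "/tmp/hpcups_job%d.out.XXXXXX", job_id);`. The type of `job_id` is not visible in the hunk, so the margin above is an assumption.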
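--- a/prnt/hpijs/hpijs.cpp Tue Apr 10 01:32:39 2012
+++ b/prnt/hpijs/hpijs.cpp Tue Jan 28 03:20:35 2014
@@ -97,12 +97,13 @@
  if (pSS->m_iLogLevel & SAVE_PCL_FILE)
  {
  char szFileName[32];
- sprintf (szFileName, "/tmp/hpijs_%d.out", getpid());
- pSS->outfp = fopen (szFileName, "w");
- if (pSS->outfp)
- {
- chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
- }
+ int fd;
+ sprintf (szFileName, "/tmp/hpijs_%d.out.XXXXXX", getpid());
+ fd = mkstemp (szFileName);
+ if (fd != -1)
+ pSS->outfp = fdopen (fd, "w");
+ if (pSS->outfp)
+ chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  }
  }
 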
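Review bot: `szFileName` stays at 32 bytes although the format written into it grew by the seven-character `.XXXXXX` suffix, and the write is still an unbounded `sprintf`. The fixed text of `/tmp/hpijs_%d.out.XXXXXX` needs 23 bytes with the terminator, leaving nine for the pid; that is enough for typical pid ranges but is not guaranteed by the type, and the other files in this patch enlarged their buffers. I would change the two lines to `char szFileName[40];` and `snprintf (szFileName, sizeof(szFileName), "/tmp/hpijs_%d.out.XXXXXX", getpid());`. Whether `pSS->outfp` is NULL before this block is not visible here; if it is not, the `if (pSS->outfp)` test still passes after a failed `mkstemp`.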
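--- a/prnt/hpcups/HPCupsFilter.cpp Tue Jan 28 03:06:22 2014
+++ b/prnt/hpcups/HPCupsFilter.cpp Tue Jan 28 03:17:49 2014
@@ -650,20 +650,25 @@
 
  if (m_iLogLevel & SAVE_INPUT_RASTERS)
  {
- char szFileName[32];
+ char szFileName[44];
  memset(szFileName, 0, sizeof(szFileName));
- snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number);
+ snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number);
  if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
  cups_header.cupsColorSpace == CUPS_CSPACE_RGB)
  {
- cfp = fopen (szFileName, "w");
+ int fd = mkstemp (szFileName);
+ if (fd != -1)
+ cfp = fdopen (fd, "w");
  chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  }
  if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
  cups_header.cupsColorSpace == CUPS_CSPACE_K)
  {
- szFileName[17] = 'k';
- kfp = fopen (szFileName, "w");
+ int fd;
+ snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterk_%d.bmp.XXXXXX", current_page_number);
+ fd = mkstemp (szFileName);
+ if (fd != -1)
+ kfp = fdopen (fd, "w");
  chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
  }
 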
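Review bot: `mkstemp` creates each raster dump with mode 0600, and the retained `chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)` then widens it to 0644, so what is written under `/tmp` (presumably the page rasters, going by `SAVE_INPUT_RASTERS`) becomes readable by every local user. If that is deliberate for debugging, a comment such as `/* debug dump: world-readable on purpose, may contain document content */` above each `chmod` would record it; otherwise dropping `S_IRGRP | S_IROTH` keeps the file private to the filter's user. Both `chmod` calls in this hunk are affected, and the enclosing function starts and ends outside the hunk.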