1 Description: fix for CVE-2013-0200 (insecure temporary files) |
2 Origin: vendor, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701185 |
3 Original Bug: https://bugzilla.redhat.com/show_bug.cgi?id=902163 |
5 ----------------------------------------------------------------------- |
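--- a/prnt/hpcups/SystemServices.cpp Tue Apr 10 01:32:37 2012
+++ b/prnt/hpcups/SystemServices.cpp Tue Jan 28 03:22:40 2014
@@ -36,9 +36,12 @@
 m_fp = NULL;
 if (iLogLevel & SAVE_PCL_FILE)
 {
-char fname[32];
-sprintf(fname, "/tmp/hpcups_job%d.out", job_id);
-m_fp = fopen(fname, "w");
+char fname[40];
+int fd;
+sprintf(fname, "/tmp/hpcups_job%d.out.XXXXXX", job_id);
+fd = mkstemp (fname);
+if (fd != -1)
+m_fp = fdopen(fd, "w");
 chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 }
 }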
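Review bot: `chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);` at the end of the block still operates by path and runs unconditionally, even when `mkstemp` returned -1 and `fname` names no file the process created; the same pattern appears in the two HPCupsFilter.cpp hunks and, guarded only by the stream check, in the hpijs.cpp hunk. Since the descriptor is already open, move the mode change into the `if (fd != -1)` branch as `fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);` and add `if (!m_fp) close(fd);` after the `fdopen`, which otherwise leaks the descriptor on failure. Note also that `mkstemp` creates the file 0600 and this chmod widens it to world-readable, so the saved job stream becomes readable by every local user; if group/other read access is not actually required, dropping the chmod altogether is the safer fix for an "insecure temporary files" patch. The `sprintf` into `fname[40]` fits any int `job_id` (38 bytes worst case), but `snprintf(fname, sizeof fname, …)` would make that bound explicit and consistent with the HPCupsFilter.cpp hunk. The enclosing function begins and ends outside the hunk.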
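--- a/prnt/hpijs/hpijs.cpp Tue Apr 10 01:32:39 2012
+++ b/prnt/hpijs/hpijs.cpp Tue Jan 28 03:20:35 2014
@@ -97,12 +97,13 @@
 if (pSS->m_iLogLevel & SAVE_PCL_FILE)
 {
 char szFileName[32];
-sprintf (szFileName, "/tmp/hpijs_%d.out", getpid());
-pSS->outfp = fopen (szFileName, "w");
-if (pSS->outfp)
-{
-chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-}
+int fd;
+sprintf (szFileName, "/tmp/hpijs_%d.out.XXXXXX", getpid());
+fd = mkstemp (szFileName);
+if (fd != -1)
+pSS->outfp = fdopen (fd, "w");
+if (pSS->outfp)
+chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 }
 }
 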
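Review bot: `szFileName` stays at 32 bytes while the format in `sprintf (szFileName, "/tmp/hpijs_%d.out.XXXXXX", getpid());` grew by seven characters and the write is still an unbounded `sprintf`; the other two files in this patch widened their buffers for the same suffix. The fixed part of the name is 22 bytes plus the terminator, leaving 9 for the pid, which holds for Linux's default pid range but overflows the stack buffer for any ten-digit pid that `pid_t` as an `int` permits. Widen the buffer, e.g. `char szFileName[40];`, and switch to `snprintf (szFileName, sizeof(szFileName), …)` so that a truncated template degrades to an `mkstemp` failure rather than an out-of-bounds write. The enclosing function begins and ends outside the hunk.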
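--- a/prnt/hpcups/HPCupsFilter.cpp Tue Jan 28 03:06:22 2014
+++ b/prnt/hpcups/HPCupsFilter.cpp Tue Jan 28 03:17:49 2014
@@ -602,20 +602,25 @@
 
 if (m_iLogLevel & SAVE_INPUT_RASTERS)
 {
-char szFileName[32];
+char szFileName[44];
 memset(szFileName, 0, sizeof(szFileName));
-snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp", current_page_number);
+snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterc_%d.bmp.XXXXXX", current_page_number);
 if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
 cups_header.cupsColorSpace == CUPS_CSPACE_RGB)
 {
-cfp = fopen (szFileName, "w");
+int fd = mkstemp (szFileName);
+if (fd != -1)
+cfp = fdopen (fd, "w");
 chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 }
 if (cups_header.cupsColorSpace == CUPS_CSPACE_RGBW ||
 cups_header.cupsColorSpace == CUPS_CSPACE_K)
 {
-szFileName[17] = 'k';
-kfp = fopen (szFileName, "w");
+int fd;
+snprintf (szFileName, sizeof(szFileName), "/tmp/hpcupsfilterk_%d.bmp.XXXXXX", current_page_number);
+fd = mkstemp (szFileName);
+if (fd != -1)
+kfp = fdopen (fd, "w");
 chmod (szFileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 }
 WriteBMPHeader (cfp, cups_header.cupsWidth, cups_header.cupsHeight, COLOR_RASTER);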
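Review bot: When `mkstemp` fails in either colour-space branch (EACCES, ENOSPC, template exhaustion), the new code neither reports it nor skips what follows: `chmod (szFileName, …)` still runs on a name that was not created, and `cfp`/`kfp` keep whatever value they held before the block, so `WriteBMPHeader (cfp, …)` on the last line is reached with a possibly-NULL stream; whether that helper tolerates NULL is outside the hunk. An `else` that records `strerror(errno)` through the filter's logging and leaves the dump disabled for this page would make the failure visible instead of silent, e.g. `else { /* log errno; skip raster dump */ }`. The 44-byte buffer does hold the longest possible name (42 bytes including the terminator for any int `current_page_number`), so the `snprintf` bound itself is sound. The two `int fd` declarations in sibling blocks are fine but a single declaration before the first `if` would read more clearly. The enclosing function begins and ends outside the hunk.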