Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:13.2:Update
conky
fix-CVE-2011-3616.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fix-CVE-2011-3616.patch of Package conky
Description: Fix CVE-2011-3616; avoid rewriting an arbitrary user file The getSkillname function in the eve module in Conky 1.8.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on /tmp/.cesf. Although this has been patched in upstream git, the latest stable Conky releases (including 1.9.0) have not been patched upstream and thus still seem to be vulnerable. Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688 Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3616 Bug: http://sourceforge.net/support/tracker.php?aid=3524945 Bug-Debian: http://bugs.debian.org/612033 Bug-Ubuntu: https://launchpad.net/bugs/607309 --- a/src/eve.c +++ b/src/eve.c @@ -251,19 +251,6 @@ } } -static int file_exists(const char *filename) -{ - struct stat fi; - - if ((stat(filename, &fi)) == 0) { - if (fi.st_size > 0) - return 1; - else - return 0; - } else - return 0; -} - static void writeSkilltree(char *content, const char *filename) { FILE *fp = fopen(filename, "w"); @@ -279,13 +266,12 @@ xmlDocPtr doc = 0; xmlNodePtr root = 0; - if (!file_exists(file)) { - skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE); - writeSkilltree(skilltree, file); - free(skilltree); - } + skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE); + writeSkilltree(skilltree, file); + free(skilltree); doc = xmlReadFile(file, NULL, 0); + unlink(file); if (!doc) return NULL; @@ -336,7 +322,7 @@ static char *eve(char *userid, char *apikey, char *charid) { Character *chr = NULL; - const char *skillfile = "/tmp/.cesf"; + char skillfile[] = "/tmp/.cesfXXXXXX"; int i = 0; char *output = 0; char *timel = 0; @@ -344,6 +330,7 @@ char *content = 0; time_t now = 0; char *error = 0; + int tmp_fd, old_umask; for (i = 0; i < MAXCHARS; i++) { @@ -396,6 +383,14 @@ output = (char *)malloc(200 * sizeof(char)); timel = formatTime(&chr->ends); + old_umask = umask(0066); + tmp_fd = mkstemp(skillfile); + umask(old_umask); + if (tmp_fd == -1) { + error = strdup("Cannot create temporary file"); + return error; + } + close(tmp_fd); skill = getSkillname(skillfile, chr->skill); chr->skillname = strdup(skill);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor