Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl
tag 318285 patch
thanks
Hi,
Here's the CAN-2005-2240 fix for woody and sarge (sid upload is already
in incoming).
Cheers,
Matej
diff -u xpvm-1.2.5/src/xpvm.tcl xpvm-1.2.5/src/xpvm.tcl
--- xpvm-1.2.5/src/xpvm.tcl
+++ xpvm-1.2.5/src/xpvm.tcl
@@ -831,7 +831,7 @@
set tfck [ info exists trace_file ]
-if { $tfck == 0 } { set trace_file "/tmp/xpvm.trace.$user" }
+if { $tfck == 0 } { set trace_file [ file join [ glob ~ ] ".xpvm_trace" ] }
$CTRL.file_entry insert 0 $trace_file
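Review bot: On the added line, [ glob ~ ] returns a Tcl list rather than a plain path, so a home directory whose name contains a space or other list-special character reaches file join brace-quoted and the default trace_file comes out wrong. Take the first element explicitly, for example [ file join [ lindex [ glob ~ ] 0 ] ".xpvm_trace" ], or build the path from $env(HOME).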
diff -u xpvm-1.2.5/debian/changelog xpvm-1.2.5/debian/changelog
--- xpvm-1.2.5/debian/changelog
+++ xpvm-1.2.5/debian/changelog
@@ -1,3 +1,14 @@
+xpvm (1.2.5-7.2woody1) oldstable-security; urgency=high
+
+ * QA upload.
+ * Use ~/.xpvm_trace instead of /tmp/xpvm.trace.$USER to prevent symlink
+ attacks. (Trace files are meant to be semi-persistent, so this is more
+ in line with user expectations than creating unique temporary files.)
+ [src/xpvm.tcl, src/help/traces.help, debian/xpvm.1, CAN-2005-2240]
+ Closes: #318285.
+
+ -- Matej Vela <vela@debian.org> Sun, 4 Sep 2005 14:44:07 +0200
+
xpvm (1.2.5-7.2) unstable; urgency=low
* NMU
diff -u xpvm-1.2.5/debian/xpvm.1 xpvm-1.2.5/debian/xpvm.1
--- xpvm-1.2.5/debian/xpvm.1
+++ xpvm-1.2.5/debian/xpvm.1
@@ -64,7 +64,7 @@
.BI \-T\ trace
.B xpvm
will normally create and store a trace file in the
-.I /tmp
+user's home
directory. To have the
.I trace
file stored in some other location, use this option.
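Review bot: The replacement text "user's home" names only the directory, while the new default is the dotfile ~/.xpvm_trace, which a plain directory listing will not show. Name the file in the man page (for example "in ~/.xpvm_trace in the user's home directory") so it matches traces.help and the changelog entry.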
only in patch2:
unchanged:
--- xpvm-1.2.5.orig/src/help/traces.help
+++ xpvm-1.2.5/src/help/traces.help
@@ -13,7 +13,7 @@
{ to have a valid, writable trace file to work with, and so XPVM }
{ assumes a default trace file name: }
{}
-{ /tmp/xpvm.trace.$(USER) }
+{ ~/.xpvm_trace }
{}
{ On the first execution of XPVM, this trace file will not yet exist, }
{ and so XPVM will proceed to write traces into this file and read }
diff -u xpvm-1.2.5/src/xpvm.tcl xpvm-1.2.5/src/xpvm.tcl
--- xpvm-1.2.5/src/xpvm.tcl
+++ xpvm-1.2.5/src/xpvm.tcl
@@ -831,7 +831,7 @@
set tfck [ info exists trace_file ]
-if { $tfck == 0 } { set trace_file "/tmp/xpvm.trace.$user" }
+if { $tfck == 0 } { set trace_file [ file join [ glob ~ ] ".xpvm_trace" ] }
$CTRL.file_entry insert 0 $trace_file
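Review bot: The added [ glob ~ ] raises a Tcl error when the home directory cannot be resolved (for example HOME unset), and nothing in the visible lines catches it, so the default assignment would abort instead of leaving trace_file usable. Wrap the lookup in catch and report a clear message asking for an explicit -T path, rather than falling back to a name under /tmp.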
diff -u xpvm-1.2.5/debian/changelog xpvm-1.2.5/debian/changelog
--- xpvm-1.2.5/debian/changelog
+++ xpvm-1.2.5/debian/changelog
@@ -1,3 +1,14 @@
+xpvm (1.2.5-7.3sarge1) stable-security; urgency=high
+
+ * QA upload.
+ * Use ~/.xpvm_trace instead of /tmp/xpvm.trace.$USER to prevent symlink
+ attacks. (Trace files are meant to be semi-persistent, so this is more
+ in line with user expectations than creating unique temporary files.)
+ [src/xpvm.tcl, src/help/traces.help, debian/xpvm.1, CAN-2005-2240]
+ Closes: #318285.
+
+ -- Matej Vela <vela@debian.org> Sun, 4 Sep 2005 14:44:07 +0200
+
xpvm (1.2.5-7.3) unstable; urgency=low
* Uploading with maintainer set to QA Group
diff -u xpvm-1.2.5/debian/xpvm.1 xpvm-1.2.5/debian/xpvm.1
--- xpvm-1.2.5/debian/xpvm.1
+++ xpvm-1.2.5/debian/xpvm.1
@@ -64,7 +64,7 @@
.BI \-T\ trace
.B xpvm
will normally create and store a trace file in the
-.I /tmp
+user's home
directory. To have the
.I trace
file stored in some other location, use this option.
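Review bot: The unchanged sentence after "+user's home" still invites users to store the trace "in some other location" with -T, and the fix only changes the default name, so a -T path under /tmp or another world-writable directory keeps the exposure this upload closes. Add a sentence to the option text advising against trace paths in directories writable by other users.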
only in patch2:
unchanged:
--- xpvm-1.2.5.orig/src/help/traces.help
+++ xpvm-1.2.5/src/help/traces.help
@@ -13,7 +13,7 @@
{ to have a valid, writable trace file to work with, and so XPVM }
{ assumes a default trace file name: }
{}
-{ /tmp/xpvm.trace.$(USER) }
+{ ~/.xpvm_trace }
{}
{ On the first execution of XPVM, this trace file will not yet exist, }
{ and so XPVM will proceed to write traces into this file and read }