Hi, jumpnbump handles files in /tmp in an insecure manner, allowing files to be overwritten via a symlink attack (see #500611). The security team said the update is probably better suited to a stable point update than to an upload to security.debian.org. I prepared an update for Etch and tested it in a stable chroot. I couldn't test sound though (it doesn't seem to work in my chroot at all), but it is almost the same fix as for unstable. I attached an interdiff for the proposed update. Regards, Ansgar -- pgp: 0xF1F477C0 2BE4 CE2A E9CB 27D3 29F4 502E 53B1 6D9C F1F4 77C0
diff -u jumpnbump-1.50/debian/control jumpnbump-1.50/debian/control
--- jumpnbump-1.50/debian/control
+++ jumpnbump-1.50/debian/control
@@ -1,7 +1,8 @@
Source: jumpnbump
Section: games
Priority: optional
-Maintainer: Francois Marier <francois@debian.org>
+Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
+Uploaders: Francois Marier <francois@debian.org>, Ansgar Burchardt <ansgar@43-1.org>
Build-Depends: debhelper (>> 4), libsdl1.2-dev (>= 1.2.2-3.1), libsdl-mixer1.2-dev (>= 1.2.0-1.1), libsdl-net1.2-dev (>= 1.2.0-5.1)
Standards-Version: 3.7.2
diff -u jumpnbump-1.50/debian/changelog jumpnbump-1.50/debian/changelog
--- jumpnbump-1.50/debian/changelog
+++ jumpnbump-1.50/debian/changelog
@@ -1,3 +1,12 @@
+jumpnbump (1.50-6etch1) stable; urgency=high
+
+ * Update for etch to address a security issue.
+ * Fix insecure handling of /tmp (Closes: #500611)
+ * Set Maintainer to Debian Games Team, add Francois Marier and
+ myself as Uploaders (same as in unstable)
+
+ -- Ansgar Burchardt <ansgar@43-1.org> Wed, 01 Oct 2008 16:50:05 +0200
+
jumpnbump (1.50-6) unstable; urgency=low
* Add the AI keyboard shortcuts to the manpage (closes: #369498)
diff -u jumpnbump-1.50/jumpnbump_menu/jumpnbump_menu.py jumpnbump-1.50/jumpnbump_menu/jumpnbump_menu.py
--- jumpnbump-1.50/jumpnbump_menu/jumpnbump_menu.py
+++ jumpnbump-1.50/jumpnbump_menu/jumpnbump_menu.py
@@ -13,6 +13,8 @@
import gtk.gdk
import gobject
import os
+import tempfile
+import shutil
RESOURCE_DIR='/usr/share/games/jumpnbump'
BINARY_DIR='/usr/games'
@@ -80,15 +82,19 @@
model, iter = treeview.get_selection().get_selected()
global choosen_level
choosen_level = '%s/%s' % (RESOURCE_DIR, model.get_value (iter, 0))
+ unpackdir = None
try:
- os.chdir ('/tmp')
+ unpackdir = tempfile.mkdtemp ("", "jumpnbump-menu-")
+ os.chdir (unpackdir)
os.spawnlp (os.P_WAIT, 'jumpnbump-unpack', 'jumpnbump', choosen_level)
os.spawnlp (os.P_WAIT, 'convert', 'convert', '-scale', '50%', 'level.pcx', 'level_scaled.pcx')
os.spawnlp (os.P_WAIT, 'convert', 'convert', 'level_scaled.pcx', 'level.png')
+ image.set_from_file ('level.png')
except Exception, err:
print err
+ if unpackdir != None:
+ shutil.rmtree (unpackdir)
- image.set_from_file ('/tmp/level.png')
image.show()
def about (widget):
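Review bot: `shutil.rmtree (unpackdir)` runs while the process's working directory is still `unpackdir`, so afterwards the menu is left with a deleted directory as its cwd and later relative paths or `os.getcwd()` calls can fail. The pre-patch code simply stayed in /tmp, so this is new behaviour; changing away first, e.g. `os.chdir ('/')` just ahead of `shutil.rmtree (unpackdir)`, avoids it. The return values of the three `os.spawnlp` calls are still ignored, so a failed unpack or convert only shows up as a missing `level.png`. Indentation is not visible in this rendering and the function starts above the hunk, so it should be confirmed against the file that the cleanup sits after the `except` branch and therefore also runs on the success path.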
only in patch2:
unchanged:
--- jumpnbump-1.50.orig/modify/jnbunpack.c
+++ jumpnbump-1.50/modify/jnbunpack.c
@@ -23,6 +23,7 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
+#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
@@ -83,8 +84,13 @@
memset(filename, 0, sizeof(filename));
strncpy(filename, datafile[i].filename, 12);
printf("Extracting %s ", filename);
+ fflush(stdout);
- outfd = open(filename, O_RDWR | O_CREAT | O_BINARY, 0644);
+ if (unlink(filename) == -1 && errno != ENOENT) {
+ perror("cannot unlink file");
+ exit(1);
+ }
+ outfd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0644);
if (!outfd) {
perror("cant open file");
exit(1);
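Review bot: The `if (!outfd)` test after the new `open(..., O_EXCL ...)` does not fire on failure, because open() returns -1 rather than 0. If O_EXCL rejects a name that reappeared between the `unlink` and the `open`, extraction carries on with an invalid descriptor instead of stopping; the check should read `if (outfd == -1) {`. Separately, `filename` is copied from the archive's own directory entry and is now passed to `unlink` as well, and nothing in the hunk rejects a name containing `/`. Refusing such entries before touching the filesystem, e.g. `if (strchr(filename, '/')) { fprintf(stderr, "bad entry name\n"); exit(1); }`, keeps both calls confined to the current directory. The enclosing function starts and ends outside the hunk.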
only in patch2:
unchanged:
--- jumpnbump-1.50.orig/sdl/sound.c
+++ jumpnbump-1.50/sdl/sound.c
@@ -23,6 +23,8 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
+#include <stdlib.h>
+#include <string.h>
#include "globals.h"
#include <limits.h>
#ifndef _MSC_VER
@@ -463,11 +465,8 @@
{
#ifndef NO_SDL_MIXER
FILE *tmp;
-# if ((defined _MSC_VER) || (defined __MINGW32__))
- char filename[] = "jnb.tmpmusic.mod";
-# else
- char filename[] = "/tmp/jnb.tmpmusic.mod";
-# endif
+ int tmp_fd;
+ char* filename;
unsigned char *fp;
int len;
@@ -506,15 +505,24 @@
return 0;
}
- tmp = fopen(filename, "wb");
- if (tmp) {
- fwrite(fp, len, 1, tmp);
- fflush(tmp);
- fclose(tmp);
+ filename = strdup("/tmp/jumpnbump.mod.XXXXXX");
+ tmp_fd = mkstemp(filename);
+ if (tmp_fd == -1) {
+ free(filename);
+ return 0;
+ }
+ tmp = fdopen(tmp_fd, "wb");
+ if (!tmp) {
+ free(filename);
+ return 0;
}
+ fwrite(fp, len, 1, tmp);
+ fflush(tmp);
+ fclose(tmp);
current_music = Mix_LoadMUS(filename);
unlink(filename);
+ free(filename);
if (current_music == NULL) {
fprintf(stderr, "Couldn't load music: %s\n", SDL_GetError());
return 0;
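Review bot: When `fdopen` fails, the error path frees `filename` but leaves `tmp_fd` open and the file that `mkstemp` just created behind in /tmp; add `close(tmp_fd);` and `unlink(filename);` ahead of that `free(filename);`. The `strdup` result is also handed to `mkstemp` unchecked, so an allocation failure would pass NULL; `if (filename == NULL) return 0;` right after the `strdup` covers it. The return value of `fwrite` is ignored, so a short write (for example a full /tmp) gives `Mix_LoadMUS` a truncated module without any diagnostic. The function begins in the previous hunk and continues past this one.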