Re: devscripts lenny update (#507482)
On Fri, 2009-01-09 at 07:53 +0100, Luk Claes wrote:
> Adam D. Barratt wrote:
> > Hi,
> >
> > The devscripts package in lenny has an insecure temporary directory
> > issue when signing files which are copied from a remote machine; see
> > #507482.
> >
> > Would fixing this be suitable for a(nother) lenny update for the
> > package? I've attached a minimal debdiff.
>
> Please upload.
Thanks.
Whilst doing some final testing, I noticed that the patch had a couple
of issues (repeating messages if aborting with signed files which needed
copying back to a remote host and not including the directory component
of the temporary directory in the messages).
As the changes were very small, I guessed they would be ok but have
attached an updated debdiff for confirmation.
Regards,
Adam
diff -adNru devscripts-2.10.35lenny1/scripts/debsign.sh devscripts-2.10.35lenny2/scripts/debsign.sh
--- devscripts-2.10.35lenny1/scripts/debsign.sh 2008-12-12 18:26:10.000000000 +0000
+++ devscripts-2.10.35lenny2/scripts/debsign.sh 2009-01-09 15:20:23.000000000 +0000
@@ -40,6 +40,7 @@
PRECIOUS_FILES=0
PROGNAME=`basename $0`
MODIFIED_CONF_MSG='Default settings modified by devscripts configuration files:'
+TEMP_DIR=
# --- Functions
@@ -108,10 +109,11 @@
}
cleanup_tmpdir () {
+ trap 0
if [ "$PRECIOUS_FILES" -gt 0 ]; then
echo "$PROGNAME: aborting with $PRECIOUS_FILES signed files in `pwd`" >&2
else
- cd ..; rm -rf debsign.$$
+ cd ..; rm -rf $TEMP_DIR
fi
}
@@ -338,9 +340,9 @@
if [ -n "$remotehost" ]
then
cd ${TMPDIR:-/tmp}
- mkdir debsign.$$ || { echo "$PROGNAME: Can't mkdir!" >&2; exit 1; }
+ TEMP_DIR="$(mktemp -d "debsign.XXXXXXX")" || { echo "$PROGNAME: Can't make temporary dir!" >&2; exit 1; }
trap "cleanup_tmpdir" 0 1 2 3 7 10 13 15
- cd debsign.$$
+ cd $TEMP_DIR
remotechanges=$changes
remotedsc=$dsc
Reply to: