On Mon, Aug 01, 2011 at 03:52:01PM +0100, Jonathan Wiltshire wrote: > Please consider in advance the attached patch. Happily, atop has the same > version in all suites, so it can simply be applied to all of them. The > unstable NMU is currently lurking in a delayed queue. sorry, here it is :) -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff --git a/acctproc.c b/acctproc.c
index 067ace8..3b71c42 100644
--- a/acctproc.c
+++ b/acctproc.c
@@ -126,7 +126,7 @@ static const char rcsid[] = "$Id: acctproc.c,v 1.26 2008/03/06 08:37:25 gerlof E
 #include "photoproc.h"
 #include "acctproc.h"
-#define ACCTDIR "/tmp/atop.d"
+#define ACCTDIR "/var/run/atop"
 #define ACCTFILE "atop.acct"
 #define ACCTENV "ATOPACCT"
@@ -331,7 +331,7 @@ acctswon(void)
 if (semctl(semid, 1, GETVAL, 0) == SEMTOTAL)
 {
 /*
-** create a new separate directory below /tmp
+** create a new separate directory below /var/run
 ** for the accounting file;
 ** if this directory exists (e.g. previous atop-run killed)
 ** it will be cleaned and newly created
diff --git a/debian/changelog b/debian/changelog
index e33c0c1..b890434 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+atop (1.23-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2011-XXXX: Insecure use of a temporary files rawlog.c and
+ acctproc.c (Closes: #622794)
+
+ -- Jonathan Wiltshire <jmw@debian.org> Mon, 01 Aug 2011 15:35:16 +0100
+
 atop (1.23-1) unstable; urgency=low
 * fixed typo (Closes: #467447)
diff --git a/rawlog.c b/rawlog.c
index 31f93a2..086d93c 100644
--- a/rawlog.c
+++ b/rawlog.c
@@ -477,18 +477,18 @@ rawread(unsigned int begintime, unsigned int endtime)
 */
 fprintf(stderr, "Decompressing logfile ....\n");
-snprintf(tmpname2, sizeof tmpname2, "/tmp/atopwrk%d", getpid());
-snprintf(command, sizeof command, "gunzip -c %s > %s",
-tmpname1, tmpname2);
-system (command);
+snprintf(tmpname2, sizeof tmpname2, "/tmp/atopwrkXXXXXX");
-if ( (rawfd = open(tmpname2, O_RDONLY)) == -1)
+if ( (rawfd = mkstemp(tmpname2)) == -1)
 {
 fprintf(stderr, "%s - ", rawname);
 perror("open decompressed raw file");
 cleanstop(7);
 }
+snprintf(command, sizeof command, "gunzip -c %s > %s",
+tmpname1, tmpname2);
+system (command);
 unlink(tmpname2);
 }
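Review bot: Changing ACCTDIR to /var/run/atop closes the pre-creation/symlink attack only because /var/run, unlike /tmp, is not world-writable, and nothing at the define records that this is what the constant's safety depends on; a comment such as `/* ACCTDIR must live in a directory that only root can write to (not /tmp): it is cleaned and recreated at every start, see acctswon() */` would keep a later maintainer from relocating it. The code that removes and recreates the directory is in acctswon, outside this hunk, so I cannot see whether it verifies with lstat() that an existing ACCTDIR is a real directory owned by the running user before cleaning it; if it does not, that check is still worth adding even under /var/run. Whether atop runs with the privileges needed to write there is not visible in this patch and should be confirmed against the install scripts.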
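Review bot: The decompression still goes through `system()` with the caller-supplied path `tmpname1` spliced unquoted into a shell command, and the command's exit status is never checked, so a filename containing shell metacharacters is misinterpreted and a failed or missing gunzip leaves `rawfd` on an empty file that the rest of rawread (which continues past the hunk) goes on to parse. Since mkstemp() already hands back a descriptor, the name can be unlinked right away and gunzip run via fork/execlp with `rawfd` dup2'd onto its stdout, which removes both the shell and the second open of the temporary path; because the child's dup shares the open file description, the parent must `lseek(rawfd, 0, SEEK_SET)` before reading. This needs `pid_t pid; int status;` locals plus `<sys/wait.h>` and `<unistd.h>` in rawlog.c, and the `perror("open decompressed raw file")` text should say "create" now that the failing call is mkstemp().
```c
	snprintf(tmpname2, sizeof tmpname2, "/tmp/atopwrkXXXXXX");

	if ( (rawfd = mkstemp(tmpname2)) == -1)
	{
		fprintf(stderr, "%s - ", rawname);
		perror("create decompressed raw file");
		cleanstop(7);
	}

	/* the name is not needed any more: nobody else can open it now */
	unlink(tmpname2);

	switch (pid = fork())
	{
	   case -1:
		perror("fork for gunzip");
		cleanstop(7);

	   case 0:
		/* child: decompress straight into the temporary descriptor */
		if (dup2(rawfd, STDOUT_FILENO) == -1)
			_exit(127);
		execlp("gunzip", "gunzip", "-c", "--", tmpname1, (char *) 0);
		_exit(127);

	   default:
		if (waitpid(pid, &status, 0) == -1 ||
		    !WIFEXITED(status) || WEXITSTATUS(status) != 0)
		{
			fprintf(stderr, "%s - gunzip failed\n", rawname);
			cleanstop(7);
		}
	}

	/* child shared our file offset; rewind before reading */
	if (lseek(rawfd, 0, SEEK_SET) == -1)
	{
		perror("rewind decompressed raw file");
		cleanstop(7);
	}
```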