This patch fixes a security issue in scrollkeeper. It will be integrated into the next release. --- cl/src/get-cl.c 2002/02/25 08:23:14 1.18 +++ cl/src/get-cl.c 2002/09/22 07:13:59 1.19 @@ -27,6 +27,7 @@ #include #include #include +#include /* cycles through five temporary filenames of the form /tmp/scrollkeeper-templfile.x, where x is number from 0 to 4 and returns the first one that does not exist or the @@ -35,7 +36,7 @@ static char *get_next_free_temp_file_path(char outputprefs) { char path[PATHLEN], *filename; - int i, num; + int i, num, fd; struct stat buf; time_t prev; @@ -82,6 +83,17 @@ check_ptr(filename, "scrollkeeper-get-cl"); snprintf(filename, PATHLEN, "/tmp/scrollkeeper-tempfile.%d", num); + unlink(filename); + + fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_TRUNC | O_NONBLOCK, + S_IRWXU | S_IRGRP | S_IROTH); + + if (fd < 0) { + fprintf (stderr, _("scrollkeeper-get-cl: Cannot open temp file: %s\n"), filename); + exit (EXIT_FAILURE); + } + close(fd); + return filename; } --- libs/extract.c 2002/03/16 19:08:48 1.12 +++ libs/extract.c 2002/09/22 07:14:01 1.14 @@ -43,16 +43,16 @@ int i; int returnval = 1; FILE *fid; + struct stat buf; #ifndef SOLARIS char line[1024], *start, *end; int num; FILE *res_fid; char *doctype; char command[1024]; - pid_t pid; char temp1[PATHLEN], temp2[PATHLEN], errors[PATHLEN]; + int temp1_fd, temp2_fd, errors_fd; #endif - struct stat buf; if (input_file == NULL || stylesheets == NULL || 
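Review bot: The temp file is still one of five predictable `/tmp/scrollkeeper-tempfile.N` names and the result of `unlink(filename)` is ignored, so when that name already exists and belongs to another user in a sticky `/tmp`, the unlink fails, `open` with `O_EXCL` fails, and the tool exits; the symlink-following problem is closed, but the tool can still be made to fail by a name it does not own. The mode `S_IRWXU | S_IRGRP | S_IROTH` also leaves the scratch file world-readable and owner-executable, and `O_TRUNC` is redundant next to `O_CREAT | O_EXCL`; `fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_NONBLOCK, S_IRUSR | S_IWUSR);` would be enough. Because the descriptor is closed and only the path is returned, the caller presumably reopens the file by name, so a `mkstemp()` template like the one this patch introduces in libs/extract.c would be the more robust fix. The function begins outside this hunk.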
@@ -69,11 +69,23 @@ #ifdef SOLARIS doc = docbParseFile(input_file, NULL); #else - pid = getpid(); - - snprintf(temp1, PATHLEN, "/var/tmp/scrollkeeper-extract-1-%ld.xml", (long)pid); - snprintf(temp2, PATHLEN, "/var/tmp/scrollkeeper-extract-2-%ld.xml", (long)pid); - snprintf(errors, PATHLEN, "/var/tmp/scrollkeeper-extract-errors-%ld", (long)pid); + snprintf(temp1, PATHLEN, SCROLLKEEPER_STATEDIR "/tmp/scrollkeeper-extract-1.xml.XXXXXX"); + snprintf(temp2, PATHLEN, SCROLLKEEPER_STATEDIR "/tmp/scrollkeeper-extract-2.xml.XXXXXX"); + snprintf(errors, PATHLEN, SCROLLKEEPER_STATEDIR "/tmp/scrollkeeper-extract-errors.XXXXXX"); + + temp1_fd = mkstemp(temp1); + printf ("%s\n", temp1); + if (temp1_fd == -1) { + sk_message(outputprefs, SKOUT_DEFAULT, SKOUT_QUIET, "(apply_stylesheets)", _("Cannot create temporary file: %s : %s\n"),temp1, strerror(errno)); + return 0; + } + + errors_fd = mkstemp(errors); + if (errors_fd == -1) { + sk_message(outputprefs, SKOUT_DEFAULT, SKOUT_QUIET, "(apply_stylesheets)", _("Cannot create temporary file: %s : %s\n"),errors, strerror(errno)); + return 0; + } + close(errors_fd); snprintf(command, 1024, "sgml2xml -xlower -f%s %s > %s", errors, input_file, temp1); system(command); @@ -83,6 +95,7 @@ fid = fopen(input_file, "r"); if (fid == NULL) { sk_message(outputprefs, SKOUT_DEFAULT, SKOUT_QUIET, "(apply_stylesheets)", _("Cannot read file: %s : %s\n"),input_file, strerror(errno)); + close(temp1_fd); return 0; } 
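Review bot: `input_file` is still interpolated unquoted into the `sgml2xml -xlower -f%s %s > %s` string passed to `system()` at the end of this hunk, so a document path containing shell metacharacters is interpreted by the shell, and the `snprintf` into `command` is not checked for truncation. Running sgml2xml via `fork`/`execlp` with an argument vector and `dup2(temp1_fd, STDOUT_FILENO)`, as sketched below, removes the shell and writes through the descriptor `mkstemp()` returned; it needs `pid_t child;` and `char errors_opt[PATHLEN + 3];` among the locals and `<sys/wait.h>`. The error paths also leave things behind: the `errors_fd == -1` branch returns without `close(temp1_fd); unlink(temp1);`, the `fopen` failure return in the @@ -83 hunk does not unlink `temp1` or `errors`, and none of the returns in the @@ -106 hunk unlink `errors`. `printf ("%s\n", temp1);` looks like leftover debugging and runs before the `mkstemp` result is checked. The function starts and ends outside the hunk.

```c
/* … unchanged: mkstemp() of temp1 and errors, close(errors_fd) … */
snprintf(errors_opt, sizeof errors_opt, "-f%s", errors);
child = fork();
if (child == -1) {
	close(temp1_fd);
	unlink(temp1);
	unlink(errors);
	return 0;
}
if (child == 0) {
	/* sgml2xml writes to the descriptor mkstemp() returned: no shell, no reopen by name */
	if (dup2(temp1_fd, STDOUT_FILENO) == -1)
		_exit(127);
	execlp("sgml2xml", "sgml2xml", "-xlower", errors_opt, input_file, (char *)NULL);
	_exit(127);
}
waitpid(child, NULL, 0);
/* the child shared temp1_fd's file offset; rewind before the later fdopen(temp1_fd, "r") */
lseek(temp1_fd, 0, SEEK_SET);
```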
@@ -106,14 +119,25 @@ } if (doctype == NULL) { + close(temp1_fd); unlink(temp1); return 0; } - - fid = fopen(temp1, "r"); - res_fid = fopen(temp2, "w"); + + temp2_fd = mkstemp(temp2); + if (temp2_fd == -1) { + close(temp1_fd); + unlink(temp1); + sk_message(outputprefs, SKOUT_DEFAULT, SKOUT_QUIET, "(apply_stylesheets)", _("Cannot create temporary file: %s : %s\n"),temp2, strerror(errno)); + return 0; + } + + fid = fdopen(temp1_fd, "r"); + res_fid = fdopen(temp2_fd, "w"); if (fid == NULL || res_fid == NULL) { + close(temp1_fd); unlink(temp1); + close(temp2_fd); unlink(temp2); return 0; } --- libs/Makefile.in.orig Wed Oct 9 12:36:43 2002 +++ libs/Makefile.in Wed Oct 9 12:37:05 2002 @@ -130,7 +130,8 @@ INCLUDES = \ $(XML_CFLAGS) \ $(XSLT_CFLAGS) \ - $(HOST_TYPE) + $(HOST_TYPE) \ + -DSCROLLKEEPER_STATEDIR=\""$(localstatedir)"\" libscrollkeeper_la_SOURCES = \
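Review bot: When one `fdopen` succeeds and the other fails, the `fid == NULL || res_fid == NULL` branch calls `close()` on both descriptors but never `fclose()` on the stream that was created, which leaks that `FILE` and closes a descriptor the stream still owns. Closing per stream avoids this: `if (fid) fclose(fid); else close(temp1_fd);` and likewise `if (res_fid) fclose(res_fid); else close(temp2_fd);` before the two `unlink` calls. The branch also returns silently, unlike the `mkstemp` failure just above it, which reports through `sk_message`. The surrounding function continues outside this hunk.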