
From 8fc19a890ee787d26200dc1b8b5546e3bb15ac7b Mon Sep 17 00:00:00 2001
From: Gabriele Giacone <1o5g4r8o@gmail.com>
Date: Thu, 01 Dec 2011 00:59:15 +0000
Subject: CVE-2011-4328 fix. mkstemps and boost::iostreams. See bug #34903

---
---
 plugin/npapi/Makefile.am |    1 
 plugin/npapi/plugin.cpp  |   48 +++++++++++++++++++++++++++++++++--------------
 2 files changed, 35 insertions(+), 14 deletions(-)

--- a/plugin/npapi/Makefile.am
+++ b/plugin/npapi/Makefile.am
@@ -70,6 +70,7 @@ libgnashplugin_la_SOURCES  = plugin.cpp
 
 libgnashplugin_la_LIBADD   = \
 	$(GLIB_LIBS) \
+	-lboost_iostreams \
 	$(NULL)
 
 # Scriptable plugin support
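Review bot: The new `-lboost_iostreams` is hard-coded while the neighbouring entry goes through `$(GLIB_LIBS)`, so the link breaks on systems where the Boost library carries a different name (a `-mt` suffix, a versioned layout) or lives outside the default search path. Prefer having configure detect the library and substituting a variable here, e.g. `$(BOOST_IOSTREAMS_LIBS)` or whatever `BOOST_LIBS` the build already defines; whether such a variable exists is not visible in this hunk.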
--- a/plugin/npapi/plugin.cpp
+++ b/plugin/npapi/plugin.cpp
@@ -75,6 +75,8 @@
 
 #include <boost/tokenizer.hpp>
 #include <boost/algorithm/string/join.hpp>
+#include <boost/iostreams/device/file_descriptor.hpp>
+#include <boost/iostreams/stream.hpp>
 #include <boost/format.hpp>
 #include <sys/param.h>
 #include <csignal>
@@ -132,6 +134,17 @@ getPluginDescription()
     return desc;
 }
 
+boost::iostreams::file_descriptor_sink getfdsink(char mkstemplate[]);
+
+boost::iostreams::file_descriptor_sink
+getfdsink(char mksTemplate[])
+{
+  int suffix = std::string(mksTemplate).size() - std::string(mksTemplate).find("XXXXXX") - 6;
+  int fd = mkstemps (mksTemplate, suffix);
+  boost::iostreams::file_descriptor_sink fdsink(fd, boost::iostreams::close_handle);
+  return fdsink;
+}
+
 //
 // general initialization and shutdown
 //
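Review bot: `suffix` in getfdsink is derived from `find("XXXXXX")` without checking for `std::string::npos`, so a template lacking the six X's produces a wrapped-around suffix length and a bogus mkstemps call instead of a clean failure; mkstemps also requires the X run to sit immediately before the suffix, so `rfind` is the correct search. A guard such as `const std::string::size_type pos = std::string(mksTemplate).rfind("XXXXXX");` followed by `if (pos == std::string::npos) return boost::iostreams::file_descriptor_sink(-1, boost::iostreams::close_handle);` keeps the -1 handle convention both callers already test. The callers only log the template name on failure, and constructing the boost sink may disturb `errno` before they could read it, so consider saving `errno` right after the mkstemps call (it is the only diagnostic mkstemps gives) and logging it here. mkstemps is a BSD/glibc extension that needs `<stdlib.h>` and, on glibc, a feature macro such as `_GNU_SOURCE`; whether those are already in place is not visible in this hunk.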
@@ -919,16 +932,17 @@ create_standalone_launcher(const std::st
         return;
     }
 
-    std::ofstream saLauncher;
-
-    std::stringstream ss;
-    static int debugno = 0;
-    debugno = (debugno + 1) % 10;
-    ss << "/tmp/gnash-debug-" << debugno << ".sh";
-    saLauncher.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
+    char debugname[] = "/tmp/gnash-debug-XXXXXX.sh";
+    boost::iostreams::file_descriptor_sink fdsink = getfdsink(debugname);
+    if (fdsink.handle() == -1) {
+        gnash::log_error("Failed to create sink: %s", debugname);
+        return;
+    }
+    boost::iostreams::stream<boost::iostreams::file_descriptor_sink>
+        saLauncher (fdsink);
 
     if (!saLauncher) {
-        gnash::log_error("Failed to open new file for standalone launcher: " + ss.str());
+        gnash::log_error("Failed to open new file for standalone launcher: %s", debugname);
         return;
     }
 
@@ -951,6 +965,7 @@ create_standalone_launcher(const std::st
                << std::endl;
 
     saLauncher.close();
+    fdsink.close();
 #endif
 }
 
@@ -996,15 +1011,20 @@ nsPluginInstance::getCmdLine(int hostfd,
         std::string ncookie (cookie, length);
         if (cookie) {
             gnash::log_debug("The Cookie for %s is %s", url, ncookie);
-            std::ofstream cookiefile;
-            std::stringstream ss;
-            ss << "/tmp/gnash-cookies." << getpid(); 
-            
-            cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
+            char cookiename[] = "/tmp/gnash-cookies.XXXXXX";
+            boost::iostreams::file_descriptor_sink fdsink = getfdsink(cookiename);
+            if (fdsink.handle() == -1) {
+                gnash::log_error("Failed to create sink: %s", cookiename);
+                return arg_vec;
+            }
+            boost::iostreams::stream<boost::iostreams::file_descriptor_sink>
+                cookiefile (fdsink);
+
             cookiefile << "Set-Cookie: " << ncookie << std::endl;
             cookiefile.close();
+            fdsink.close();
             
-            if (setenv("GNASH_COOKIES_IN", ss.str().c_str(), 1) < 0) {
+            if (setenv("GNASH_COOKIES_IN", cookiename, 1) < 0) {
                 gnash::log_error(
                     "Couldn't set environment variable GNASH_COOKIES_IN to %s",
                     ncookie);
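Review bot: The setenv failure message at the end of the hunk still passes `ncookie` where the new line above passes `cookiename`, so a failed setenv writes the cookie value itself into the log rather than the path it could not export; change the argument to `cookiename` (the wording "to %s" already expects the path). mkstemps creating the file 0600 under an unpredictable name closes the hole the commit targets, but the file is never unlinked by this code and the old per-pid name is no longer reused, so cookies now accumulate in /tmp, one file per call, until something else removes them; whether the launched child unlinks it after reading, or the plugin should do so on shutdown, is not visible here and should be decided and commented. On the `handle() == -1` path the function returns `arg_vec` without touching `GNASH_COOKIES_IN`, which presumably leaves any value from an earlier call in place; a comment such as `// no cookie file this time: leave GNASH_COOKIES_IN as it was rather than point the child at a missing path` or an explicit unsetenv would make the intent clear. getCmdLine begins before and ends after this hunk.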