File gnash-CVE-2011-4328.diff of Package gnash
From 8fc19a890ee787d26200dc1b8b5546e3bb15ac7b Mon Sep 17 00:00:00 2001
From: Gabriele Giacone <1o5g4r8o@gmail.com>
Date: Thu, 01 Dec 2011 00:59:15 +0000
Subject: CVE-2011-4328 fix. mkstemps and boost::iostreams. See bug #34903
---
---
plugin/npapi/Makefile.am | 1
plugin/npapi/plugin.cpp | 48 +++++++++++++++++++++++++++++++++--------------
2 files changed, 35 insertions(+), 14 deletions(-)
--- a/plugin/npapi/Makefile.am
+++ b/plugin/npapi/Makefile.am
@@ -70,6 +70,7 @@ libgnashplugin_la_SOURCES = plugin.cpp
libgnashplugin_la_LIBADD = \
$(GLIB_LIBS) \
+ -lboost_iostreams \
$(NULL)
# Scriptable plugin support
--- a/plugin/npapi/plugin.cpp
+++ b/plugin/npapi/plugin.cpp
@@ -75,6 +75,8 @@
#include <boost/tokenizer.hpp>
#include <boost/algorithm/string/join.hpp>
+#include <boost/iostreams/device/file_descriptor.hpp>
+#include <boost/iostreams/stream.hpp>
#include <boost/format.hpp>
#include <sys/param.h>
#include <csignal>
@@ -132,6 +134,17 @@ getPluginDescription()
return desc;
}
+boost::iostreams::file_descriptor_sink getfdsink(char mkstemplate[]);
+
+boost::iostreams::file_descriptor_sink
+getfdsink(char mksTemplate[])
+{
+ int suffix = std::string(mksTemplate).size() - std::string(mksTemplate).find("XXXXXX") - 6;
+ int fd = mkstemps (mksTemplate, suffix);
+ boost::iostreams::file_descriptor_sink fdsink(fd, boost::iostreams::close_handle);
+ return fdsink;
+}
+
//
// general initialization and shutdown
//
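Review bot: getfdsink hands the mkstemps result straight to the sink without testing it, so a failure is only noticed later by the callers' `handle() == -1` check and errno has been lost by then; check `fd` here and log the reason with `std::strerror(errno)` (needs `<cerrno>`/`<cstring>`), relying on boost passing the -1 through unchanged as the callers already assume. The suffix arithmetic on the first line of the body also goes wrong when the template holds no "XXXXXX": find returns npos, the unsigned subtraction wraps and is then narrowed into an int, and mkstemps is called with a bogus suffix length, so guard that case before the call. mkstemps is a BSD/glibc extension rather than POSIX, so a configure-time check is presumably wanted; none is visible in this diff. The declaration's parameter name (`mkstemplate`) also differs from the definition's (`mksTemplate`); pick one.
```cpp
boost::iostreams::file_descriptor_sink
getfdsink(char mksTemplate[])
{
    const std::string tmpl(mksTemplate);
    const std::string::size_type xpos = tmpl.find("XXXXXX");
    if (xpos == std::string::npos) {
        gnash::log_error("Temp file template has no XXXXXX: %s", mksTemplate);
        return boost::iostreams::file_descriptor_sink(-1, boost::iostreams::close_handle);
    }
    const int suffix = static_cast<int>(tmpl.size() - xpos - 6);
    const int fd = mkstemps(mksTemplate, suffix);
    if (fd == -1) {
        gnash::log_error("mkstemps failed for %s: %s", mksTemplate, std::strerror(errno));
    }
    return boost::iostreams::file_descriptor_sink(fd, boost::iostreams::close_handle);
}
```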
@@ -919,16 +932,17 @@ create_standalone_launcher(const std::st
return;
}
- std::ofstream saLauncher;
-
- std::stringstream ss;
- static int debugno = 0;
- debugno = (debugno + 1) % 10;
- ss << "/tmp/gnash-debug-" << debugno << ".sh";
- saLauncher.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
+ char debugname[] = "/tmp/gnash-debug-XXXXXX.sh";
+ boost::iostreams::file_descriptor_sink fdsink = getfdsink(debugname);
+ if (fdsink.handle() == -1) {
+ gnash::log_error("Failed to create sink: %s", debugname);
+ return;
+ }
+ boost::iostreams::stream<boost::iostreams::file_descriptor_sink>
+ saLauncher (fdsink);
if (!saLauncher) {
- gnash::log_error("Failed to open new file for standalone launcher: " + ss.str());
+ gnash::log_error("Failed to open new file for standalone launcher: %s", debugname);
return;
}
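Review bot: Every call now leaves a fresh /tmp/gnash-debug-XXXXXX.sh behind, because the unique name chosen by mkstemps is never unlinked, whereas the old code cycled through ten fixed names; either remove the file once it has served its purpose or log the chosen name so the user can find it (create_standalone_launcher starts and ends outside this hunk, so I cannot see whether the path is reported elsewhere). The `if (!saLauncher)` test directly after the `handle() == -1` check is now largely redundant, since the stream is built from a descriptor that has just been verified; keeping one check with a single message would read more clearly. Note that `saLauncher(fdsink)` stores its own copy of the device sharing the same descriptor, so `saLauncher.close()` followed by `fdsink.close()` in the next hunk is a double close of the same handle that works only because the second is a no-op once the handle is invalid; a comment such as `// stream and sink share the descriptor; the second close() is a no-op` would save the next reader the lookup.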
@@ -951,6 +965,7 @@ create_standalone_launcher(const std::st
<< std::endl;
saLauncher.close();
+ fdsink.close();
#endif
}
@@ -996,15 +1011,20 @@ nsPluginInstance::getCmdLine(int hostfd,
std::string ncookie (cookie, length);
if (cookie) {
gnash::log_debug("The Cookie for %s is %s", url, ncookie);
- std::ofstream cookiefile;
- std::stringstream ss;
- ss << "/tmp/gnash-cookies." << getpid();
-
- cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
+ char cookiename[] = "/tmp/gnash-cookies.XXXXXX";
+ boost::iostreams::file_descriptor_sink fdsink = getfdsink(cookiename);
+ if (fdsink.handle() == -1) {
+ gnash::log_error("Failed to create sink: %s", cookiename);
+ return arg_vec;
+ }
+ boost::iostreams::stream<boost::iostreams::file_descriptor_sink>
+ cookiefile (fdsink);
+
cookiefile << "Set-Cookie: " << ncookie << std::endl;
cookiefile.close();
+ fdsink.close();
- if (setenv("GNASH_COOKIES_IN", ss.str().c_str(), 1) < 0) {
+ if (setenv("GNASH_COOKIES_IN", cookiename, 1) < 0) {
gnash::log_error(
"Couldn't set environment variable GNASH_COOKIES_IN to %s",
ncookie);
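Review bot: The error path at the end of the hunk logs `ncookie`, the cookie's value, although the variable being set is the file name, so the message reports the wrong thing and writes the session cookie into the log; with the new `cookiename` at the setenv call, change the last argument to `cookiename`. The cookie file is also left in /tmp after the launch with the cookie inside it; the child presumably reads it via GNASH_COOKIES_IN, so it cannot be unlinked here, but whoever consumes it should remove it (the consumer is not visible in this diff). The early `return arg_vec;` on sink failure silently drops the cookie hand-off, which is fine as long as the caller treats a missing GNASH_COOKIES_IN as "no cookie"; a short comment stating that would help. getCmdLine's body starts before the hunk.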