File fix-CVE-2011-3616.patch of Package conky
Description: Fix CVE-2011-3616; avoid rewriting an arbitrary user file
The getSkillname function in the eve module in Conky 1.8.1 and earlier allows
local users to overwrite arbitrary files via a symlink attack on /tmp/.cesf.
Although this has been patched in upstream git, the latest stable Conky
releases (including 1.9.0) have not been patched upstream and thus still seem
to be vulnerable.
Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3616
Bug: http://sourceforge.net/support/tracker.php?aid=3524945
Bug-Debian: http://bugs.debian.org/612033
Bug-Ubuntu: https://launchpad.net/bugs/607309
--- a/src/eve.c
+++ b/src/eve.c
@@ -251,19 +251,6 @@
}
}
-static int file_exists(const char *filename)
-{
- struct stat fi;
-
- if ((stat(filename, &fi)) == 0) {
- if (fi.st_size > 0)
- return 1;
- else
- return 0;
- } else
- return 0;
-}
-
static void writeSkilltree(char *content, const char *filename)
{
FILE *fp = fopen(filename, "w");
@@ -279,13 +266,12 @@
xmlDocPtr doc = 0;
xmlNodePtr root = 0;
- if (!file_exists(file)) {
- skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
- writeSkilltree(skilltree, file);
- free(skilltree);
- }
+ skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
+ writeSkilltree(skilltree, file);
+ free(skilltree);
doc = xmlReadFile(file, NULL, 0);
+ unlink(file);
if (!doc)
return NULL;
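Review bot: The skill tree is still written to disk and read back by name (`writeSkilltree(skilltree, file);` then `xmlReadFile(file, NULL, 0);`), so the fix depends on mkstemp's unpredictable name and on the temp directory's permissions rather than removing the file dependency. The document is already in memory, so parsing it directly with `doc = xmlReadMemory(skilltree, (int)strlen(skilltree), NULL, NULL, 0);` before `free(skilltree);` would make the temp file, the `unlink(file);` and the mkstemp block in eve() unnecessary. This assumes getXmlFromAPI returns a NUL-terminated buffer, which is not visible here. The return value of getXmlFromAPI is also passed on without a NULL check, and with the on-disk cache gone every call now depends on the download succeeding. getSkillname starts and ends outside the hunk.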
@@ -336,7 +322,7 @@
static char *eve(char *userid, char *apikey, char *charid)
{
Character *chr = NULL;
- const char *skillfile = "/tmp/.cesf";
+ char skillfile[] = "/tmp/.cesfXXXXXX";
int i = 0;
char *output = 0;
char *timel = 0;
@@ -344,6 +330,7 @@
char *content = 0;
time_t now = 0;
char *error = 0;
+ int tmp_fd, old_umask;
for (i = 0; i < MAXCHARS; i++) {
@@ -396,6 +383,14 @@
output = (char *)malloc(200 * sizeof(char));
timel = formatTime(&chr->ends);
+ old_umask = umask(0066);
+ tmp_fd = mkstemp(skillfile);
+ umask(old_umask);
+ if (tmp_fd == -1) {
+ error = strdup("Cannot create temporary file");
+ return error;
+ }
+ close(tmp_fd);
skill = getSkillname(skillfile, chr->skill);
chr->skillname = strdup(skill);
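Review bot: The early return on mkstemp failure leaks `output`, which is allocated by `malloc` two lines above the new block, and probably `timel` too if formatTime returns heap memory (not visible here). Either move the mkstemp block above the `malloc`, or add `free(output);` before `return error;`. The `umask(0066)` / `umask(old_umask)` bracket changes process-wide state, so if this code runs in a thread it can briefly alter the mode of files created elsewhere in the process. mkstemp on POSIX.1-2008 libcs already creates the file with mode 0600, so the bracket is likely only needed for old libcs and deserves a comment saying so. `old_umask` is declared as `int` in the earlier hunk, whereas `mode_t old_umask;` matches umask's return type. eve's body continues outside the hunk.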