Package: conky / 1.9.0-6

fix-CVE-2011-3616.patch Patch series | download
Description: Fix CVE-2011-3616; avoid rewriting an arbitrary user file
 The getSkillname function in the eve module in Conky 1.8.1 and earlier allows
 local users to overwrite arbitrary files via a symlink attack on /tmp/.cesf.
 Although this has been patched in upstream git, the latest stable Conky
 releases (including 1.9.0) have not been patched upstream and thus still seem
 to be vulnerable.
Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3616
Bug: http://sourceforge.net/support/tracker.php?aid=3524945
Bug-Debian: http://bugs.debian.org/612033
Bug-Ubuntu: https://launchpad.net/bugs/607309

--- a/src/eve.c
+++ b/src/eve.c
@@ -251,19 +251,6 @@
 	}
 }
 
-static int file_exists(const char *filename)
-{
-	struct stat fi;
-
-	if ((stat(filename, &fi)) == 0) {
-		if (fi.st_size > 0)
-			return 1;
-		else
-			return 0;
-	} else
-		return 0;
-}
-
 static void writeSkilltree(char *content, const char *filename)
 {
 	FILE *fp = fopen(filename, "w");
@@ -279,13 +266,12 @@
 	xmlDocPtr doc = 0;
 	xmlNodePtr root = 0;
 
-	if (!file_exists(file)) {
-		skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
-		writeSkilltree(skilltree, file);
-		free(skilltree);
-	}
+	skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
+	writeSkilltree(skilltree, file);
+	free(skilltree);
 
 	doc = xmlReadFile(file, NULL, 0);
+	unlink(file);
 	if (!doc)
 		return NULL;
 
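Review bot: The temporary file is still opened by name in this function: `writeSkilltree(skilltree, file)` ends in `fopen(filename, "w")` and `xmlReadFile(file, NULL, 0)` resolves the path a second time, after eve() has already closed the descriptor that mkstemp() returned. That stays safe only while the directory is sticky and the file remains owned by the caller. Parsing the buffer directly with `xmlReadMemory(skilltree, strlen(skilltree), NULL, NULL, 0)` would remove the on-disk round trip altogether, or the descriptor could be passed through and wrapped with `fdopen(tmp_fd, "w")`. The result of getXmlFromAPI() is also handed on without a NULL check, which matters more now that the fetch runs on every call instead of only when the cache file was missing. getSkillname() begins and ends outside this hunk.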
@@ -336,7 +322,7 @@
 static char *eve(char *userid, char *apikey, char *charid)
 {
 	Character *chr = NULL;
-	const char *skillfile = "/tmp/.cesf";
+	char skillfile[] = "/tmp/.cesfXXXXXX";
 	int i = 0;
 	char *output = 0;
 	char *timel = 0;
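Review bot: The declaration of `skillfile` does not say why it changed from a `const char *` literal to an array: mkstemp() overwrites the trailing `XXXXXX` in place, so the template has to be writable. A one-line comment above it, for example `/* mkstemp() template; rewritten in place, so it must be a writable array */`, would keep a later cleanup from turning it back into a pointer to a literal. Because the buffer is rewritten, it is a valid template only once per call of eve(); whether mkstemp() can be reached twice in one call is not visible from this hunk.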
@@ -344,6 +330,7 @@
 	char *content = 0;
 	time_t now = 0;
 	char *error = 0;
+	int tmp_fd, old_umask;
 
 
 	for (i = 0; i < MAXCHARS; i++) {
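Review bot: `old_umask` is declared `int`, but umask() takes and returns `mode_t`; declaring it as `mode_t old_umask;` on its own line keeps the save/restore pair type-correct. `tmp_fd` stays uninitialised until the mkstemp() call much further down, so initialising it as `int tmp_fd = -1;` would match the other locals here, which are all given a starting value. The rest of eve() lies outside this hunk.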
@@ -396,6 +383,14 @@
 
 		output = (char *)malloc(200 * sizeof(char));
 		timel = formatTime(&chr->ends);
+		old_umask = umask(0066);
+		tmp_fd = mkstemp(skillfile);
+		umask(old_umask);
+		if (tmp_fd == -1) {
+			error = strdup("Cannot create temporary file");
+			return error;
+		}
+		close(tmp_fd);
 		skill = getSkillname(skillfile, chr->skill);
 
 		chr->skillname = strdup(skill);
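Review bot: The early return on mkstemp() failure leaks `output`, which was allocated with malloc() two lines above, and also `timel` if formatTime() returns heap memory (its definition is not visible here). Creating the temporary file before those allocations, or adding `free(output);` (and `free(timel);` where applicable) ahead of `return error;`, closes the leak. Separately, getSkillname() returns NULL when xmlReadFile() fails, and with the skill tree now fetched on every call that path is easier to reach, yet `strdup(skill)` follows with no check; a guard such as `if (!skill)` with its own error return is needed before it. The `umask(0066)` bracket changes process-wide state for the duration of the call and is likely redundant, since mkstemp() is specified to create the file with mode 0600. eve() starts and ends outside this hunk.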