#! /bin/sh /usr/share/dpatch/dpatch-run ## 25_mkstemp.dpatch by Hans de Goede ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Temp file vulnerability Security fix! @DPATCH@ diff -urNad xfig~/f_readeps.c xfig/f_readeps.c --- xfig~/f_readeps.c +++ xfig/f_readeps.c @@ -250,11 +250,10 @@ int urx, llx, ury, lly; int pdf_flag; { - static tempseq = 0; char buf[300]; FILE *tmpfp, *pixfile, *gsfile; char *psnam, *driver; - int status, wid, ht, nbitmap; + int status, wid, ht, nbitmap, fd; char tmpfile[PATH_MAX], pixnam[PATH_MAX], errnam[PATH_MAX], @@ -270,8 +269,12 @@ /* re-open the pipe */ close_picfile(file, filetype); file = open_picfile(tmpfile, &filetype, PIPEOK, pixnam); - sprintf(tmpfile, "%s/%s%06d", TMPDIR, "xfig-eps", getpid()); - if ((tmpfp = fopen(tmpfile, "wb")) == NULL) { + snprintf(tmpfile, sizeof(tmpfile), "%s/xfig-eps.XXXXXX", TMPDIR); + if ((fd = mkstemp(tmpfile)) == -1 || (tmpfp = fdopen(fd, "wb")) == NULL) { + if (fd != -1) { + unlink(tmpfile); + close(fd); + } file_msg("Couldn't open tmp file %s, %s", tmpfile, strerror(errno)); return False; } @@ -280,10 +283,20 @@ fclose(tmpfp); } /* make name /TMPDIR/xfig-pic######.pix */ - sprintf(pixnam, "%s/%s%06d.pix", TMPDIR, "xfig-pic", tempseq); + snprintf(pixnam, sizeof(pixnam), "%s/xfig-pic.XXXXXX", TMPDIR); + if ((fd = mkstemp(pixnam)) == -1) { + file_msg("Couldn't open tmp file %s, %s", pixnam, strerror(errno)); + return False; + } + close(fd); + /* and file name for any error messages from gs */ - sprintf(errnam, "%s/%s%06d.err", TMPDIR, "xfig-pic", tempseq); - tempseq++; + snprintf(errnam, sizeof(errnam), "%s/xfig-picerr.XXXXXX", TMPDIR); + if ((fd = mkstemp(errnam)) == -1) { + file_msg("Couldn't open tmp file %s, %s", errnam, strerror(errno)); + return False; + } + close(fd); /* generate gs command line */ /* for monochrome, use pbm */ diff -urNad xfig~/f_readgif.c xfig/f_readgif.c --- xfig~/f_readgif.c +++ xfig/f_readgif.c @@ -76,7 +76,7 @@ char buf[BUFLEN],pcxname[PATH_MAX]; FILE *giftopcx; struct Cmap localColorMap[MAX_COLORMAP_SIZE]; - int i, stat, size; + int i, stat, size, fd; int useGlobalColormap; unsigned int bitPixel, red, green, blue; unsigned char c; @@ -173,7 +173,13 @@ /* now call giftopnm and ppmtopcx */ /* make name for temp output file */ - sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid()); + snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR); + if ((fd = mkstemp(pcxname)) == -1) { + file_msg("Cannot create temporary file\n"); + return FileInvalid; + } + close(fd); + /* make command to convert gif to pcx into temp file */ sprintf(buf, "giftopnm -quiet | ppmtopcx -quiet > %s", pcxname); if ((giftopcx = popen(buf,"w" )) == 0) { diff -urNad xfig~/f_readppm.c xfig/f_readppm.c --- xfig~/f_readppm.c +++ xfig/f_readppm.c @@ -34,10 +34,16 @@ { char buf[BUFLEN],pcxname[PATH_MAX]; FILE *giftopcx; - int stat, size; + int stat, size, fd; /* make name for temp output file */ - sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid()); + snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR); + if ((fd = mkstemp(pcxname)) == -1) { + file_msg("Cannot open temp file %s: %s\n", pcxname, strerror(errno)); + return FileInvalid; + } + close(fd); + /* make command to convert gif to pcx into temp file */ sprintf(buf, "ppmtopcx > %s 2> /dev/null", pcxname); if ((giftopcx = popen(buf,"w" )) == 0) { diff -urNad xfig~/f_readtif.c xfig/f_readtif.c --- xfig~/f_readtif.c +++ xfig/f_readtif.c @@ -33,11 +33,16 @@ { char buf[2*PATH_MAX+40],pcxname[PATH_MAX]; FILE *tiftopcx; - int stat; + int stat, fd; /* make name for temp output file */ - sprintf(pcxname, "%s/%s%06d.pix", TMPDIR, "xfig-pcx", getpid()); - + snprintf(pcxname, sizeof(pcxname), "%s/xfig-pcx.XXXXXX", TMPDIR); + if ((fd = mkstemp(pcxname)) == -1) { + file_msg("Cannot open temp file %s: %s\n", pcxname, strerror(errno)); + return FileInvalid; + } + close(fd); + /* make command to convert tif to pnm then to pcx into temp file */ /* for some reason, tifftopnm requires a file and can't work in a pipe */ sprintf(buf, "tifftopnm %s 2> /dev/null | ppmtopcx > %s 2> /dev/null", diff -urNad xfig~/f_util.c xfig/f_util.c --- xfig~/f_util.c +++ xfig/f_util.c @@ -906,14 +906,20 @@ int strain_out(char *name) { char line[RC_BUFSIZ+1], *tok; + int fd; /* make a temp filename in the user's home directory so we can just rename it to .xfigrc after creating it */ - sprintf(tmpname, "%s/%s%06d", userhome, "xfig-xfigrc", getpid()); - tmpf = fopen(tmpname,"wb"); - if (tmpf == 0) { - file_msg("Can't make temporary file for .xfigrc - error: %s",strerror(errno)); - return -1; + snprintf(tmpname, sizeof(tmpname), "%s/xfig-xfigrc.XXXXXX", userhome); + + if ((fd = mkstemp(tmpname)) == -1 || (tmpf = fdopen(fd, "wb")) == NULL) { + file_msg("Can't make temporary file for .xfigrc - error: %s", + strerror(errno)); + if (fd != -1) { + unlink(tmpname); + close(fd); + } + return -1; } /* read the .xfigrc file and write all to temp file except file names */ xfigrc = fopen(xfigrc_name,"r"); diff -urNad xfig~/main.c xfig/main.c --- xfig~/main.c +++ xfig/main.c @@ -657,8 +657,10 @@ update_figs = False; /* get the TMPDIR environment variable for temporary files */ - if ((TMPDIR = getenv("XFIGTMPDIR"))==NULL) - TMPDIR = "/tmp"; + if ((TMPDIR = getenv("XFIGTMPDIR"))==NULL) { + if ((TMPDIR = getenv("TMPDIR")) == NULL) + TMPDIR = "/tmp"; + } /* first check args to see if user wants to scale the figure as it is read in and make sure it is a resonable (positive) number */ @@ -1673,7 +1675,14 @@ if (userhome != NULL && *strcpy(cut_buf_name, userhome) != '\0') { strcat(cut_buf_name, "/.xfig"); } else { - sprintf(cut_buf_name, "%s/xfig%06d", TMPDIR, getpid()); + int fd; + sprintf(cut_buf_name, "%s/xfig.XXXXXX", TMPDIR); + if ((fd = mkstemp(cut_buf_name)) == -1) { + fprintf(stderr, "Can't create temporary file for cut_buff: %s\n", + strerror(errno)); + exit(0); + } + close(fd); } } diff -urNad xfig~/mode.c xfig/mode.c --- xfig~/mode.c +++ xfig/mode.c @@ -86,7 +86,7 @@ int cur_exp_lang; /* gets initialized in main.c */ Boolean batch_exists = False; -char batch_file[32]; +char batch_file[PATH_MAX]; /*******************************************************************/ /* If you change the order of the lang_items[] you must change the */ diff -urNad xfig~/u_print.c xfig/u_print.c --- xfig~/u_print.c +++ xfig/u_print.c @@ -92,9 +92,16 @@ char syspr[2*PATH_MAX+200]; char tmpfile[PATH_MAX]; char *name; + int fd; - sprintf(tmpfile, "%s/%s%06d", TMPDIR, "xfig-print", getpid()); + snprintf(tmpfile, sizeof(tmpfile), "%s/xfig-print.XXXXXX", TMPDIR); warnexist = False; + if ((fd = mkstemp(tmpfile)) == -1) { + file_msg("Can't open temp file %s: %s\n", tmpfile, strerror(errno)); + return; + } + close(fd); + init_write_tmpfile(); if (write_file(tmpfile, False)) { end_write_tmpfile(); @@ -671,10 +678,16 @@ char errfname[PATH_MAX]; FILE *errfile; char str[400]; - int status; + int status, fd; /* make temp filename for any errors */ - sprintf(errfname, "%s/xfig-export%06d.err", TMPDIR, getpid()); + snprintf(errfname, sizeof(errfname), "%s/xfig-export.XXXXXX", TMPDIR); + if ((fd = mkstemp(errfname)) == -1) { + file_msg("Can't open temp file %s: %s\n", errfname, strerror(errno)); + return 1; + } + close(fd); + /* direct any output from fig2dev to this file */ strcat(command, " 2> "); strcat(command, errfname); diff -urNad xfig~/w_print.c xfig/w_print.c --- xfig~/w_print.c +++ xfig/w_print.c @@ -295,9 +295,10 @@ do_print_batch(Widget w) { FILE *infp,*outfp; - char tmp_exp_file[32]; + char tmp_exp_file[PATH_MAX]; char str[255]; char backgrnd[10], grid[80]; + int fd; if (writing_batch || emptyfigure_msg(print_msg)) return; @@ -306,11 +307,20 @@ /* this could happen if the user presses the button too fast */ writing_batch = True; - /* make a temporary name to write the batch stuff to */ - sprintf(batch_file, "%s/%s%06d", TMPDIR, "xfig-batch", getpid()); /* make a temporary name to write this figure to */ - sprintf(tmp_exp_file, "%s/%s%06d", TMPDIR, "xfig-exp", getpid()); - batch_exists = True; + snprintf(tmp_exp_file, sizeof(tmp_exp_file), "%s/xfig-exp.XXXXXX", + TMPDIR); + + if (batch_exists != True) { + /* make a temporary name to write the batch stuff to */ + sprintf(batch_file, "%s/xfig-batch.XXXXXX", TMPDIR); + if ((fd = mkstemp(batch_file)) == -1) { + file_msg("Error creating temporary file"); + return; + } + close(fd); + batch_exists = True; + } if (!print_popup) create_print_panel(w); @@ -323,6 +333,12 @@ /* make a #rrggbb string from the background color */ make_rgb_string(export_background_color, backgrnd); + if ((fd = mkstemp(tmp_exp_file)) == -1) { + file_msg("Error creating temporary file"); + return; + } + close(fd); + /* get grid params and assemble into fig2dev parm */ get_grid_spec(grid, print_grid_minor_text, print_grid_major_text); diff -urNad xfig~/w_srchrepl.c xfig/w_srchrepl.c --- xfig~/w_srchrepl.c +++ xfig/w_srchrepl.c @@ -788,7 +788,7 @@ char *cmd; char str[300]; FILE *fp; - int len, i; + int len, i, fd; Boolean done = FALSE; static int lines = 0; @@ -804,9 +804,12 @@ } lines = 0; - sprintf(filename, "%s/xfig-spell.%d", TMPDIR, (int)getpid()); - fp = fopen(filename, "w"); - if (fp == NULL) { + snprintf(filename, sizeof(filename), "%s/xfig-spell.XXXXXX", TMPDIR); + if ((fd = mkstemp(filename)) == -1 || (fp = fdopen(fd, "w")) == NULL) { + if (fd != -1) { + unlink(filename); + close(fd); + } file_msg("Can't open temporary file: %s: %s\n", filename, strerror(errno)); } else { /* locate all text objects and write them to file fp */