New patch 957_mkdtemp.patch to fix /tmp file races [CVE-2018-6198]

(closes: #888097)

2 files changed, 36 insertions, 0 deletions

diff --git a/debian/patches/957_mkdtemp.patch b/debian/patches/957_mkdtemp.patch
new file mode 100644
index 0000000..7581a69
--- /dev/null
+++ b/debian/patches/957_mkdtemp.patch
@@ -0,0 +1,35 @@
+Subject: Make temporary directory safely when ~/.w3m is unwritable
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888097 [CVE-2018-6198]
+Origin: https://salsa.debian.org/debian/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753
+
+diff --git a/main.c b/main.c
+index 85b0003..b99928c 100644
+--- a/main.c
++++ b/main.c
+@@ -5972,6 +5972,11 @@ w3m_exit(int i)
+ #ifdef __MINGW32_VERSION
+     WSACleanup();
+ #endif
++    if (no_rc_dir && tmp_dir != rc_dir)
++	if (rmdir(tmp_dir) != 0) {
++	    fprintf(stderr, "Can't remove temporary directory (%s)!\n", tmp_dir);
++	    exit(1);
++	}
+     exit(i);
+ }
+ 
+diff --git a/rc.c b/rc.c
+index 7de87b8..428241c 100644
+--- a/rc.c
++++ b/rc.c
+@@ -1330,6 +1330,9 @@ init_rc(void)
+ 	((tmp_dir = getenv("TMP")) == NULL || *tmp_dir == '\0') &&
+ 	((tmp_dir = getenv("TEMP")) == NULL || *tmp_dir == '\0'))
+ 	tmp_dir = "/tmp";
++    tmp_dir = mkdtemp(Strnew_m_charp(tmp_dir, "/w3m-XXXXXX", NULL)->ptr);
++    if (tmp_dir == NULL)
++	tmp_dir = rc_dir;
+     create_option_search_table();
+     goto open_rc;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 3600e96..8cedc6a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 020_debian.patch
 955_tbl-indent.patch
 956_columnpos.patch
+957_mkdtemp.patch