From ddbf251840c7151f4befec53e3b6ebe6aba08aae Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Fri, 26 Jan 2018 18:49:25 +0900 Subject: New patch 957_mkdtemp.patch to fix /tmp file races [CVE-2018-6198] (closes: #888097) --- debian/patches/957_mkdtemp.patch | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 debian/patches/957_mkdtemp.patch (limited to 'debian/patches/957_mkdtemp.patch') diff --git a/debian/patches/957_mkdtemp.patch b/debian/patches/957_mkdtemp.patch new file mode 100644 index 0000000..7581a69 --- /dev/null +++ b/debian/patches/957_mkdtemp.patch @@ -0,0 +1,35 @@ +Subject: Make temporary directory safely when ~/.w3m is unwritable +From: Tatsuya Kinoshita +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888097 [CVE-2018-6198] +Origin: https://salsa.debian.org/debian/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753 + +diff --git a/main.c b/main.c +index 85b0003..b99928c 100644 +--- a/main.c ++++ b/main.c +@@ -5972,6 +5972,11 @@ w3m_exit(int i) + #ifdef __MINGW32_VERSION + WSACleanup(); + #endif ++ if (no_rc_dir && tmp_dir != rc_dir) ++ if (rmdir(tmp_dir) != 0) { ++ fprintf(stderr, "Can't remove temporary directory (%s)!\n", tmp_dir); ++ exit(1); ++ } + exit(i); + } + +diff --git a/rc.c b/rc.c +index 7de87b8..428241c 100644 +--- a/rc.c ++++ b/rc.c +@@ -1330,6 +1330,9 @@ init_rc(void) + ((tmp_dir = getenv("TMP")) == NULL || *tmp_dir == '\0') && + ((tmp_dir = getenv("TEMP")) == NULL || *tmp_dir == '\0')) + tmp_dir = "/tmp"; ++ tmp_dir = mkdtemp(Strnew_m_charp(tmp_dir, "/w3m-XXXXXX", NULL)->ptr); ++ if (tmp_dir == NULL) ++ tmp_dir = rc_dir; + create_option_search_table(); + goto open_rc; + } -- cgit v1.2.3