[DebianGIS-dev] r1835 - packages/gpsdrive/trunk/debian/patches

nd-guest at alioth.debian.org nd-guest at alioth.debian.org
Mon Dec 29 16:12:01 UTC 2008 

Author: nd-guest
Date: 2008-12-29 16:12:01 +0000 (Mon, 29 Dec 2008)
New Revision: 1835

Added:
   packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch
   packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch
Modified:
   packages/gpsdrive/trunk/debian/patches/00list
Log:
add patches to fix several symlink vulnerabilites.


Modified: packages/gpsdrive/trunk/debian/patches/00list
===================================================================
--- packages/gpsdrive/trunk/debian/patches/00list	2008-12-27 15:33:32 UTC (rev 1834)
+++ packages/gpsdrive/trunk/debian/patches/00list	2008-12-29 16:12:01 UTC (rev 1835)
@@ -16,3 +16,5 @@
 98-mapnik-exception
 99-autobestmap
 100-fix-insecure-tempfiles
+101-signalposreq
+102-unittest

Added: packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch
===================================================================
--- packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch	                        (rev 0)
+++ packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch	2008-12-29 16:12:01 UTC (rev 1835)
@@ -0,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 101-signalposreq.dpatch by Andreas Putzo <andreas at putzo.net>
+##
+## DP: Remove signalposreq() from gpsdrive, vulnerable to symlink attacks.
+## DP: Remove weird deletion of temporary files.
+
+ at DPATCH@
+diff -urNad gpsdrive-2.10~pre4-6.dfsg~/src/gpsdrive.c gpsdrive-2.10~pre4-6.dfsg/src/gpsdrive.c
+--- gpsdrive-2.10~pre4-6.dfsg~/src/gpsdrive.c	2008-12-28 18:10:54.000000000 +0000
++++ gpsdrive-2.10~pre4-6.dfsg/src/gpsdrive.c	2008-12-28 18:11:27.000000000 +0000
+@@ -3087,9 +3087,6 @@
+     /*  all default values must be set BEFORE readconfig! */
+     g_strlcpy (setpositionname, "", sizeof (setpositionname));
+ 
+-    /* setup signal handler */
+-    signal (SIGUSR1, signalposreq);
+-
+     sql_load_lib();
+     /*  I18l */
+ 
+@@ -3419,9 +3416,6 @@
+     gdk_pixbuf_unref (friendspixbuf);
+ 
+ 
+-    unlink ("/tmp/cammain.pid");
+-    unlink ("/tmp/gpsdrivetext.out");
+-    unlink ("/tmp/gpsdrivepos");
+     if (local_config.savetrack)
+ 	savetrackfile (2);
+     sqlend ();
+diff -urNad gpsdrive-2.10~pre4-6.dfsg~/src/gpsproto.h gpsdrive-2.10~pre4-6.dfsg/src/gpsproto.h
+--- gpsdrive-2.10~pre4-6.dfsg~/src/gpsproto.h	2007-09-14 21:47:13.000000000 +0000
++++ gpsdrive-2.10~pre4-6.dfsg/src/gpsproto.h	2008-12-28 18:11:32.000000000 +0000
+@@ -75,7 +75,6 @@
+ gint settings_main_cb (GtkWidget *widget, guint datum);
+ gint sel_message_cb (GtkWidget * widget, guint datum);
+ gint setmessage_cb (GtkWidget * widget, guint datum);
+-void signalposreq ();
+ gint reinsertwp_cb (GtkWidget * widget, guint datum);
+ GdkPixbuf *create_pixbuf (const gchar * filename);
+ gint simulated_pos (GtkWidget * widget, guint * datum);
+diff -urNad gpsdrive-2.10~pre4-6.dfsg~/src/splash.c gpsdrive-2.10~pre4-6.dfsg/src/splash.c
+--- gpsdrive-2.10~pre4-6.dfsg~/src/splash.c	2007-09-14 21:47:13.000000000 +0000
++++ gpsdrive-2.10~pre4-6.dfsg/src/splash.c	2008-12-28 18:11:18.000000000 +0000
+@@ -630,25 +630,3 @@
+ 			  (gtk_widget_destroy), NULL);
+ 	return TRUE;
+ }
+-
+-
+-/* writes time and position to /tmp/gpsdrivepos */
+-void
+-signalposreq ()
+-{
+-	FILE *f;
+-	time_t t;
+-	struct tm *ts;
+-
+-	f = fopen ("/tmp/gpsdrivepos", "w");
+-	if (f == NULL)
+-	{
+-		perror ("/tmp/gpsdrivepos");
+-		return;
+-	}
+-	time (&t);
+-	ts = localtime (&t);
+-	fprintf (f, asctime (ts));
+-	fprintf (f, "POS %f %f\n", coords.current_lat, coords.current_lon);
+-	fclose (f);
+-}


Property changes on: packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch
___________________________________________________________________
Name: svn:executable
   + *

Added: packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch
===================================================================
--- packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch	                        (rev 0)
+++ packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch	2008-12-29 16:12:01 UTC (rev 1835)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 102-unittest.dpatch by Andreas Putzo <andreas at putzo.net>
+##
+## DP: Use mkdtemp to avoid a potential symlink attack.
+
+ at DPATCH@
+diff -urNad gpsdrive-2.10~pre4-6.dfsg~/src/unit_test.c gpsdrive-2.10~pre4-6.dfsg/src/unit_test.c
+--- gpsdrive-2.10~pre4-6.dfsg~/src/unit_test.c	2007-09-15 15:12:03.000000000 +0000
++++ gpsdrive-2.10~pre4-6.dfsg/src/unit_test.c	2008-12-29 15:33:26.000000000 +0000
+@@ -649,10 +649,12 @@
+     gchar fn[500];
+     gint response;
+ 
+-
+-    g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test");
+-    mkdir (dir_proc, 0777);
+-    g_snprintf (dir_proc, sizeof (dir_proc), "/tmp/gpsdrive-unit-test/proc");
++    strncpy(dir_proc, "/tmp/gpsdrive-unit-test.XXXXXX", sizeof(dir_proc));
++    if (mkdtemp(dir_proc) == NULL) {
++        printf("Error: Faild to create temporary directory\n");
++        exit(1);
++    }
++    strncat(dir_proc, "/proc", sizeof(dir_proc));
+     mkdir (dir_proc, 0777);
+ 
+     if (mydebug > 0)


Property changes on: packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch
___________________________________________________________________
Name: svn:executable
   + *

More information about the Pkg-grass-devel mailing list