[Pkg-javascript-devel] Bug#850879: datatables.js: Build uses static filenames in /tmp, does not catch errors

Christoph Biedl debian.axhn at manchmal.in-ulm.de
Tue Jan 10 20:24:42 UTC 2017


Source: datatables.js
Version: 1.10.13+dfsg-1
Severity: normal
Tags: patch upstream

Dear Maintainer,

the build process for the datatables.js package uses static filenames
in /tmp/, among them /tmp/closure_error.log which also does not get
removed.

This is at least bad style. Although symlink attacks on build systems
are not a very likely scenario, this still becomes a problem if
the files already exist but belong to another user - something that
happens if several users on the same host try to build that package:

|     JS compressing dataTables.bootstrap4.js
| cp: cannot create regular file '/tmp/dataTables.bootstrap4.js': Permission denied
| Can't remove /tmp/dataTables.bootstrap4.js: Operation not permitted, skipping file.
| rm: cannot remove '/tmp/closure_error.log': Operation not permitted
| include.sh: line 132: /tmp/closure_error.log: Permission denied
| rm: cannot remove '/tmp/dataTables.bootstrap4.js': Operation not permitted
|       File size: 0

The much worse thing: The build does *not* catch that situation. Instead,
the package is happily built with zero-sized files.

The patch attached adds the usage of a random temporary directory that
is cleaned up upon exit. Also the make.sh script now uses errexit. This
should catch all unexpected errors during execution.

According to diffoscope, the created binary packages are bitwise
identical.

Cheers,

    Christoph, do not apply as-is

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.1 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: unable to detect
Attachment: use-tempdir-and-errexit.patch (text/x-diff, 3273 bytes)
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20170110/7bf62f63/attachment.patch>
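The pattern the report's patch is described as introducing (a random temporary directory cleaned up on exit, plus errexit), extended with an explicit empty-output check so the zero-sized-file case is caught rather than shipped. This is an added example, not the package's make.sh or include.sh; the `minify` function is an assumed stand-in for the real compressor so the script runs without closure-compiler.

```shell
#!/bin/sh
# Added example, not the datatables.js build scripts: a private temporary
# directory replaces fixed /tmp names, it is removed on exit, errexit aborts
# on the first failing command, and an empty output file is an error instead
# of being packaged. minify() is a stand-in for the real compressor (assumed,
# not upstream's): it only strips blank lines.
set -eu

# mktemp -d creates a fresh directory (mode 0700, owned by us), so files left
# in /tmp by another user cannot collide with ours; the trap removes it
# however the script ends.
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/dt-build.XXXXXX")
trap 'rm -rf "$WORKDIR"' EXIT INT TERM

minify() {
    grep -v '^[[:space:]]*$' "$1" > "$2"
}

# Compress one source file into $WORKDIR and verify the result is not empty.
# Prints the output path and returns 0 on success, returns 1 otherwise.
compress_js() {
    src=$1
    out="$WORKDIR/$(basename "$src" .js).min.js"
    errlog="$WORKDIR/closure_error.log"
    minify "$src" "$out" 2>"$errlog"
    if [ "$(wc -c < "$out")" -eq 0 ]; then
        echo "error: $out is empty, see $errlog" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Demo on a constructed input file; the real build would loop over the
# DataTables sources here instead.
printf 'var a = 1;\n\n\nvar b = 2;\n' > "$WORKDIR/sample.js"
compress_js "$WORKDIR/sample.js"
```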