git.pld-linux.org Git - packages/cscope.git/commitdiff
- new (fixes insecure creation of temporary files vulnerability)
authorAdam Gołębiowski <adamg@pld-linux.org>
Thu, 16 Dec 2004 22:50:59 +0000 (22:50 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    cscope-CAN-2004-0996.patch -> 1.1

cscope-CAN-2004-0996.patch [new file with mode: 0644]

diff --git a/cscope-CAN-2004-0996.patch b/cscope-CAN-2004-0996.patch
new file mode 100644 (file)
index 0000000..4084b13
--- /dev/null
@@ -0,0 +1,38 @@
+--- cscope-15.3.orig/src/main.c
++++ cscope-15.3/src/main.c
+@@ -336,9 +336,32 @@
+       }
+       /* create the temporary file names */
+-      pid = getpid();
+-      (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
+-      (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);
++      do {
++              char *tempfile = tempnam(tmpdir, "cscope1");
++              if (!tempfile) {
++                      fprintf (stderr, "Can't create tempfile\n");
++                      exit(1);
++              }
++              if (strlen(tempfile) >= sizeof(temp1)) {
++                      fprintf (stderr, "TMPDIR path is too long\n");
++                      exit(1);
++              }
++              strncpy (temp1, tempfile, sizeof (temp1));
++              free (tempfile);
++      } while (open (temp1, O_CREAT|O_EXCL|O_WRONLY, S_IREAD|S_IWRITE) < 0);
++      do {
++              char *tempfile = tempnam(tmpdir, "cscope2");
++              if (!tempfile) {
++                      fprintf (stderr, "Can't create tempfile\n");
++                      exit(1);
++              }
++              if (strlen(tempfile) >= sizeof(temp2)) {
++                      fprintf (stderr, "TMPDIR path is too long\n");
++                      exit(1);
++              }
++              strncpy (temp2, tempfile, sizeof (temp2));
++              free (tempfile);
++      } while (open (temp2, O_CREAT|O_EXCL|O_WRONLY, S_IREAD|S_IWRITE) < 0);
+       /* if running in the foreground */
+       if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
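Review bot: Both `do { … } while (open(...) < 0)` loops retry on every open() failure rather than only on a name collision, so a persistent error (unwritable or full temp directory, descriptor limit) makes startup spin forever, and the descriptor returned by the successful open() is discarded without close(). At minimum retry only when `errno == EEXIST` and close the descriptor; simpler is mkstemp() on a `cscope1.XXXXXX` / `cscope2.XXXXXX` template, which picks the name and creates the file with mode 0600 in one step and avoids the obsolescent tempnam(). The enclosing function continues outside the hunk, so whether temp1/temp2 are later reopened by name without O_EXCL cannot be checked here and should be confirmed. The fence shows the temp1 case; temp2 is identical apart from the template.

```c
	/* create the temporary file names */
	{
		int fd;
		int len = snprintf(temp1, sizeof(temp1), "%s/cscope1.XXXXXX", tmpdir);

		if (len < 0 || (size_t) len >= sizeof(temp1)) {
			fprintf(stderr, "TMPDIR path is too long\n");
			exit(1);
		}
		/* mkstemp() fills in the name and creates the file exclusively */
		fd = mkstemp(temp1);
		if (fd < 0) {
			fprintf(stderr, "Can't create tempfile\n");
			exit(1);
		}
		(void) close(fd);
	}
	/* … unchanged in shape: same block for temp2 with "%s/cscope2.XXXXXX" … */
	/* if running in the foreground */
```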