Fix security issue CVE-2015-7543

[taken from Debian arts patches]
(cherry picked from commit 56eb4ba333)
v3.5.13-sru
Slávek Banko 9 years ago
parent 0b38e09529
commit 85d0c0e837

@ -192,7 +192,8 @@ int build_link(const char *tmp_prefix, const char *kde_prefix, int kdehostname)
if (result == 0) return 0; /* Success */ if (result == 0) return 0; /* Success */
unlink(kde_tmp_dir); unlink(kde_tmp_dir);
strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir)); strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir));
mktemp(user_tmp_dir); /* We want a directory, not a file, so using mkstemp makes no sense and is wrong */ if (mkdtemp(user_tmp_dir) == NULL)
return 1;
return create_link(kde_tmp_dir, user_tmp_dir); return create_link(kde_tmp_dir, user_tmp_dir);
} }
if ((result == -1) || (!S_ISLNK(stat_buf.st_mode))) if ((result == -1) || (!S_ISLNK(stat_buf.st_mode)))
@ -218,14 +219,16 @@ int build_link(const char *tmp_prefix, const char *kde_prefix, int kdehostname)
if (result == 0) return 0; /* Success */ if (result == 0) return 0; /* Success */
unlink(kde_tmp_dir); unlink(kde_tmp_dir);
strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir)); strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir));
mktemp(user_tmp_dir); /* We want a directory, not a file, so using mkstemp makes no sense and is wrong */ if (mkdtemp(user_tmp_dir) == NULL)
return 1;
return create_link(kde_tmp_dir, user_tmp_dir); return create_link(kde_tmp_dir, user_tmp_dir);
} }
result = check_tmp_dir(tmp_buf); result = check_tmp_dir(tmp_buf);
if (result == 0) return 0; /* Success */ if (result == 0) return 0; /* Success */
unlink(kde_tmp_dir); unlink(kde_tmp_dir);
strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir)); strncat(user_tmp_dir, "XXXXXX", PATH_MAX - strlen(user_tmp_dir));
mktemp(user_tmp_dir); /* We want a directory, not a file, so using mkstemp makes no sense and is wrong */ if (mkdtemp(user_tmp_dir) == NULL)
return 1;
return create_link(kde_tmp_dir, user_tmp_dir); return create_link(kde_tmp_dir, user_tmp_dir);
} }
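Review bot: The new `if (mkdtemp(user_tmp_dir) == NULL) return 1;` in the first hunk fails silently, so the caller cannot tell a template truncated by the preceding `strncat` (EINVAL) from a directory that could not be created; the same applies to both copies in the second hunk. I would report errno before returning, e.g. `fprintf(stderr, "Error: cannot create directory \"%s\": %s\n", user_tmp_dir, strerror(errno));`, where the message text is only a suggestion and assumes `<errno.h>` and `<string.h>` are already included, which the hunks do not show. The removed mktemp comment should also be replaced by one recording why the call must stay, such as `/* mkdtemp() creates the directory atomically with mode 0700; do not revert to mktemp(), which only picks a name */`. build_link starts and ends outside these hunks, so whether its other error paths print diagnostics is not visible here.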
