commit/gnus: matsl: Remove security issue with predictable temp-file-name

Wednesday, 21 May 2014

        1 new commit in gnus:

https://bitbucket.org/xemacs/gnus/commits/de3a26f0a6a6/
Changeset:   de3a26f0a6a6
User:        matsl
Date:        2014-05-21 15:46:07
Summary:     Remove security issue with predictable temp-file-name

2014-05-18  Mats Lidell  <matsl(a)xemacs.org&gt;

        * gnus-fun.el (gnus-grab-cam-face): Upstream security issue. Do
        not use predictable temp-file name.
        (http://bugs.debian.org/747100) Patch by Glenn Morris.
Affected #:  2 files

diff -r fbd60960928439b47a767ff913e9f289c3e4d811 -r
de3a26f0a6a657e20c40fd622ac6f7a6a97c5a91 ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
＠＠ -1,3 +1,9 ＠＠
+2014-05-18  Mats Lidell  <matsl(a)xemacs.org&gt;
+
+	* gnus-fun.el (gnus-grab-cam-face): Upstream security issue. Do
+	not use predictable temp-file name.
+	(http://bugs.debian.org/747100) Patch by Glenn Morris.
+
 2014-05-15  Norbert Koch  <viteno(a)xemacs.org&gt;

 	* Makefile (VERSION): XEmacs package 1.97 released.

diff -r fbd60960928439b47a767ff913e9f289c3e4d811 -r
de3a26f0a6a657e20c40fd622ac6f7a6a97c5a91 lisp/gnus-fun.el
--- a/lisp/gnus-fun.el
+++ b/lisp/gnus-fun.el
＠＠ -227,20 +227,21 ＠＠
   (interactive)
   (shell-command "xawtv-remote snap ppm")
   (let ((file nil)
+	(tempfile (make-temp-file "gnus-face-" nil ".ppm"))
 	result)
     (while (null (setq file (directory-files "/tftpboot/sparky/tmp"
 					     t "snap.*ppm")))
       (sleep-for 1))
     (setq file (car file))
     (shell-command
-     (format "pnmcut -left 110 -top 30 -width 144 -height 144 '%s' |
pnmscale -width 48 -height 48 | ppmtopgm > /tmp/gnus.face.ppm"
-	     file))
+     (format "pnmcut -left 110 -top 30 -width 144 -height 144 '%s' |
pnmscale -width 48 -height 48 | ppmtopgm > %s"
+	     file tempfile))
     (let ((gnus-convert-image-to-face-command
 	   (format "cat '%%s' | ppmquant %%d | ppmchange %s | pnmtopng"
 		   (gnus-fun-ppm-change-string))))
-      (setq result (gnus-face-from-file "/tmp/gnus.face.ppm")))
+      (setq result (gnus-face-from-file tempfile)))
     (delete-file file)
-    ;;(delete-file "/tmp/gnus.face.ppm")
+    ;;(delete-file tempfile)    ; FIXME why are we not deleting it?!
     result))

 (defun gnus-fun-ppm-change-string ()

Repository URL: https://bitbucket.org/xemacs/gnus/

--

This is a commit notification from bitbucket.org. You are receiving
this because you have the service enabled, addressing the recipient of
this email.
_______________________________________________
XEmacs-Patches mailing list
XEmacs-Patches(a)xemacs.org
http://lists.xemacs.org/mailman/listinfo/xemacs-patches

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003