path: root/community/fish/CVE-2014-2906.patch
blob: 739eb71db483ad041f42e8b17e767191ba345e3d (plain)
From c0989dce2d882c94eb3183e7b94402ba53534abb Mon Sep 17 00:00:00 2001
From: David Adam <zanchey@ucc.gu.uwa.edu.au>
Date: Sun, 20 Apr 2014 23:51:20 +0800
Subject: [PATCH] use mktemp(1) to generate temporary file names

Fix for CVE-2014-2906.

Closes a race condition in funced which would allow execution of
arbitrary code; closes a race condition in psub which would allow
alteration of the data stream.

Note that `psub -f` does not work (#1040); a fix should be committed
separately for ease of maintenance.
---
 share/functions/funced.fish |  6 +-----
 share/functions/psub.fish   | 11 +++--------
 2 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/share/functions/funced.fish b/share/functions/funced.fish
index 3c2de06..ca2e277 100644
--- a/share/functions/funced.fish
+++ b/share/functions/funced.fish
@@ -81,11 +81,7 @@ function funced --description 'Edit function definition'
         return 0
     end
 
-    set -q TMPDIR; or set -l TMPDIR /tmp
-    set -l tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
-    while test -f $tmpname
-        set tmpname (printf "$TMPDIR/fish_funced_%d_%d.fish" %self (random))
-    end
+    set tmpname (mktemp -t fish_funced.XXXXXXXXXX)
 
     if functions -q -- $funcname
         functions -- $funcname > $tmpname
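Review bot: The result of `mktemp` is used unchecked here: if it fails, `tmpname` is empty and the `functions -- $funcname > $tmpname` redirect below runs with no valid target. The psub fifo branch in this same patch already uses `; or return`, so this line could read `set -l tmpname (mktemp -t fish_funced.XXXXXXXXXX); or return 1`; the `set filename (mktemp /tmp/.psub.XXXXXXXXXX)` line in the psub else branch has the same gap. The replacement also drops the `-l` that the removed lines had, so a `tmpname` that already exists in an outer scope would be overwritten rather than shadowed. funced's body continues outside the hunk.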
diff --git a/share/functions/psub.fish b/share/functions/psub.fish
index 42e34c7..7877aa4 100644
--- a/share/functions/psub.fish
+++ b/share/functions/psub.fish
@@ -45,21 +45,16 @@ function psub --description "Read from stdin into a file and output the filename
 		return
 	end
 
-	# Find unique file name for writing output to
-	while true
-		set filename /tmp/.psub.(echo %self).(random);
-		if not test -e $filename
-			break;
-		end
-	end
-
 	if test use_fifo = 1
 		# Write output to pipe. This needs to be done in the background so
 		# that the command substitution exits without needing to wait for
 		# all the commands to exit
+                set dir (mktemp -d /tmp/.psub.XXXXXXXXXX); or return
+                set filename $dir/psub.fifo
 		mkfifo $filename
 		cat >$filename &
 	else
+                set filename (mktemp /tmp/.psub.XXXXXXXXXX)
 		cat >$filename
 	end
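Review bot: The fifo branch now creates a directory with `mktemp -d`, but nothing in the hunk removes it. The cleanup that follows is outside this hunk; if it removes only `$filename`, it would need an `rmdir $dir` as well, otherwise empty `/tmp/.psub.*` directories accumulate. `mkfifo $filename` is also unchecked, so on failure `cat >$filename &` would create a regular file inside the directory instead of writing to a pipe; `mkfifo $filename; or return` would match the guard on the line above it. Both templates hard-code `/tmp` where funced uses `mktemp -t`; if that is intentional, a comment such as `# psub always creates its files under /tmp; TMPDIR is not consulted` would record it.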
 
-- 
1.9.1