← Back to branch summary

~ubuntu-branches/debian/lenny/screen/lenny

« back to all changes in this revision

Viewing changes to debian/patches/22no_public_exchange.dpatch

  • Committer: Bazaar Package Importer
  • Author(s): Jan Christoph Nordholz
  • Date: 2009-04-04 02:10:09 UTC
  • Revision ID: james.westby@ubuntu.com-20090404021009-rt3sfm2fp8u234i7
Tags: 4.0.3-11+lenny1
http://bugs.debian.org/521123
* Security upload.
* Change the fix for #433338 so symlink attacks against the
  public exchange file are prevented again. Closes: #521123.
  Tracked as CVE-2009-1214 and CVE-2009-1215.

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/22no_public_exchange.dpatch
1
 
#! /bin/sh /usr/share/dpatch/dpatch-run
2
 
## 22no_public_exchange.dpatch by  <hesso@pool.math.tu-berlin.de>
3
 
##
4
 
## All lines beginning with `## DP:' are a description of the patch.
5
 
## DP: No description.
6
 
 
7
 
@DPATCH@
8
 
diff -Naur screen-4.0.3.orig/fileio.c screen-4.0.3/fileio.c
9
 
--- screen-4.0.3.orig/fileio.c  2008-06-01 23:39:49.000000000 +0200
10
 
+++ screen-4.0.3/fileio.c       2008-06-01 23:44:58.000000000 +0200
11
 
@@ -414,7 +414,17 @@
12
 
          fnbuf[sizeof(fnbuf) - 1] = 0;
13
 
          fn = fnbuf;
14
 
        }
15
 
+/**
16
 
+ * I consider this 'public exchange file' feature a bad idea, at least
17
 
+ * if this is the default case. I really don't like the idea of an admin
18
 
+ * copying configuration file snippets around that might get changed
19
 
+ * in that buffer file.
20
 
+ * Drop the notion of a 'public' exchange file. If someone explictly wants
21
 
+ * to share his copy buffer contents, he is free to chmod it after its
22
 
+ * creation.
23
 
+ * Jan Nordholz <hesso@pool.math.tu-berlin.de>, 2007/08/07
24
 
       public = !strcmp(fn, DEFAULT_BUFFERFILE);
25
 
+ */
26
 
 # ifdef HAVE_LSTAT
27
 
       exists = !lstat(fn, &stb);
28
 
       if (public && exists && (S_ISLNK(stb.st_mode) || stb.st_nlink > 1))