Package: cvs Version: 1:1.12.9-14 Priority: wishlist Tags: patch Cvsbug has a temporary file handling issue as reported by Fedora [1] even though this bug does not apply to the Debian package (cvsbug is not distributed) it would be nice if it where applied anyway to the sources (to avoid people from picking up this script with this vulnerability, like gcvs seems to have done).
Attached is the patch based on the Bugzilla report [2] Also, note that even if cvsbug is not installed its manpage is. You might want to remove it. Regards Javier [1] http://lwn.net/Alerts/148865/ [2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166366
--- cvsbug.in.orig 2005-08-26 09:12:22.000000000 +0200
+++ cvsbug.in 2005-08-26 09:12:55.000000000 +0200
@@ -109,14 +109,14 @@
/usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
ORIGINATOR="`cat $TEMP`"
- rm -f $TEMP
+ > $TEMP
fi
fi
if [ "$ORIGINATOR" = "" ]; then
grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
ORIGINATOR="`cat $TEMP`"
- rm -f $TEMP
+ > $TEMP
fi
if [ -n "$ORGANIZATION" ]; then
signature.asc
Description: Digital signature

