Package: cvs
Version: 1:1.12.9-14
Priority: wishlist
Tags: patch

Cvsbug has a temporary file handling issue as reported by Fedora [1]
even though this bug does not apply to the Debian package (cvsbug
is not distributed) it would be nice if it where applied anyway
to the sources (to avoid people from picking up this script with
this vulnerability, like gcvs seems to have done).

Attached is the patch based on the Bugzilla report [2]

Also, note that even if cvsbug is not installed its manpage is. You
might want to remove it.

Regards

Javier


[1] http://lwn.net/Alerts/148865/
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166366
--- cvsbug.in.orig      2005-08-26 09:12:22.000000000 +0200
+++ cvsbug.in   2005-08-26 09:12:55.000000000 +0200
@@ -109,14 +109,14 @@
     /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
       cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
     ORIGINATOR="`cat $TEMP`"
-    rm -f $TEMP
+    > $TEMP
   fi
 fi
 
 if [ "$ORIGINATOR" = "" ]; then
   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
   ORIGINATOR="`cat $TEMP`"
-  rm -f $TEMP
+  > $TEMP
 fi
 
 if [ -n "$ORGANIZATION" ]; then

Attachment: signature.asc
Description: Digital signature

Reply via email to