I couldn't access Marcos Marado's patch for this bug, so I did the work again. I only dealt with aegis-web; the other vulnerable code in aegis is in examples and is therefore not so critical.
Here's the diff for my NMU. The stable version of aegis-web has an almost identical version of the vulnerable CGI script, which my patch applies to with an offset of 2 lines. Ben.
diff -u aegis-4.24/debian/control aegis-4.24/debian/control
--- aegis-4.24/debian/control
+++ aegis-4.24/debian/control
@@ -62,7 +62,7 @@
 Package: aegis-web
 Architecture: any
-Depends: ${shlibs:Depends}, aegis, apache | httpd
+Depends: ${shlibs:Depends}, aegis, apache | httpd, mktemp
 Replaces: aegis3-web, aegis (<< 4.10)
 Conflicts: aegis3-web
 Description: aegis web based user interface
diff -u aegis-4.24/debian/changelog aegis-4.24/debian/changelog
--- aegis-4.24/debian/changelog
+++ aegis-4.24/debian/changelog
@@ -1,3 +1,12 @@
+aegis (4.24-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add patch for aegis.cgi to make temporary file creation secure
+ (closes: #496400)
+ * Add dependency on mktemp, introduced by this patch
+
+ -- Ben Hutchings <[EMAIL PROTECTED]> Sat, 06 Sep 2008 19:58:13 +0100
+
 aegis (4.24-3) unstable; urgency=low
 
 * integrate updated patch to fix aefinish with non-existing $HOME,
only in patch2:
unchanged:
--- aegis-4.24.orig/debian/patches/11_cgi_use_secure_temp_files.patch
+++ aegis-4.24/debian/patches/11_cgi_use_secure_temp_files.patch
@@ -0,0 +1,338 @@
+--- script/aegis.cgi.in.orig 2008-09-06 18:48:00.000000000 +0100
++++ script/aegis.cgi.in 2008-09-06 19:15:51.000000000 +0100
+@@ -40,6 +40,12 @@
+ . /etc/aegis.cgi.conf
+ fi
+ 
++# securely create temporary file
++# Debian change to fix bug 496400
++aegis_tmp() {
++ mktemp /tmp/aegis$1.XXXXXX || exit 1
++}
++
+ extra=
+ lang=en
+ file=proj_list
+@@ -74,8 +80,12 @@
+ then
+ test -z "$project" && exit 1
+ test -z "$change" && change="--baseline"
++
++ out=$(aegis_tmp .ae)
++ log=$(aegis_tmp)
++
+ $bindir/aedist --send $project $change -ndh -naa \
+- -o /tmp/aegis.$$.ae > /tmp/aegis.$$ 2>&1
++ -o $out > $log 2>&1
+ status=$?
+ if test $status -ne 0
+ then
+@@ -88,18 +98,18 @@
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$
++ sed 's|<|\<|g' < $log
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm /tmp/aegis.$$*
++ rm $out $log
+ exit 1
+ fi
+ 
+- cat /tmp/aegis.$$.ae
+- rm /tmp/aegis.$$*
++ cat $out
++ rm $out $log
+ exit 0
+ fi
+ 
+@@ -107,8 +117,12 @@
+ then
+ test -z "$project" && exit 1
+ test -z "$change" && change="--baseline"
++
++ out=$(aegis_tmp .ae)
++ log=$(aegis_tmp)
++
+ $bindir/aepatch --send $project $change -naa \
+- -o /tmp/aegis.$$.ae > /tmp/aegis.$$ 2>&1
++ -o $out > $log 2>&1
+ status=$?
+ if test $status -ne 0
+ then
+@@ -121,18 +135,18 @@
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$
++ sed 's|<|\<|g' < $log
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm /tmp/aegis.$$*
++ rm $out $log
+ exit 1
+ fi
+ 
+- cat /tmp/aegis.$$.ae
+- rm /tmp/aegis.$$*
++ cat $out
++ rm $out $log
+ exit 0
+ fi
+ 
+@@ -140,8 +154,12 @@
+ then
+ test -z "$project" && exit 1
+ test -z "$change" && change="--baseline"
++
++ out=$(aegis_tmp .ae)
++ log=$(aegis_tmp)
++
+ $bindir/aetar --send $project $change \
+- -o /tmp/aegis.$$.ae > /tmp/aegis.$$ 2>&1
++ -o $out > $log 2>&1
+ status=$?
+ if test $status -ne 0
+ then
+@@ -154,21 +172,21 @@
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$
++ sed 's|<|\<|g' < $log
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm /tmp/aegis.$$*
++ rm $out $log
+ exit 1
+ fi
+ 
+ echo 'Content-Type: application/x-tar-gz'
+ echo 'Content-Transfer-Encoding: 8bit'
+ echo ''
+- cat /tmp/aegis.$$.ae
+- rm /tmp/aegis.$$*
++ cat $out
++ rm $out $log
+ exit 0
+ fi
+ 
+@@ -180,11 +198,16 @@
+ 
+ File=$extra;
+ 
++ ver1=$(aegis_tmp .1)
++ ver2=$(aegis_tmp .2)
++ err=$(aegis_tmp .log)
++ out=$(aegis_tmp .out)
++
+ cmdcmd="$bindir/aereport -f $datadir/en/html/file_diff.rpt $delta1 \
+- $delta2 $File /tmp/aegis.$$.1 /tmp/aegis.$$.2 $project $change -unf"
++ $delta2 $File $ver1 $ver2 $project $change -unf"
+ 
+ # the script will work out where to get the file from
+- cmd="`$cmdcmd 2> /tmp/aegis.$$.log`";
++ cmd="`$cmdcmd 2> $err`";
+ status=$?
+ 
+ if test $status -ne 0
+@@ -198,18 +221,18 @@
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$.log
++ sed 's|<|\<|g' < $err
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm -f /tmp/aegis.$$.*
++ rm -f $ver1 $ver2 $err $out
+ exit 1
+ fi
+- rm -f /tmp/aegis.$$.*
++ rm -f $ver1 $ver2
+ 
+- eval "$cmd 2> /tmp/aegis.$$.log" > /tmp/aegis.$$.out
++ eval "$cmd 2> $err" > $out
+ status=$?
+ if test $status -ne 0
+ then
+@@ -222,16 +245,16 @@
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$.log
++ sed 's|<|\<|g' < $err
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm -f /tmp/aegis.$$.*
++ rm -f $err $out
+ exit 1
+ fi
+- rm /tmp/aegis.$$.log
++ rm -f $err
+ 
+ echo 'Content-Type: text/html'
+ echo ''
+@@ -247,13 +270,13 @@
+ echo "<br>Delta $delta1, Delta $delta2"
+ echo '</h1>'
+ echo '<pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$.out
++ sed 's|<|\<|g' < $out
+ echo '</pre>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm -f /tmp/aegis.$$.*
++ rm -f $out
+ exit 0
+ fi
+ 
+@@ -266,10 +289,14 @@
+ test -z "$delta" && Delta="";
+ 
+ File="$extra"
++
++ out=$(aegis_tmp)
++ log=$(aegis_tmp .log)
++
+ if test -z "$change"
+ then
+ $bindir/aegis -cp -ind $project -baserel $File $Delta \
+- -o /tmp/aegis.$$ 2> /tmp/aegis.$$.log
++ -o $out 2> $log
+ status=$?
+ if test $status -ne 0
+ then
+@@ -282,20 +309,20 @@
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$.log
++ sed 's|<|\<|g' < $log
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm -f /tmp/aegis.$$ /tmp/aegis.$$.log
++ rm -f $out $log
+ exit 1
+ fi
+- rm -f /tmp/aegis.$$.log
++ rm -f $log
+ else
+ # the script will work out where to get the file from
+ cmd="`$bindir/aereport -f $datadir/en/html/cp_command.rpt $File \
+- /tmp/aegis.$$ -unf $project $change 2> /tmp/aegis.$$.log`"
++ $out -unf $project $change 2> $log`"
+ 
+ status=$?
+ if test $status -ne 0
+@@ -307,22 +334,21 @@
+ echo '<blockquote><tt>'
+ echo $bindir/aereport -f \
+ $datadir/en/html/cp_command.rpt $File \
+- /tmp/aegis.$$ -unf $project $change
++ $out -unf $project $change
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$.log
++ sed 's|<|\<|g' < $log
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm /tmp/aegis.$$.log
++ rm $out $log
+ exit 1
+ fi
+- rm /tmp/aegis.$$.log
+ 
+- eval "$cmd 2> /tmp/aegis.$$.log"
++ eval "$cmd 2> $log"
+ status=$?
+ if test $status -ne 0
+ then
+@@ -335,16 +361,16 @@
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$.log
++ sed 's|<|\<|g' < $log
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm -f /tmp/aegis.$$.log /tmp/aegis.$$
++ rm -f $out $log
+ exit 1
+ fi
+- rm /tmp/aegis.$$.log
++ rm $log
+ fi
+ 
+ echo 'Content-Type: text/html'
+@@ -360,19 +386,21 @@
+ echo "<br>File <i>$x</i>"
+ echo '</h1>'
+ echo '<pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$
++ sed 's|<|\<|g' < $out
+ echo '</pre>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+- rm /tmp/aegis.$$
++ rm $out
+ exit 0
+ fi
+ 
++log=$(aegis_tmp)
++
+ $bindir/aereport --file $datadir/$lang/html/$file.rpt \
+ $project $change $extra --page-width=1000 --unformatted \
+- > /tmp/aegis.$$ 2>&1
++ > $log 2>&1
+ 
+ status=$?
+ if test $status -ne 0
+@@ -387,14 +415,14 @@
+ echo '</tt></blockquote>'
+ echo "terminated with exit status $status."
+ echo 'The following text was produced <blockquote><pre>'
+- sed 's|<|\<|g' < /tmp/aegis.$$
++ sed 's|<|\<|g' < $log
+ echo '</pre></blockquote>'
+ echo '<hr>'
+ echo 'This page was generated'
+ date
+ echo '</body></html>'
+ else
+- cat /tmp/aegis.$$
++ cat $log
+ fi
+-rm /tmp/aegis.$$
++rm $log
+ exit 0
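Review bot: The `|| exit 1` inside `aegis_tmp` does not abort the script, because every call site invokes the helper through command substitution (`out=$(aegis_tmp .ae)`), so a failed `mktemp` only exits that subshell and the caller carries on with an empty `$out` or `$log`, which then reaches `-o $out > $log 2>&1` and `rm $out $log`. The check belongs at the assignment instead, `out=$(aegis_tmp .ae) || exit 1`, and likewise for the other twelve assignments this patch adds, including the top-level `log=$(aegis_tmp)` before the final aereport call. In the file_diff section `$ver1` and `$ver2` are unlinked by `rm -f $ver1 $ver2` before the `eval` and are never removed afterwards (the failure path runs `rm -f $err $out`, the success path `rm -f $out`), so if the generated `$cmd` recreates them, as that unlink suggests, they are left behind and are once again created at names no longer held by mktemp, which is the pattern the patch set out to remove; keeping them until the final cleanup avoids both problems. The helper also hard-codes `/tmp`, so the web server's `TMPDIR` is ignored; `mktemp "${TMPDIR:-/tmp}/aegis$1.XXXXXX"` would honour it.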