tags 1105210 + patch
thanks
Package: auctex
Version: 13.2-1
Dear Maintainer,
I have reproduced the bug and fixed it with the attached patch.
There is also a fix for an uninitialized variable used in the
case that the program block does not exit with an error code
set. This happens when the update-auctex-elisp script is run
after install.
Kind regards,
Enkelena
From 64346e6075e830eaceb35cc2bac0ddaf1e55835f Mon Sep 17 00:00:00 2001
From: EnkelenaH <[email protected]>
Date: Sat, 17 May 2025 19:51:40 +0200
Subject: Fix unsafe tmpfile creation in update-auctex-elisp.eperl
Use /var/run instead of the root directory for mktemp to avoid potential
security issues with tmpfile creation. Also ensure the tmpfile is deleted
after use.
Initialize the EXIT_STATUS variable.
---
debian/update-auctex-elisp.eperl | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/update-auctex-elisp.eperl b/debian/update-auctex-elisp.eperl
index e73611b0..3bf20c74 100644
--- a/debian/update-auctex-elisp.eperl
+++ b/debian/update-auctex-elisp.eperl
@@ -46,6 +46,7 @@ done
<: # Default flavors: only GNU, XEmacs comes with its own AUCTeX :>//
FLAVORS=${*:-'emacs'}
LOGMASK='/var/lib/auctex/%s/CompilationLog'
+EXIT_STATUS=0
if [ -n "${_UPDATE_AUCTEX_ELISP_DAEMON_MODE}" ]; then
<: # A daemon child: trust ${FLAVORS} :>//
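Review bot: initializing EXIT_STATUS once at script level does not reset it between iterations of the `for FLAVOR in ${_FLAVORS}` loop shown in the next hunk, where `|| EXIT_STATUS=$?` sets it and `if [ ${EXIT_STATUS} -gt 0 ]` reports per-flavor failure; a failure for the first flavor would therefore also be reported as "failed." for every later flavor. Consider adding `EXIT_STATUS=0` at the top of the loop body (in addition to, or instead of, this top-level assignment) so each flavor's status is evaluated independently.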
@@ -107,7 +108,7 @@ for FLAVOR in ${_FLAVORS}; do
"(log to ${LOGFILE})..."
if [ -z "${NO_ACT}" -o "${NO_ACT}" != 'true' ]; then
exec {stdout}>&1 {stderr}>&2 &>${LOGFILE}
- INITFILE=$(mktemp ./XXXXXXXX-el)
+ INITFILE=$(mktemp /var/run/XXXXXXXX-el)
cat <<EOF >${INITFILE}
(defun font-lock-fontify-syntactic-keywords-region (start end))
EOF
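Review bot: hardcoding /var/run as the temporary directory is not ideal: it is conventionally reserved for PID and socket files, is only writable by root, and on most current systems is a symlink to /run. Since the aim is just to avoid creating the file in an unpredictable current working directory, `INITFILE=$(mktemp --tmpdir XXXXXXXX-el)` (or plain `mktemp` with a default template) respects TMPDIR and falls back to /tmp with the same mode 0600 creation. Independently of the directory, the result of mktemp is not checked; if it fails, INITFILE is empty and the following `cat <<EOF >${INITFILE}` becomes a redirection to nothing. Suggest `INITFILE=$(mktemp --tmpdir XXXXXXXX-el) || exit 1` and quoting the expansion as `"${INITFILE}"` in the redirection.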
@@ -119,6 +120,7 @@ EOF
|| EXIT_STATUS=$?
[ -z "${NO_ACT}" -o "${NO_ACT}" != 'true' ] && \
exec 1>&${stdout} 2>&${stderr}
+ rm --force ${INITFILE}
if [ ${EXIT_STATUS} -gt 0 ]; then
echo -e ' failed.\n<LOGFILE>'
${NO_ACT:+'echo'} cat ${LOGFILE}
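Review bot: the `rm --force ${INITFILE}` is only reached on the normal path through the loop body, so the temporary file still leaks if the script is interrupted or exits between the mktemp and this line. Registering the cleanup at creation time with `trap 'rm -f "${INITFILE}"' EXIT` (immediately after the mktemp line in the previous hunk) covers those paths as well; the expansion should also be quoted here as `"${INITFILE}"` to match the rest of the script's quoting of `${LOGFILE}` and friends.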
--
2.39.5