Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package tvtime The patch fixes #924076, a insecure usage of /tmp. The important part of the debdiff is this:
--- a/src/utils.c
+++ b/src/utils.c
@@ -202,17 +202,11 @@
 }
 }
 
- /* If we can't use our /tmp directory, put the fifo in $HOME. */
- if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) {
- if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
- getenv( "HOME" ), hostname ) < 0 ) {
- fifo = 0;
- }
- } else {
- if( asprintf( &fifo, "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) {
- fifo = 0;
- }
- }
+ /* put the fifo in $HOME */
+ if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s",
+ getenv( "HOME" ), hostname ) < 0 ) {
+ fifo = 0;
+ }
 free( hostname );
 free( fifodir );
 return fifo;
(Sorry for the refreshing of the patches, I realized this just now that this would not have been necessary) Debdiff attached. Cheers, tobi unblock tvtime/1.0.11-4 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
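Review bot: The added asprintf call passes `getenv( "HOME" )` straight into a `%s` conversion with no NULL check, and now that the /tmp branch is gone this is the only way the fifo path is built, so an unset HOME (a launch from cron or a unit file, say) becomes undefined behaviour instead of a clean failure; the same hunk is carried again as debian/patches/0002-disable-insecure-temp-file.patch further down in the debdiff. A guard keeps the existing failure convention: `const char *home = getenv( "HOME" ); if( !home ) { fifo = 0; } else if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s", home, hostname ) < 0 ) { fifo = 0; }`. The removed branch was the only use of `uid` and of `fifodir` visible in the hunk, so if the enclosing function (its start lies outside the hunk) references them nowhere else, `fifodir` is now allocated only to be freed and `uid` becomes an unused variable. The removed `mkdir_and_force_owner` call also created the target directory, while nothing in the new code ensures `$HOME/.tvtime` exists before the fifo is created there — confirm the caller handles that. The new comment drops the rationale the old one carried; `/* Always use $HOME: a fifo in the shared /tmp is open to symlink and ownership races (see #924076). */` records why the fallback is now the only path.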
diff -Nru tvtime-1.0.11/debian/changelog tvtime-1.0.11/debian/changelog --- tvtime-1.0.11/debian/changelog 2018-12-10 23:50:07.000000000 +0100 +++ tvtime-1.0.11/debian/changelog 2019-04-05 20:27:01.000000000 +0200 @@ -1,3 +1,14 @@ +tvtime (1.0.11-5) unstable; urgency=medium + + * QA upload. + * Create repository on salsa. + * Refresh patches + * Fix "insecure use of /tmp" by only using the fall back to $HOME. + This is patch 0002-disable-insecure-temp-file.patch + (Closes: #924076) + + -- Tobias Frost <t...@debian.org> Fri, 05 Apr 2019 20:27:01 +0200 + tvtime (1.0.11-4) unstable; urgency=medium * QA upload. diff -Nru tvtime-1.0.11/debian/control tvtime-1.0.11/debian/control --- tvtime-1.0.11/debian/control 2018-12-10 23:50:07.000000000 +0100 +++ tvtime-1.0.11/debian/control 2019-04-05 19:56:54.000000000 +0200 @@ -22,6 +22,8 @@ libasound2-dev Standards-Version: 3.9.3 Homepage: https://linuxtv.org/wiki/index.php/Tvtime +VCS-Browser: https://salsa.debian.org/debian/tvtime +VCS-Git: https://salsa.debian.org/debian/tvtime.git Package: tvtime Architecture: any diff -Nru tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch --- tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch 2018-12-10 21:35:44.000000000 +0100 +++ tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch 2019-04-05 19:57:51.000000000 +0200 @@ -14,8 +14,6 @@ src/get_media_devices.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/src/get_media_devices.c b/src/get_media_devices.c -index 619734ea..453b0677 100644 --- a/src/get_media_devices.c +++ b/src/get_media_devices.c @@ -23,6 +23,7 @@ 
@@ -26,6 +24,3 @@ #include <string.h> #include <stdlib.h> #include <malloc.h> --- -2.11.0 - diff -Nru tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch --- tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch 1970-01-01 01:00:00.000000000 +0100 +++ tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch 2019-04-05 20:10:15.000000000 +0200 @@ -0,0 +1,25 @@ +--- a/src/utils.c ++++ b/src/utils.c +@@ -202,17 +202,11 @@ + } + } + +- /* If we can't use our /tmp directory, put the fifo in $HOME. */ +- if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) { +- if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s", +- getenv( "HOME" ), hostname ) < 0 ) { +- fifo = 0; +- } +- } else { +- if( asprintf( &fifo, "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) { +- fifo = 0; +- } +- } ++ /* put the fifo in $HOME */ ++ if( asprintf( &fifo, "%s/.tvtime/tvtimefifo-%s", ++ getenv( "HOME" ), hostname ) < 0 ) { ++ fifo = 0; ++ } + free( hostname ); + free( fifodir ); + return fifo; diff -Nru tvtime-1.0.11/debian/patches/freetype.patch tvtime-1.0.11/debian/patches/freetype.patch --- tvtime-1.0.11/debian/patches/freetype.patch 2018-10-26 17:32:26.000000000 +0200 +++ tvtime-1.0.11/debian/patches/freetype.patch 2019-04-05 19:57:50.000000000 +0200 @@ -2,9 +2,9 @@ Author: Adrian Bunk <b...@debian.org> Bug-Debian: https://bugs.debian.org/892455 ---- tvtime-1.0.11.orig/configure.ac -+++ tvtime-1.0.11/configure.ac -@@ -71,10 +71,7 @@ dnl ------------------------------------ +--- a/configure.ac ++++ b/configure.ac +@@ -71,10 +71,7 @@ dnl freetype dnl --------------------------------------------- dnl Test for freetype 
@@ -16,9 +16,9 @@ dnl --------------------------------------------- dnl libxml2 ---- tvtime-1.0.11.orig/src/Makefile.am -+++ tvtime-1.0.11/src/Makefile.am -@@ -19,9 +19,6 @@ pkgsysconfdir = $(sysconfdir)/@PACKAGE@ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -19,9 +19,6 @@ tmpdir = /tmp localedir = $(datadir)/locale diff -Nru tvtime-1.0.11/debian/patches/home.diff tvtime-1.0.11/debian/patches/home.diff --- tvtime-1.0.11/debian/patches/home.diff 2016-12-12 01:43:08.000000000 +0100 +++ tvtime-1.0.11/debian/patches/home.diff 2019-04-05 19:57:49.000000000 +0200 @@ -1,7 +1,5 @@ -Index: tvtime/src/tvtime-command.c -=================================================================== ---- tvtime.orig/src/tvtime-command.c 2014-04-25 17:27:37.935860003 +0200 -+++ tvtime/src/tvtime-command.c 2014-04-25 17:27:37.931859906 +0200 +--- a/src/tvtime-command.c ++++ b/src/tvtime-command.c @@ -39,6 +39,9 @@ int main( int argc, char **argv ) @@ -12,10 +10,8 @@ int nc = tvtime_num_commands(); config_t *cfg; FILE *fifo; -Index: tvtime/src/tvtime-configure.c -=================================================================== ---- tvtime.orig/src/tvtime-configure.c 2014-04-25 17:27:37.935860003 +0200 -+++ tvtime/src/tvtime-configure.c 2014-04-25 17:36:42.644717220 +0200 +--- a/src/tvtime-configure.c ++++ b/src/tvtime-configure.c @@ -19,6 +19,8 @@ #include <stdio.h> #include <sys/types.h> @@ -35,10 +31,8 @@ config_t *cfg; /* -Index: tvtime/src/tvtime-scanner.c -=================================================================== ---- tvtime.orig/src/tvtime-scanner.c 2014-04-25 17:27:37.935860003 +0200 -+++ tvtime/src/tvtime-scanner.c 2014-04-25 17:36:20.736208769 +0200 +--- a/src/tvtime-scanner.c ++++ b/src/tvtime-scanner.c @@ -24,6 +24,7 @@ #include <sys/types.h> #include <sys/stat.h> @@ -47,7 +41,7 @@ #include <fcntl.h> #include <unistd.h> #ifdef HAVE_CONFIG_H -@@ -42,6 +43,9 @@ +@@ -47,6 +48,9 @@ int main( int argc, char **argv ) { 
@@ -57,11 +51,9 @@ config_t *cfg; station_mgr_t *stationmgr = 0; videoinput_t *vidin; -Index: tvtime/src/tvtime.c -=================================================================== ---- tvtime.orig/src/tvtime.c 2014-04-25 17:27:37.935860003 +0200 -+++ tvtime/src/tvtime.c 2014-04-25 17:27:37.935860003 +0200 -@@ -2643,6 +2643,9 @@ +--- a/src/tvtime.c ++++ b/src/tvtime.c +@@ -2624,6 +2624,9 @@ int main( int argc, char **argv ) { diff -Nru tvtime-1.0.11/debian/patches/saveconfig.diff tvtime-1.0.11/debian/patches/saveconfig.diff --- tvtime-1.0.11/debian/patches/saveconfig.diff 2017-01-26 11:40:33.000000000 +0100 +++ tvtime-1.0.11/debian/patches/saveconfig.diff 2019-04-05 19:57:47.000000000 +0200 @@ -1,5 +1,5 @@ ---- ../orig/tvtime-1.0.2/./src/tvtimeconf.c 2005-09-08 04:07:56.000000000 +0000 -+++ ./src/tvtimeconf.c 2012-12-07 11:05:25.000000000 +0000 +--- a/src/tvtimeconf.c ++++ b/src/tvtimeconf.c @@ -34,6 +34,7 @@ #include <errno.h> #include <libxml/parser.h> @@ -8,7 +8,7 @@ #ifdef HAVE_CONFIG_H # include "config.h" #endif -@@ -565,7 +566,30 @@ +@@ -596,7 +597,30 @@ } xmlKeepBlanksDefault( 0 ); @@ -40,7 +40,7 @@ if( create_file ) { if( chown( config_filename, getuid(), getgid() ) < 0 ) { lfprintf( stderr, _("Cannot change owner of %s: %s.\n"), -@@ -844,14 +868,6 @@ +@@ -897,14 +921,6 @@ ct->buttonmapmenu[ 4 ] = TVTIME_MENU_UP; ct->buttonmapmenu[ 5 ] = TVTIME_MENU_DOWN; @@ -55,7 +55,7 @@ /* First read in global settings. */ asprintf( &base, "%s/tvtime.xml", CONFDIR ); if( file_is_openable_for_read( base ) ) { -@@ -1043,6 +1059,7 @@ +@@ -1113,6 +1129,7 @@ int option_index = 0; int filename_specified = 0; int c; @@ -63,7 +63,8 @@ if( argc == 1 ) { print_config_usage( argv ); -@@ -1052,10 +1069,10 @@ +@@ -1123,11 +1140,11 @@ + "aAhmMF:g:I:d::b::i::c:n::D:f::x:t::Ll::R::p::P::z::", long_options, &option_index )) != -1 ) { switch( c ) { - case 'a': ct->aspect = 1; break; 
@@ -79,7 +80,7 @@ case 'F': if( ct->config_filename ) free( ct->config_filename ); filename_specified = 1; ct->config_filename = expand_user_path( optarg ); -@@ -1065,18 +1082,20 @@ +@@ -1137,18 +1154,20 @@ ct->config_filename ); conf_xml_parse( ct, ct->config_filename ); } @@ -103,7 +104,7 @@ } break; case 'b': if( !optarg ) { -@@ -1085,6 +1104,7 @@ +@@ -1157,6 +1176,7 @@ } else { free( ct->vbidev ); ct->vbidev = strdup( optarg ); @@ -111,7 +112,7 @@ } break; case 'i': if( !optarg ) { -@@ -1092,16 +1112,18 @@ +@@ -1164,16 +1184,18 @@ config_get_inputnum( ct ) ); } else { ct->inputnum = atoi( optarg ); @@ -131,7 +132,7 @@ } break; case 'l': if( !optarg ) { -@@ -1110,6 +1132,7 @@ +@@ -1182,6 +1204,7 @@ } else { if( ct->xmltvlanguage ) free( ct->xmltvlanguage ); ct->xmltvlanguage = strdup( optarg ); @@ -139,7 +140,7 @@ } break; case 'n': if( !optarg ) { -@@ -1117,6 +1140,7 @@ +@@ -1189,6 +1212,7 @@ } else { free( ct->norm ); ct->norm = strdup( optarg ); @@ -147,7 +148,7 @@ } break; case 'f': if( !optarg ) { -@@ -1125,6 +1149,7 @@ +@@ -1197,6 +1221,7 @@ } else { free( ct->freq ); ct->freq = strdup( optarg ); @@ -155,13 +156,15 @@ } break; case 'R': if( !optarg ) { -@@ -1132,4 +1157,5 @@ +@@ -1204,6 +1229,7 @@ + config_get_priority( ct ) ); } else { ct->priority = atoi( optarg ); + config_needs_saving = 1; } break; -@@ -1212,6 +1212,7 @@ + case 'p': if( !optarg ) { +@@ -1212,6 +1238,7 @@ } else { free( ct->alsa_inputdev ); ct->alsa_inputdev = strdup( optarg ); @@ -169,7 +172,7 @@ } break; case 'P': if( !optarg ) { -@@ -1220,6 +1221,7 @@ +@@ -1220,6 +1247,7 @@ } else { free( ct->alsa_outputdev ); ct->alsa_outputdev = strdup( optarg ); @@ -177,7 +180,7 @@ } break; case 'z': if( !optarg ) { -@@ -1227,6 +1229,7 @@ +@@ -1227,6 +1255,7 @@ config_get_alsa_latency( ct ) ); } else { ct->alsa_latency = atoi( optarg ); 
@@ -185,7 +188,7 @@ } break; default: -@@ -1235,6 +1238,9 @@ +@@ -1235,6 +1264,9 @@ } } diff -Nru tvtime-1.0.11/debian/patches/series tvtime-1.0.11/debian/patches/series --- tvtime-1.0.11/debian/patches/series 2018-12-10 21:36:08.000000000 +0100 +++ tvtime-1.0.11/debian/patches/series 2019-04-05 20:20:32.000000000 +0200 @@ -2,3 +2,4 @@ home.diff freetype.patch 0001-Fix-warning-implicit-declaration-of-function-minor-m.patch +0002-disable-insecure-temp-file.patch