Security fix patch. Fix insecure temporary file and directory creations. (CAN-2004-0231).

vfs/ChangeLog

@@ -1,3 +1,15 @@
+2004-08-16  Pavel S. Shirshov  <pavelsh@mail.ru>
+
+	* extfs/deb.in: Security fix patch. Fix insecure temporary file and 
+	directory creations. (CAN-2004-0231).
+
+        * extfs/uar.in: Likewise.
+	* extfs/uha.in: Likewise.
+	* extfs/ulha.in: Likewise.
+        * extfs/urar.in: Likewise.
+        * extfs/uzip.in: Likewise.
+        * extfs/uzoo.in: Likewise.
+
 2004-08-14  Andrew V. Samoilov  <sav@bcs.zp.ua>
 
 	* extfs.c (extfs_init): Fix possible off-by-one buffer underflow

vfs/extfs/deb.in

@@ -149,15 +149,10 @@ sub mcdebfs_run
 	}
 	else
 	{
-	        $suffix = "aaa";
-		while (1) {
-		    $tmpdir = "/tmp/mcdebfs.run".$$.$suffix;
-		    last if mkdir $tmpdir, 0700;
-		    $suffix++;
-		    # Somebody is being really nasty, give up
-		    exit 1 if $suffix eq "zzz";
-		}
-		
+		use File::Temp qw(mkdtemp);
+		my $template = "/tmp/mcdebfs.run.XXXXXX";
+		$template="$ENV{MC_TMPDIR}/mcdebfs.XXXXXX" if ($ENV{MC_TMPDIR});
+		$tmpdir = mkdtemp($template);
 		$tmpcmd="$tmpdir/run";
 		&mcdebfs_copyout($archive, $filename, $tmpcmd);
 		system("chmod u+x $tmpcmd");

vfs/extfs/uar.in

@@ -22,8 +22,7 @@ mcarfs_copyout ()
 
 mcarfs_copyin ()
 {
-    TMPDIR=/tmp/mctmpdir-uar.$$
-    mkdir $TMPDIR || exit 1
+    TMPDIR=`mktemp -d ${MC_TMPDIR:-/tmp}/mctmpdir-uar.XXXXXX` || exit 1
     name=`basename "$2"`
     (cd $TMPDIR && cp -fp "$3" $name && $XAR r "$1" $name)
     rm -rf $TMPDIR

vfs/extfs/uha.in

@@ -31,8 +31,7 @@ mchafs_list ()
 
 mchafs_copyout ()
 {
-    TMPDIR="/tmp/mctmpdir-uha.$$"
-    mkdir $TMPDIR || exit 1
+    TMPDIR=`mktemp -d ${MC_TMPDIR:-/tmp}/mctmpdir-uha.XXXXXX` || exit 1
     cd $TMPDIR
 
     $HA xyq "$1" "$2" >/dev/null

vfs/extfs/ulha.in

@@ -35,12 +35,6 @@ LHA_LIST="lha lq"
 LHA_GET="lha pq"
 LHA_PUT="lha aq"
 
-# Define a directory to create a temporary file for when
-# running a command to be run from the archive
-TMPDIR="/tmp/mctmpdir-uha.$$"
-# Temporary file within the directory
-TMPCMD=$TMPDIR/run
-
 # The 'list' command executive
 
 mc_lha_fs_list()
@@ -121,9 +115,9 @@ mc_lha_fs_copyin ()
 
 mc_lha_fs_run()
 {
+   TMPDIR=`mktemp -d ${MC_TMPDIR:-/tmp}/mctmpdir-ulha.XXXXXX` || exit 1
    trap "rm -rf $TMPDIR; exit 0" 1 2 3 4 15
-   # FIXME: Try harder to generate a unique directory if this fails
-   mkdir -m 0700 $TMPDIR || exit 1
+   TMPCMD=$TMPDIR/run
    $LHA_GET "$1" "$2" > $TMPCMD  
    chmod a+x $TMPCMD
    $TMPCMD

vfs/extfs/urar.in

@@ -77,8 +77,7 @@ mcrarfs_mkdir ()
 # preserve pwd. It is clean, but is it necessary?
     pwd=`pwd`
 # Create a directory and create in it a tmp directory with the good name     
-    dir=tmpdir.${RANDOM}
-    mkdir $dir
+    dir=`mktemp -d ${MC_TMPDIR:-/tmp}/mctmpdir-urar.XXXXXX` || exit 1
     cd $dir
     mkdir -p "$2"  
 # rar cannot create an empty directory    

vfs/extfs/uzip.in

@@ -344,10 +344,10 @@ sub cleandirs {
 
 # Make a temporary directory with mode 0700.
 sub mktmpdir {
-	while (1) {
-		my $dir = POSIX::tmpnam();
-		return $dir if mkdir ($dir, 0700);
-	}
+	use File::Temp qw(mkdtemp);
+	my $template = "/tmp/mcuzipfs.XXXXXX";
+	$template="$ENV{MC_TMPDIR}/mcuzipfs.XXXXXX" if ($ENV{MC_TMPDIR});
+	return mkdtemp($template);
 }
 
 # Make a filename absolute and return it.

vfs/extfs/uzoo.in

@@ -13,8 +13,7 @@ ZOO=zoo
 # it to a temporary directory.
 mklink ()
 {
-    TMPDIR="/tmp/mctmpdir-uzoo.$$"
-    mkdir $TMPDIR || exit 1
+    TMPDIR=`mktemp -d ${MC_TMPDIR:-/tmp}/mctmpdir-uzoo.XXXXXX` || exit 1
     trap 'cd /; rm -rf $TMPDIR' 0 1 2 3 5 13 15
     ARCHIVE=$TMPDIR/tmp.zoo
     ln -sf "$1" "$ARCHIVE"