#! /bin/sh /usr/share/dpatch/dpatch-run
## 100-fix-insecure-tempfiles.dpatch by Andreas Putzo
##
## DP: Fix insecure tempfile creation in geo-code.
## DP: Thanks Moritz Muehlenhoff .
@DPATCH@
diff -urNad gpsdrive-2.10~pre4-6.dfsg~/scripts/geo-code gpsdrive-2.10~pre4-6.dfsg/scripts/geo-code
--- gpsdrive-2.10~pre4-6.dfsg~/scripts/geo-code 2007-09-14 21:47:07.000000000 +0000
+++ gpsdrive-2.10~pre4-6.dfsg/scripts/geo-code 2008-12-28 17:47:39.000000000 +0000
@@ -83,6 +83,7 @@
 #
 error() {
 echo "`basename $PROGNAME`: $1" >&2
+ remove_cruft
 exit 1
 }
@@ -130,8 +131,9 @@
 a) SQLMATCH=all;;
 D) DEBUG="$OPTARG";;
 U) echo "Getting latest version of this script..."
- curl -o$UPDATEcodeFILE "$UPDATEcodeURL"
- echo "Latest version is in $UPDATEcodeFILE"
+ destdir=`mktemp -d`
+ curl -o$destdir/$UPDATEcodeFILE "$UPDATEcodeURL"
+ echo "Latest version is in $destdir/$UPDATEcodeFILE"
 exit
 ;;
 h|\?) usage;;
@@ -239,7 +241,7 @@
 # procedure to remove cruft files
 #
 remove_cruft() {
- for i in $STYLE $COORDS $OUTWAY $MAP
+ for i in $STYLE $COORDS $OUTWAY $MAP $TMP
 do
 [ -f $i ] && rm -f $i
 done
@@ -248,11 +250,11 @@
 #
 # Main Program
 #
-TMP=/tmp/geo$$
-STYLE=${TMP}.style
-COORDS=${TMP}.coords
-OUTWAY=${TMP}.way
-MAP=${TMP}.gif
+TMP=`mktemp -d`
+STYLE=${TMP}/style
+COORDS=${TMP}/coords
+OUTWAY=${TMP}/way
+MAP=${TMP}/gif
 UA="Mozilla/5.0"
 if [ "$GURL" != "" ]; then
@@ -269,7 +271,6 @@
 | head -n1 \
 `
 if [ "$URL" = "" ]; then
- cp $COORDS /tmp/geo.google
 error "Unable to lookup telephone number or name with Google"
 else
 URL="http://maps.yahoo.com/$URL"
@@ -295,7 +296,7 @@
 fi
 if [ $DEBUG -gt 0 ]; then
- filter="tee /tmp/geo.yahoo"
+ filter="tee `mktemp`"
 else
 filter=cat
 fi
@@ -306,9 +307,9 @@
 -e 's/.*slt=\([^%]*\).*sln=\([^%]*\).*Create.*/\1 \2/p' \
 > $COORDS
-if [ $DEBUG -gt 0 ]; then
- cp $COORDS /tmp/geo.coords
-fi
+#if [ $DEBUG -gt 0 ]; then
+# cp -d $COORDS /tmp/geo.coords
+#fi
 #
 # Convert the coords, address, and type to the desired
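Review bot: The `remove_cruft` call added to error() in the `@@ -83` hunk may run before `remove_cruft` exists. Going by the hunk headers, the function is defined near line 241 while the option handling near line 131 executes earlier, so an error() raised from there would print a "not found" diagnostic before `exit 1`. This ordering is inferred from the line numbers only; if the option loop is top-level code, move the `remove_cruft` definition above error(). A one-line comment such as `# drop temp files before bailing out` above the call would also explain why cleanup sits in the error path.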
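Review bot: The result of `mktemp -d` is never checked in the `-U` branch of the `@@ -130` hunk, so on failure `$destdir` is empty and curl writes to `/$UPDATEcodeFILE`. The same unchecked call sets `TMP` in the `@@ -248` hunk, where a failure turns `$STYLE`, `$COORDS`, `$OUTWAY` and `$MAP` into paths directly under `/`. Fail closed in both places, e.g. `destdir=$(mktemp -d) || exit 1` and `TMP=$(mktemp -d) || exit 1`, and quote the target as `curl -o "$destdir/$UPDATEcodeFILE" "$UPDATEcodeURL"`. curl's exit status is also ignored, so "Latest version is in ..." is printed even when nothing was downloaded. The enclosing case statement starts and ends outside the hunk.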
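Review bot: Adding `$TMP` to the loop in remove_cruft (`@@ -239` hunk) does not remove it. `TMP` is now a directory (`@@ -248` hunk), `[ -f $i ]` is false for a directory, and `rm -f` without `-r` would not delete one anyway, so each run leaves an empty directory in the temp area. Replace the loop with one guarded recursive delete, `[ -n "$TMP" ] && rm -rf -- "$TMP"`, which also covers the four files inside it. The non-empty guard matters because error() now calls remove_cruft and may do so before `TMP` is assigned. The function body ends outside the hunk.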
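Review bot: In the `@@ -295` hunk the name produced by `mktemp` goes straight into `$filter` and is never stored or printed. With DEBUG set, the Yahoo response is therefore copied to a file the user cannot locate, and a fresh file is left in the temp area on every debug run. Capture and announce the path instead: `dbg=$(mktemp) || error "mktemp failed"`, then `echo "debug copy: $dbg" >&2`, then `filter="tee $dbg"`.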
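Review bot: The `@@ -306` hunk comments the debug copy out rather than deleting it, and the commented line still names the predictable `/tmp/geo.coords` path (now with a stray `-d`). Un-commenting it later would bring back the fixed-name write in a world-writable directory that this patch is meant to remove. Delete the three lines outright, as the `@@ -269` hunk does for `/tmp/geo.google`. If the hint is still useful for debugging, a single comment such as `# debug: inspect $COORDS inside $TMP` is enough.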