[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debian-devel:15551] current xdvi-pl depends on perl-5.8

Hi,

Because the current xdvi-pl depends on perl-5.8, it is impossible to
install tetex-bin to woody or sarge, even if it is recompiled.  So, I
propose the attached patch, which makes xdvi-pl independent from
perl-5.8.

I think that the misusage of tempfile() enables the attack described
in the bug report #174987.  When tempfile() is called with a template
but without DIR option, it creates a temporary file on the current
working directory without checking whether the directory is safe or
not.  Therefore, when this misusage is removed, xdvi-pl is still safe
and do not depend on perl-5.8.


--- xdvi-pl.orig	30 Jan 2003 06:17:22 -0000
+++ xdvi-pl	1 Feb 2003 05:22:43 -0000
@@ -23,9 +23,11 @@
 # the arguments to handled gzipped dvi files, which not have errors if
 # there are spaces in some arguments.
 
-use 5.008;  # The temporary file "open" command below was only introduced here
 use strict;
+use FileHandle;
 use File::Basename;
+use File::Spec;
+use File::Temp qw/ tempfile /;
 
 my @NAMEOPT;
 if (@ARGV == 1 and ($ARGV[0] eq '-help' or $ARGV[0] eq '-version')) {
@@ -62,9 +64,12 @@
 	my @command = $1 eq 'bz2' ? qw(bzip2 -d -c) : qw(gzip -d -c);
 
 	require Fcntl;
-	open TEMP, "+>", undef
+	my( $fh, $tmpname ) = tempfile( "tetexXXXXXX",
+					DIR => File::Spec->tmpdir(),
+					SUFFIX => ".dvi",
+					UNLINK => 1 )
 	    or die "xdvi: cannot create temporary file: $!\n";
-	fcntl TEMP, Fcntl::F_SETFD(), 0
+	fcntl $fh, Fcntl::F_SETFD(), 0
 	    or die "xdvi: disabling close-on-exec for temporary file: $!\n";
 
 	if (my $child = fork) {
@@ -76,12 +81,12 @@
 		die "xdvi: $command[0] terminated with exit code $code\n";
 	    }
 	} elsif (defined $child) {
-	    open STDOUT, ">&TEMP";
+	    STDOUT->fdopen( $fh, "w" );
 	    exec @command, $filename;
 	} else {
 	    die "xdvi: fork: $!\n";
 	}
-	$status = system('xdvi.bin', @NAMEOPT, @ARGV, "/dev/fd/".fileno(TEMP));
+	$status = system('xdvi.bin', @NAMEOPT, @ARGV, $tmpname);
     } else {
 	$status = system('xdvi.bin', @NAMEOPT, @ARGV, $filename);
     }

-- 
TSUCHIYA Masatoshi