Re: deb vfs security issue (CAN-2004-0494)

["Andrew V. Samoilov" <andrew email zp ua>]

Hi Leonard,

> On Wed, 2004-08-18 at 21:35, Andrew V. Samoilov wrote:
> > patchfs and uzip is ok ;-) 
> 
> I see. copyin is passed unchecked parameters, but those are quotemeta'd
> with myin. This seems to be the case in most opens, except one: copyout.
> Are you sure 'open 0, "> $out";' is fine?
 
Well `open O,  '>', $out` is more right and secure here and in apt.in, rpms.in .
Patch attached.  Can you commit this one?

vfs/ChangeLog:

patchfs
-- 
Regards,
Andrew V. Samoilov.

vfs/ChangeLog:

	* extfs/patchfs.in (copyout): Use 3-arguments open().

--- patchfs.in~	Thu Aug 19 10:06:11 2004
+++ patchfs.in	Thu Aug 19 10:22:42 2004
@@ -235,7 +235,7 @@ sub copyout
 	$buf.=$_ if ($found || $state==0)
     }
     if ($found) {
-	open O, "> $out";
+	open O, '>', $out;
 	print O $buf;
 	close O;
     }
--- patchfs.in~	Fri Jan 30 02:22:17 2004
+++ patchfs.in	Thu Aug 19 10:06:11 2004
@@ -345,19 +345,19 @@ if ($ARGV[0] eq 'list') {
     open I, myin($ARGV[1]).'|';
     list $ARGV[1];
     exit 0;
-} if ($ARGV[0] eq 'copyout') {
+} elsif ($ARGV[0] eq 'copyout') {
     open I, myin($ARGV[1])."|";
     copyout ($ARGV[2], $ARGV[3]);
     exit 0;
-} if ($ARGV[0] eq 'rm') {
+} elsif ($ARGV[0] eq 'rm') {
     open I, myin($ARGV[1])."|";
     rm ($ARGV[1], $ARGV[2]);
     exit 0;
-} if ($ARGV[0] eq 'rmdir') {
+} elsif ($ARGV[0] eq 'rmdir') {
     exit 0;
-} if ($ARGV[0] eq 'mkdir') {
+} elsif ($ARGV[0] eq 'mkdir') {
     exit 0;
-} if ($ARGV[0] eq 'copyin') {
+} elsif ($ARGV[0] eq 'copyin') {
     copyin ($ARGV[1], $ARGV[2], $ARGV[3]);
     exit 0;
 }