[foomatic/f14] Use mktemp when creating debug log file in foomatic-rip (CVE-2011-2924, bug #726426).

Tim Waugh twaugh at fedoraproject.org
Thu Aug 18 14:01:48 UTC 2011 

commit ffe39365f71de45f81fbc2b3e38af060e284dd1d
Author: Tim Waugh <twaugh at redhat.com>
Date:   Thu Aug 18 12:15:52 2011 +0100

    Use mktemp when creating debug log file in foomatic-rip (CVE-2011-2924, bug #726426).

 foomatic-filters-CVE-2011-2924.patch |   12 ++++++++++++
 foomatic.spec                        |   11 ++++++++++-
 2 files changed, 22 insertions(+), 1 deletions(-)
---
diff --git a/foomatic-filters-CVE-2011-2924.patch b/foomatic-filters-CVE-2011-2924.patch
new file mode 100644
index 0000000..236b2c9
--- /dev/null
+++ b/foomatic-filters-CVE-2011-2924.patch
@@ -0,0 +1,12 @@
+diff -up foomatic-filters-4.0.8/renderer.c.CVE-2011-2924 foomatic-filters-4.0.8/renderer.c
+--- foomatic-filters-4.0.8/renderer.c.CVE-2011-2924	2011-07-25 10:50:57.000000000 +0100
++++ foomatic-filters-4.0.8/renderer.c	2011-08-18 12:12:36.758458765 +0100
+@@ -434,7 +434,7 @@ int exec_kid3(FILE *in, FILE *out, void 
+         }
+ 
+         /* Save the data supposed to be fed into the renderer also into a file*/
+-        dstrprepend(commandline, "tee -a " LOG_FILE ".ps | ( ");
++        dstrprepend(commandline, "tee $(mktemp " LOG_FILE "-XXXXXX.ps) | ( ");
+         dstrcat(commandline, ")");
+     }
+ 
diff --git a/foomatic.spec b/foomatic.spec
index 5c84715..700a904 100644
--- a/foomatic.spec
+++ b/foomatic.spec
@@ -4,7 +4,7 @@
 Summary: Tools for using the foomatic database of printers and printer drivers
 Name:       foomatic
 Version:    %{enginever}
-Release:    1%{?dist}
+Release:    2%{?dist}
 License:    GPLv2+
 Group: System Environment/Libraries
 
@@ -15,6 +15,7 @@ Source0: http://www.openprinting.org/download/foomatic/foomatic-db-engine-%{engi
 Source1: http://www.openprinting.org/download/foomatic/foomatic-filters-%{filtersver}.tar.gz
 
 ## PATCHES FOR FOOMATIC-FILTERS (PATCHES 1 TO 100)
+Patch1: foomatic-filters-CVE-2011-2924.patch
 
 ## PATCHES FOR FOOMATIC-DB-ENGINE (PATCHES 101 TO 200)
 
@@ -73,6 +74,10 @@ CUPS print filters for the foomatic package.
 %setup -q -c -a 1
 
 pushd foomatic-filters-%{filtersver}
+# Use mktemp when creating debug log file in foomatic-rip
+# (CVE-2011-2924, bug #726426).
+%patch1 -p1 -b .CVE-2011-2924
+
 aclocal
 automake --add-missing
 autoconf
@@ -179,6 +184,10 @@ rm -fr %buildroot $RPM_BUILD_DIR/%{name}
 %{_mandir}/man1/foomatic-rip.1*
 
 %changelog
+* Tue Aug 18 2011 Tim Waugh <twaugh at redhat.com> - 4.0.8-2
+- Use mktemp when creating debug log file in foomatic-rip
+  (CVE-2011-2924, bug #726426).
+
 * Mon Jul 25 2011 Jiri Popelka <jpopelka at redhat.com> - 4.0.8-1
 - 4.0.8 (all patches merged upstream)

More information about the scm-commits mailing list