From e1e8ca91b9c8929418f5cb4949b73887e4d31644 Mon Sep 17 00:00:00 2001
From: handsome_feng
Date: Tue, 21 May 2024 16:55:32 +0800
Subject: [PATCH] add patch fix-security-issue-predictable-filenames-with-system and upload 3.0.3.1-2 to debian
---
 debian/changelog | 7 ++
 ...ty-issue-predictable-filenames-with-system | 85 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 93 insertions(+)
 create mode 100644 debian/patches/fix-security-issue-predictable-filenames-with-system
 create mode 100644 debian/patches/series
diff --git a/debian/changelog b/debian/changelog
index c5118526..88469298 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+kylin-nm (3.0.3.1-2) unstable; urgency=medium
+
+ * Add patch: fix-security-issue-predictable-filenames-with-system.
+ (Closes: #1070113)
+
+ -- handsome_feng Tue, 21 May 2024 16:53:40 +0800
+
 kylin-nm (3.0.3.1-1) unstable; urgency=medium
 * Fix implicit declaration of function. (Closes: #1066555)
diff --git a/debian/patches/fix-security-issue-predictable-filenames-with-system b/debian/patches/fix-security-issue-predictable-filenames-with-system
new file mode 100644
index 00000000..be75dd0e
--- /dev/null
+++ b/debian/patches/fix-security-issue-predictable-filenames-with-system
@@ -0,0 +1,85 @@
+Index: kylin-nm/src/kylin-network-interface.c
+===================================================================
+--- kylin-nm.orig/src/kylin-network-interface.c
++++ kylin-nm/src/kylin-network-interface.c
+@@ -32,6 +32,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+
+ //获取网络接口名
+ ifname *kylin_network_get_ifacename()
+@@ -194,19 +196,43 @@ activecon *kylin_network_get_activecon_i
+ struct passwd *pwd;
+ pwd = getpwuid(getuid());
+ char *name = pwd->pw_name;
+- char *tmpPrefix = "/tmp/kylin-nm-activecon-";
+- char *chr = "nmcli connection show -active > ";
++ char tmpTemplate[] = "/tmp/kylin-nm-activecon-XXXXXX";
++ int fd = mkstemp(tmpTemplate);
++ if (fd == -1) {
++ syslog(LOG_ERR, "mkstemp() failed in kylin_network_get_activecon_info: %s", strerror(errno));
++ return NULL;
++ }
+
+- char *cmd;
+- asprintf(&cmd, "%s%s%s", chr, tmpPrefix, name);
+- char *path;
+- asprintf(&path, "%s%s", tmpPrefix, name);
+- int status = system(cmd);
+- if (status != 0)
+- syslog(LOG_ERR, "execute 'nmcli connection show -active' in function 'kylin_network_get_activecon_info' failed");
+- free(cmd);
++ pid_t pid = fork();
++ if (pid == -1) {
++ syslog(LOG_ERR, "fork() in kylin_network_get_activecon_info failed");
++ close(fd);
++ unlink(tmpTemplate);
++ return NULL;
++ } else if (pid == 0) {
++ //Child process
++ dup2(fd, STDOUT_FILENO);
++ close(fd);
++
++ execlp("nmcli", "nmcli", "connection", "show", "--active",(char *)NULL);
++
++ // If execlp() fails
++ syslog(LOG_ERR, "execlp() failed");
++ _exit(EXIT_FAILURE);
++ } else {
++ // Parent process
++ int status;
++ waitpid(pid, &status, 0);
++ if (status !=0 ) {
++ syslog(LOG_ERR, "execute 'nmcli connection show --active' in 'kylin_network_get_activecon_info' failed");
++ close(fd);
++ unlink(tmpTemplate);
++ return NULL;
++ }
++ close(fd);
++ }
+
+- char *filename = path;
++ char *filename = strdup(tmpTemplate);
+
+ FILE *activefp;
+ int activenum=0;
+@@ -233,7 +259,6 @@ activecon *kylin_network_get_activecon_i
+ printf("error!");
+
+ }
+- free(path);
+
+ fgets(StrLine,1024,fp);
+ while(!feof(fp))
+@@ -325,6 +350,8 @@ activecon *kylin_network_get_activecon_i
+ }
+ fclose(fp);
+
++ unlink(tmpTemplate);
++
+ activelist[count].con_name=NULL;
+ activelist[count].type=NULL;
+ activelist[count].dev=NULL;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..575cfcf7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+fix-security-issue-predictable-filenames-with-system
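Review bot: In the parent branch of the new fork/exec block, `status` is declared without an initializer and the `waitpid()` return value is never checked, so an EINTR or other failure leaves `if (status !=0 )` reading an uninitialized int; test the call result and decode the status with the POSIX macros, e.g. `if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {`. The patch drops `free(path)` but replaces it with `char *filename = strdup(tmpTemplate);`, which is never freed in the visible lines and is not checked for NULL; since `tmpTemplate` already lives for the whole function, `char *filename = tmpTemplate;` avoids both the leak and the unchecked allocation. With the `asprintf` calls gone, `name` (and the `pwd` lookup that feeds it, which is also dereferenced without a NULL check) appears unused in the new code and could be dropped. The `dup2()` result in the child is likewise unchecked, so a failure there would send nmcli's output to the inherited stdout and leave the temp file empty without any log entry. `kylin_network_get_activecon_info` begins and ends outside the patched hunks, so whether every early-return path between the `fopen` and the final `unlink(tmpTemplate)` also removes the temp file cannot be confirmed from here.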