Mageia Bugzilla – Attachment 2054 Details for
Bug 5458
gnash new security issues CVE-2011-4328 and CVE-2012-1175
[patch]
gnash-0.8.9-CVE-2011-4328.diff
gnash-0.8.9-CVE-2011-4328.diff (text/plain), 5.14 KB, created by
David Walser
on 2012-04-20 20:19:53 CEST
Description:
gnash-0.8.9-CVE-2011-4328.diff
Filename:
MIME Type:
Creator:
David Walser
Created:
2012-04-20 20:19:53 CEST
Size:
5.14 KB
>From 8fc19a890ee787d26200dc1b8b5546e3bb15ac7b Mon Sep 17 00:00:00 2001
>From: Gabriele Giacone <1o5g4r8o@gmail.com>
>Date: Thu, 01 Dec 2011 00:59:15 +0000
>Subject: CVE-2011-4328 fix. mkstemps and boost::iostreams. See bug #34903
>
>---
>diff --git a/macros/boost.m4 b/macros/boost.m4
>index 7c7bb4a..c672870 100644
>--- a/macros/boost.m4
>+++ b/macros/boost.m4
>@@ -34,10 +34,10 @@ AC_DEFUN([GNASH_PATH_BOOST],
> libname=""
> dnl this is a list of *required* headers. If any of these are missing, this
> dnl test will return a failure, and Gnash won't build.
>- boost_headers="detail/lightweight_mutex.hpp thread/thread.hpp multi_index_container.hpp multi_index/key_extractors.hpp thread/mutex.hpp program_options/options_description.hpp"
>+ boost_headers="detail/lightweight_mutex.hpp thread/thread.hpp multi_index_container.hpp multi_index/key_extractors.hpp thread/mutex.hpp program_options/options_description.hpp boost/iostreams/stream.hpp"
> dnl this is a list of *required* libraries. If any of these are missing, this
> dnl test will return a failure, and Gnash won't build.
>- boost_libs="thread program_options"
>+ boost_libs="thread program_options iostreams"
>
> dnl this is a list of *recommended* libraries. If any of these are missing, this
> dnl test will return a warning, and Gnash will build, but testing won't work.
>diff --git a/plugin/npapi/Makefile.am b/plugin/npapi/Makefile.am
>index 58566d9..cd2a92b 100644
>--- a/plugin/npapi/Makefile.am
>+++ b/plugin/npapi/Makefile.am
>@@ -78,6 +78,7 @@ libgnashplugin_la_SOURCES = plugin.cpp \
>
> libgnashplugin_la_LIBADD = \
> $(GLIB_LIBS) \
>+ -lboost_iostreams \
> $(NULL)
>
> # Scriptable plugin support
>diff --git a/plugin/npapi/plugin.cpp b/plugin/npapi/plugin.cpp
>index 55bafc3..edcecfe 100644
>--- a/plugin/npapi/plugin.cpp
>+++ b/plugin/npapi/plugin.cpp
>@@ -25,6 +25,8 @@
> #include <boost/scoped_array.hpp>
> #include <boost/algorithm/string/replace.hpp>
> #include <boost/algorithm/string/find.hpp>
>+#include <boost/iostreams/device/file_descriptor.hpp>
>+#include <boost/iostreams/stream.hpp>
> #include <cassert>
> #include <string>
> #include <cstdlib> // getenv
>@@ -150,6 +152,17 @@ getPluginDescription()
> return desc;
> }
>
>+boost::iostreams::file_descriptor_sink getfdsink(char mkstemplate[]);
>+
>+boost::iostreams::file_descriptor_sink
>+getfdsink(char mksTemplate[])
>+{
>+ int suffix = std::string(mksTemplate).size() - std::string(mksTemplate).find("XXXXXX") - 6;
>+ int fd = mkstemps (mksTemplate, suffix);
>+ boost::iostreams::file_descriptor_sink fdsink(fd, boost::iostreams::close_handle);
>+ return fdsink;
>+}
>+
> //
> // general initialization and shutdown
> //
>@@ -965,22 +978,23 @@ create_standalone_launcher(const std::string& page_url, const std::string& swf_u
> return;
> }
>
>- std::ofstream saLauncher;
>-
>- std::stringstream ss;
>- static int debugno = 0;
>- debugno = (debugno + 1) % 10;
>- ss << "/tmp/gnash-debug-" << debugno << ".sh";
>- saLauncher.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
>+ char debugname[] = "/tmp/gnash-debug-XXXXXX.sh";
>+ boost::iostreams::file_descriptor_sink fdsink = getfdsink(debugname);
>+ if (fdsink.handle() == -1) {
>+ gnash::log_error("Failed to create sink: %s", debugname);
>+ return;
>+ }
>+ boost::iostreams::stream<boost::iostreams::file_descriptor_sink>
>+ saLauncher (fdsink);
>
> if (!saLauncher) {
>- gnash::log_error("Failed to open new file for standalone launcher: " + ss.str());
>+ gnash::log_error("Failed to open new file for standalone launcher: %s", debugname);
> return;
> }
>
> saLauncher << "#!/bin/sh" << std::endl
> << "export GNASH_COOKIES_IN="
>- << "/tmp/gnash-cookies." << getpid() << std::endl
>+ << std::getenv("GNASH_COOKIES_IN") << std::endl
> << getGnashExecutable() << " ";
>
> if (!page_url.empty()) {
>@@ -1003,6 +1017,7 @@ create_standalone_launcher(const std::string& page_url, const std::string& swf_u
> << std::endl;
>
> saLauncher.close();
>+ fdsink.close();
> #endif
> }
>
>@@ -1102,11 +1117,14 @@ nsPluginInstance::setupCookies(const std::string& pageurl)
> }
>
> gnash::log_debug("The Cookie for %s is %s", url, ncookie);
>- std::ofstream cookiefile;
>- std::stringstream ss;
>- ss << "/tmp/gnash-cookies." << getpid();
>-
>- cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
>+ char cookiename[] = "/tmp/gnash-cookies.XXXXXX";
>+ boost::iostreams::file_descriptor_sink fdsink = getfdsink(cookiename);
>+ if (fdsink.handle() == -1) {
>+ gnash::log_error("Failed to create sink: %s", cookiename);
>+ return;
>+ }
>+ boost::iostreams::stream<boost::iostreams::file_descriptor_sink>
>+ cookiefile (fdsink);
>
> // Firefox provides cookies in the following format:
> //
>@@ -1127,8 +1144,9 @@ nsPluginInstance::setupCookies(const std::string& pageurl)
> }
>
> cookiefile.close();
>+ fdsink.close();
>
>- if (setenv("GNASH_COOKIES_IN", ss.str().c_str(), 1) < 0) {
>+ if (setenv("GNASH_COOKIES_IN", cookiename, 1) < 0) {
> gnash::log_error(
> "Couldn't set environment variable GNASH_COOKIES_IN to %s",
> ncookie);
>--
>cgit v0.9.0.2
From 8fc19a890ee787d26200dc1b8b5546e3bb15ac7b Mon Sep 17 00:00:00 2001
From: Gabriele Giacone <1o5g4r8o@gmail.com>
Date: Thu, 01 Dec 2011 00:59:15 +0000
Subject: CVE-2011-4328 fix. mkstemps and boost::iostreams. See bug #34903

---
diff --git a/macros/boost.m4 b/macros/boost.m4
index 7c7bb4a..c672870 100644
--- a/macros/boost.m4
+++ b/macros/boost.m4
@@ -34,10 +34,10 @@ AC_DEFUN([GNASH_PATH_BOOST],
 libname=""
 dnl this is a list of *required* headers. If any of these are missing, this
 dnl test will return a failure, and Gnash won't build.
- boost_headers="detail/lightweight_mutex.hpp thread/thread.hpp multi_index_container.hpp multi_index/key_extractors.hpp thread/mutex.hpp program_options/options_description.hpp"
+ boost_headers="detail/lightweight_mutex.hpp thread/thread.hpp multi_index_container.hpp multi_index/key_extractors.hpp thread/mutex.hpp program_options/options_description.hpp boost/iostreams/stream.hpp"
 dnl this is a list of *required* libraries. If any of these are missing, this
 dnl test will return a failure, and Gnash won't build.
- boost_libs="thread program_options"
+ boost_libs="thread program_options iostreams"

 dnl this is a list of *recommended* libraries. If any of these are missing, this
 dnl test will return a warning, and Gnash will build, but testing won't work.
diff --git a/plugin/npapi/Makefile.am b/plugin/npapi/Makefile.am
index 58566d9..cd2a92b 100644
--- a/plugin/npapi/Makefile.am
+++ b/plugin/npapi/Makefile.am
@@ -78,6 +78,7 @@ libgnashplugin_la_SOURCES = plugin.cpp \

 libgnashplugin_la_LIBADD = \
 $(GLIB_LIBS) \
+ -lboost_iostreams \
 $(NULL)

 # Scriptable plugin support
diff --git a/plugin/npapi/plugin.cpp b/plugin/npapi/plugin.cpp
index 55bafc3..edcecfe 100644
--- a/plugin/npapi/plugin.cpp
+++ b/plugin/npapi/plugin.cpp
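Review bot: In the macros/boost.m4 hunk the new `boost_headers` entry is spelled `boost/iostreams/stream.hpp`, while every other entry in the list is relative to the Boost include directory (`thread/thread.hpp`, `program_options/options_description.hpp`). If the macro prepends the `boost/` directory when probing, as the existing entries suggest, this one would be looked up one level too deep and the required-header test could fail on systems that do ship the header; `iostreams/stream.hpp` would match the rest of the list. The code that consumes `boost_headers` is outside the hunk, so this should be confirmed against it.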
@@ -25,6 +25,8 @@
 #include <boost/scoped_array.hpp>
 #include <boost/algorithm/string/replace.hpp>
 #include <boost/algorithm/string/find.hpp>
+#include <boost/iostreams/device/file_descriptor.hpp>
+#include <boost/iostreams/stream.hpp>
 #include <cassert>
 #include <string>
 #include <cstdlib> // getenv
@@ -150,6 +152,17 @@ getPluginDescription()
 return desc;
 }

+boost::iostreams::file_descriptor_sink getfdsink(char mkstemplate[]);
+
+boost::iostreams::file_descriptor_sink
+getfdsink(char mksTemplate[])
+{
+ int suffix = std::string(mksTemplate).size() - std::string(mksTemplate).find("XXXXXX") - 6;
+ int fd = mkstemps (mksTemplate, suffix);
+ boost::iostreams::file_descriptor_sink fdsink(fd, boost::iostreams::close_handle);
+ return fdsink;
+}
+
 //
 // general initialization and shutdown
 //
@@ -965,22 +978,23 @@ create_standalone_launcher(const std::string& page_url, const std::string& swf_u
 return;
 }

- std::ofstream saLauncher;
-
- std::stringstream ss;
- static int debugno = 0;
- debugno = (debugno + 1) % 10;
- ss << "/tmp/gnash-debug-" << debugno << ".sh";
- saLauncher.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
+ char debugname[] = "/tmp/gnash-debug-XXXXXX.sh";
+ boost::iostreams::file_descriptor_sink fdsink = getfdsink(debugname);
+ if (fdsink.handle() == -1) {
+ gnash::log_error("Failed to create sink: %s", debugname);
+ return;
+ }
+ boost::iostreams::stream<boost::iostreams::file_descriptor_sink>
+ saLauncher (fdsink);

 if (!saLauncher) {
- gnash::log_error("Failed to open new file for standalone launcher: " + ss.str());
+ gnash::log_error("Failed to open new file for standalone launcher: %s", debugname);
 return;
 }

 saLauncher << "#!/bin/sh" << std::endl
 << "export GNASH_COOKIES_IN="
- << "/tmp/gnash-cookies." << getpid() << std::endl
+ << std::getenv("GNASH_COOKIES_IN") << std::endl
 << getGnashExecutable() << " ";

 if (!page_url.empty()) {
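Review bot: `getfdsink` derives the `mkstemps` suffix length from `find("XXXXXX")` without testing for `std::string::npos`, so a template that lacks the placeholder produces a meaningless `int` suffix, and the temporary `std::string` is built twice. Computing it once, e.g. `const std::string::size_type pos = tmpl.rfind("XXXXXX");` on a single `const std::string tmpl(mksTemplate);`, and bailing out when `pos == std::string::npos` keeps the helper safe for future callers. A failed `mkstemps` (`fd == -1`) is only noticed because both callers test `handle() == -1`; a short comment on the helper stating that contract, and that the file is created exclusively rather than opened by a predictable `/tmp` name, would document why it exists. The separate prototype with the differently spelled parameter `mkstemplate` adds nothing and could be dropped or the function made `static`.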
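Review bot: In create_standalone_launcher the script now streams `std::getenv("GNASH_COOKIES_IN")` directly, and `getenv` returns a null pointer when the variable is unset (presumably the case when setupCookies returned early on a failed `getfdsink`); inserting a null `char*` into an ostream is undefined behaviour. Read it into a local first, `const char* cookiesIn = std::getenv("GNASH_COOKIES_IN");`, and emit the `export` line only when it is non-null. The value is also written into a `/bin/sh` script unquoted and comes from process-wide state that another plugin instance may have overwritten, so single-quoting it in the generated script would be prudent. The function body starts and ends outside the hunk.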
@@ -1003,6 +1017,7 @@ create_standalone_launcher(const std::string& page_url, const std::string& swf_u
 << std::endl;

 saLauncher.close();
+ fdsink.close();
 #endif
 }

@@ -1102,11 +1117,14 @@ nsPluginInstance::setupCookies(const std::string& pageurl)
 }

 gnash::log_debug("The Cookie for %s is %s", url, ncookie);
- std::ofstream cookiefile;
- std::stringstream ss;
- ss << "/tmp/gnash-cookies." << getpid();
-
- cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
+ char cookiename[] = "/tmp/gnash-cookies.XXXXXX";
+ boost::iostreams::file_descriptor_sink fdsink = getfdsink(cookiename);
+ if (fdsink.handle() == -1) {
+ gnash::log_error("Failed to create sink: %s", cookiename);
+ return;
+ }
+ boost::iostreams::stream<boost::iostreams::file_descriptor_sink>
+ cookiefile (fdsink);

 // Firefox provides cookies in the following format:
 //
@@ -1127,8 +1144,9 @@ nsPluginInstance::setupCookies(const std::string& pageurl)
 }

 cookiefile.close();
+ fdsink.close();

- if (setenv("GNASH_COOKIES_IN", ss.str().c_str(), 1) < 0) {
+ if (setenv("GNASH_COOKIES_IN", cookiename, 1) < 0) {
 gnash::log_error(
 "Couldn't set environment variable GNASH_COOKIES_IN to %s",
 ncookie);
--
cgit v0.9.0.2
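Review bot: The cookie file created from `/tmp/gnash-cookies.XXXXXX` in setupCookies is not removed anywhere in the lines shown, and unlike the old PID-based name it is no longer overwritten by the next call, so each invocation may leave another file of session cookies behind in `/tmp`. If nothing downstream deletes the file named by `GNASH_COOKIES_IN` (not visible here), it should be unlinked once the player has read it. The failure branch also logs only the template name; appending `std::strerror(errno)` to the `"Failed to create sink: %s"` message would say why `mkstemps` failed. The function continues outside the hunk.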
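Review bot: The `log_error` call kept as context under the changed `setenv` line passes `ncookie` for the `%s` in `"Couldn't set environment variable GNASH_COOKIES_IN to %s"`, so on failure the log receives the cookie contents rather than the value that was being set. With the path now held in `cookiename`, the argument should be `cookiename`, which also keeps cookie data out of the error log. The `gnash::log_debug("The Cookie for %s is %s", url, ncookie);` context line in the previous hunk writes the cookie to the debug log too and deserves the same scrutiny.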