pulseaudio-0.9.15: Fix a flaw in the tmp directory handling

* Address CVE-2009-1299, compare with http://www.debian.org/security/2010/dsa-2017

diff --git a/recipes/pulseaudio/files/CVE-2009-1299.patch b/recipes/pulseaudio/files/CVE-2009-1299.patch
new file mode 100644 (file)
index 0000000..63314b8
--- /dev/null
+++ b/recipes/pulseaudio/files/CVE-2009-1299.patch
@@ -0,0 +1,86 @@
+From d3efa43d85ac132c6a5a416a2b6f2115f5d577ee Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees@ubuntu.com>
+Date: Tue, 2 Mar 2010 21:33:34 -0800
+Subject: [PATCH] core-util: ensure that we chmod only the dir we ourselves created
+
+---
+ configure.ac              |    2 +-
+ src/pulsecore/core-util.c |   39 ++++++++++++++++++++++++++++++++++-----
+ 2 files changed, 35 insertions(+), 6 deletions(-)
+
+Index: pulseaudio-0.9.15/configure.ac
+===================================================================
+--- pulseaudio-0.9.15.orig/configure.ac        2010-03-17 14:50:02.000000000 +0800
++++ pulseaudio-0.9.15/configure.ac     2010-03-17 14:52:27.250075828 +0800
+@@ -403,7 +403,7 @@
+ AC_FUNC_FORK
+ AC_FUNC_GETGROUPS
+ AC_FUNC_SELECT_ARGTYPES
+-AC_CHECK_FUNCS([chmod chown clock_gettime getaddrinfo getgrgid_r getgrnam_r \
++AC_CHECK_FUNCS([chmod chown fstat fchown fchmod clock_gettime getaddrinfo getgrgid_r getgrnam_r \
+     getpwnam_r getpwuid_r gettimeofday getuid inet_ntop inet_pton mlock nanosleep \
+     pipe posix_fadvise posix_madvise posix_memalign setpgid setsid shm_open \
+     sigaction sleep sysconf pthread_setaffinity_np])
+Index: pulseaudio-0.9.15/src/pulsecore/core-util.c
+===================================================================
+--- pulseaudio-0.9.15.orig/src/pulsecore/core-util.c   2010-03-17 14:49:59.000000000 +0800
++++ pulseaudio-0.9.15/src/pulsecore/core-util.c        2010-03-17 14:51:37.680079062 +0800
+@@ -178,7 +178,7 @@
+ /** Creates a directory securely */
+ int pa_make_secure_dir(const char* dir, mode_t m, uid_t uid, gid_t gid) {
+     struct stat st;
+-    int r, saved_errno;
++    int r, saved_errno, fd;
+ 
+     pa_assert(dir);
+ 
+@@ -196,16 +196,45 @@
+     if (r < 0 && errno != EEXIST)
+         return -1;
+ 
+-#ifdef HAVE_CHOWN
++#ifdef HAVE_FSTAT
++    if ((fd = open(dir,
++#ifdef O_CLOEXEC
++                   O_CLOEXEC|
++#endif
++#ifdef O_NOCTTY
++                   O_NOCTTY|
++#endif
++#ifdef O_NOFOLLOW
++                   O_NOFOLLOW|
++#endif
++                   O_RDONLY)) < 0)
++        goto fail;
++
++    if (fstat(fd, &st) < 0) {
++        pa_assert_se(pa_close(fd) >= 0);
++        goto fail;
++    }
++
++    if (!S_ISDIR(st.st_mode)) {
++        pa_assert_se(pa_close(fd) >= 0);
++        errno = EEXIST;
++        goto fail;
++    }
++
++#ifdef HAVE_FCHOWN
+     if (uid == (uid_t)-1)
+         uid = getuid();
+     if (gid == (gid_t)-1)
+         gid = getgid();
+-    (void) chown(dir, uid, gid);
++    (void) fchown(fd, uid, gid);
++#endif
++
++#ifdef HAVE_FCHMOD
++    (void) fchmod(fd, m);
+ #endif
+ 
+-#ifdef HAVE_CHMOD
+-    chmod(dir, m);
++    pa_assert_se(pa_close(fd) >= 0);
++
+ #endif
+ 
+ #ifdef HAVE_LSTAT

diff --git a/recipes/pulseaudio/pulseaudio_0.9.15.bb b/recipes/pulseaudio/pulseaudio_0.9.15.bb
index 64ca916..760e408 100644 (file)
--- a/recipes/pulseaudio/pulseaudio_0.9.15.bb
+++ b/recipes/pulseaudio/pulseaudio_0.9.15.bb
@@ -1,7 +1,7 @@
 require pulseaudio.inc
 
 DEPENDS += "gdbm speex"
-PR = "${INC_PR}.4"
+PR = "${INC_PR}.5"
 
 inherit gettext
 
@@ -15,6 +15,7 @@ SRC_URI += "\
   file://fixbluezbuild.patch;patch=1 \
   file://tls_m4.patch;patch=1 \
   file://sbc-thumb.patch;patch=1 \
+  file://CVE-2009-1299.patch;patch=1 \
 "
 
 do_compile_prepend() {