diff --git a/audacious-plugins-2.2-tmp-vuln.patch b/audacious-plugins-2.2-tmp-vuln.patch
index 0da12a6..ef08586 100644
--- a/audacious-plugins-2.2-tmp-vuln.patch
+++ b/audacious-plugins-2.2-tmp-vuln.patch
@@ -1,83 +1,114 @@ diff -Nur audacious-plugins-2.2-orig/src/streambrowser/streambrowser.c audacious-plugins-2.2-tmp-vuln/src/streambrowser/streambrowser.c --- audacious-plugins-2.2-orig/src/streambrowser/streambrowser.c 2009-11-22 23:49:53.000000000 +0100 -+++ audacious-plugins-2.2-tmp-vuln/src/streambrowser/streambrowser.c 2010-02-05 20:44:34.000000000 +0100 -@@ -611,18 +611,21 @@ ++++ audacious-plugins-2.2-tmp-vuln/src/streambrowser/streambrowser.c 2010-02-06 19:35:33.000000000 +0100 +@@ -611,16 +611,20 @@ { gint playlist = aud_playlist_get_active(); gint entrycount = aud_playlist_entry_count(playlist); -+ gchar* tempname = g_strconcat( "file://", g_build_filename(audacious_get_localdir(), "streambrowser-tmp-playlist.pls", NULL) ); ++ gchar * unix_name = g_build_filename (audacious_get_localdir (), ++ PLAYLIST_TEMP_FILE, NULL); ++ gchar * uri_name = g_filename_to_uri (unix_name, NULL, NULL); if (strlen(streaminfo->playlist_url) > 0) { debug("fetching stream playlist for station '%s' from '%s'\n", streaminfo->name, streaminfo->playlist_url); - if (!fetch_remote_to_local_file(streaminfo->playlist_url, PLAYLIST_TEMP_FILE)) { - failure("shoutcast: stream playlist '%s' could not be downloaded to '%s'\n", streaminfo->playlist_url, PLAYLIST_TEMP_FILE); -+ if (!fetch_remote_to_local_file(streaminfo->playlist_url, tempname)) { -+ failure("shoutcast: stream playlist '%s' could not be downloaded to '%s'\n", streaminfo->playlist_url, tempname); -+ g_free(tempname); - return; +- return; ++ if (!fetch_remote_to_local_file(streaminfo->playlist_url, uri_name)) { ++ failure ("shoutcast: stream playlist '%s' could not be downloaded " ++ "to '%s'\n", streaminfo->playlist_url, uri_name); ++ goto DONE; } - debug("stream playlist '%s' successfuly downloaded to '%s'\n", streaminfo->playlist_url, PLAYLIST_TEMP_FILE); -+ debug("stream playlist '%s' successfuly downloaded to '%s'\n", streaminfo->playlist_url, tempname); ++ debug("stream playlist '%s' successfuly downloaded to '%s'\n", 
streaminfo->playlist_url, uri_name); - aud_playlist_insert_playlist(aud_playlist_get_active(), entrycount, PLAYLIST_TEMP_FILE); -+ aud_playlist_insert_playlist(aud_playlist_get_active(), entrycount, tempname); ++ aud_playlist_insert_playlist(aud_playlist_get_active(), entrycount, uri_name); debug("stream playlist '%s' added\n", streaminfo->playlist_url); } -+ g_free(tempname); - if (strlen(streaminfo->url) > 0) { +@@ -628,6 +632,10 @@ aud_playlist_insert_playlist(aud_playlist_get_active(), entrycount, streaminfo->url); + debug("stream '%s' added\n", streaminfo->url); + } ++ ++DONE: ++ g_free (unix_name); ++ g_free (uri_name); + } + + static void on_plugin_services_menu_item_click() diff -Nur audacious-plugins-2.2-orig/src/streambrowser/streambrowser.h audacious-plugins-2.2-tmp-vuln/src/streambrowser/streambrowser.h --- audacious-plugins-2.2-orig/src/streambrowser/streambrowser.h 2009-11-22 23:49:53.000000000 +0100 -+++ audacious-plugins-2.2-tmp-vuln/src/streambrowser/streambrowser.h 2010-02-05 20:43:50.000000000 +0100 -@@ -23,7 +23,6 @@ ++++ audacious-plugins-2.2-tmp-vuln/src/streambrowser/streambrowser.h 2010-02-06 19:29:11.000000000 +0100 +@@ -23,7 +23,7 @@ #define DEF_STRING_LEN 1024 #define DEF_BUFFER_SIZE 512 #define MAX_UPDATE_THREADS 4 -#define PLAYLIST_TEMP_FILE "file:///tmp/playlist.pls" ++#define PLAYLIST_TEMP_FILE "streambrowser-playlist-temp.pls" #define STREAMBROWSER_ICON_SMALL DATA_DIR G_DIR_SEPARATOR_S "images" G_DIR_SEPARATOR_S "streambrowser-16x16.png" #define STREAMBROWSER_ICON DATA_DIR G_DIR_SEPARATOR_S "images" G_DIR_SEPARATOR_S "streambrowser-64x64.png" diff -Nur audacious-plugins-2.2-orig/src/streambrowser/xiph.c audacious-plugins-2.2-tmp-vuln/src/streambrowser/xiph.c --- audacious-plugins-2.2-orig/src/streambrowser/xiph.c 2009-11-22 23:49:53.000000000 +0100 -+++ audacious-plugins-2.2-tmp-vuln/src/streambrowser/xiph.c 2010-02-05 20:43:41.000000000 +0100 -@@ -162,6 +162,8 @@ ++++ audacious-plugins-2.2-tmp-vuln/src/streambrowser/xiph.c 
2010-02-06 19:37:53.000000000 +0100 +@@ -162,6 +162,10 @@ static void refresh_streamdir(void) { -+ gchar* tempname = g_strconcat( "file://", g_build_filename(audacious_get_localdir(), "streambrowser-tmp-xiph_yp.xml", NULL) ); ++ gchar * unix_name = g_build_filename (audacious_get_localdir (), ++ XIPH_TEMP_FILENAME, NULL); ++ gchar * uri_name = g_filename_to_uri (unix_name, NULL, NULL); + /* free any previously fetched streamdir data */ if (xiph_entries != NULL) { free(xiph_entries); -@@ -170,13 +172,15 @@ +@@ -170,16 +174,18 @@ xiph_entry_count = 0; debug("xiph: fetching streaming directory file '%s'\n", XIPH_STREAMDIR_URL); - if (!fetch_remote_to_local_file(XIPH_STREAMDIR_URL, XIPH_TEMP_FILENAME)) { - failure("xiph: stream directory file '%s' could not be downloaded to '%s'\n", XIPH_STREAMDIR_URL, XIPH_TEMP_FILENAME); -+ if (!fetch_remote_to_local_file(XIPH_STREAMDIR_URL, tempname)) { -+ failure("xiph: stream directory file '%s' could not be downloaded to '%s'\n", XIPH_STREAMDIR_URL, tempname); -+ g_free(tempname); - return; +- return; ++ ++ if (! 
fetch_remote_to_local_file (XIPH_STREAMDIR_URL, uri_name)) { ++ failure ("xiph: stream directory file '%s' could not be downloaded to " ++ "'%s'\n", XIPH_STREAMDIR_URL, uri_name); ++ goto DONE; } - debug("xiph: stream directory file '%s' successfuly downloaded to '%s'\n", XIPH_STREAMDIR_URL, XIPH_TEMP_FILENAME); -+ debug("xiph: stream directory file '%s' successfuly downloaded to '%s'\n", XIPH_STREAMDIR_URL, tempname); ++ debug("xiph: stream directory file '%s' successfuly downloaded to '%s'\n", XIPH_STREAMDIR_URL, uri_name); - xmlDoc *doc = xmlReadFile(XIPH_TEMP_FILENAME, NULL, 0); -+ xmlDoc *doc = xmlReadFile(tempname, NULL, 0); -+ g_free(tempname); ++ xmlDoc *doc = xmlReadFile(uri_name, NULL, 0); if (doc == NULL) { failure("xiph: failed to read stream directory file\n"); - return; +- return; ++ goto DONE; + } + + xmlNode *root_node = xmlDocGetRootElement(doc); +@@ -222,6 +228,10 @@ + xmlFreeDoc(doc); + + debug("xiph: streaming directory successfuly loaded\n"); ++ ++DONE: ++ g_free (unix_name); ++ g_free (uri_name); + } + + static gboolean genre_match(gchar *string1, gchar *string2) diff -Nur audacious-plugins-2.2-orig/src/streambrowser/xiph.h audacious-plugins-2.2-tmp-vuln/src/streambrowser/xiph.h --- audacious-plugins-2.2-orig/src/streambrowser/xiph.h 2009-11-22 23:49:53.000000000 +0100 -+++ audacious-plugins-2.2-tmp-vuln/src/streambrowser/xiph.h 2010-02-05 20:42:47.000000000 +0100 -@@ -26,7 +26,6 @@ ++++ audacious-plugins-2.2-tmp-vuln/src/streambrowser/xiph.h 2010-02-06 19:29:26.000000000 +0100 +@@ -26,7 +26,7 @@ #define XIPH_NAME "Xiph" #define XIPH_ICON DATA_DIR G_DIR_SEPARATOR_S "images" G_DIR_SEPARATOR_S "xiph.png" #define XIPH_STREAMDIR_URL "http://dir.xiph.org/yp.xml" -#define XIPH_TEMP_FILENAME "file:///tmp/xiph_yp.xml" ++#define XIPH_TEMP_FILENAME "streambrowser-xiph-temp.xml" gboolean xiph_streaminfo_fetch(category_t *category, streaminfo_t *streaminfo); diff --git a/audacious-plugins.spec b/audacious-plugins.spec index 069fabe..32f1761 100644 
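Review bot: The result of `g_filename_to_uri (unix_name, NULL, NULL)` is used unchecked in both the streambrowser.c hunk and `refresh_streamdir` in xiph.c, although GLib returns NULL when the conversion fails (for example when the path is not absolute). That NULL would then reach `fetch_remote_to_local_file`, the `'%s'` arguments of `failure`/`debug`, and in xiph.c `xmlReadFile`; a guard placed right after the conversion, `if (uri_name == NULL) { failure ("streambrowser: cannot build temp file URI\n"); goto DONE; }`, keeps the new cleanup path intact. Moving the file out of `/tmp` closes the predictable-name problem only if the directory returned by `audacious_get_localdir ()` is writable by the user alone, and the file name is still fixed, so a short comment at the two `g_build_filename` calls stating that assumption would help the next reader. The streambrowser.c function begins outside the inner hunk, so whether anything earlier already validates that directory is not visible here.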
--- a/audacious-plugins.spec +++ b/audacious-plugins.spec @@ -5,7 +5,7 @@ Name: audacious-plugins Version: 2.2 -Release: 19%{?dist} +Release: 20%{?dist} Summary: Plugins for the Audacious media player Group: Applications/Multimedia URL: http://audacious-media-player.org/ @@ -53,7 +53,7 @@ Patch11: audacious-plugins-2.2-streambrowser-race.patch Patch12: audacious-plugins-2.2-ladspa.patch # Patch13: audacious-plugins-2.2-neon-error-handling.patch -# +# revised version merged upstream Patch14: audacious-plugins-2.2-tmp-vuln.patch BuildRequires: audacious-devel >= %{aud_ver} @@ -299,6 +299,10 @@ update-desktop-database &> /dev/null || : %changelog +* Sat Feb 6 2010 Michael Schwendt - 2.2-20 +- Use the John Lindgren's revised patch for the temp file vuln + (which properly frees also the g_build_filename allocated string). + * Fri Feb 5 2010 Michael Schwendt - 2.2-19 - Fix temp file vulnerability in streambrowser plugin.