From fde8138f44aa66be36220d6efe81891fe4146f2b Mon Sep 17 00:00:00 2001
From: Rob Browning <rlb@defaultvalue.org>
Date: Sat, 26 Apr 2008 22:27:13 -0700
Subject: [PATCH] Fix an insecurity in vcdiff's temporary file handling
 (CVE-2008-1694).

---
 debian/changelog                              |  8 +++--
 ...cdiff-tmp-file-handling-cve-2008-1694.diff | 33 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 debian/patches/fix-vcdiff-tmp-file-handling-cve-2008-1694.diff

diff --git a/debian/changelog b/debian/changelog
index 17a32764ae6..4ab93b734d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,14 @@
-emacs22 (22.2+2-2) unstable; urgency=low
+emacs22 (22.2+2-2) unstable; urgency=medium
 
   * Fix debian-expand-file-name-dfsg and describe-gnu-project (C-h C-p).
     Thanks to Valery V. Vorotyntsev <valery.vv@gmail.com>.
     (closes: #448391, #477215)
 
- -- Rob Browning <rlb@defaultvalue.org>  Sat, 26 Apr 2008 20:15:07 -0700
+  * Fix an insecurity in vcdiff's temporary file handling
+    (CVE-2008-1694). Thanks to Moritz Muehlenhoff <jmm@debian.org> and
+    Steve Grubb. (closes: #476611)
+
+ -- Rob Browning <rlb@defaultvalue.org>  Sat, 26 Apr 2008 22:02:40 -0700
 
 emacs22 (22.2+2-1) unstable; urgency=low
 
diff --git a/debian/patches/fix-vcdiff-tmp-file-handling-cve-2008-1694.diff b/debian/patches/fix-vcdiff-tmp-file-handling-cve-2008-1694.diff
new file mode 100644
index 00000000000..fa23579a213
--- /dev/null
+++ b/debian/patches/fix-vcdiff-tmp-file-handling-cve-2008-1694.diff
@@ -0,0 +1,33 @@
+* A problem with insecure temporary file handling in vcdiff has been fixed.
+  Patch: fix-vcdiff-tmp-file-handling-cve-2008-1694.diff
+  Provided-by: Moritz Muehlenhoff <jmm@debian.org>
+  Originally-reported-by: Steve Grubb
+  Date: Fri, 18 Apr 2008 00:00:45 +0200
+  Added-by: Rob Browning <rlb@defaultvalue.org>
+  Status: incorporated upstream
+
+  The vcdiff script should use temporary files more securely.  Without
+  this fix a local attacker might have been able to use a symlink
+  attack to force vcdiff to overwrite an arbitrary file.
+
+Index: sid/lib-src/vcdiff
+===================================================================
+--- sid.orig/lib-src/vcdiff
++++ sid/lib-src/vcdiff
+@@ -84,14 +84,14 @@
+ 	case $f in
+ 	s.* | */s.*)
+ 		if
+-			rev1=/tmp/geta$$
++			rev1=`mktemp /tmp/geta.XXXXXXXX`
+ 			get -s -p -k $sid1 "$f" > $rev1 &&
+ 			case $sid2 in
+ 			'')
+ 				workfile=`expr " /$f" : '.*/s.\(.*\)'`
+ 				;;
+ 			*)
+-				rev2=/tmp/getb$$
++				rev2=`mktemp /tmp/getb.XXXXXXXX`
+ 				get -s -p -k $sid2 "$f" > $rev2
+ 				workfile=$rev2
+ 			esac
diff --git a/debian/patches/series b/debian/patches/series
index 0deae65a2f1..28c2081c645 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,4 +7,5 @@ fix-vc-path.diff
 require-movemail-use-liblockfile.diff
 avoid-fakemail-mail-loss.diff
 version-mention-debian.diff
+fix-vcdiff-tmp-file-handling-cve-2008-1694.diff
 autofiles.diff
-- 
2.30.2