Debian Bug report logs - #110609
dialog: perl API creates a statically named temp file

Package: dialog; Maintainer for dialog is Santiago Vila <sanvila@debian.org>; Source for dialog is src:dialog.

Reported by: euclid80@yahoo.com

Date: Thu, 30 Aug 2001 01:48:02 UTC

Severity: important

Found in version 0.9a-20000118-3

Fixed in version dialog/0.9a-20011014-1

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Forwarded to "Thomas E. Dickey" <dickey@herndon4.his.com>


Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#110609; Package dialog.

Acknowledgement sent to euclid80@yahoo.com:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: euclid80@yahoo.com
To: submit@bugs.debian.org
Subject: dialog: perl API creates a statically named temp file
Date: Wed, 29 Aug 2001 19:35:17 -0600
Package: dialog
Version: 0.9a-20000118-3
Severity: important

The perl API in /usr/lib/perl5/dialog.pl uses a tmp file
(/tmp/dialogout) in its return_output subroutine.  This
prevents simultaneous use of the API by two processes
(also a security risk?).  The following is a patch which
solves the problem by removing the need for a temp file:


375c375
<     local ( $res );
---
>     local ( $res ) = 1;
377,388c377,386
<     open(SAVESTDERR, ">&STDERR");
<     open(STDERR, ">/tmp/dialogout");
<     $res = system($command);
<     close(STDERR);
<     open(STDERR, ">&SAVESTDERR");
<     
<     open(IN, "/tmp/dialogout");
<     if ($listp) {
< 	@dialog_result = ();
< 	while (<IN>) {
< 	    chop;
< 	    $dialog_result[@dialog_result] = $_;
---
> 	pipe(PARENT_READER, CHILD_WRITER);
> 	# We have to fork (as opposed to using "system") so that the parent
> 	# process can read from the pipe to avoid deadlock.
> 	my ($pid) = fork;
> 	if ($pid == 0) # child
> 	{
> 		close(PARENT_READER);
> 	    open(STDERR, ">&CHILD_WRITER");
> 	    exec($command);
> 		die("no exec");
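
Review bot: "my ($pid) = fork;" is followed directly by "if ($pid == 0)", with no check that fork succeeded. On failure fork returns undef, which compares equal to 0, so the calling process itself would take the child branch, redirect its own STDERR and run exec($command), replacing the caller. Test "defined $pid" first and return failure, and check the return value of pipe(...) the same way. In the child, die("no exec") can be caught by an eval further up the caller's stack, leaving a second copy of the parent's code running; exit the child immediately after a failed exec instead.
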
390,391c388,403
<     } else {
< 	$dialog_result = <IN>;
---
> 	if ($pid > 0) # parent
> 	{
> 		close( CHILD_WRITER );
>     	if ($listp)
> 		{
> 			@dialog_result = ();
> 			while (<PARENT_READER>)
> 			{
> 		    	chop;
> 			    $dialog_result[@dialog_result] = $_;
> 			}
> 		}
> 		else { $dialog_result = <PARENT_READER>; }
> 		close(PARENT_READER);
> 		waitpid($pid,0);
> 		$res = $?;
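
Review bot: in the non-list branch, "else { $dialog_result = <PARENT_READER>; }" reads a single line and the pipe is then closed before waitpid. If the child writes anything further to stderr it can be killed by SIGPIPE, and "$res = $?" would then be non-zero, so a dialog that completed normally is reported as failed; the temp-file version had no such coupling between output length and exit status. Read PARENT_READER to end-of-file before closing it, keeping only the first line.
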
393,395d404
<     close(IN);
<     unlink("/tmp/dialogout");
< 
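
Review bot: documentation point on the removed unlink("/tmp/dialogout") and the matching open(STDERR, ">/tmp/dialogout") removed above: the description presents this mainly as a concurrency fix, but a fixed name in a world-writable directory opened with ">" follows a symlink that already exists at that path and truncates its target with the caller's privileges. The changelog entry should say the change is security-relevant, so that anyone calling dialog.pl from a privileged script knows to upgrade.
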
397,401c406
<     if (! $res) {
< 	return 1;
<     } else {
< 	return 0;
<     }
---
>     if (! $res) { return 1; } else { return 0; }

-- System Information
Debian Release: 2.2
Kernel Version: Linux james 2.2.19 #1 Mon Aug 27 23:28:29 CST 2001 i686 unknown

Versions of the packages dialog depends on:
ii  debianutils    1.13.3         Miscellaneous utilities specific to Debian.
ii  libc6          2.1.3-18       GNU C Library: Shared libraries and Timezone
ii  libncurses5    5.0-6.0potato1 Shared libraries for terminal handling



Reply sent to Santiago Vila <sanvila@unex.es>:
You have marked Bug as forwarded.

Message #8 received at 110609-forwarded@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: "Thomas E. Dickey" <dickey@herndon4.his.com>
Cc: <110609-forwarded@bugs.debian.org>, <euclid80@yahoo.com>
Subject: Bug#110609: dialog: perl API creates a statically named temp file (fwd)
Date: Thu, 30 Aug 2001 11:44:55 +0200 (CEST)

Hello.

Received today.

---------- Forwarded message ----------
Date: Wed, 29 Aug 2001 19:35:17 -0600
From: euclid80@yahoo.com
To: submit@bugs.debian.org
Subject: Bug#110609: dialog: perl API creates a statically named temp file

Package: dialog
Version: 0.9a-20000118-3
Severity: important

The perl API in /usr/lib/perl5/dialog.pl uses a tmp file
(/tmp/dialogout) in its return_output subroutine.  This
prevents simultaneous use of the API by two processes
(also a security risk?).  The following is a patch which
solves the problem by removing the need for a temp file:


375c375
<     local ( $res );
---
>     local ( $res ) = 1;
377,388c377,386
<     open(SAVESTDERR, ">&STDERR");
<     open(STDERR, ">/tmp/dialogout");
<     $res = system($command);
<     close(STDERR);
<     open(STDERR, ">&SAVESTDERR");
<
<     open(IN, "/tmp/dialogout");
<     if ($listp) {
< 	@dialog_result = ();
< 	while (<IN>) {
< 	    chop;
< 	    $dialog_result[@dialog_result] = $_;
---
> 	pipe(PARENT_READER, CHILD_WRITER);
> 	# We have to fork (as opposed to using "system") so that the parent
> 	# process can read from the pipe to avoid deadlock.
> 	my ($pid) = fork;
> 	if ($pid == 0) # child
> 	{
> 		close(PARENT_READER);
> 	    open(STDERR, ">&CHILD_WRITER");
> 	    exec($command);
> 		die("no exec");
390,391c388,403
<     } else {
< 	$dialog_result = <IN>;
---
> 	if ($pid > 0) # parent
> 	{
> 		close( CHILD_WRITER );
>     	if ($listp)
> 		{
> 			@dialog_result = ();
> 			while (<PARENT_READER>)
> 			{
> 		    	chop;
> 			    $dialog_result[@dialog_result] = $_;
> 			}
> 		}
> 		else { $dialog_result = <PARENT_READER>; }
> 		close(PARENT_READER);
> 		waitpid($pid,0);
> 		$res = $?;
393,395d404
<     close(IN);
<     unlink("/tmp/dialogout");
<
397,401c406
<     if (! $res) {
< 	return 1;
<     } else {
< 	return 0;
<     }
---
>     if (! $res) { return 1; } else { return 0; }

-- System Information
Debian Release: 2.2
Kernel Version: Linux james 2.2.19 #1 Mon Aug 27 23:28:29 CST 2001 i686 unknown

Versions of the packages dialog depends on:
ii  debianutils    1.13.3         Miscellaneous utilities specific to Debian.
ii  libc6          2.1.3-18       GNU C Library: Shared libraries and Timezone
ii  libncurses5    5.0-6.0potato1 Shared libraries for terminal handling




Message #9 received at 110609-forwarded@bugs.debian.org:

From: "Thomas E. Dickey" <dickey@herndon4.his.com>
To: Santiago Vila <sanvila@unex.es>
Cc: <110609-forwarded@bugs.debian.org>, <euclid80@yahoo.com>
Subject: Re: Bug#110609: dialog: perl API creates a statically named temp file (fwd)
Date: Thu, 30 Aug 2001 06:13:59 -0400 (EDT)

On Thu, 30 Aug 2001, Santiago Vila wrote:

I suppose so (I haven't done anything with the perl interface; would be
nice to have an example script that _calls_ the interface - though I
suppose I could write one, it hasn't been an issue since I don't know
who uses that script).

> Hello.
>
> Received today.
>
> ---------- Forwarded message ----------
> Date: Wed, 29 Aug 2001 19:35:17 -0600
> From: euclid80@yahoo.com
> To: submit@bugs.debian.org
> Subject: Bug#110609: dialog: perl API creates a statically named temp file
>
> Package: dialog
> Version: 0.9a-20000118-3
> Severity: important
>
> The perl API in /usr/lib/perl5/dialog.pl uses a tmp file
> (/tmp/dialogout) in its return_output subroutine.  This
> prevents simultaneous use of the API by two processes
> (also a security risk?).  The following is a patch which
> solves the problem by removing the need for a temp file:
>
>
> 375c375
> <     local ( $res );
> ---
> >     local ( $res ) = 1;
> 377,388c377,386
> <     open(SAVESTDERR, ">&STDERR");
> <     open(STDERR, ">/tmp/dialogout");
> <     $res = system($command);
> <     close(STDERR);
> <     open(STDERR, ">&SAVESTDERR");
> <
> <     open(IN, "/tmp/dialogout");
> <     if ($listp) {
> < 	@dialog_result = ();
> < 	while (<IN>) {
> < 	    chop;
> < 	    $dialog_result[@dialog_result] = $_;
> ---
> > 	pipe(PARENT_READER, CHILD_WRITER);
> > 	# We have to fork (as opposed to using "system") so that the parent
> > 	# process can read from the pipe to avoid deadlock.
> > 	my ($pid) = fork;
> > 	if ($pid == 0) # child
> > 	{
> > 		close(PARENT_READER);
> > 	    open(STDERR, ">&CHILD_WRITER");
> > 	    exec($command);
> > 		die("no exec");
> 390,391c388,403
> <     } else {
> < 	$dialog_result = <IN>;
> ---
> > 	if ($pid > 0) # parent
> > 	{
> > 		close( CHILD_WRITER );
> >     	if ($listp)
> > 		{
> > 			@dialog_result = ();
> > 			while (<PARENT_READER>)
> > 			{
> > 		    	chop;
> > 			    $dialog_result[@dialog_result] = $_;
> > 			}
> > 		}
> > 		else { $dialog_result = <PARENT_READER>; }
> > 		close(PARENT_READER);
> > 		waitpid($pid,0);
> > 		$res = $?;
> 393,395d404
> <     close(IN);
> <     unlink("/tmp/dialogout");
> <
> 397,401c406
> <     if (! $res) {
> < 	return 1;
> <     } else {
> < 	return 0;
> <     }
> ---
> >     if (! $res) { return 1; } else { return 0; }
>
> -- System Information
> Debian Release: 2.2
> Kernel Version: Linux james 2.2.19 #1 Mon Aug 27 23:28:29 CST 2001 i686 unknown
>
> Versions of the packages dialog depends on:
> ii  debianutils    1.13.3         Miscellaneous utilities specific to Debian.
> ii  libc6          2.1.3-18       GNU C Library: Shared libraries and Timezone
> ii  libncurses5    5.0-6.0potato1 Shared libraries for terminal handling
>
>

-- 
T.E.Dickey <dickey@herndon4.his.com>
http://dickey.his.com
ftp://dickey.his.com




Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility.

Notification sent to euclid80@yahoo.com:
Bug acknowledged by developer.

Message #14 received at 110609-close@bugs.debian.org:

From: Santiago Vila <sanvila@debian.org>
To: 110609-close@bugs.debian.org
Subject: Bug#110609: fixed in dialog 0.9a-20011014-1
Date: Mon, 15 Oct 2001 14:54:34 -0400

We believe that the bug you reported is fixed in the latest version of
dialog, which has been installed in the Debian FTP archive:

dialog_0.9a-20011014-1.diff.gz
  to pool/main/d/dialog/dialog_0.9a-20011014-1.diff.gz
dialog_0.9a-20011014.orig.tar.gz
  to pool/main/d/dialog/dialog_0.9a-20011014.orig.tar.gz
dialog_0.9a-20011014-1.dsc
  to pool/main/d/dialog/dialog_0.9a-20011014-1.dsc
dialog_0.9a-20011014-1_i386.deb
  to pool/main/d/dialog/dialog_0.9a-20011014-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 110609@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated dialog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.6
Date: Mon, 15 Oct 2001 19:58:22 +0200
Source: dialog
Binary: dialog
Architecture: source i386
Version: 0.9a-20011014-1
Distribution: unstable
Urgency: low
Maintainer: Santiago Vila <sanvila@debian.org>
Description: 
 dialog     - Displays user-friendly dialog boxes from shell scripts
Closes: 99264 110609
Changes: 
 dialog (0.9a-20011014-1) unstable; urgency=low
 .
   * New upstream release, should fix the following bugs:
   - Allow scripts to alter the exit codes, mainly to distinguish ESC and
     ERROR exits. This is done by setting a shell variable such as DIALOG_ESC
     to a new value (Closes: #99264).
   - Modified dialog.pl to avoid using a statically-named tempfile, allowing
     multiple processes to use this script (Closes: #110609).
   * Added new sample script msgbox2 to the examples directory.
Files: 
 74d1c68135eee71153654800cf489216 628 misc optional dialog_0.9a-20011014-1.dsc
 3099b89807e88d47ad4567cc7964a7b0 194466 misc optional dialog_0.9a-20011014.orig.tar.gz
 10112233f0d3f522fade1e6f1396d44e 5268 misc optional dialog_0.9a-20011014-1.diff.gz
 8993dbae671afe8b4c3a63fb6944ccf8 97830 misc optional dialog_0.9a-20011014-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7yyS/d9Uuvj7yPNYRAjFwAJ9Au8cgSilVc9JAsWez+SW0Qy1jCACdFlsO
PU1CJbRY1I7ZPUkZlH8yny8=
=LyRo
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 14:06:16 2014; Machine Name: beach.debian.org
