head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.8 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.3.0.6 pkgsrc-2012Q4-base:1.3 pkgsrc-2011Q4:1.3.0.4 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q2:1.3.0.2 pkgsrc-2011Q2-base:1.3 pkgsrc-2009Q4:1.2.0.10 pkgsrc-2009Q4-base:1.2 pkgsrc-2009Q3:1.2.0.8 pkgsrc-2009Q3-base:1.2 pkgsrc-2009Q2:1.2.0.6 pkgsrc-2009Q2-base:1.2 pkgsrc-2009Q1:1.2.0.4 pkgsrc-2009Q1-base:1.2 pkgsrc-2008Q4:1.2.0.2 pkgsrc-2008Q4-base:1.2; locks; strict; comment @# @; 1.3 date 2010.03.01.02.58.26; author ahoka; state dead; branches; next 1.2; 1.2 date 2008.12.19.15.14.20; author ahoka; state Exp; branches; next 1.1; 1.1 date 2008.12.17.23.49.57; author ahoka; state Exp; branches; next ; desc @@ 1.3 log @Update to the 2.3.0 RC1 version. @ text @$NetBSD: patch-ae,v 1.2 2008/12/19 15:14:20 ahoka Exp $ --- cmus-status-display.orig 2007-07-27 16:52:13.000000000 +0200 +++ cmus-status-display @@@@ -19,7 +19,7 @@@@ output() { # write status to /tmp/cmus-status (not very useful though) - echo "$*" >> /tmp/cmus-status 2>&1 + echo "$*" >> $HOME/.cmus-status 2>&1 # WMI (http://wmi.modprobe.de/) #wmiremote -t "$*" &> /dev/null @ 1.2 log @Use a more elegant solution than in the previous commit. @ text @d1 1 a1 1 $NetBSD: patch-ae,v 1.1 2008/12/17 23:49:57 ahoka Exp $ @ 1.1 log @A security issue has been reported in cmus, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to the "cmus-status-display" script using temporary files in an insecure manner. This can be exploited to e.g. overwrite arbitrary files via symlink attacks. This commit fixes this issue. @ text @d1 1 a1 1 $NetBSD$ d5 1 a5 2 @@@@ -18,8 +18,13 @@@@ a7 3 + # write status to stdout + echo "$*" + d10 1 a10 3 + # WARNING! This opens a vulnerability to overwrite files with + # symlink attack if you use a predictable filename in /tmp. + #echo "$*" >> /tmp/cmus-status 2>&1 @
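Review bot: In the -19,7 +19,7 hunk, the new redirect target $HOME/.cmus-status is unquoted, so a home directory path containing whitespace can make the redirection fail or be treated as ambiguous, depending on the shell. Quote it: echo "$*" >> "$HOME/.cmus-status" 2>&1. The unchanged context comment directly above still reads "write status to /tmp/cmus-status", which no longer matches what the line does and should be updated to name the new location. If HOME is unset or empty, the target becomes /.cmus-status, so a guard such as ${HOME:?} would make that case fail loudly rather than write to the filesystem root. Moving the file out of the world-writable /tmp does address the symlink issue described in the 1.1 log, since other local users cannot pre-create the name inside the user's own home directory.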