--- ./wml_contrib/wmg.cgi.CVE-2008-0665_CVE-2008-0666 2005-12-01 19:50:13.000000000 +0200
+++ ./wml_contrib/wmg.cgi 2008-03-22 22:38:40.781355117 +0200
@@ -367,14 +367,7 @@
 ($w, $h, $t) = Image::Size::imgsize(\$contents);
 if ($w*$h == 1) {
 # read image into GD
- $tmpfile = "/tmp/pe.tmp.$$";
- unlink($tmpfile);
- open(TMP, ">$tmpfile");
- print TMP $contents;
- close(TMP);
- open(TMP, "<$tmpfile");
- $tmpimg = newFromGif GD::Image(TMP);
- close(TMP);
+ $tmpimg = newFromGif GD::Image($contents);
 unlink($tmpfile);
 if ($tmpimg->transparent != -1) {
 my $im = new GD::Image($w, $h);
--- ./wml_backend/p1_ipp/ipp.src.CVE-2008-0665_CVE-2008-0666 2005-12-01 19:50:13.000000000 +0200
+++ ./wml_backend/p1_ipp/ipp.src 2008-03-22 22:38:40.780354378 +0200
@@ -17,6 +17,7 @@
 use Getopt::Long 2.13;
 use IO::Handle 1.15;
 use IO::File 1.06;
+use File::Temp;
 #
 # help functions
@@ -565,6 +566,8 @@
 # process the pre-loaded include files
 #
 $tmpdir = $ENV{'TMPDIR'} || '/tmp';
+my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
+$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";
 $tmpfile = $tmpdir . "/ipp.$$.tmp";
 unlink($tmpfile);
 $tmp = new IO::File;
--- ./wml_backend/p3_eperl/eperl_sys.c.CVE-2008-0665_CVE-2008-0666 2005-12-01 19:50:13.000000000 +0200
+++ ./wml_backend/p3_eperl/eperl_sys.c 2008-03-22 22:41:48.681350598 +0200
@@ -211,13 +211,20 @@
 {
 char ca[1024];
 char *cp, *tmpdir;
+ char tmpfile[]="eperl_sourceXXXXXX";
 int i;
+ int fd=-1;
 tmpdir = getenv ("TMPDIR");
 if (tmpdir == (char *) NULL) tmpdir="/tmp";
- snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
+ snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
+ if((fd = mkstemp(ca)) == -1){
+ perror("can not create tmpfile");
+ return NULL;
+ }
+ close(fd);
 ca[sizeof(ca)-1] = NUL;
 cp = strdup(ca);
 for (i = 0; mytmpfiles[i] != NULL; i++)
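Review bot: In wml_contrib/wmg.cgi the replacement line hands the raw image bytes to `newFromGif`, which in GD takes a filehandle or a file name, so `$contents` would be treated as something to open rather than decoded as image data. GD's in-memory constructor fits here: `$tmpimg = GD::Image->newFromGifData($contents);`. The context line `unlink($tmpfile);` that follows is now left over, since `$tmpfile` is no longer assigned in this hunk, and should be dropped. `$tmpimg` is dereferenced on the next line without a definedness check, so a failed decode would die at `->transparent`. The enclosing block starts and ends outside the hunk.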
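Review bot: In wml_backend/p1_ipp/ipp.src (hunk at -565) the directory returned by `mkdtemp` is never registered for removal, so unless code outside the hunk deletes it, each run leaves an `ipp.XXXXXX` directory behind under TMPDIR. File::Temp's `tempdir` handles creation, failure and cleanup together: `$tmpdir = tempdir('ipp.XXXXXX', DIR => ($ENV{'TMPDIR'} || '/tmp'), CLEANUP => 1);`. That also makes the preceding `$tmpdir = $ENV{'TMPDIR'} || '/tmp';` assignment and the `$tmpldir` variable unnecessary. A comment such as `# private 0700 directory, so the predictable ipp.$$.tmp name inside it is acceptable` would record why the file name itself was left unchanged.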
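Review bot: In wml_backend/p3_eperl/eperl_sys.c the added `return NULL;` after a failed mkstemp() is an early failure exit, and the callers are outside the hunk, so each one should be confirmed to check for NULL before using the returned name. The `id` argument no longer appears in the file name, and `ca[sizeof(ca)-1] = NUL;` is now redundant because snprintf already terminates the buffer. If the stage name is still wanted in the path, `snprintf(ca, sizeof(ca), "%s/%s.XXXXXX", tmpdir, id);` keeps it and removes the need for the separate `tmpfile[]` array. Because the descriptor is closed and the file is later reopened by name, a comment stating that the file is pre-created with mkstemp's owner-only mode and must not be unlinked and recreated by callers would help. The function's signature and tail lie outside the hunk.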