From 36026451ce52055460d47ca8d6f5f3c219bb1c6e Mon Sep 17 00:00:00 2001
From: Juan RP <xtraeme@voidlinux.eu>
Date: Sun, 26 Jul 2015 09:02:04 +0200
Subject: [PATCH] Fix some insecure temporary files reported by Coverity.

---
 bin/xbps-create/main.c      | 4 +++-
 bin/xbps-rindex/repoflush.c | 5 ++++-
 lib/package_script.c        | 6 +++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/bin/xbps-create/main.c b/bin/xbps-create/main.c
index 4544fac5..2735d532 100644
--- a/bin/xbps-create/main.c
+++ b/bin/xbps-create/main.c
@@ -843,9 +843,11 @@ main(int argc, char **argv)
 	/*
 	 * Create a temp file to store archive data.
 	 */
-	tname = xbps_xasprintf(".xbps-pkg-XXXXXX");
+	tname = xbps_xasprintf(".xbps-pkg-XXXXXXXXX");
+	myumask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
 	pkg_fd = mkstemp(tname);
 	assert(pkg_fd != -1);
+	umask(myumask);
 	/*
 	 * Process the binary package's archive (ustar compressed with xz).
 	 */
diff --git a/bin/xbps-rindex/repoflush.c b/bin/xbps-rindex/repoflush.c
index 877560a7..0b56a95e 100644
--- a/bin/xbps-rindex/repoflush.c
+++ b/bin/xbps-rindex/repoflush.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013-2014 Juan Romero Pardines.
+ * Copyright (c) 2013-2015 Juan Romero Pardines.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44,13 +44,16 @@ repodata_flush(struct xbps_handle *xhp, const char *repodir,
 	struct archive *ar;
 	char *repofile, *tname, *buf;
 	int rv, repofd = -1;
+	mode_t mask;
 
 	/* Create a tempfile for our repository archive */
 	repofile = xbps_repo_path(xhp, repodir);
 	tname = xbps_xasprintf("%s.XXXXXXXXXX", repofile);
+	mask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
 	if ((repofd = mkstemp(tname)) == -1)
 		return false;
 
+	umask(mask);
 	/* Create and write our repository archive */
 	ar = archive_write_new();
 	assert(ar);
diff --git a/lib/package_script.c b/lib/package_script.c
index de27459c..690301cf 100644
--- a/lib/package_script.c
+++ b/lib/package_script.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2012-2013 Juan Romero Pardines.
+ * Copyright (c) 2012-2015 Juan Romero Pardines.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43,6 +43,7 @@ xbps_pkg_exec_buffer(struct xbps_handle *xhp,
 	const char *tmpdir, *version;
 	char *pkgname, *fpath;
 	int fd, rv;
+	mode_t mask;
 
 	assert(blob);
 	assert(pkgver);
@@ -71,12 +72,15 @@ xbps_pkg_exec_buffer(struct xbps_handle *xhp,
 	}
 
 	/* Create temp file to run script */
+	mask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
 	if ((fd = mkstemp(fpath)) == -1) {
+		umask(mask);
 		rv = errno;
 		xbps_dbg_printf(xhp, "%s: mkstemp %s\n",
 		    __func__, strerror(errno));
 		goto out;
 	}
+	umask(mask);
 	/* write blob to our temp fd */
 	ret = write(fd, blob, blobsiz);
 	if (ret == -1) {