GMT-6.4.0-alt1_10.x86_64	unsafe-tmp-usage-in-scripts	fail	The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/bin/gmt_shell_functions.sh: $ grep -A5 -B5 /tmp/ /usr/bin/gmt_shell_functions.sh cat <<- EOF > doc.kml <?xml version="1.0" encoding="UTF-8"?> <kml xmlns="http://www.opengis.net/kml/2.2"> <Document> EOF ls kml/*.kml > /tmp/$$.lis while read file; do name=$(basename $file .kml) cat << EOF >> doc.kml <NetworkLink> <name>$name</name> <Link> <href> $file </href> </Link> </NetworkLink> EOF done < /tmp/$$.lis cat << EOF >> doc.kml </Document> </kml> EOF zip -rq9 $name.kmz doc.kml kml if [ $remove -eq 0 ]; then mv -f kml/* .. fi rm -rf kml doc.kml /tmp/$$.lis } # For animations: Build animated gif from stills gmt_build_gif() { if [ $# -eq 0 ]; then -- usage: gmt_launch_jobs [-c <n_cpu>] [-l <nlines_per_cluster>] [-n] [-v] [-w] <commandfile> <commandfile> is a file with a list of all the commands -c Specify how many separate cores to use [$n_cpu] -l Specify how many lines constitute one job cluster [1] -n Dry-run. Do not launch jobs but leave core scripts as /tmp/gmt_launch_jobs.##.sh -r Remove core scripts when the jobs complete -v Verbose. Give progress messages -w Wait for completion of all core jobs before exiting EOF return -- *) echo "gmt_launch_jobs: No such option ($1)" >&2 ;; esac shift done egrep -v '^#|^$' $1 > /tmp/$$.sh nL=$(wc -l /tmp/$$.sh | awk '{printf "%d\n", $1}') n_chunks=$(gmt math -Q $nL $n_lines DIV =) bad=$(gmt math -Q $n_chunks DUP RINT SUB ABS 1e-10 GT =) if [ $bad -eq 1 ]; then echo "gmt_launch_jobs: Your number of commands is not a multiple of $n_lines" >&2 exit 1 -- tag="."$$ fi # Create n_cpu empty files for execution let cpu=0 while [ $cpu -lt $n_cpu ]; do printf "#!/usr/bin/env bash\n# gmt_launch_jobs command file chunk # ${cpu}\n#---------------------------------\n" > /tmp/gmt_launch_jobs${tag}.$cpu.sh let cpu=cpu+1 done # Distribute $n_lines from the commands across these core scripts let chunk=0; let cpu=0; let sub=n_lines-1; let last=0 while [ $chunk -lt $n_chunks ]; do let last=last+n_lines let first=last-sub sed -n ${first},${last}p /tmp/$$.sh >> /tmp/gmt_launch_jobs${tag}.$cpu.sh let cpu=cpu+1 if [ $cpu -eq $n_cpu ]; then let cpu=0 fi let chunk=chunk+1 done # Launch the $n_cpu scripts let cpu=0 while [ $cpu -lt $n_cpu ]; do if [ $blabber -eq 1 ]; then echo "gmt_launch_jobs: Starting /tmp/gmt_launch_jobs${tag}.$cpu.sh" >&2 fi if [ $do_remove -eq 1 ]; then echo "rm -f /tmp/gmt_launch_jobs${tag}.$cpu.sh" >> /tmp/gmt_launch_jobs${tag}.$cpu.sh fi if [ $dryrun -eq 0 ]; then bash /tmp/gmt_launch_jobs${tag}.$cpu.sh & fi let cpu=cpu+1 done rm -f /tmp/$$.sh if [ $do_wait -eq 1 ] && [ $dryrun -eq 0 ]; then wait # Wait until all jobs launched by this script have completed if [ $blabber -eq 1 ]; then echo "gmt_launch_jobs: All $n_cpu jobs completed" >&2 fi; 
GMT-common-6.4.0-alt1_10.noarch	unsafe-tmp-usage-in-scripts	fail	The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/gmt/tools/gmt_prepmex.sh: $ grep -A5 -B5 /tmp/ /usr/share/gmt/tools/gmt_prepmex.sh # First get a reliable absolute path to the bundle's top directory pushd $(dirname $0) > /dev/null BUNDLEDIR=$(pwd | sed -e sB/Contents/Resources/share/toolsBBg) popd > /dev/null # Set path to the new gmt installation MEXGMT5DIR=/tmp/$$/gmt # Set path to additional subdirectories MEXLIBDIR=$MEXGMT5DIR/lib MEXINCDIR=$MEXGMT5DIR/include MEXSHADIR=$MEXGMT5DIR/share MEXBINDIR=$MEXGMT5DIR/bin -- cp -r etc usr $MEXBINDIR # Now copy the lib files printf "gmt_prepmex.sh: Copy and rename libraries\n" >&2 cd $BUNDLEDIR/Contents/Resources/lib # Find a list of all libs shipped with the OSX bundle, except our own: ls *.dylib | egrep -v 'libgmt.dylib|libpostscriptlight.dylib' > /tmp/l.lis # For each, duplicate into /opt/gmt but add a leading X to each name while read lib; do new=$(echo $lib | awk '{printf "libX%s\n", substr($1,4)}') cp $lib $MEXLIBDIR/$new done < /tmp/l.lis # Copy the supplement shared plugin cp gmt/plugins/supplements.so $MEXLIBDIR/gmt/plugins cd $MEXLIBDIR ls *.dylib > /tmp/l.lis printf "gmt_prepmex.sh: Rebaptize libraries\n" >&2 # For all libs in $MEXLIBDIR, change internal references to contain the leading "X" while read lib; do otool -L $lib | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=$(echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}') if [ $k -eq 1 ]; then # Do the id change was=$(echo $lib | awk -F/ '{print substr($1,4)}') install_name_tool -id /opt/gmt/lib/$new $lib else install_name_tool -change $old /opt/gmt/lib/$new $lib fi let k=k+1 done < /tmp/t.lis done < /tmp/l.lis # Set links to the new libs ln -s libXgmt.dylib libgmt.dylib ln -s libXpostscriptlight.dylib libpostscriptlight.dylib ln -s libXgmt.6.dylib libXgmt.dylib ln -s libXpostscriptlight.6.dylib libXpostscriptlight.dylib -- fi fi # Do plugin supplement separately since not called lib* cd gmt/plugins otool -L supplements.so | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=$(echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}') install_name_tool -change $old /opt/gmt/lib/$new supplements.so let k=k+1 done < /tmp/t.lis # Do bin dir cd $MEXBINDIR otool -L gmt | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=$(echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}') install_name_tool -change $old /opt/gmt/lib/$new gmt let k=k+1 done < /tmp/t.lis chmod -R ugo+r $MEXGMT5DIR printf "gmt_prepmex.sh: Install /opt/gmt\n" >&2 sudo cp -fpR $MEXGMT5DIR /opt rm -rf /tmp/$$ cd $here version=$(/opt/gmt/bin/gmt-config --version) # Report cat << EOF >&2 gmt_prepmex.sh: Made updated GMT $version installation in /opt/gmt;