GMT-5.4.5-alt1_1.x86_64 unsafe-tmp-usage-in-scripts fail The test discovered scripts with errors that a user could exploit to damage important system files. For example, if a script uses a temporary file created in the /tmp directory, any user can create a symlink with the same name (or matching the same pattern) in that directory in order to destroy or overwrite system files or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is the safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is accessible only by that user, and then sets TMPDIR and other variables to point to it. Hence it matters much less if you create a non-random filename, because nobody but you can access it. Found error in /usr/bin/gmt_shell_functions.sh: $ grep -A5 -B5 /tmp/ /usr/bin/gmt_shell_functions.sh cat <<- EOF > doc.kml EOF ls kml/*.kml > /tmp/$$.lis while read file; do cat <<- EOF >> doc.kml $file $file EOF done < /tmp/$$.lis cat <<- EOF >> doc.kml EOF zip -rq9 $name.kmz doc.kml kml if [ $remove -eq 0 ]; then mv -f kml/* .. fi rm -rf kml doc.kml /tmp/$$.lis } # For animations: Build animated gif from stills gmt_build_gif() { if [ $# -eq 0 ]; then -- usage: gmt_launch_jobs [-c ] [-l ] [-n] [-v] [-w] is a file with a list of all the commands -c Specify how many separate cores to use [$n_cpu] -l Specify how many lines constitute one job cluster [1] -n Dry-run. Do not launch jobs but leave core scripts as /tmp/gmt_launch_jobs.##.sh -r Remove core scripts when the jobs complete -v Verbose. 
Give progress messages -w Wait for completion of all core jobs before exiting EOF return -- *) echo "gmt_launch_jobs: No such option ($1)" >&2 ;; esac shift done egrep -v '^#|^$' $1 > /tmp/$$.sh nL=`wc -l /tmp/$$.sh | awk '{printf "%d\n", $1}'` n_chunks=`gmt math -Q $nL $n_lines DIV =` bad=`gmt math -Q $n_chunks DUP RINT SUB ABS 1e-10 GT =` if [ $bad -eq 1 ]; then echo "gmt_launch_jobs: Your number of commands is not a multiple of $n_lines" >&2 exit 1 -- tag="."$$ fi # Create n_cpu empty files for execution let cpu=0 while [ $cpu -lt $n_cpu ]; do printf "#!/bin/bash\n# gmt_launch_jobs command file chunk # ${cpu}\n#---------------------------------\n" > /tmp/gmt_launch_jobs${tag}.$cpu.sh let cpu=cpu+1 done # Distribute $n_lines from the commands across these core scripts let chunk=0; let cpu=0; let sub=n_lines-1; let last=0 while [ $chunk -lt $n_chunks ]; do let last=last+n_lines let first=last-sub sed -n ${first},${last}p /tmp/$$.sh >> /tmp/gmt_launch_jobs${tag}.$cpu.sh let cpu=cpu+1 if [ $cpu -eq $n_cpu ]; then let cpu=0 fi let chunk=chunk+1 done # Launch the $n_cpu scripts let cpu=0 while [ $cpu -lt $n_cpu ]; do if [ $blabber -eq 1 ]; then echo "gmt_launch_jobs: Starting /tmp/gmt_launch_jobs${tag}.$cpu.sh" >&2 fi if [ $do_remove -eq 1 ]; then echo "rm -f /tmp/gmt_launch_jobs${tag}.$cpu.sh" >> /tmp/gmt_launch_jobs${tag}.$cpu.sh fi if [ $dryrun -eq 0 ]; then bash /tmp/gmt_launch_jobs${tag}.$cpu.sh & fi let cpu=cpu+1 done rm -f /tmp/$$.sh if [ $do_wait -eq 1 ] && [ $dryrun -eq 0 ]; then wait # Wait until all jobs launched by this script have completed if [ $blabber -eq 1 ]; then echo "gmt_launch_jobs: All $n_cpu jobs completed" >&2 fi;
GMT-common-5.4.5-alt1_1.noarch unsafe-tmp-usage-in-scripts fail The test discovered scripts with errors that a user could exploit to damage important system files. For example, if a script uses a temporary file created in the /tmp directory, any user can create a symlink with the same name (or matching the same pattern) in that directory in order to destroy or overwrite system files or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is the safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is accessible only by that user, and then sets TMPDIR and other variables to point to it. Hence it matters much less if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/gmt/tools/gmt_prepmex.sh: $ grep -A5 -B5 /tmp/ /usr/share/gmt/tools/gmt_prepmex.sh # First get a reliable absolute path to the bundle's top directory pushd `dirname $0` > /dev/null BUNDLEDIR=`pwd | sed -e sB/Contents/Resources/share/toolsBBg` popd > /dev/null # Set path to the new gmt installation MEXGM5TDIR=/tmp/$$/gmt # Set path to additional subdirectories MEXLIBDIR=$MEXGM5TDIR/lib MEXINCDIR=$MEXGM5TDIR/include MEXSHADIR=$MEXGM5TDIR/share MEXBINDIR=$MEXGM5TDIR/bin -- cp -r etc usr $MEXBINDIR # Now copy the lib files printf "gmt_prepmex.sh: Copy and rename libraries\n" >&2 cd $BUNDLEDIR/Contents/Resources/lib # Find a list of all libs shipped with the OSX bundle, except our own: ls *.dylib | egrep -v 'libgmt.dylib|libpostscriptlight.dylib' > /tmp/l.lis # For each, duplicate into /opt/gmt but add a leading X to each name while read lib; do new=`echo $lib | awk '{printf "libX%s\n", substr($1,4)}'` cp $lib $MEXLIBDIR/$new done < /tmp/l.lis # Copy the supplement shared plugin cp gmt/plugins/supplements.so $MEXLIBDIR/gmt/plugins cd $MEXLIBDIR ls *.dylib > /tmp/l.lis printf "gmt_prepmex.sh: Rebaptize libraries\n" >&2 # For all libs in $MEXLIBDIR, change internal references to 
contain the leading "X" while read lib; do otool -L $lib | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=`echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}'` if [ $k -eq 1 ]; then # Do the id change was=`echo $lib | awk -F/ '{print substr($1,4)}'` install_name_tool -id /opt/gmt/lib/$new $lib else install_name_tool -change $old /opt/gmt/lib/$new $lib fi let k=k+1 done < /tmp/t.lis done < /tmp/l.lis # Set links to the new libs ln -s libXgmt.dylib libgmt.dylib ln -s libXpostscriptlight.dylib libpostscriptlight.dylib ln -s libXgmt.5.dylib libXgmt.dylib ln -s libXpostscriptlight.5.dylib libXpostscriptlight.dylib -- fi fi # Do plugin supplement separately since not called lib* cd gmt/plugins otool -L supplements.so | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=`echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}'` install_name_tool -change $old /opt/gmt/lib/$new supplements.so let k=k+1 done < /tmp/t.lis # Do bin dir cd $MEXBINDIR otool -L gmt | grep executable_path | awk '{print $1}' > /tmp/t.lis let k=1 while read old; do new=`echo $old | awk -F/ '{printf "libX%s\n", substr($NF,4)}'` install_name_tool -change $old /opt/gmt/lib/$new gmt let k=k+1 done < /tmp/t.lis chmod -R ugo+r $MEXGM5TDIR printf "gmt_prepmex.sh: Install /opt/gmt\n" >&2 sudo cp -fpR $MEXGM5TDIR /opt rm -rf /tmp/$$ cd $here version=`/opt/gmt/bin/gmt-config --version` # Report cat << EOF >&2 gmt_prepmex.sh: Made updated GMT $version installation in /opt/gmt Found error in /usr/share/gmt/tools/gmt_make_custom_code.sh: $ grep -A5 -B5 /tmp/ /usr/share/gmt/tools/gmt_make_custom_code.sh # Make sure we get both upper- and lower-case versions of the tag U_TAG=`echo $LIB | tr '[a-z]' '[A-Z]'` L_TAG=`echo $LIB | tr '[A-Z]' '[a-z]'` # Look in current dir grep "#define THIS_MODULE_LIB" *.c | awk -F: '{print $1}' | sort > /tmp/tmp.lis rm -f /tmp/NAME.lis /tmp/LIB.lis /tmp/PURPOSE.lis /tmp/KEYS.lis /tmp/all.lis while read program; 
do grep "#define THIS_MODULE_NAME" $program | awk '{print $3}' | sed -e 's/"//g' >> /tmp/NAME.lis grep "#define THIS_MODULE_LIB" $program | awk '{print $3}' | sed -e 's/"//g' >> /tmp/LIB.lis grep "#define THIS_MODULE_PURPOSE" $program | sed -e 's/#define THIS_MODULE_PURPOSE//g' | awk '{print $0}' >> /tmp/PURPOSE.lis grep "#define THIS_MODULE_KEYS" $program | sed -e 's/#define THIS_MODULE_KEYS//g' | awk '{print $0}' >> /tmp/KEYS.lis done < /tmp/tmp.lis # Prepend group+name so we can get a list sorted on group name then individual programs paste /tmp/LIB.lis /tmp/NAME.lis | awk '{printf "%s%s|%s\n", $1, $2, $2}' > /tmp/SORT.txt paste /tmp/SORT.txt /tmp/LIB.lis /tmp/PURPOSE.lis /tmp/KEYS.lis | sort -k1 > /tmp/SORTED.txt awk -F"|" '{print $2}' /tmp/SORTED.txt > /tmp/$LIB.txt rm -f /tmp/tmp.lis /tmp/NAME.lis /tmp/LIB.lis /tmp/PURPOSE.lis /tmp/KEYS.lis /tmp/SORTED.txt /tmp/SORT.txt # Extract the extension purpose string from CMakeLists.txt LIB_STRING=`grep LIB_STRING CMakeLists.txt | awk -F= '{print $NF}'` # The output file produced -- /* Declaration modifiers for DLL support (MSC et al) */ #include "declspec.h" /* Prototypes of all modules in the GMT ${L_TAG} library */ EOF gawk '{printf "EXTERN_MSC int GMT_%s (void *API, int mode, void *args);\n", $1;}' /tmp/$LIB.txt >> ${FILE_CUSTOM_MODULE_H} cat << EOF >> ${FILE_CUSTOM_MODULE_H} /* Pretty print all modules in the GMT ${L_TAG} library and their purposes */ EXTERN_MSC void gmt_${L_TAG}_module_show_all (void *API); 
/* List all modules in the GMT ${L_TAG} library to stdout */ -- gawk ' BEGIN { FS = "\t"; } { printf "\t{\"%s\", \"%s\", %s, %s},\n", $1, $2, $4, $6; }' /tmp/$LIB.txt >> ${FILE_CUSTOM_MODULE_C} cat << EOF >> ${FILE_CUSTOM_MODULE_C} {NULL, NULL, NULL, NULL} /* last element == NULL detects end of array */ }; EOF;
GMT-doc-5.4.5-alt1_1.noarch unsafe-tmp-usage-in-scripts fail The test discovered scripts with errors that a user could exploit to damage important system files. For example, if a script uses a temporary file created in the /tmp directory, any user can create a symlink with the same name (or matching the same pattern) in that directory in order to destroy or overwrite system files or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is the safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is accessible only by that user, and then sets TMPDIR and other variables to point to it. Hence it matters much less if you create a non-random filename, because nobody but you can access it. Found error in /usr/share/doc/gmt/supplements/misc/dim.template.sh: $ grep -A5 -B5 /tmp/ /usr/share/doc/gmt/supplements/misc/dim.template.sh if [ ! -f $ors ]; then mkdir -p $orsout gmt grdcut $bathy $box -G/tmp/$$.t.nc # the area of interest # A.1. Set filter parameters for an equidistant set of filters: minW= # Minimum filter width candidate for ORS (e.g., 60) in km maxW= # Maximum filter width candidate for ORS (e.g., 600) in km intW= # Filter width step (e.g., 20) in km -- STEP=`gmt gmtmath -T$minW/$maxW/$intW -N1/0 =` for width in $STEP do echo "W = $width km" gmt dimfilter $bathy $box -G/tmp/$$.dim.nc -F${dim_filter}${width} -D${dim_dist} -N${dim_quantity}${dim_sectors} # DiM filter gmt grdfilter /tmp/$$.dim.nc -G$orsout/dim.${width}.nc -F${dim_smooth_type}${dim_smooth_width} -D${dim_dist} # smoothing gmt grdmath /tmp/$$.t.nc $orsout/dim.${width}.nc SUB = /tmp/$$.sd.nc # residual from DiM gmt grdvolume /tmp/$$.sd.nc -Sk -C$level -Vl | awk '{print r,$2,$3,$4}' r=${width} >> $ors # ORS from DiM done fi # B) Compute DiM-based regional -- let n_widths=0 for i in $width do if [ ! 
-f $orsout/dim.${i}.nc ]; then echo "filtering W = ${i} km" gmt dimfilter $bathy $box -G/tmp/$$.dim.nc -F${dim_filter}${i} -D${dim_dist} -N${dim_quantity}${dim_sectors} # DiM filter gmt grdfilter /tmp/$$.dim.nc -G$orsout/dim.${i}.nc -F${dim_smooth_type}${dim_smooth_width} -D${dim_dist} # smoothing fi if [ ! -f $alldepth ]; then gmt grd2xyz -Z $orsout/dim.${i}.nc > /tmp/$$.${i}.depth fi let n_widths=n_widths+1 done if [ ! -f $alldepth ]; then paste /tmp/$$.*.depth > /tmp/$$.t.depth # the number of columns can be different for each case awk '{print $1," ",$2," ",$3," ",$4," ",$5," ",$6," ",$7," ",$8," ",$9}' /tmp/$$.t.depth > $alldepth awk '{for (k = 1; k <= '"$n_widths"', k++) print $1," ",$2," ",$3," ",$4," ",$5," ",$6," ",$7," ",$8," ",$9}' /tmp/$$.t.depth > $alldepth gmt grd2xyz $bathy $box -V > $bathy.xyz fi gmt dimfilter $alldepth -Q${n_widths} > /tmp/$$.out wc -l /tmp/$$.out $bathy.xyz paste $bathy.xyz /tmp/$$.out | awk '{print $1,$2,$4}' > /tmp/$$.dim.xyz paste $bathy.xyz /tmp/$$.out | awk '{print $1,$2,$5}' > /tmp/$$.err.xyz gmt xyz2grd /tmp/$$.dim.xyz -G$dim -I1m $box -V -r gmt xyz2grd /tmp/$$.err.xyz -G$err -I1m $box -V -r fi;