apt-get: Create the temporary downloaded changelog inside tmpdir

The code is creating a secure temporary directory, but then creates
the changelog alongside the tmpdir in the same base directory. This
defeats the secure tmpdir creation, making the filename predictable.

Inject a '/' between the tmpdir and the changelog filename.

diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index 0cea05cb358f3694de447d69cc85cde28db6778c..13a85d34b003e80f267ba36607e0e7be5858ba48 100644 (file)
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -1588,7 +1588,7 @@ static bool DoChangelog(CommandLine &CmdL)
    {
       string changelogfile;
       if (downOnly == false)
-        changelogfile.append(tmpname).append("changelog");
+        changelogfile.append(tmpname).append("/changelog");
       else
         changelogfile.append(Ver.ParentPkg().Name()).append(".changelog");
       if (DownloadChangelog(Cache, Fetcher, Ver, changelogfile) && downOnly == false)