The code is creating a secure temporary directory, but then creates
the changelog alongside the tmpdir in the same base directory. This
defeats the secure tmpdir creation, making the filename predictable.
Inject a '/' between the tmpdir and the changelog filename.
{
string changelogfile;
if (downOnly == false)
- changelogfile.append(tmpname).append("changelog");
+ changelogfile.append(tmpname).append("/changelog");
else
changelogfile.append(Ver.ParentPkg().Name()).append(".changelog");
if (DownloadChangelog(Cache, Fetcher, Ver, changelogfile) && downOnly == false)
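Review bot: on the `+` line the changelog moves from a sibling of the temporary directory to a file inside it, so any cleanup that runs after DownloadChangelog has to remove the file at the new path before removing tmpname. That cleanup is not part of this hunk; please confirm it unlinks changelogfile itself rather than a name rebuilt from tmpname + "changelog", otherwise the file and the directory would be left behind. A one-line comment above the append explaining that the file must live inside the directory, not beside it, would help keep the separator from being dropped again. The downOnly branch still writes Ver.ParentPkg().Name() + ".changelog" as a relative, predictable name. If that is intentional for download-only mode, it is worth saying so in the commit message.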