Use patch supplied by Michael Schröder: http://bugzilla.suse.de [#39122, password protected]

Submitted to Gentoo by Karl Eichwalder <ke@gnu.franken.de>
Fix format string handling problems with command line parsing shar -o
Gentoo security bug #46998

5 files changed, 171 insertions, 9 deletions

diff --git a/app-arch/sharutils/ChangeLog b/app-arch/sharutils/ChangeLog
index 21bf6f92798f..a0c6c5250531 100644
--- a/app-arch/sharutils/ChangeLog
+++ b/app-arch/sharutils/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for app-arch/sharutils
 # Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-arch/sharutils/ChangeLog,v 1.8 2004/04/10 07:20:17 mr_bones_ Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-arch/sharutils/ChangeLog,v 1.9 2004/05/15 16:53:02 solar Exp $
+
+*sharutils-4.2.1-r9 (15 May 2004)
+
+  15 May 2004; <solar@gentoo.org> sharutils-4.2.1-r9.ebuild,
+  files/sharutils-4.2.1-buffer-check.patch:
+  Use patch supplied by Michael Schröder: http://bugzilla.suse.de [#39122,
+  password protected] Submitted to Gentoo by Karl Eichwalder <ke@gnu.franken.de>
+  Fix format string handling problems with command line parsing shar -o Gentoo
+  security bug #46998
 
   10 Apr 2004; Michael Sterrett <mr_bones_@gentoo.org>
   sharutils-4.2.1-r6.ebuild, sharutils-4.2.1-r7.ebuild,
diff --git a/app-arch/sharutils/Manifest b/app-arch/sharutils/Manifest
index 7b4a077f159d..f983551bad3d 100644
--- a/app-arch/sharutils/Manifest
+++ b/app-arch/sharutils/Manifest
@@ -1,9 +1,11 @@
-MD5 646e6324ea5d132ce52143222cb8bf9d ChangeLog 2992
+MD5 18bd121179048caea18fba964b6b43a2 ChangeLog 3387
 MD5 ad2c8d9e6aadb667f4d23695ea506711 sharutils-4.2.1-r6.ebuild 1379
 MD5 45aa49d0ec9ad55622e4576fcc6cfe82 sharutils-4.2.1-r7.ebuild 1263
 MD5 e1b8b5ee3ea291ad60c04ddc3ca1e106 sharutils-4.2.1-r8.ebuild 1373
+MD5 3e7b719567a159b382afcffb88b4c756 sharutils-4.2.1-r9.ebuild 1377
 MD5 a0ed4cfc65c5d37392c6b3816d3fbdbe files/digest-sharutils-4.2.1-r6 67
 MD5 7d4e2f6e03e950c25babc22219bee53d files/sharutils-4.2.1-r6-gentoo.diff 3253
 MD5 a0ed4cfc65c5d37392c6b3816d3fbdbe files/digest-sharutils-4.2.1-r7 67
 MD5 a0ed4cfc65c5d37392c6b3816d3fbdbe files/digest-sharutils-4.2.1-r8 67
-MD5 d9745ded9b7d77d91dbff930598badcd files/sharutils-4.2.1-buffer-check.patch 356
+MD5 aeb2dc437bac48b13e8ebc1d632013ad files/sharutils-4.2.1-buffer-check.patch 2416
+MD5 a0ed4cfc65c5d37392c6b3816d3fbdbe files/digest-sharutils-4.2.1-r9 67
diff --git a/app-arch/sharutils/files/digest-sharutils-4.2.1-r9 b/app-arch/sharutils/files/digest-sharutils-4.2.1-r9
new file mode 100644
index 000000000000..afb942300ec9
--- /dev/null
+++ b/app-arch/sharutils/files/digest-sharutils-4.2.1-r9
@@ -0,0 +1 @@
+MD5 b8ba1d409f07edcb335ff72a27bd9828 sharutils-4.2.1.tar.gz 306022
diff --git a/app-arch/sharutils/files/sharutils-4.2.1-buffer-check.patch b/app-arch/sharutils/files/sharutils-4.2.1-buffer-check.patch
index 96ad67645019..46cf35e8a7f4 100644
--- a/app-arch/sharutils/files/sharutils-4.2.1-buffer-check.patch
+++ b/app-arch/sharutils/files/sharutils-4.2.1-buffer-check.patch
@@ -1,11 +1,98 @@
---- src/shar.c.orig	2004-04-06 17:51:40.849154592 -0400
-+++ src/shar.c	2004-04-06 17:53:13.843017376 -0400
-@@ -1905,7 +1905,7 @@
+Index: src/shar.c
+===================================================================
+RCS file: /home/ke/cvsroot/sharutils/src/shar.c,v
+retrieving revision 1.22
+diff -u -r1.22 shar.c
+--- src/shar.c	2 Dec 2002 20:52:10 -0000	1.22
++++ src/shar.c	15 May 2004 09:13:16 -0000
+@@ -255,11 +255,11 @@
+ /* Position for first file in the shar file.  */
+ static off_t first_file_position;
+ 
+-/* Base for output filename.  FIXME: No fix limit in GNU... */
+-static char output_base_name[50];
++/* Base for output filename.  */
++static char *output_base_name;
+ 
+-/* Actual output filename.  FIXME: No fix limit in GNU... */
+-static char output_filename[50];
++/* Actual output filename.  */
++static char *output_filename;
+ 
+ static char *submitter_address = NULL;
+ 
+@@ -1727,7 +1727,12 @@
+ static void
+ open_output ()
+ {
+-  sprintf (output_filename, output_base_name, ++part_number);
++  size_t l;
++  l = strlen(output_base_name) + 128;
++  if (output_filename)
++    free(output_filename);
++  output_filename = xmalloc(l);
++  snprintf(output_filename, l, output_base_name, ++part_number);
+   output = fopen (output_filename, "w");
+   if (!output)
+     error (EXIT_FAILURE, errno, _("Opening `%s'"), output_filename);
+@@ -1907,6 +1912,42 @@
+     file_size_limit = lim;
+ }
+ 
++
++char *parse_output_base_name(char *arg)
++{
++  int c;
++  int hadarg = 0;
++  char *fmt, *p;
++
++  for (p = arg ; (c = *p++) != 0; )
++    {
++      if (c != '%')
++	continue;
++      c = *p++;
++      if (c == '%')
++	continue;
++      if (hadarg)
++	return 0;
++      while (c != 0 && strchr("#0+- 'I", c) != 0)
++	c = *p++;
++      while (c != 0 && c >= '0' && c <= '9')
++	c = *p++;
++      if (c == '.')
++	c = *p++;
++      while (c != 0 && c >= '0' && c <= '9')
++	c = *p++;
++      if (c == 0 || strchr("diouxX", c) == 0)
++	return 0;
++      hadarg = 1;
++    }
++  fmt = xmalloc(strlen(arg) + (hadarg ? 1 : 6));
++  strcpy(fmt, arg);
++  if (!hadarg)
++    strcat(fmt, ".%02d");
++  return fmt;
++}
++
++
+ /*---.
+ | ?  |
+ `---*/
+@@ -2047,9 +2088,14 @@
  	break;
  
        case 'o':
 -	strcpy (output_base_name, optarg);
-+	strncpy (output_base_name, optarg, sizeof(output_base_name));
- 	if (!strchr (output_base_name, '%'))
- 	  strcat (output_base_name, ".%02d");
+-	if (!strchr (output_base_name, '%'))
+-	  strcat (output_base_name, ".%02d");
++	if (output_base_name)
++	  free (output_base_name);
++        output_base_name = parse_output_base_name(optarg);
++        if (!output_base_name)
++	  {
++	    fprintf (stderr, _("illegal output prefix\n"));
++	    exit (EXIT_FAILURE);
++	  }
  	part_number = 0;
+ 	open_output ();
+ 	break;
diff --git a/app-arch/sharutils/sharutils-4.2.1-r9.ebuild b/app-arch/sharutils/sharutils-4.2.1-r9.ebuild
new file mode 100644
index 000000000000..0dc9b638d7d9
--- /dev/null
+++ b/app-arch/sharutils/sharutils-4.2.1-r9.ebuild
@@ -0,0 +1,63 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/sharutils/sharutils-4.2.1-r9.ebuild,v 1.1 2004/05/15 16:53:02 solar Exp $
+
+inherit eutils
+
+DESCRIPTION="Tools to deal with shar archives"
+HOMEPAGE="http://www.gnu.org/software/sharutils/"
+SRC_URI="mirror://gentoo/${P}.tar.gz
+	mirror://gnu/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~amd64 ~ppc ~sparc ~alpha ~hppa ~ia64 ~ppc64 ~s390 ~mips"
+IUSE="nls"
+
+RDEPEND="sys-apps/texinfo
+	nls? ( >=sys-devel/gettext-0.10.35 )"
+DEPEND="${RDEPEND}
+	>=sys-apps/sed-4"
+
+src_unpack() {
+	unpack ${A}
+	cd ${S}
+	epatch ${FILESDIR}/${P}-r6-gentoo.diff
+	epatch ${FILESDIR}/${P}-buffer-check.patch #46998
+
+	cd ${S}/po
+	cp ja_JP.EUC.po ja.po
+	cp ja_JP.EUC.gmo ja.gmo
+	sed -i \
+		-e 's/aangemaakt/aangemaakt\\n/' nl.po \
+			|| die "sed nl.po failed"
+	sed -i \
+		-e 's/de %dk/de %dk\\n/' pt.po \
+			|| die "sed pt.po failed"
+}
+
+src_compile() {
+	econf `use_enable nls` || die
+	emake || die "emake failed"
+}
+
+src_install() {
+	local x=
+
+	einstall \
+		localedir=${D}/usr/share/locale \
+		|| die
+
+	doman doc/*.[15]
+	# Remove some strange locales
+	cd ${D}/usr/share/locale
+	for x in *.
+	do
+	  rm -rf ${x}
+	done
+	rm -rf ${D}/usr/lib
+
+	cd ${S}
+	dodoc AUTHORS BACKLOG ChangeLog ChangeLog.OLD \
+		NEWS README README.OLD THANKS TODO
+}