authorHans de Graaff <graaff@gentoo.org>2008-02-29 15:31:50 +0000
committerHans de Graaff <graaff@gentoo.org>2008-02-29 15:31:50 +0000
commit454473faaad20fe09c37864e6db2107393d169f6 (patch)
treee258b852fed61f557f1aeb58f87965af51875115 /dev-lang/wml
parentalpha/ia64/sparc/x86 stable (diff)
Fix insecure tmpfile usage #209927
Package-Manager: portage-2.1.4.4
Diffstat (limited to 'dev-lang/wml')
-rw-r--r--dev-lang/wml/ChangeLog11
-rw-r--r--dev-lang/wml/Manifest14
-rw-r--r--dev-lang/wml/files/wml-2.0.11-tmpfile.patch68
-rw-r--r--dev-lang/wml/wml-2.0.11-r3.ebuild61
4 files changed, 151 insertions, 3 deletions
diff --git a/dev-lang/wml/ChangeLog b/dev-lang/wml/ChangeLog
index 13bf1688e620..95f78cdaa41b 100644
--- a/dev-lang/wml/ChangeLog
+++ b/dev-lang/wml/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for dev-lang/wml
-# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/ChangeLog,v 1.37 2007/12/23 13:14:16 graaff Exp $
+# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/ChangeLog,v 1.38 2008/02/29 15:31:49 graaff Exp $
+
+*wml-2.0.11-r3 (29 Feb 2008)
+
+ 29 Feb 2008; Hans de Graaff <graaff@gentoo.org>
+ +files/wml-2.0.11-tmpfile.patch, +wml-2.0.11-r3.ebuild:
+ Fix insecure temporary file usage (CVE-2008-0665, CVE-2008-0666), Gentoo bug
+ #209927, based on a patch by Debian.
*wml-2.0.11-r2 (23 Dec 2007)
diff --git a/dev-lang/wml/Manifest b/dev-lang/wml/Manifest
index ec29e0caad32..2bef53f4ea07 100644
--- a/dev-lang/wml/Manifest
+++ b/dev-lang/wml/Manifest
@@ -1,8 +1,20 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
AUX 2.0.9-fix-configure.in.patch 1411 RMD160 54aa0b173fd0dc1fdc5f7f652682cec078f78a25 SHA1 762954af3422b7f3a1ed100023d71bdf279e0252 SHA256 e59dee3fd10b2cc9603f15fbff1ccdf466d5c9fd919c09c058a0aaa3b7064286
+AUX wml-2.0.11-tmpfile.patch 2367 RMD160 7141e7ffbabe0471d3cd508ca38b2755b646ed76 SHA1 d5bbef415b15ec4142ffd36a4b4b80b47078fff0 SHA256 335d4ae47ebd260743ee57b07509a56430b4ca221e1350f77ded2d6433787db0
AUX wml-2.0.9-autotools-update.patch 2720 RMD160 b1b7c2304660506a02cf74fc147a40f8de8c8e8f SHA1 12491ac4b82a085f69b71b33f63582eaf90d08a6 SHA256 09cfc157fb4e4a06070375161b0cd38eeed7154701f729196ed2753ea5c0a9c6
AUX wml-2.0.9-gcc41.patch 361 RMD160 7801e31d2e2d379c148902a697c46bec15cde831 SHA1 e2b904437a6a873d583def0600ac04257eef5d55 SHA256 7c983ec6d7f659eb1b152f03b98764df40d51b6b5d1ceb7fbee4a79b695c5e33
DIST wml-2.0.11.tar.gz 3115230 RMD160 fead82a35d116447b860d7b1c506c6de187355e8 SHA1 14dd7c23461716171a66b65676bca6e19a593007 SHA256 8e11ef19ea67ff9c4b28ff0fcacf5098881ac0c5f09ddfe3abc29f1e12be5d4a
EBUILD wml-2.0.11-r1.ebuild 1638 RMD160 33555233a5d62a798791b116e7b311fa65d13684 SHA1 40207572486bf6d702bfca0fc5ee635dd381d3f7 SHA256 4d0d5a08c72135aa17e211835c4b46a06abab2e52b8061e6bb54af1fce29be7f
EBUILD wml-2.0.11-r2.ebuild 1754 RMD160 99a204a00952deb78b48883f8e25de6dceda43c3 SHA1 2097b0890d6ccf11006338ff97966508abae907a SHA256 7de71309023ef7dd3e450879a08b5d493483a12a256d81860b8a775c142fcf0e
-MISC ChangeLog 4526 RMD160 9eeba495f3e70fcab12f0eda8309e2cddaaeacce SHA1 4b84f658bc0b49e2a20de2386f99b761eb48ab4f SHA256 64d3cc712410d6e1d46ec200f4ccc8b66a2e130fe9bb9dec50c2ce624710715c
+EBUILD wml-2.0.11-r3.ebuild 1801 RMD160 4111948184e6c67c9a71f9ea99cef894b25987f7 SHA1 ff1deb6f786e2ee1e41a480e728d56c9846b3ab8 SHA256 55676912f3d3dda7df6a8975a53a48e1d79c340dd347b9e0b224172a6a7d58c9
+MISC ChangeLog 4783 RMD160 ec5650e5ace63cfb3ddab090ffbd075935cf0de0 SHA1 235f83ee551f53c137bc92bcc3f83d0fc73fc749 SHA256 aec78ce82361d0c7fc369d756a3c86e7a0dbd2b0d6e131c0e15d387071d249d6
MISC metadata.xml 255 RMD160 2e04128b5183df88816f4d226448444d02439c3c SHA1 95202de91147c591bc326f12ec296131aa445e7b SHA256 4791ad0953ab9cd515144e1517b927fe1824859496dd7c84c32af20d5f99c20e
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.7 (GNU/Linux)
+
+iD8DBQFHyCV1QUozDL2JlH4RAiW6AJ934aGxKYYIGF99FR4bl2AqC4ieZwCfWGRC
+texFkv3E00hxS0j0GuclaKI=
+=2lNo
+-----END PGP SIGNATURE-----
diff --git a/dev-lang/wml/files/wml-2.0.11-tmpfile.patch b/dev-lang/wml/files/wml-2.0.11-tmpfile.patch
new file mode 100644
index 000000000000..d8cfccd9e442
--- /dev/null
+++ b/dev-lang/wml/files/wml-2.0.11-tmpfile.patch
@@ -0,0 +1,68 @@
+This patch fixes insecure tmpfile usage as mentioned in #209927. It is
+essentially the debian patch mentioned in that bug report.
+
+diff -u wml-2.0.11/wml_contrib/wmg.cgi wml-2.0.11/wml_contrib/wmg.cgi
+--- wml-2.0.11/wml_contrib/wmg.cgi
++++ wml-2.0.11/wml_contrib/wmg.cgi
+@@ -366,14 +366,7 @@
+ ($w, $h, $t) = Image::Size::imgsize(\$contents);
+ if ($w*$h == 1) {
+ # read image into GD
+- $tmpfile = "/tmp/pe.tmp.$$";
+- unlink($tmpfile);
+- open(TMP, ">$tmpfile");
+- print TMP $contents;
+- close(TMP);
+- open(TMP, "<$tmpfile");
+- $tmpimg = newFromGif GD::Image(TMP);
+- close(TMP);
++ $tmpimg = newFromGifData GD::Image($contents);
+ unlink($tmpfile);
+ if ($tmpimg->transparent != -1) {
+ my $im = new GD::Image($w, $h);
+diff -u wml-2.0.11/wml_backend/p1_ipp/ipp.src wml-2.0.11/wml_backend/p1_ipp/ipp.src
+--- wml-2.0.11/wml_backend/p1_ipp/ipp.src 2005-12-01 18:50:13.000000000 +0100
++++ wml-2.0.11/wml_backend/p1_ipp/ipp.src 2008-02-29 16:06:15.000000000 +0100
+@@ -17,6 +17,7 @@
+ use Getopt::Long 2.13;
+ use IO::Handle 1.15;
+ use IO::File 1.06;
++use File::Temp qw/ mkdtemp /;
+
+ #
+ # help functions
+@@ -564,8 +565,8 @@
+ #
+ # process the pre-loaded include files
+ #
+-$tmpdir = $ENV{'TMPDIR'} || '/tmp';
+-$tmpfile = $tmpdir . "/ipp.$$.tmp";
++my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
++$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";$tmpfile = $tmpdir . "/ipp.$$.tmp";
+ unlink($tmpfile);
+ $tmp = new IO::File;
+ $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
+--- wml-2.0.11.orig/wml_backend/p3_eperl/eperl_sys.c
++++ wml-2.0.11/wml_backend/p3_eperl/eperl_sys.c
+@@ -211,13 +211,20 @@
+ {
+ char ca[1024];
+ char *cp, *tmpdir;
++ char tmpfile[] = "eperl_sourceXXXXXX";
+ int i;
++ int fd = -1;
+
+ tmpdir = getenv ("TMPDIR");
+ if (tmpdir == (char *) NULL)
+ tmpdir="/tmp";
+
+- snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
++ snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
++ if ((fd = mkstemp(ca)) == -1) {
++ perror("Cannot create tmpfile");
++ return NULL;
++ }
++ close(fd);
+ ca[sizeof(ca)-1] = NUL;
+ cp = strdup(ca);
+ for (i = 0; mytmpfiles[i] != NULL; i++)
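Review bot: In the wmg.cgi hunk the `unlink($tmpfile);` kept directly after the new `$tmpimg = newFromGifData GD::Image($contents);` line has no preceding assignment any more, since the removed lines were the only place `$tmpfile` was set; with no temp file created it now unlinks whatever stale value (or undef, with a warning) the variable holds and should be removed together with the other temp-file lines. In the ipp.src hunk the directory created by `mkdtemp` is not removed anywhere visible here, so unless cleanup exists outside the hunk each run leaves an `ipp.XXXXXX` directory under TMPDIR; the following `unlink($tmpfile)` no longer covers that, and the two statements joined on the `$tmpdir = mkdtemp(...)` line should be split onto separate lines. In the eperl_sys.c hunk `close(fd)` right after `mkstemp` discards the descriptor and only the path is returned, so the caller presumably reopens by name; this stays safe only because the file now already exists with an unpredictable name and mode 0600, which deserves a comment on that line, and `id` and `mytmpfilecnt` are no longer referenced in this function after the change. The enclosing functions start and end outside the hunk.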
diff --git a/dev-lang/wml/wml-2.0.11-r3.ebuild b/dev-lang/wml/wml-2.0.11-r3.ebuild
new file mode 100644
index 000000000000..1d32b98a10d9
--- /dev/null
+++ b/dev-lang/wml/wml-2.0.11-r3.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/wml-2.0.11-r3.ebuild,v 1.1 2008/02/29 15:31:49 graaff Exp $
+
+inherit fixheadtails eutils autotools multilib
+
+DESCRIPTION="Website META Language"
+HOMEPAGE="http://thewml.org/"
+SRC_URI="http://thewml.org/distrib/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ia64 ~ppc ~s390 ~sparc ~x86"
+IUSE=""
+
+DEPEND="dev-libs/libpcre
+ dev-lang/perl"
+
+src_unpack() {
+ unpack ${A}
+ ht_fix_all
+ cd "${S}"
+
+ epatch "${FILESDIR}/wml-2.0.9-gcc41.patch"
+ epatch "${FILESDIR}/wml-2.0.9-autotools-update.patch"
+ epatch "${FILESDIR}/wml-2.0.11-tmpfile.patch"
+
+ einfo "Patching Makefile.in files to fix various problems"
+ # Patch Makefile to avoid stripping binaries
+ for m in $(find "${S}" -name Makefile.in -print); do
+ sed -i -e "s/-m 755 -s/-m 755/" "${m}" || die "Could not run sed on ${m}"
+ sed -i -e "/^libdir.*/s::libdir = \$(prefix)/$(get_libdir)\$(libsubdir):" "${m}" || die "Could not run sed on ${m}"
+ done
+
+ # Patch Makefile to avoid a dependency on lynx just for documentation
+ sed -i -e "s/lynx -dump -nolist -width=72/cat/" wml_aux/tidy/Makefile.in || die
+
+ for d in $(find "${S}" \( -name configure.ac -o -name configure.in \) -exec dirname {} \;); do
+ pushd ${d} &>/dev/null
+ AT_NOELIBTOOLIZE="yes" eautoreconf
+ popd &>/dev/null
+ done
+
+ elibtoolize
+}
+
+src_compile() {
+ econf --libdir=/usr/$(get_libdir) || die "./configure failed"
+ emake || die "emake failed"
+}
+
+# The default src_test first checks if 'make test' is possible using the '-n'
+# option of make, but this messes up the tests completely.
+src_test() {
+ emake -j1 test
+}
+
+src_install() {
+ einstall || die
+ dodoc ANNOUNCE BUGREPORT C* INSTALL MANIFEST README* SUPPORT VERSION*
+}
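Review bot: `emake -j1 test` in src_test has no `|| die`, so a failing test suite is silently ignored at build time while src_compile a few lines above dies on every failure; make it `emake -j1 test || die "tests failed"`. The `for d in $(find ...)` loop and the unquoted `pushd ${d}` also break on paths containing whitespace, although the unpacked source tree presumably has none. KEYWORDS are all testing (`~arch`) for a revision that carries the CVE-2008-0665/0666 fix, so stabilization presumably follows in a separate commit.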