author | Hans de Graaff <graaff@gentoo.org> | 2008-02-29 15:31:50 +0000 |
---|---|---|
committer | Hans de Graaff <graaff@gentoo.org> | 2008-02-29 15:31:50 +0000 |
commit | 454473faaad20fe09c37864e6db2107393d169f6 (patch) | |
tree | e258b852fed61f557f1aeb58f87965af51875115 /dev-lang/wml | |
parent | alpha/ia64/sparc/x86 stable (diff) | |
Fix insecure tmpfile usage #209927
Package-Manager: portage-2.1.4.4
Diffstat (limited to 'dev-lang/wml')
-rw-r--r-- | dev-lang/wml/ChangeLog | 11 | ||||
-rw-r--r-- | dev-lang/wml/Manifest | 14 | ||||
-rw-r--r-- | dev-lang/wml/files/wml-2.0.11-tmpfile.patch | 68 | ||||
-rw-r--r-- | dev-lang/wml/wml-2.0.11-r3.ebuild | 61 |
4 files changed, 151 insertions, 3 deletions
diff --git a/dev-lang/wml/ChangeLog b/dev-lang/wml/ChangeLog
index 13bf1688e620..95f78cdaa41b 100644
--- a/dev-lang/wml/ChangeLog
+++ b/dev-lang/wml/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for dev-lang/wml
-# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/ChangeLog,v 1.37 2007/12/23 13:14:16 graaff Exp $
+# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/ChangeLog,v 1.38 2008/02/29 15:31:49 graaff Exp $
+
+*wml-2.0.11-r3 (29 Feb 2008)
+
+ 29 Feb 2008; Hans de Graaff <graaff@gentoo.org>
+ +files/wml-2.0.11-tmpfile.patch, +wml-2.0.11-r3.ebuild:
+ Fix insecure temporary file usage (CVE-2008-0665, CVE-2008-0666), Gentoo bug
+ #209927, based on a patch by Debian.
 *wml-2.0.11-r2 (23 Dec 2007)
diff --git a/dev-lang/wml/Manifest b/dev-lang/wml/Manifest
index ec29e0caad32..2bef53f4ea07 100644
--- a/dev-lang/wml/Manifest
+++ b/dev-lang/wml/Manifest
@@ -1,8 +1,20 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
 AUX 2.0.9-fix-configure.in.patch 1411 RMD160 54aa0b173fd0dc1fdc5f7f652682cec078f78a25 SHA1 762954af3422b7f3a1ed100023d71bdf279e0252 SHA256 e59dee3fd10b2cc9603f15fbff1ccdf466d5c9fd919c09c058a0aaa3b7064286
+AUX wml-2.0.11-tmpfile.patch 2367 RMD160 7141e7ffbabe0471d3cd508ca38b2755b646ed76 SHA1 d5bbef415b15ec4142ffd36a4b4b80b47078fff0 SHA256 335d4ae47ebd260743ee57b07509a56430b4ca221e1350f77ded2d6433787db0
 AUX wml-2.0.9-autotools-update.patch 2720 RMD160 b1b7c2304660506a02cf74fc147a40f8de8c8e8f SHA1 12491ac4b82a085f69b71b33f63582eaf90d08a6 SHA256 09cfc157fb4e4a06070375161b0cd38eeed7154701f729196ed2753ea5c0a9c6
 AUX wml-2.0.9-gcc41.patch 361 RMD160 7801e31d2e2d379c148902a697c46bec15cde831 SHA1 e2b904437a6a873d583def0600ac04257eef5d55 SHA256 7c983ec6d7f659eb1b152f03b98764df40d51b6b5d1ceb7fbee4a79b695c5e33
 DIST wml-2.0.11.tar.gz 3115230 RMD160 fead82a35d116447b860d7b1c506c6de187355e8 SHA1 14dd7c23461716171a66b65676bca6e19a593007 SHA256 8e11ef19ea67ff9c4b28ff0fcacf5098881ac0c5f09ddfe3abc29f1e12be5d4a
 EBUILD wml-2.0.11-r1.ebuild 1638 RMD160 33555233a5d62a798791b116e7b311fa65d13684 SHA1 40207572486bf6d702bfca0fc5ee635dd381d3f7 SHA256 4d0d5a08c72135aa17e211835c4b46a06abab2e52b8061e6bb54af1fce29be7f
 EBUILD wml-2.0.11-r2.ebuild 1754 RMD160 99a204a00952deb78b48883f8e25de6dceda43c3 SHA1 2097b0890d6ccf11006338ff97966508abae907a SHA256 7de71309023ef7dd3e450879a08b5d493483a12a256d81860b8a775c142fcf0e
-MISC ChangeLog 4526 RMD160 9eeba495f3e70fcab12f0eda8309e2cddaaeacce SHA1 4b84f658bc0b49e2a20de2386f99b761eb48ab4f SHA256 64d3cc712410d6e1d46ec200f4ccc8b66a2e130fe9bb9dec50c2ce624710715c
+EBUILD wml-2.0.11-r3.ebuild 1801 RMD160 4111948184e6c67c9a71f9ea99cef894b25987f7 SHA1 ff1deb6f786e2ee1e41a480e728d56c9846b3ab8 SHA256 55676912f3d3dda7df6a8975a53a48e1d79c340dd347b9e0b224172a6a7d58c9
+MISC ChangeLog 4783 RMD160 ec5650e5ace63cfb3ddab090ffbd075935cf0de0 SHA1 235f83ee551f53c137bc92bcc3f83d0fc73fc749 SHA256 aec78ce82361d0c7fc369d756a3c86e7a0dbd2b0d6e131c0e15d387071d249d6
 MISC metadata.xml 255 RMD160 2e04128b5183df88816f4d226448444d02439c3c SHA1 95202de91147c591bc326f12ec296131aa445e7b SHA256 4791ad0953ab9cd515144e1517b927fe1824859496dd7c84c32af20d5f99c20e
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.7 (GNU/Linux)
+
+iD8DBQFHyCV1QUozDL2JlH4RAiW6AJ934aGxKYYIGF99FR4bl2AqC4ieZwCfWGRC
+texFkv3E00hxS0j0GuclaKI=
+=2lNo
+-----END PGP SIGNATURE-----
diff --git a/dev-lang/wml/files/wml-2.0.11-tmpfile.patch b/dev-lang/wml/files/wml-2.0.11-tmpfile.patch
new file mode 100644
index 000000000000..d8cfccd9e442
--- /dev/null
+++ b/dev-lang/wml/files/wml-2.0.11-tmpfile.patch
@@ -0,0 +1,68 @@
+This patch fixes insecure tmpfile usage as mentioned in #209927. It is
+essentially the debian patch mentioned in that bug report.
+
+diff -u wml-2.0.11/wml_contrib/wmg.cgi wml-2.0.11/wml_contrib/wmg.cgi
+--- wml-2.0.11/wml_contrib/wmg.cgi
++++ wml-2.0.11/wml_contrib/wmg.cgi
+@@ -366,14 +366,7 @@
+ ($w, $h, $t) = Image::Size::imgsize(\$contents);
+ if ($w*$h == 1) {
+ # read image into GD
+- $tmpfile = "/tmp/pe.tmp.$$";
+- unlink($tmpfile);
+- open(TMP, ">$tmpfile");
+- print TMP $contents;
+- close(TMP);
+- open(TMP, "<$tmpfile");
+- $tmpimg = newFromGif GD::Image(TMP);
+- close(TMP);
++ $tmpimg = newFromGifData GD::Image($contents);
+ unlink($tmpfile);
+ if ($tmpimg->transparent != -1) {
+ my $im = new GD::Image($w, $h);
+diff -u wml-2.0.11/wml_backend/p1_ipp/ipp.src wml-2.0.11/wml_backend/p1_ipp/ipp.src
+--- wml-2.0.11/wml_backend/p1_ipp/ipp.src 2005-12-01 18:50:13.000000000 +0100
++++ wml-2.0.11/wml_backend/p1_ipp/ipp.src 2008-02-29 16:06:15.000000000 +0100
+@@ -17,6 +17,7 @@
+ use Getopt::Long 2.13;
+ use IO::Handle 1.15;
+ use IO::File 1.06;
++use File::Temp qw/ mkdtemp /;
+
+ #
+ # help functions
+@@ -564,8 +565,8 @@
+ #
+ # process the pre-loaded include files
+ #
+-$tmpdir = $ENV{'TMPDIR'} || '/tmp';
+-$tmpfile = $tmpdir . "/ipp.$$.tmp";
++my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
++$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";$tmpfile = $tmpdir . "/ipp.$$.tmp";
+ unlink($tmpfile);
+ $tmp = new IO::File;
+ $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
+--- wml-2.0.11.orig/wml_backend/p3_eperl/eperl_sys.c
++++ wml-2.0.11/wml_backend/p3_eperl/eperl_sys.c
+@@ -211,13 +211,20 @@
+ {
+ char ca[1024];
+ char *cp, *tmpdir;
++ char tmpfile[] = "eperl_sourceXXXXXX";
+ int i;
++ int fd = -1;
+
+ tmpdir = getenv ("TMPDIR");
+ if (tmpdir == (char *) NULL)
+ tmpdir="/tmp";
+
+- snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
++ snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
++ if ((fd = mkstemp(ca)) == -1) {
++ perror("Cannot create tmpfile");
++ return NULL;
++ }
++ close(fd);
+ ca[sizeof(ca)-1] = NUL;
+ cp = strdup(ca);
+ for (i = 0; mytmpfiles[i] != NULL; i++)
diff --git a/dev-lang/wml/wml-2.0.11-r3.ebuild b/dev-lang/wml/wml-2.0.11-r3.ebuild
new file mode 100644
index 000000000000..1d32b98a10d9
--- /dev/null
+++ b/dev-lang/wml/wml-2.0.11-r3.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/wml-2.0.11-r3.ebuild,v 1.1 2008/02/29 15:31:49 graaff Exp $
+
+inherit fixheadtails eutils autotools multilib
+
+DESCRIPTION="Website META Language"
+HOMEPAGE="http://thewml.org/"
+SRC_URI="http://thewml.org/distrib/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ia64 ~ppc ~s390 ~sparc ~x86"
+IUSE=""
+
+DEPEND="dev-libs/libpcre
+ dev-lang/perl"
+
+src_unpack() {
+ unpack ${A}
+ ht_fix_all
+ cd "${S}"
+
+ epatch "${FILESDIR}/wml-2.0.9-gcc41.patch"
+ epatch "${FILESDIR}/wml-2.0.9-autotools-update.patch"
+ epatch "${FILESDIR}/wml-2.0.11-tmpfile.patch"
+
+ einfo "Patching Makefile.in files to fix various problems"
+ # Patch Makefile to avoid stripping binaries
+ for m in $(find "${S}" -name Makefile.in -print); do
+ sed -i -e "s/-m 755 -s/-m 755/" "${m}" || die "Could not run sed on ${m}"
+ sed -i -e "/^libdir.*/s::libdir = \$(prefix)/$(get_libdir)\$(libsubdir):" "${m}" || die "Could not run sed on ${m}"
+ done
+
+ # Patch Makefile to avoid a dependency on lynx just for documentation
+ sed -i -e "s/lynx -dump -nolist -width=72/cat/" wml_aux/tidy/Makefile.in || die
+
+ for d in $(find "${S}" \( -name configure.ac -o -name configure.in \) -exec dirname {} \;); do
+ pushd ${d} &>/dev/null
+ AT_NOELIBTOOLIZE="yes" eautoreconf
+ popd &>/dev/null
+ done
+
+ elibtoolize
+}
+
+src_compile() {
+ econf --libdir=/usr/$(get_libdir) || die "./configure failed"
+ emake || die "emake failed"
+}
+
+# The default src_test first checks if 'make test' is possible using the '-n'
+# option of make, but this messes up the tests completely.
+src_test() {
+ emake -j1 test
+}
+
+src_install() {
+ einstall || die
+ dodoc ANNOUNCE BUGREPORT C* INSTALL MANIFEST README* SUPPORT VERSION*
+} |
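Review bot: `src_test` runs `emake -j1 test` with no `|| die`, unlike every other build step in this ebuild, so a failing test suite does not fail the merge; it should read `emake -j1 test || die "tests failed"`. In `src_unpack`, `pushd ${d}` is the one unquoted path expansion in a file that otherwise quotes `${S}`, `${m}` and `${FILESDIR}`; `pushd "${d}" &>/dev/null || die "pushd ${d} failed"` keeps it consistent and stops `eautoreconf` from running in the wrong directory if the find output is ever unexpected. The comment above `src_test` explains why the default is overridden but not why `-j1` is required; a short note there would save the next maintainer from re-testing a parallel run.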