netbsd-bugs: pkg/21812: make sure x11/Xaos never installs setuid root

Subject: pkg/21812: make sure x11/Xaos never installs setuid root
To: None <gnats-bugs@gnats.netbsd.org>
From: None <reed@reedmedia.net>
List: netbsd-bugs
Date: 06/06/2003 09:31:55
>Number:         21812
>Category:       pkg
>Synopsis:       make sure x11/Xaos never installs setuid root
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 06 16:33:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 1.6
>Organization:
http://bsd.reedmedia.net/
>Environment:
	
	
System: NetBSD rainier.reedmedia.net 1.6 NetBSD 1.6 (JCR-20020927) #3: Sat Sep 28 13:40:20 PDT 2002 reed@rainier.reedmedia.net:/usr/src/sys/arch/i386/compile/JCR-20020927 i386
Architecture: i386
Machine: i386
>Description:
On NetBSD, pkgsrc/x11/Xaos won't install setuid root
because it doesn't detect the libvga.

But maybe on another platform it will. This is not good,
because code has buffer overflows and a bugtraq announcement
indicates it is exploitable.
>How-To-Repeat:
	
>Fix:
This patch is so it never is setuid.

Index: x11/XaoS/distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/x11/XaoS/distinfo,v
retrieving revision 1.1
diff -b -u -r1.1 distinfo
--- x11/XaoS/distinfo	2002/03/25 16:19:30	1.1
+++ x11/XaoS/distinfo	2003/06/06 16:28:51
@@ -3,4 +3,4 @@
 SHA1 (XaoS-3.0.tar.gz) = 1537e5ec5a60dd018bc3bf8ee6cc8f81943b539b
 Size (XaoS-3.0.tar.gz) = 491049 bytes
 SHA1 (patch-aa) = 6e176f87e319f05f46c234df303a1cdf818921bd
-SHA1 (patch-ab) = c2b369ea5a372a0d8a2083fb7fab7345ff6a3d38
+SHA1 (patch-ab) = b0e802103b382c3177af3196badf21a3b4615547
Index: x11/XaoS/patches/patch-ab
===================================================================
RCS file: /cvsroot/pkgsrc/x11/XaoS/patches/patch-ab,v
retrieving revision 1.1
diff -b -u -r1.1 patch-ab
--- x11/XaoS/patches/patch-ab	2002/03/25 16:19:31	1.1
+++ x11/XaoS/patches/patch-ab	2003/06/06 16:28:51
@@ -1,12 +1,13 @@
-$NetBSD: patch-ab,v 1.1 2002/03/25 16:19:31 atatat Exp $
+$NetBSD$
 
-Run install-info
-
---- Makefile.in.orig	Wed Mar  4 16:49:12 1998
-+++ Makefile.in	Sun Mar 24 00:36:57 2002
-@@ -43,5 +43,5 @@
+--- Makefile.in.orig	Wed Mar  4 13:49:12 1998
++++ Makefile.in
+@@ -41,7 +41,7 @@ install: 
+ 	@INSTALL@ -m 444 catalogs/* $(datadir)/XaoS/catalogs
+ 	@INSTALL@ -m 444 doc/README doc/README.bugs doc/compilers.txt doc/ANNOUNCE doc/PROBLEMS doc/tutorial.txt $(datadir)/XaoS/doc
  	@INSTALL@ -m 444 doc/xaos.6 $(mandir)/man6
- 	@STICKY@
+-	@STICKY@
++#	@STICKY@
  	@INSTALL@ -m 444 doc/xaos.info $(infodir)
 -	#install-info doc/xaos.info 
 +	install-info --info-dir=${prefix}/info ${prefix}/info/xaos.info
>Release-Note:
>Audit-Trail:
>Unformatted: