pkgsrc-Changes-HG archive

[pkgsrc/trunk]: pkgsrc/archivers/arc Security fix for CAN-2005-2945 and CAN-2...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/d6b22e720dea
branches:  trunk
changeset: 500322:d6b22e720dea
user:      salo <salo%pkgsrc.org@localhost>
date:      Thu Oct 06 14:23:39 2005 +0000

description:
Security fix for CAN-2005-2945 and CAN-2005-2992:

"arc 5.21j and earlier create temporary files with world-readable permissions,
which allows local users to read sensitive information from files created by
arc or marc."

http://www.zataz.net/adviso/arc-09052005.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2945

Patch from Debian.

diffstat:

 archivers/arc/Makefile         |   4 ++--
 archivers/arc/distinfo         |   3 ++-
 archivers/arc/patches/patch-ae |  30 ++++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)

diffs (62 lines):

diff -r 08e99f56b4eb -r d6b22e720dea archivers/arc/Makefile
--- a/archivers/arc/Makefile    Thu Oct 06 13:13:28 2005 +0000
+++ b/archivers/arc/Makefile    Thu Oct 06 14:23:39 2005 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.23 2005/04/15 04:36:45 snj Exp $
+# $NetBSD: Makefile,v 1.24 2005/10/06 14:23:39 salo Exp $
 
 DISTNAME=       arc521e.pl8
 PKGNAME=        arc-5.21e
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    archivers
 MASTER_SITES=   ftp://ftp.kiarchive.ru/pub/unix/arcers/
 EXTRACT_SUFX=   .tar.Z
diff -r 08e99f56b4eb -r d6b22e720dea archivers/arc/distinfo
--- a/archivers/arc/distinfo    Thu Oct 06 13:13:28 2005 +0000
+++ b/archivers/arc/distinfo    Thu Oct 06 14:23:39 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2005/05/08 05:45:42 minskim Exp $
+$NetBSD: distinfo,v 1.9 2005/10/06 14:23:39 salo Exp $
 
 SHA1 (arc521e.pl8.tar.Z) = 34210f9aeaac39a15b34e6aa400b38127b6a2a20
 RMD160 (arc521e.pl8.tar.Z) = 1fcd823b93b4e633244797ed231318c5bc741965
@@ -7,3 +7,4 @@
 SHA1 (patch-ab) = 64fba2f0b5d03f26e427ecddc70e2a9b6b2fc521
 SHA1 (patch-ac) = 64d87af431c6bc0ded0b26167782309a7bfadd8a
 SHA1 (patch-ad) = 6f82d17b8eb2f2353d7ebfffaec1d52673acc7a0
+SHA1 (patch-ae) = bb176dee99c3fbc43e0fa00a2ae2ebe00865cc72
diff -r 08e99f56b4eb -r d6b22e720dea archivers/arc/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/archivers/arc/patches/patch-ae    Thu Oct 06 14:23:39 2005 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-ae,v 1.1 2005/10/06 14:23:39 salo Exp $
+
+Security fix for CAN-2005-2945 and CAN-2005-2992, from Debian.
+
+--- arcsvc.c.orig      1992-04-15 00:58:40.000000000 +0200
++++ arcsvc.c   2005-10-06 16:07:28.000000000 +0200
+@@ -17,6 +17,9 @@
+        Computer Innovations Optimizing C86
+ */
+ #include <stdio.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
+ #include "arc.h"
+ #if   _MTS
+ #include <mts.h>
+@@ -52,7 +55,12 @@
+       }
+ #endif
+       if (chg) {              /* if opening for changes */
+-              if (!(new = fopen(newname, OPEN_W)))
++              int fd;
++
++              if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR, S_IREAD|S_IWRITE)) == -1)
++                      arcdie("Cannot create archive copy: %s", newname);
++
++              if (!(new = fdopen(fd, OPEN_W)))
+                       arcdie("Cannot create archive copy: %s", newname);
+ 
+       changing = chg;         /* note if open for changes */
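
Review bot: in the second arcsvc.c hunk, a failed fdopen() leaves both the open descriptor and the newly created newname behind when arcdie() is called. Unless arcdie() removes it, that stale file makes the O_CREAT|O_EXCL open fail on the next run, where the old fopen() call accepted an existing file. Suggest close(fd) and unlink(newname) before the second arcdie(). Both failures also print the same "Cannot create archive copy: %s" text with no errno, so a user cannot tell an already existing newname from a permissions or disk-space problem; appending strerror(errno) would help. S_IREAD|S_IWRITE are the legacy spellings of S_IRUSR|S_IWUSR, and the POSIX names would be preferable. The advisory quoted in the description names marc as well as arc, while this patch changes only arcsvc.c, so it is worth confirming that marc's temporary-file creation goes through this path or gets the same exclusive, owner-only open.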


