pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mail/mutt Make sure that a temporary has been opened w...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/b7e00e78bf61
branches:  trunk
changeset: 520886:b7e00e78bf61
user:      tron <tron%pkgsrc.org@localhost>
date:      Wed Nov 01 13:32:32 2006 +0000

description:
Make sure that a temporary has been opened with proper permissions.
That fixes the security problem reported in CVE-2006-5298.

diffstat:

 mail/mutt/Makefile         |   3 ++-
 mail/mutt/distinfo         |   3 ++-
 mail/mutt/patches/patch-ad |  29 +++++++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)

diffs (62 lines):

diff -r 59e5c499b384 -r b7e00e78bf61 mail/mutt/Makefile
--- a/mail/mutt/Makefile        Wed Nov 01 13:02:37 2006 +0000
+++ b/mail/mutt/Makefile        Wed Nov 01 13:32:32 2006 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.144 2006/07/14 19:55:56 tron Exp $
+# $NetBSD: Makefile,v 1.145 2006/11/01 13:32:32 tron Exp $
 
 DISTNAME=              mutt-1.4.2.2i
+PKGREVISION=           1
 PKGNAME=               ${DISTNAME:C/i$//}
 CATEGORIES=            mail
 MASTER_SITES=          ftp://ftp.mutt.org/mutt/ \
diff -r 59e5c499b384 -r b7e00e78bf61 mail/mutt/distinfo
--- a/mail/mutt/distinfo        Wed Nov 01 13:02:37 2006 +0000
+++ b/mail/mutt/distinfo        Wed Nov 01 13:32:32 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.31 2006/07/14 19:55:56 tron Exp $
+$NetBSD: distinfo,v 1.32 2006/11/01 13:32:32 tron Exp $
 
 SHA1 (mutt-1.4.2.2i.tar.gz) = 0ee12f734f21186b143fa96a5ea79f72397747fb
 RMD160 (mutt-1.4.2.2i.tar.gz) = a749c13e9b56b0f3cf09ce5eabae3fd2edce4c0a
@@ -6,6 +6,7 @@
 SHA1 (patch-aa) = 057c11486bb855e321853a106992c8792b75b812
 SHA1 (patch-ab) = 46518ebcd144bdb19da3f2238455d25544539e23
 SHA1 (patch-ac) = acfece3438c1cadc43247c590045699be7212ede
+SHA1 (patch-ad) = e207b279b4b6cf9bd29f5537beedb3f34453b62d
 SHA1 (patch-ag) = c369b0b5d4855e50a016530f81190b2cbd47cef1
 SHA1 (patch-ah) = 04549728683b4250a26f6d6c7a212b8d505014d2
 SHA1 (patch-ai) = 317b736d6b9a896e1ee185cce37a1c2184c02cde
diff -r 59e5c499b384 -r b7e00e78bf61 mail/mutt/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/mutt/patches/patch-ad        Wed Nov 01 13:32:32 2006 +0000
@@ -0,0 +1,29 @@
+$NetBSD: patch-ad,v 1.8 2006/11/01 13:32:32 tron Exp $
+
+--- lib.c.orig 2002-04-29 18:12:18.000000000 +0100
++++ lib.c      2006-11-01 13:22:51.000000000 +0000
+@@ -351,8 +351,8 @@
+   struct stat osb, nsb;
+   int fd;
+ 
+-  if ((fd = open (path, flags, 0600)) < 0)
+-    return fd;
++  if ((fd = open (path, flags, S_IRUSR|S_IWUSR)) < 0)
++    return (-1);
+ 
+   /* make sure the file is not symlink */
+   if (lstat (path, &osb) < 0 || fstat (fd, &nsb) < 0 ||
+@@ -363,6 +363,13 @@
+     return (-1);
+   }
+ 
++  /* Make sure the file is owned by us and has save permissions. */
++  if (nsb.st_uid != geteuid() ||
++      (nsb.st_mode & (S_IRWXG|S_IRWXO)) != 0) {
++    close (fd);
++    return (-1);
++  }
++
+   return (fd);
+ }
+ 
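Review bot: In the second lib.c hunk, the new rejection path (`close (fd); return (-1);`) leaves errno unset, or set to whatever close() left behind, so a caller cannot tell a refused file (wrong owner, or group/other mode bits set) from an ordinary open() failure. Consider setting errno explicitly before the return. The check uses `nsb`, which the existing code fills with fstat() on the opened descriptor, so it tests the object that was actually opened rather than the path. The comment above it reads "save permissions" where "safe permissions" is meant. In the first lib.c hunk, `S_IRUSR|S_IWUSR` has the same value as the old `0600` and `return (-1)` matches what a failed open() already returned, so the behavioural change is entirely in the added post-open check. The patch header or commit message could say so.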


