pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mail/p5-Mail-Audit Security fix for SA18652 / CVE-2005...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/3d317005d073
branches:  trunk
changeset: 507451:3d317005d073
user:      salo <salo%pkgsrc.org@localhost>
date:      Thu Feb 02 12:08:14 2006 +0000

description:
Security fix for SA18652 / CVE-2005-4536:

"Mail::Audit module logs to a temporary file with a predictable filename
 in an insecure fashion when logging is turned on."

Patch from Debian.

diffstat:

 mail/p5-Mail-Audit/Makefile         |   4 +-
 mail/p5-Mail-Audit/distinfo         |   4 ++-
 mail/p5-Mail-Audit/patches/patch-aa |  29 ++++++++++++++++++++++++++++
 mail/p5-Mail-Audit/patches/patch-ab |  38 +++++++++++++++++++++++++++++++++++++
 4 files changed, 72 insertions(+), 3 deletions(-)

diffs (102 lines):

diff -r 7afef286300a -r 3d317005d073 mail/p5-Mail-Audit/Makefile
--- a/mail/p5-Mail-Audit/Makefile       Thu Feb 02 09:29:25 2006 +0000
+++ b/mail/p5-Mail-Audit/Makefile       Thu Feb 02 12:08:14 2006 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.16 2005/08/06 06:19:22 jlam Exp $
+# $NetBSD: Makefile,v 1.17 2006/02/02 12:08:14 salo Exp $
 
 DISTNAME=      Mail-Audit-2.1
 PKGNAME=       p5-${DISTNAME}
 SVR4_PKGNAME=  p5mau
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    mail perl5
 MASTER_SITES=  ${MASTER_SITE_PERL_CPAN:=Mail/}
 
diff -r 7afef286300a -r 3d317005d073 mail/p5-Mail-Audit/distinfo
--- a/mail/p5-Mail-Audit/distinfo       Thu Feb 02 09:29:25 2006 +0000
+++ b/mail/p5-Mail-Audit/distinfo       Thu Feb 02 12:08:14 2006 +0000
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.4 2005/04/18 16:57:13 wiz Exp $
+$NetBSD: distinfo,v 1.5 2006/02/02 12:08:14 salo Exp $
 
 SHA1 (Mail-Audit-2.1.tar.gz) = 4fbfc782c8230025b793c2e15eff231acfa55f57
 RMD160 (Mail-Audit-2.1.tar.gz) = c59d006f1f9aa544e854be089f3fe793a8694d4f
 Size (Mail-Audit-2.1.tar.gz) = 21669 bytes
+SHA1 (patch-aa) = 8d1646afb5ac34de60fa19c2aa15c80210c9d6a7
+SHA1 (patch-ab) = e7d95c44d63dc2e78f30774e0c1092e59268376d
diff -r 7afef286300a -r 3d317005d073 mail/p5-Mail-Audit/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/p5-Mail-Audit/patches/patch-aa       Thu Feb 02 12:08:14 2006 +0000
@@ -0,0 +1,29 @@
+$NetBSD: patch-aa,v 1.1 2006/02/02 12:08:14 salo Exp $
+
+Security fix for SA18656, from Debian.
+
+--- Audit.pm.orig      2002-03-03 18:11:20.000000000 +0100
++++ Audit.pm   2006-02-02 12:48:52.000000000 +0100
+@@ -4,7 +4,13 @@
+ 
+ my $logging;
+ my $loglevel=3;
+-my $logfile = "/tmp/".getpwuid($>)."-audit.log";
++my $logfile;
++if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
++     $logfile = "$ENV{HOME}/.mail_audit.log"
++}
++else {
++     (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);
++}
+ 
+ # ----------------------------------------------------------
+ # no user-modifiable parts below this line.
+@@ -18,6 +24,7 @@
+ use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX);
+ # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity.  if not, we'll be Mail::Internet.
+ use Fcntl ':flock';
++use File::Temp qw(tempfile);
+ 
+ $ASSUME_MSGPREFIX = 0;
+ 
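Review bot: In the `else` branch of the first inner hunk, `(undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);` runs at module load and discards the returned handle, so every process that loads Audit.pm without a usable `$HOME` creates a new log file in the temp directory whether or not logging is turned on, and nothing visible here removes it. The code that later opens `$logfile` is outside the hunk and presumably reopens the file by name; keeping the handle instead of assigning it to `undef`, or deferring the `tempfile` call until logging is actually enabled, would avoid both the stray files and the reopen. The `$HOME` branch takes its path from the environment where the old code used the effective uid `$>`, and `-d $ENV{HOME}` does not show that the directory belongs to that user, which matters if the module can run with an inherited environment under a different uid. The patch header cites SA18656 while the commit message cites SA18652, so one of the two ids should be corrected.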
diff -r 7afef286300a -r 3d317005d073 mail/p5-Mail-Audit/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/p5-Mail-Audit/patches/patch-ab       Thu Feb 02 12:08:14 2006 +0000
@@ -0,0 +1,38 @@
+$NetBSD: patch-ab,v 1.1 2006/02/02 12:08:14 salo Exp $
+
+Security fix for SA18656, from Debian.
+
+--- Audit/MimeEntity.pm.orig   2002-01-18 01:23:32.000000000 +0100
++++ Audit/MimeEntity.pm        2006-02-02 12:48:52.000000000 +0100
+@@ -4,6 +4,7 @@
+ 
+ use strict;
+ use File::Path;
++use File::Temp qw(tempdir)
+ use MIME::Parser;
+ use MIME::Entity;
+ use Mail::Audit::MailInternet;
+@@ -12,10 +13,12 @@
+ 
+ $VERSION = '2.0';
+ 
+-$MIME_PARSER_TMPDIR = "/tmp/".getpwuid($>)."-mailaudit";
+-
+ my $parser = MIME::Parser->new();
+ 
++# Create a tempdir using File::Temp::tempdir, have it be destroyed at
++# END{} time.
++$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1);
++
+ my @to_rmdir;
+ 
+ sub autotype_new { 
+@@ -23,8 +26,6 @@
+     my $mailinternet = shift;
+ 
+     $parser->ignore_errors(1);
+-    mkdir ($MIME_PARSER_TMPDIR, 0777);
+-    if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = "/tmp" }
+     $parser->output_under($MIME_PARSER_TMPDIR);
+ 
+     # todo: add eval error trapping.  if there's a problem, return Mail::Audit::MailInternet as a fallback.
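Review bot: The added line `use File::Temp qw(tempdir)` in the first inner hunk has no terminating semicolon, so together with the following `use MIME::Parser;` the patched Audit/MimeEntity.pm will fail to compile; it should read `use File::Temp qw(tempdir);`. Correcting the patch changes its checksum, so the `SHA1 (patch-ab)` entry added to distinfo has to be regenerated as well. Separately, `$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1);` now runs at load time rather than inside `autotype_new`, and the old fallback to `/tmp` is gone, so a `tempdir` failure will abort module loading instead of degrading; a comment above that assignment saying this is intended would help the next maintainer. The body of `autotype_new` continues outside the hunk.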


