

[pkgsrc/trunk]: pkgsrc/converters Fix insecure-temporary-files, as reported i...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1d78e5d40cde
branches:  trunk
changeset: 543047:1d78e5d40cde
user:      dholland <dholland%pkgsrc.org@localhost>
date:      Sun Jun 01 21:46:37 2008 +0000

description:
Fix insecure-temporary-files, as reported in Debian bug 480972.
PKGREVISION++.

diffstat:

 converters/uudeview/Makefile         |   4 +-
 converters/uudeview/distinfo         |   3 +-
 converters/uudeview/patches/patch-ac |  42 ++++++++++++++++++
 converters/uulib/Makefile            |   4 +-
 converters/uulib/distinfo            |   4 +-
 converters/uulib/patches/patch-ab    |  17 +++++++
 converters/uulib/patches/patch-ac    |  83 ++++++++++++++++++++++++++++++++++++
 7 files changed, 151 insertions(+), 6 deletions(-)

diffs (209 lines):

diff -r d67849759f0c -r 1d78e5d40cde converters/uudeview/Makefile
--- a/converters/uudeview/Makefile      Sun Jun 01 19:52:55 2008 +0000
+++ b/converters/uudeview/Makefile      Sun Jun 01 21:46:37 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.27 2007/02/22 19:26:15 wiz Exp $
+# $NetBSD: Makefile,v 1.28 2008/06/01 21:49:56 dholland Exp $
 #
 
 DISTNAME=      uudeview-0.5.20
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    converters
 MASTER_SITES=  http://www.fpx.de/fp/Software/UUDeview/download/
 
diff -r d67849759f0c -r 1d78e5d40cde converters/uudeview/distinfo
--- a/converters/uudeview/distinfo      Sun Jun 01 19:52:55 2008 +0000
+++ b/converters/uudeview/distinfo      Sun Jun 01 21:46:37 2008 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.7 2005/02/23 16:12:35 agc Exp $
+$NetBSD: distinfo,v 1.8 2008/06/01 21:49:56 dholland Exp $
 
 SHA1 (uudeview-0.5.20.tar.gz) = 2c6ab7d355b545218bd0877d598bd5327d9fd125
 RMD160 (uudeview-0.5.20.tar.gz) = 9bb52fa3ad4979383ff16d1e8d8a302c5c794c66
 Size (uudeview-0.5.20.tar.gz) = 261574 bytes
 SHA1 (patch-aa) = bf7e281b7e0e2ceae6bc8c19c9e64cdb7d5a9d64
 SHA1 (patch-ab) = bdd62a84d0f62c697dd4440df861c343ffeb683a
+SHA1 (patch-ac) = 2ae6579816e2ee1273c2c8db6bf82b8954a3d16c
diff -r d67849759f0c -r 1d78e5d40cde converters/uudeview/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/converters/uudeview/patches/patch-ac      Sun Jun 01 21:46:37 2008 +0000
@@ -0,0 +1,42 @@
+$NetBSD: patch-ac,v 1.5 2008/06/01 21:49:56 dholland Exp $
+
+--- unix/uudeview.c.orig       2003-04-12 19:33:55.000000000 -0400
++++ unix/uudeview.c    2008-06-01 17:02:31.000000000 -0400
+@@ -31,6 +31,7 @@
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <signal.h>
++#include <paths.h>
+ 
+ #ifdef HAVE_FCNTL_H
+ #include <fcntl.h>
+@@ -440,6 +441,7 @@
+ {
+   static char buffer[1024];
+   char *stdfile;
++  int targetfd;
+   FILE *target;
+   size_t bytes;
+   int res;
+@@ -449,11 +451,20 @@
+     return 0;
+   }
+ 
+-  if ((stdfile = tempnam (NULL, "uu")) == NULL) {
++  if ((stdfile = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) {
+     fprintf (stderr, "proc_stdin: cannot get temporary file\n");
+     return 0;
+   }
+ 
++  if ((targetfd = mkstemp (stdfile)) < 0) {
++    fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
++           stdfile, strerror (errno));
++    _FP_free (stdfile);
++    return 0;
++  }
++
++  /* file now safely exists, reopen it with the right mode */
++  close(targetfd);
+   if ((target = fopen (stdfile, "wb")) == NULL) {
+     fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
+            stdfile, strerror (errno));
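Review bot: In proc_stdin the descriptor returned by mkstemp() is closed and the file is then reopened by name with `fopen (stdfile, "wb")`, so the stream is bound to whatever the path resolves to at that moment rather than to the file mkstemp() just created. Wrapping the descriptor directly avoids the second path lookup: `if ((target = fdopen (targetfd, "wb")) == NULL) {`, with `close (targetfd); unlink (stdfile);` in the failure branch. The same close-then-fopen pattern appears twice in converters/uulib/patches/patch-ac. Separately, `_PATH_TMP` hard-codes the directory, whereas the replaced `tempnam (NULL, "uu")` honoured TMPDIR, which may matter on systems with a per-user temporary directory. The function body starts and ends outside the inner hunks.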
diff -r d67849759f0c -r 1d78e5d40cde converters/uulib/Makefile
--- a/converters/uulib/Makefile Sun Jun 01 19:52:55 2008 +0000
+++ b/converters/uulib/Makefile Sun Jun 01 21:46:37 2008 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.41 2007/09/18 19:44:40 heinz Exp $
+# $NetBSD: Makefile,v 1.42 2008/06/01 21:46:37 dholland Exp $
 #
 
 DISTNAME=      uudeview-0.5.20
 PKGNAME=       uulib-0.5.20
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    converters
 MASTER_SITES=  http://www.fpx.de/fp/Software/UUDeview/download/
 
diff -r d67849759f0c -r 1d78e5d40cde converters/uulib/distinfo
--- a/converters/uulib/distinfo Sun Jun 01 19:52:55 2008 +0000
+++ b/converters/uulib/distinfo Sun Jun 01 21:46:37 2008 +0000
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.9 2005/11/03 20:05:54 rillig Exp $
+$NetBSD: distinfo,v 1.10 2008/06/01 21:46:37 dholland Exp $
 
 SHA1 (uudeview-0.5.20.tar.gz) = 2c6ab7d355b545218bd0877d598bd5327d9fd125
 RMD160 (uudeview-0.5.20.tar.gz) = 9bb52fa3ad4979383ff16d1e8d8a302c5c794c66
 Size (uudeview-0.5.20.tar.gz) = 261574 bytes
 SHA1 (patch-aa) = 8ea37995ef4426bcd008246b1465ad5428da7bd8
+SHA1 (patch-ab) = f23ca7945a0697dc8e49ba9c7765bfa655ed8566
+SHA1 (patch-ac) = 7322b738ba427515a508eff41cce4139d4fda86e
diff -r d67849759f0c -r 1d78e5d40cde converters/uulib/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/converters/uulib/patches/patch-ab Sun Jun 01 21:46:37 2008 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-ab,v 1.3 2008/06/01 21:46:37 dholland Exp $
+
+--- uulib/fptools.c.orig       2004-02-23 19:05:32.000000000 -0500
++++ uulib/fptools.c    2008-06-01 16:08:35.000000000 -0400
+@@ -517,6 +517,7 @@
+   return number;
+ }
+ 
++#if 0 /* insecure */
+ /*
+  * tempnam is not ANSI, but tmpnam is. Ignore the prefix here.
+  */
+@@ -526,3 +527,4 @@
+ {
+   return _FP_strdup (tmpnam (NULL));
+ }
++#endif
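Review bot: The `#if 0 /* insecure */` marker does not say what is insecure or what to use instead, so a later reader may simply re-enable the block. A fuller comment would help, for example `#if 0 /* insecure: tmpnam() only returns a name, the file is created later; use mkstemp() */`. The function's signature lies between the two inner hunks and is not visible here. Any prototype for it in a header presumably stays declared, so a leftover caller would fail at link time rather than at compile time.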
diff -r d67849759f0c -r 1d78e5d40cde converters/uulib/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/converters/uulib/patches/patch-ac Sun Jun 01 21:46:37 2008 +0000
@@ -0,0 +1,83 @@
+$NetBSD: patch-ac,v 1.1 2008/06/01 21:46:37 dholland Exp $
+
+--- uulib/uunconc.c.orig       2004-03-01 17:52:27.000000000 -0500
++++ uulib/uunconc.c    2008-06-01 17:05:57.000000000 -0400
+@@ -49,6 +49,7 @@
+ #include <errno.h>
+ #endif
+ 
++#include <paths.h>
+ #include <crc32.h>
+ #include <uudeview.h>
+ #include <uuint.h>
+@@ -1306,6 +1307,7 @@
+ {
+   int state=BEGIN, part=-1, res=0, hb;
+   long rsize, dsize, numbytes;
++  int dataoutfd;
+   FILE *datain, *dataout;
+   unsigned char r[8];
+   char *mode, *ntmp;
+@@ -1329,13 +1331,13 @@
+   else
+     mode = "wb";      /* otherwise in binary          */
+ 
+-  if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
++  if ((data->binfile = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) {
+     UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+              uustring (S_NO_TEMP_NAME));
+     return UURET_NOMEM;
+   }
+ 
+-  if ((dataout = fopen (data->binfile, mode)) == NULL) {
++  if ((dataoutfd = mkstemp (data->binfile)) < 0) {
+     /*
+      * we couldn't create a temporary file. Usually this means that TMP
+      * and TEMP aren't set
+@@ -1348,6 +1350,19 @@
+     uu_errno = errno;
+     return UURET_IOERR;
+   }
++
++  /* file now safely exists, reopen it using the right mode */
++  close (dataoutfd);
++  if ((dataout = fopen (data->binfile, mode)) < 0) {
++    UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
++             uustring (S_WR_ERR_TARGET),
++             data->binfile, strerror (uu_errno = errno));
++    _FP_free (data->binfile);
++    data->binfile = NULL;
++    uu_errno = errno;
++    return UURET_IOERR;
++  }
++
+   /*
+    * we don't have begin lines in Base64 or plain text files.
+    */
+@@ -1496,7 +1511,7 @@
+    */
+ 
+   if (data->uudet == BH_ENCODED && data->binfile) {
+-    if ((ntmp = tempnam (NULL, "uu")) == NULL) {
++    if ((ntmp = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) {
+       UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+                uustring (S_NO_TEMP_NAME));
+       progress.action = 0;
+@@ -1510,6 +1525,17 @@
+       free (ntmp);
+       return UURET_IOERR;
+     }
++    if ((dataoutfd = mkstemp (ntmp)) < 0) {
++      UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
++               uustring (S_NOT_OPEN_TARGET),
++               ntmp, strerror (uu_errno = errno));
++      progress.action = 0;
++      fclose (datain);
++      free   (ntmp);
++      return UURET_IOERR;
++    }
++    /* file now safely exists; reopen it with the right mode */
++    close (dataoutfd);
+     if ((dataout = fopen (ntmp, "wb")) == NULL) {
+       UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+                uustring (S_NOT_OPEN_TARGET),
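Review bot: The added reopen check `if ((dataout = fopen (data->binfile, mode)) < 0)` compares a FILE pointer with 0 using `<`, which does not detect fopen()'s NULL failure return, so the error branch is effectively dead and a NULL `dataout` would be used afterwards; it should read `== NULL`. That branch also frees `data->binfile` without removing the file mkstemp() already created, and reads errno again after `_FP_free`, which may have changed it. Adding `unlink (data->binfile);` before the free and dropping the second `uu_errno = errno;` would fix both. The retained comment saying failure usually means TMP and TEMP aren't set no longer matches code that uses a fixed `_PATH_TMP` template. The enclosing functions start and end outside the inner hunks.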


