[pkgsrc/trunk]: pkgsrc/textproc/po4a Stop po4a from writing files with known ...

[tonnerre <tonnerre%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/3c826625c942
branches:  trunk
changeset: 543117:3c826625c942
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Wed Jun 04 22:10:11 2008 +0000

description:
Stop po4a from writing files with known names into world-writable directories.
Fixes CVE-2007-4462.

diffstat:

 textproc/po4a/Makefile         |   4 ++--
 textproc/po4a/distinfo         |   3 ++-
 textproc/po4a/patches/patch-ab |  21 +++++++++++++++++++++
 3 files changed, 25 insertions(+), 3 deletions(-)

diffs (51 lines):

diff -r 80116048cbdc -r 3c826625c942 textproc/po4a/Makefile
--- a/textproc/po4a/Makefile    Wed Jun 04 15:07:58 2008 +0000
+++ b/textproc/po4a/Makefile    Wed Jun 04 22:10:11 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.9 2007/07/25 17:13:58 he Exp $
+# $NetBSD: Makefile,v 1.10 2008/06/04 22:10:11 tonnerre Exp $
 #
 
 DISTNAME=              po4a-0.23
-PKGREVISION=           3
+PKGREVISION=           4
 CATEGORIES=            textproc
 MASTER_SITES=          http://alioth.debian.org/download.php/1317/
 
diff -r 80116048cbdc -r 3c826625c942 textproc/po4a/distinfo
--- a/textproc/po4a/distinfo    Wed Jun 04 15:07:58 2008 +0000
+++ b/textproc/po4a/distinfo    Wed Jun 04 22:10:11 2008 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.1.1.1 2006/01/13 18:21:56 wiz Exp $
+$NetBSD: distinfo,v 1.2 2008/06/04 22:10:11 tonnerre Exp $
 
 SHA1 (po4a-0.23.tar.gz) = 749a7823c976befc6a84d443ef7225bd41477b59
 RMD160 (po4a-0.23.tar.gz) = 79174c0ed576ac793495be7addb407d919f3daf9
 Size (po4a-0.23.tar.gz) = 736399 bytes
 SHA1 (patch-aa) = 501a5fc0265d06285c13f3501793ad2a92c95081
+SHA1 (patch-ab) = 3c3745e57464e8ed2c5389f2490bbb28d400026d
diff -r 80116048cbdc -r 3c826625c942 textproc/po4a/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/po4a/patches/patch-ab    Wed Jun 04 22:10:11 2008 +0000
@@ -0,0 +1,21 @@
+$NetBSD: patch-ab,v 1.1 2008/06/04 22:10:11 tonnerre Exp $
+
+--- lib/Locale/Po4a/Po.pm.orig 2005-12-09 18:24:46.000000000 +0100
++++ lib/Locale/Po4a/Po.pm
+@@ -426,14 +426,14 @@ sub gettextize { 
+       # Make sure both type are the same
+       #
+       if ($typeorig ne $typetrans){
+-          $pores->write("/tmp/gettextization.failed.po");
++          $pores->write("gettextization.failed.po");
+           die wrap_msg(dgettext("po4a",
+               "po4a gettextization: Structure disparity between original and translated files:\n".
+               "msgid (at %s) is of type '%s' while\n".
+               "msgstr (at %s) is of type '%s'.\n".
+               "Original text: %s\n".
+               "Translated text: %s\n".
+-              "(result so far dumped to /tmp/gettextization.failed.po)")."%s",
++              "(result so far dumped to gettextization.failed.po)")."%s",
+               $reforig, $typeorig, $reftrans, $typetrans, $orig, $trans,$toobad);
+       }
+