pkgsrc-Changes archive


CVS commit: pkgsrc/textproc/miller



Module Name:    pkgsrc
Committed By:   fcambus
Date:           Thu Sep  3 08:14:13 UTC 2020

Modified Files:
        pkgsrc/textproc/miller: Makefile distinfo

Log Message:
miller: update to 5.9.1.

ChangeLog:

Security update: disallow --prepipe in .mlrrc

As of Miller 5.9.0, you can have a .mlrrc file containing preferred flags.

As reported in #363, it would be possible for someone to prepare a repository
or some other zipfile/tarfile, for example, containing datasets, and send it
to you. They could have a line of the form prepipe do_something_bad; cat in
that repository, so when you ran any mlr commands in there, it would run the
do_something_bad command (whatever that might be).

The fix is (a) disallow prepipe within .mlrrc files; (b) as a consolation,
allow new prepipe-zcat and prepipe-gunzip options which are safe to use.

Fixes CVE-2020-15167.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 pkgsrc/textproc/miller/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/textproc/miller/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/miller/Makefile
diff -u pkgsrc/textproc/miller/Makefile:1.19 pkgsrc/textproc/miller/Makefile:1.20
--- pkgsrc/textproc/miller/Makefile:1.19        Thu Aug 20 14:01:27 2020
+++ pkgsrc/textproc/miller/Makefile     Thu Sep  3 08:14:13 2020
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.19 2020/08/20 14:01:27 fcambus Exp $
+# $NetBSD: Makefile,v 1.20 2020/09/03 08:14:13 fcambus Exp $
 
-DISTNAME=      mlr-5.9.0
+DISTNAME=      mlr-5.9.1
 PKGNAME=       ${DISTNAME:S/mlr/miller/}
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=johnkerl/}
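
Review bot: The unchanged context line CATEGORIES= devel does not match the directory this package lives in, pkgsrc/textproc/miller. pkgsrc packages normally list the directory's category first, so this would read CATEGORIES= textproc devel (or just textproc). It is independent of the DISTNAME bump to mlr-5.9.1, so a follow-up commit would do.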

Index: pkgsrc/textproc/miller/distinfo
diff -u pkgsrc/textproc/miller/distinfo:1.18 pkgsrc/textproc/miller/distinfo:1.19
--- pkgsrc/textproc/miller/distinfo:1.18        Thu Aug 20 14:01:27 2020
+++ pkgsrc/textproc/miller/distinfo     Thu Sep  3 08:14:13 2020
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.18 2020/08/20 14:01:27 fcambus Exp $
+$NetBSD: distinfo,v 1.19 2020/09/03 08:14:13 fcambus Exp $
 
-SHA1 (mlr-5.9.0.tar.gz) = ed7e896f9d88cc7c9c082d7cc5ed5cd1082ab7be
-RMD160 (mlr-5.9.0.tar.gz) = a8e5e43023c77831301eff884b5d46c41b21c3f0
-SHA512 (mlr-5.9.0.tar.gz) = 45c67b0841417787ed1bd4c96f1d63d695c6b28dc7386eeb167aa5194ae0080c61be2aa69d39f80200bc3787dcfdb74a437005df2474bcd94eda03d510984eae
-Size (mlr-5.9.0.tar.gz) = 1270452 bytes
+SHA1 (mlr-5.9.1.tar.gz) = 5493910bf727141df1aa6c2a2be60ed6e20d3a06
+RMD160 (mlr-5.9.1.tar.gz) = de4c6e1f5f7b1a074d3c30a73be0f5aa5e0b69af
+SHA512 (mlr-5.9.1.tar.gz) = ea16a917c500be442a8a4bff37c5de92a4924f9adc1c121bb28a5b4aba87f9429bf17127718639544a6e83f0e2519e9fe5860ed961c4f83486105970b2be39be
+Size (mlr-5.9.1.tar.gz) = 1270739 bytes
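
Review bot: The new SHA1/RMD160/SHA512/Size lines for mlr-5.9.1.tar.gz are the only thing binding this security update to a specific tarball, and nothing in the commit shows they were compared with anything beyond the file fetched via MASTER_SITE_GITHUB. Suggest checking the SHA512 value against an independently downloaded copy of the 5.9.1 release. SHA1 is no longer collision-resistant, so the SHA512 line is the one to rely on.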



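A defensive check for the scenario the ChangeLog describes, added here as an example and not part of the commit or of Miller: it walks an unpacked repository or archive and reports every .mlrrc line that sets prepipe, before any mlr command is run there. The accepted line syntax (optional leading dashes, flag and value separated by = or whitespace, # comments) is an assumption, and the file contents are constructed samples.

```python
import os
import re
import tempfile


def parse_mlrrc_line(line):
    """Return (flag, value) for one .mlrrc line, or None for blanks/comments.

    Assumed syntax: optional leading dashes, then the flag name, then the value
    after "=" or whitespace. Flags without a value yield an empty string.
    """
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    parts = re.split(r"\s*=\s*|\s+", text.lstrip("-"), maxsplit=1)
    value = parts[1].strip() if len(parts) > 1 else ""
    return parts[0], value


def find_prepipe(root):
    """List (relative path, line number, command) for prepipe lines under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".mlrrc" not in files:
            continue
        path = os.path.join(dirpath, ".mlrrc")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                parsed = parse_mlrrc_line(line)
                # Exact match only: prepipe-zcat and prepipe-gunzip take no
                # command and are the options the ChangeLog calls safe.
                if parsed and parsed[0] == "prepipe":
                    hits.append((os.path.relpath(path, root), lineno, parsed[1]))
    return sorted(hits)


def demo():
    """Build a constructed tree with three sample .mlrrc files and scan it."""
    samples = {
        "datasets/.mlrrc": "# constructed sample\nicsv\nprepipe do_something_bad; cat\n",
        "safe/.mlrrc": "--ojson\nprepipe-gunzip\n",
        "eq/.mlrrc": "--prepipe=do_something_bad; cat\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full))
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_prepipe(root)


if __name__ == "__main__":
    for path, lineno, command in demo():
        print(f"{path}:{lineno}: prepipe would run: {command}")
```

On Miller 5.9.1 and later such lines are rejected in .mlrrc, so a hit mainly matters where 5.9.0 may still be installed.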