Securitu fix for CAN-2004-1773:

"Multiple buffer overflows in sharutils 4.2.1 and earlier may allow attackers
 to execute arbitrary code via long output from wc to shar, or unknown vectors
 in unshar."

Patch from SuSE/Gentoo. Also add more sanity checking patches from the latter.

6 files changed, 227 insertions, 10 deletions

diff --git a/archivers/gsharutils/Makefile b/archivers/gsharutils/Makefile
index 880c2239db1..733a464bb3e 100644
--- a/archivers/gsharutils/Makefile
+++ b/archivers/gsharutils/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.24 2005/02/26 04:42:50 tv Exp $
+# $NetBSD: Makefile,v 1.25 2005/03/31 14:17:05 salo Exp $
 
 DISTNAME=	sharutils-4.2.1
 PKGNAME=	g${DISTNAME}
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	archivers
 MASTER_SITES=	${MASTER_SITE_GNU:=sharutils/}
 
@@ -10,10 +10,10 @@ MAINTAINER=	tech-pkg@NetBSD.org
 HOMEPAGE=	http://www.gnu.org/software/sharutils/sharutils.html
 COMMENT=	Allow packing and unpacking of shell archives
 
-PKG_INSTALLATION_TYPES=	overwrite pkgviews
-
 BUILD_USES_MSGFMT=	yes
 
+PKG_INSTALLATION_TYPES=	overwrite pkgviews
+
 USE_BUILDLINK3=		yes
 USE_PKGLOCALEDIR=	yes
 GNU_CONFIGURE=		yes
@@ -26,6 +26,10 @@ CONFIGURE_ARGS+=	--disable-uucode
 
 .include "../../mk/bsd.prefs.mk"
 
+.if empty(OPSYS:M*BSD)
+DEPENDS+=		mktemp>=1.5:../../sysutils/mktemp
+.endif
+
 # gettext 0.11+ has renamed internal symbols, and gsharutils is
 # being a very bad neighbor by using them directly.  To fix, force
 # use of gettext >= 0.11, and rename the symbol in gsharutils.  -tv
diff --git a/archivers/gsharutils/distinfo b/archivers/gsharutils/distinfo
index 3c40d557bed..bcf90baf216 100644
--- a/archivers/gsharutils/distinfo
+++ b/archivers/gsharutils/distinfo
@@ -1,12 +1,15 @@
-$NetBSD: distinfo,v 1.10 2005/02/23 14:45:23 agc Exp $
+$NetBSD: distinfo,v 1.11 2005/03/31 14:17:05 salo Exp $
 
 SHA1 (sharutils-4.2.1.tar.gz) = 3f0c0af31bd429cee1e088eb74867f20f8d399ef
 RMD160 (sharutils-4.2.1.tar.gz) = 06e1629aa8a1c982e6032f194df6f5fe85f85b43
 Size (sharutils-4.2.1.tar.gz) = 306022 bytes
 SHA1 (patch-aa) = 654641dee00efc19771546cf1753d1025c18d9be
 SHA1 (patch-ab) = cc46cfb2ff26861f9c3cd482a31a5c59226a1899
-SHA1 (patch-ac) = 76bf1dedc34a462dd05a55511d9caf578cae78d0
+SHA1 (patch-ac) = 2fbf90458b0a81082db6b1bd343efb5f2062a947
 SHA1 (patch-ad) = fe6ba534c9830294c97dd37586aaa2c63d385a4c
 SHA1 (patch-ae) = 8b88d98af2d1f24ba2623e8d56b36061806f5e12
 SHA1 (patch-af) = 50aee8dc24a33892a0f17f7aeb5cfbae1adcb0c9
 SHA1 (patch-ag) = af78d21124b33f0d8bdc27969119222e4d79008e
+SHA1 (patch-ah) = 1540064ef3a21a4486950ca24432f471bf1366a9
+SHA1 (patch-ai) = a95e116d517e5fe536a31d12db1c33daaf2609af
+SHA1 (patch-aj) = ee4dbff6419932244d277f79b34c93cea97f3a90
diff --git a/archivers/gsharutils/patches/patch-ac b/archivers/gsharutils/patches/patch-ac
index 7b145a25917..344d456e56d 100644
--- a/archivers/gsharutils/patches/patch-ac
+++ b/archivers/gsharutils/patches/patch-ac
@@ -1,8 +1,24 @@
-$NetBSD: patch-ac,v 1.2 1999/05/23 20:33:46 tv Exp $
+$NetBSD: patch-ac,v 1.3 2005/03/31 14:17:05 salo Exp $
 
---- src/shar.c.orig	Sun Jun  8 22:47:22 1997
-+++ src/shar.c	Sun Jun  8 22:47:37 1997
-@@ -688,7 +688,7 @@
+--- src/shar.c.orig	1999-09-10 21:20:41.000000000 +0200
++++ src/shar.c	2005-03-31 15:33:03.000000000 +0200
+@@ -211,11 +211,11 @@
+ /* Position for first file in the shar file.  */
+ static long first_file_position;
+ 
+-/* Base for output filename.  FIXME: No fix limit in GNU... */
+-static char output_base_name[50];
++/* Base for output filename.  */
++static char *output_base_name;
+ 
+-/* Actual output filename.  FIXME: No fix limit in GNU... */
+-static char output_filename[50];
++/* Actual output filename.  */
++static char *output_filename;
+ 
+ static char *submitter_address = NULL;
+ 
+@@ -696,7 +696,7 @@
       const char *local_name;
       const char *restore_name;
  {
@@ -11,3 +27,98 @@ $NetBSD: patch-ac,v 1.2 1999/05/23 20:33:46 tv Exp $
  	   mode_string (struct_stat.st_mode), restore_name);
    return 0;
  }
+@@ -1571,7 +1571,7 @@
+ 	  sprintf (command, "%s '%s'", CHARACTER_COUNT_COMMAND, local_name);
+ 	  if (pfp = popen (command, "r"), pfp)
+ 	    {
+-	      char wc[BUFSIZ];
++		char wc[BUFSIZ], tempform[50];      
+ 	      const char *prefix = "";
+ 
+ 	      if (did_md5)
+@@ -1579,8 +1579,8 @@
+ 		  fputs ("  else\n", output);
+ 		  prefix = "  ";
+ 		}
+-
+-	      fscanf (pfp, "%s", wc);
++	sprintf (tempform, "%%%ds", BUFSIZ - 1);
++	fscanf (pfp, tempform, wc);
+ 	      fprintf (output, "\
+ %s  shar_count=\"`%s '%s'`\"\n\
+ %s  test %s -eq \"$shar_count\" ||\n\
+@@ -1634,7 +1634,12 @@
+ static void
+ open_output ()
+ {
+-  sprintf (output_filename, output_base_name, ++part_number);
++  size_t l;
++  l = strlen(output_base_name) + 128;
++  if (output_filename)
++    free(output_filename);
++  output_filename = xmalloc(l);
++  snprintf(output_filename, l, output_base_name, ++part_number);
+   output = fopen (output_filename, "w");
+   if (!output)
+     error (EXIT_FAILURE, errno, _("Opening `%s'"), output_filename);
+@@ -1771,6 +1776,42 @@
+   { NULL, 0, NULL, 0 },
+ };
+ 
++
++char *parse_output_base_name(char *arg)
++{
++  int c;
++  int hadarg = 0;
++  char *fmt, *p;
++
++  for (p = arg ; (c = *p++) != 0; )
++    {
++      if (c != '%')
++	continue;
++      c = *p++;
++      if (c == '%')
++	continue;
++      if (hadarg)
++	return 0;
++      while (c != 0 && strchr("#0+- 'I", c) != 0)
++	c = *p++;
++      while (c != 0 && c >= '0' && c <= '9')
++	c = *p++;
++      if (c == '.')
++	c = *p++;
++      while (c != 0 && c >= '0' && c <= '9')
++	c = *p++;
++      if (c == 0 || strchr("diouxX", c) == 0)
++	return 0;
++      hadarg = 1;
++    }
++  fmt = xmalloc(strlen(arg) + (hadarg ? 1 : 6));
++  strcpy(fmt, arg);
++  if (!hadarg)
++    strcat(fmt, ".%02d");
++  return fmt;
++}
++
++
+ /*---.
+ | ?  |
+ `---*/
+@@ -1905,9 +1946,14 @@
+ 	break;
+ 
+       case 'o':
+-	strcpy (output_base_name, optarg);
+-	if (!strchr (output_base_name, '%'))
+-	  strcat (output_base_name, ".%02d");
++	if (output_base_name)
++	  free (output_base_name);
++        output_base_name = parse_output_base_name(optarg);
++        if (!output_base_name)
++	  {
++	    fprintf (stderr, _("illegal output prefix\n"));
++	    exit (EXIT_FAILURE);
++	  }
+ 	part_number = 0;
+ 	open_output ();
+ 	break;
diff --git a/archivers/gsharutils/patches/patch-ah b/archivers/gsharutils/patches/patch-ah
new file mode 100644
index 00000000000..088399f8c18
--- /dev/null
+++ b/archivers/gsharutils/patches/patch-ah
@@ -0,0 +1,36 @@
+$NetBSD: patch-ah,v 1.5 2005/03/31 14:17:05 salo Exp $
+
+--- src/unshar.c.orig	1995-11-21 17:22:14.000000000 +0100
++++ src/unshar.c	2005-03-31 15:33:03.000000000 +0200
+@@ -346,8 +346,8 @@
+ {
+   size_t size_read;
+   FILE *file;
+-  char name_buffer[NAME_BUFFER_SIZE];
+-  char copy_buffer[NAME_BUFFER_SIZE];
++  char name_buffer[NAME_BUFFER_SIZE] = {'\0'};
++  char copy_buffer[NAME_BUFFER_SIZE] = {'\0'};
+   int optchar;
+ 
+   program_name = argv[0];
+@@ -409,13 +409,13 @@
+   if (optind < argc)
+     for (; optind < argc; optind++)
+       {
+-	if (argv[optind][0] == '/')
+-	  stpcpy (name_buffer, argv[optind]);
+-	else
+-	  {
+-	    char *cp = stpcpy (name_buffer, current_directory);
+-	    *cp++ = '/';
+-	    stpcpy (cp, argv[optind]);
++	if (argv[optind][0] == '/') {
++		strncpy (name_buffer, argv[optind], sizeof(name_buffer));
++		name_buffer[sizeof(name_buffer)-1] = '\0';
++	}
++	else {
++		snprintf(name_buffer, sizeof(name_buffer),"%s/%s", current_directory, argv[optind]);
++		name_buffer[sizeof(name_buffer)-1] = '\0';
+ 	  }
+ 	if (file = fopen (name_buffer, "r"), !file)
+ 	  error (EXIT_FAILURE, errno, name_buffer);
diff --git a/archivers/gsharutils/patches/patch-ai b/archivers/gsharutils/patches/patch-ai
new file mode 100644
index 00000000000..9c434355a7e
--- /dev/null
+++ b/archivers/gsharutils/patches/patch-ai
@@ -0,0 +1,46 @@
+$NetBSD: patch-ai,v 1.3 2005/03/31 14:17:05 salo Exp $
+
+--- src/uudecode.c.orig	1995-12-02 04:14:14.000000000 +0100
++++ src/uudecode.c	2005-03-31 15:51:27.000000000 +0200
+@@ -81,6 +81,9 @@
+ /* Single character decode.  */
+ #define	DEC(Char) (((Char) - ' ') & 077)
+ 
++#if !defined S_ISLNK && defined S_IFLNK
++# define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK)
++#endif
+ 
+ static int
+ read_stduu (inname)
+@@ -279,6 +282,7 @@
+   char buf[2 * BUFSIZ];
+   char *outname;
+   int do_base64 = 0;
++  struct stat attr;
+ 
+   /* Search for header line.  */
+ 
+@@ -337,6 +341,23 @@
+ 	}
+     }
+ 
++  /* Check out file if it exists */
++  if (strcmp (outname, "/dev/stdout") != 0 && strcmp (outname, "-") != 0
++      && !access(outname, F_OK)) {
++    if (lstat(outname, &attr) == -1) {
++      error (0, errno, _("cannot access %s"), outname);
++      return 1;
++    }
++    if (S_ISFIFO(attr.st_mode)){
++      error (0, errno, _("denied writing FIFO (%s)"), outname);
++      return 1;
++    }
++    if (S_ISLNK(attr.st_mode)) {
++      error (0, errno, _("not following symlink (%s)"), outname);
++      return 1;
++    }
++  }
++
+   /* Create output file and set mode.  */
+ 
+   if (strcmp (outname, "/dev/stdout") != 0 && strcmp (outname, "-") != 0
diff --git a/archivers/gsharutils/patches/patch-aj b/archivers/gsharutils/patches/patch-aj
new file mode 100644
index 00000000000..57c79f7b075
--- /dev/null
+++ b/archivers/gsharutils/patches/patch-aj
@@ -0,0 +1,17 @@
+$NetBSD: patch-aj,v 1.4 2005/03/31 14:17:05 salo Exp $
+
+--- src/mailshar.in.orig	1995-11-26 00:42:47.000000000 +0100
++++ src/mailshar.in	2005-03-31 15:51:27.000000000 +0200
+@@ -33,7 +33,11 @@
+ If none of -MTBzZ are given, -z is automatically selected if *none*
+ of the FILEs have an .arc, .exz, .gif, .z, .gz, .Z, .zip or .zoo suffix."
+ 
+-temp=/usr/tmp/$$.shar
++temp=`mktemp -q /tmp/$0.XXXXXX`
++if [ $? -ne 0 ]; then
++    echo "$0: Can't create temp file, exiting..."
++    exit 1
++fi
+ 
+ ### Decode the options.
+