author | salo <salo@pkgsrc.org> | 2006-02-02 12:08:14 +0000 |
---|---|---|
committer | salo <salo@pkgsrc.org> | 2006-02-02 12:08:14 +0000 |
commit | 082f8c9c2130090f8e42db2f99b2415450b168bb (patch) | |
tree | c92ab944d7a3837c920b22caac2f83282823cbc1 | |
parent | 69c163eb40fab5cc359efb63615fa563822c187d (diff) | |
download | pkgsrc-082f8c9c2130090f8e42db2f99b2415450b168bb.tar.gz |
Security fix for SA18652 / CVE-2005-4536:
"Mail::Audit module logs to a temporary file with a predictable filename
in an insecure fashion when logging is turned on."
Patch from Debian.
-rw-r--r-- | mail/p5-Mail-Audit/Makefile | 4 | ||||
-rw-r--r-- | mail/p5-Mail-Audit/distinfo | 4 | ||||
-rw-r--r-- | mail/p5-Mail-Audit/patches/patch-aa | 29 | ||||
-rw-r--r-- | mail/p5-Mail-Audit/patches/patch-ab | 38 |
4 files changed, 72 insertions, 3 deletions
diff --git a/mail/p5-Mail-Audit/Makefile b/mail/p5-Mail-Audit/Makefile
index d67a9e4bf77..ea8aee233ec 100644
--- a/mail/p5-Mail-Audit/Makefile
+++ b/mail/p5-Mail-Audit/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.16 2005/08/06 06:19:22 jlam Exp $
+# $NetBSD: Makefile,v 1.17 2006/02/02 12:08:14 salo Exp $
 DISTNAME= Mail-Audit-2.1
 PKGNAME= p5-${DISTNAME}
 SVR4_PKGNAME= p5mau
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= mail perl5
 MASTER_SITES= ${MASTER_SITE_PERL_CPAN:=Mail/}
diff --git a/mail/p5-Mail-Audit/distinfo b/mail/p5-Mail-Audit/distinfo
index 022e8f458e8..7152499def9 100644
--- a/mail/p5-Mail-Audit/distinfo
+++ b/mail/p5-Mail-Audit/distinfo
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.4 2005/04/18 16:57:13 wiz Exp $
+$NetBSD: distinfo,v 1.5 2006/02/02 12:08:14 salo Exp $
 SHA1 (Mail-Audit-2.1.tar.gz) = 4fbfc782c8230025b793c2e15eff231acfa55f57
 RMD160 (Mail-Audit-2.1.tar.gz) = c59d006f1f9aa544e854be089f3fe793a8694d4f
 Size (Mail-Audit-2.1.tar.gz) = 21669 bytes
+SHA1 (patch-aa) = 8d1646afb5ac34de60fa19c2aa15c80210c9d6a7
+SHA1 (patch-ab) = e7d95c44d63dc2e78f30774e0c1092e59268376d
diff --git a/mail/p5-Mail-Audit/patches/patch-aa b/mail/p5-Mail-Audit/patches/patch-aa
new file mode 100644
index 00000000000..ccc30e263c7
--- /dev/null
+++ b/mail/p5-Mail-Audit/patches/patch-aa
@@ -0,0 +1,29 @@
+$NetBSD: patch-aa,v 1.1 2006/02/02 12:08:14 salo Exp $
+
+Security fix for SA18656, from Debian.
+
+--- Audit.pm.orig 2002-03-03 18:11:20.000000000 +0100
++++ Audit.pm 2006-02-02 12:48:52.000000000 +0100
+@@ -4,7 +4,13 @@
+
+ my $logging;
+ my $loglevel=3;
+-my $logfile = "/tmp/".getpwuid($>)."-audit.log";
++my $logfile;
++if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
++ $logfile = "$ENV{HOME}/.mail_audit.log"
++}
++else {
++ (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);
++}
+
+ # ----------------------------------------------------------
+ # no user-modifiable parts below this line.
+@@ -18,6 +24,7 @@
+ use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX);
+ # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity. if not, we'll be Mail::Internet.
+ use Fcntl ':flock';
++use File::Temp qw(tempfile);
+
+ $ASSUME_MSGPREFIX = 0;
+
diff --git a/mail/p5-Mail-Audit/patches/patch-ab b/mail/p5-Mail-Audit/patches/patch-ab
new file mode 100644
index 00000000000..456e8e845bb
--- /dev/null
+++ b/mail/p5-Mail-Audit/patches/patch-ab
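Review bot: In patch-aa's change to Audit.pm, the fallback branch `(undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1);` discards the handle File::Temp opened and keeps only the name, so the logging code (not visible in this hunk) has to reopen the file by path; that is presumably safe only while the temporary directory is sticky and nothing else can replace the entry. Because the branch runs at module load, a new file is also created and never removed on every run without a usable HOME, even when `$logging` is off. Consider keeping the handle, e.g. `my $logfh; ($logfh, $logfile) = tempfile("mail_audit.log-XXXXX", TMPDIR => 1);`, and creating the file only when logging is enabled. The patch header cites SA18656 while the commit message cites SA18652; one of the two identifiers should be corrected.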
@@ -0,0 +1,38 @@
+$NetBSD: patch-ab,v 1.1 2006/02/02 12:08:14 salo Exp $
+
+Security fix for SA18656, from Debian.
+
+--- Audit/MimeEntity.pm.orig 2002-01-18 01:23:32.000000000 +0100
++++ Audit/MimeEntity.pm 2006-02-02 12:48:52.000000000 +0100
+@@ -4,6 +4,7 @@
+
+ use strict;
+ use File::Path;
++use File::Temp qw(tempdir)
+ use MIME::Parser;
+ use MIME::Entity;
+ use Mail::Audit::MailInternet;
+@@ -12,10 +13,12 @@
+
+ $VERSION = '2.0';
+
+-$MIME_PARSER_TMPDIR = "/tmp/".getpwuid($>)."-mailaudit";
+-
+ my $parser = MIME::Parser->new();
+
++# Create a tempdir using File::Temp::tempdir, have it be destroyed at
++# END{} time.
++$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1);
++
+ my @to_rmdir;
+
+ sub autotype_new {
+@@ -23,8 +26,6 @@
+ my $mailinternet = shift;
+
+ $parser->ignore_errors(1);
+- mkdir ($MIME_PARSER_TMPDIR, 0777);
+- if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = "/tmp" }
+ $parser->output_under($MIME_PARSER_TMPDIR);
+
+ # todo: add eval error trapping. if there's a problem, return Mail::Audit::MailInternet as a fallback. |
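Review bot: The line added to Audit/MimeEntity.pm in the first inner hunk, `use File::Temp qw(tempdir)`, has no terminating semicolon as shown here, so it runs into the following `use MIME::Parser;` and the module would fail to compile; it should read `use File::Temp qw(tempdir);`. Separately, `$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1);` now executes at module load, so a directory is created even for messages that never reach the MIME parser. A failure in tempdir() would then abort while the module is being loaded instead of inside autotype_new, where the `# todo: add eval error trapping` comment suggests a fallback was intended. autotype_new's body continues outside the hunk.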