Pullup ticket 1665 - requested by joerg

security fix for noweb

Revisions pulled up:
- pkgsrc/devel/noweb/Makefile			1.33
- pkgsrc/devel/noweb/distinfo			1.4
- pkgsrc/devel/noweb/patches/patch-ab		1.1
- pkgsrc/devel/noweb/patches/patch-ac		1.1
- pkgsrc/devel/noweb/patches/patch-ad		1.1
- pkgsrc/devel/noweb/patches/patch-ae		1.1
- pkgsrc/devel/noweb/patches/patch-af		1.1
- pkgsrc/devel/noweb/patches/patch-ag		1.1
- pkgsrc/devel/noweb/patches/patch-ah		1.1
- pkgsrc/devel/noweb/patches/patch-ai		1.1
- pkgsrc/devel/noweb/patches/patch-aj		1.1
- pkgsrc/devel/noweb/patches/patch-ak		1.1
- pkgsrc/devel/noweb/patches/patch-al		1.1
- pkgsrc/devel/noweb/patches/patch-am		1.1
- pkgsrc/devel/noweb/patches/patch-an		1.1

   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Tue May 23 16:07:04 UTC 2006

   Modified Files:
   	pkgsrc/devel/noweb: Makefile distinfo
   Added Files:
   	pkgsrc/devel/noweb/patches: patch-ab patch-ac patch-ad patch-ae
   	    patch-af patch-ag patch-ah patch-ai patch-aj patch-ak patch-al
   	    patch-am patch-an

   Log Message:
   Fix insecure temporary file generation. Based on Debian patchset,
   but handles more cases. Bump revision.

15 files changed, 264 insertions, 3 deletions

diff --git a/devel/noweb/Makefile b/devel/noweb/Makefile
index 0d8c7098b31..ffc178cfd54 100644
--- a/devel/noweb/Makefile
+++ b/devel/noweb/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.32 2006/03/04 21:29:18 jlam Exp $
+# $NetBSD: Makefile,v 1.32.2.1 2006/05/24 00:05:17 salo Exp $
 
 DISTNAME=		noweb-2.9a
-PKGREVISION=		2
+PKGREVISION=		3
 CATEGORIES=		devel
 MASTER_SITES=		ftp://ftp.cs.virginia.edu/pub/nr/
 EXTRACT_SUFX=		.tgz
@@ -16,6 +16,17 @@ WRKSRC=			${WRKDIR}/src
 
 .include "../../mk/bsd.prefs.mk"
 
+USE_TOOLS+=	mktemp:run
+
+SUBST_CLASSES+=		mktemp
+SUBST_FILES.mktemp+=	awk/totex.nw lib/toascii shell/toroff shell/noroff
+SUBST_FILES.mktemp+=	shell/nonu shell/cpif awkname shell/roff.nw
+SUBST_FILES.mktemp+=	shell/roff.mm ../contrib/conrado/d2tex
+SUBST_FILES.mktemp+=	../contrib/jobling/correct-refs.nw
+SUBST_FILES.mktemp+=	../contrib/norman/htmlgif/pstopbm
+SUBST_SED.mktemp+=	-e 's,@MKTEMP@,${TOOLS_PATH.mktemp},g'
+SUBST_STAGE.mktemp=	post-patch
+
 .if ${OPSYS} != "SunOS"
 do-configure:
 	(cd ${WRKSRC} ; ./awkname awk)
diff --git a/devel/noweb/distinfo b/devel/noweb/distinfo
index 35e69b26ab1..44c232c1b93 100644
--- a/devel/noweb/distinfo
+++ b/devel/noweb/distinfo
@@ -1,6 +1,19 @@
-$NetBSD: distinfo,v 1.3 2005/02/23 22:24:22 agc Exp $
+$NetBSD: distinfo,v 1.3.10.1 2006/05/24 00:05:17 salo Exp $
 
 SHA1 (noweb-2.9a.tgz) = 0ee5f97c56fa7898be9815ad817036f8aee0193b
 RMD160 (noweb-2.9a.tgz) = ee61f44091d2634550d33528b426af508ffad729
 Size (noweb-2.9a.tgz) = 728608 bytes
 SHA1 (patch-aa) = 0c0c446173c1ee13eeb0b80041cb8cf98e3c7325
+SHA1 (patch-ab) = 99200991f1dab7aaef349611c11a881483f40888
+SHA1 (patch-ac) = 364d7eb43abac9c33807b7b7d20ff9368f7568d2
+SHA1 (patch-ad) = 6102295ab1c37bb16c92cae3c77a97349794cde4
+SHA1 (patch-ae) = 0079598edc015f0ce387cb1058d06581e05f07c6
+SHA1 (patch-af) = 1af1d268381546ff214450caa7914f30106ff131
+SHA1 (patch-ag) = 5e3e8f271f5a80dda593e908fdbff2a7d5cb6dc6
+SHA1 (patch-ah) = 3038e41f2362de61cd3ad0882c7d39cb3b7e952d
+SHA1 (patch-ai) = a9c82e80ac288f7a3316cf3fb671d5a680012054
+SHA1 (patch-aj) = 800210a1143b37e6cb14bc0fdda7ada3b36692e1
+SHA1 (patch-ak) = 8cc2ee6177c633b2e1913790ab63016c19cf5eef
+SHA1 (patch-al) = d9fd8a2b59ef6b4a8cae57815ff339de6df8567d
+SHA1 (patch-am) = 89803aa4d0db6a9dcbb95832193ce19e25d7ff29
+SHA1 (patch-an) = c706aeeadb59d4b21053518d1c5dcb970be7aaae
diff --git a/devel/noweb/patches/patch-ab b/devel/noweb/patches/patch-ab
new file mode 100644
index 00000000000..db8d1957014
--- /dev/null
+++ b/devel/noweb/patches/patch-ab
@@ -0,0 +1,13 @@
+$NetBSD: patch-ab,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- elisp/noweb-mode.el.orig	1999-02-16 22:12:21.000000000 +0100
++++ elisp/noweb-mode.el
+@@ -213,7 +213,7 @@ Misc:
+   (add-hook 'isearch-mode-hook 'noweb-note-isearch-mode)
+   (add-hook 'isearch-mode-end-hook 'noweb-note-isearch-mode-end)
+   (run-hooks 'noweb-mode-hook)
+-  (message "nobweb mode: use `M-x noweb-describe-mode' for further information"))
++  (message "noweb mode: use `M-x noweb-describe-mode' for further information"))
+ 
+ (defun noweb-setup-keymap ()
+   "Setup the noweb-mode keymap.  This function is rerun every time the
diff --git a/devel/noweb/patches/patch-ac b/devel/noweb/patches/patch-ac
new file mode 100644
index 00000000000..90e5a26849f
--- /dev/null
+++ b/devel/noweb/patches/patch-ac
@@ -0,0 +1,13 @@
+$NetBSD: patch-ac,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- awkname.orig	1995-05-26 02:49:07.000000000 +0200
++++ awkname
+@@ -5,7 +5,7 @@ case $# in
+ esac
+ 
+ rc=0
+-new=/tmp/$$.new; old=/tmp/$$.old
++new=$(@MKTEMP@ -t noweb_new) || exit 1; old=$(@MKTEMP@ -t noweb_old) || exit 1
+ 
+ for file in lib/emptydefn lib/unmarkup lib/toascii \
+                         awk/noidx awk/totex awk/tohtml awk/noindex \
diff --git a/devel/noweb/patches/patch-ad b/devel/noweb/patches/patch-ad
new file mode 100644
index 00000000000..39e55bd2ed9
--- /dev/null
+++ b/devel/noweb/patches/patch-ad
@@ -0,0 +1,13 @@
+$NetBSD: patch-ad,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- shell/cpif.orig	1993-03-01 23:22:02.000000000 +0100
++++ shell/cpif
+@@ -17,7 +17,7 @@ case $# in
+ 0)		echo 'Usage: '`basename $0`' [ -eq -ne ] file...' 1>&2; exit 2
+ esac
+ 
+-new=/tmp/$$
++new=$(@MKTEMP@ noweb) || exit 1
+ trap 'rm -f $new; exit 1' 1 2 15	# clean up files
+ 
+ cat >$new
diff --git a/devel/noweb/patches/patch-ae b/devel/noweb/patches/patch-ae
new file mode 100644
index 00000000000..bb1b36e1836
--- /dev/null
+++ b/devel/noweb/patches/patch-ae
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- shell/nonu.orig	1993-08-19 20:46:04.000000000 +0200
++++ shell/nonu
+@@ -2,7 +2,7 @@
+ LIB=/usr/public/pkg/noweb/lib
+ # attempt to convert nuweb to noweb using sam
+ 
+-tmp=/tmp/nonu$$
++tmp=$(@MKTEMP@ -t nonu) || exit 1
+ trap '/bin/rm -f $tmp; exit 1' 1 2 15	# clean up files
+ cp $1 $tmp || exit 1
+ 
diff --git a/devel/noweb/patches/patch-af b/devel/noweb/patches/patch-af
new file mode 100644
index 00000000000..a1ab836176f
--- /dev/null
+++ b/devel/noweb/patches/patch-af
@@ -0,0 +1,27 @@
+$NetBSD: patch-af,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- shell/noroff.orig	1999-02-16 22:58:52.000000000 +0100
++++ shell/noroff
+@@ -35,9 +35,10 @@ fi
+ 
+ base="`basename $1 | sed '/\./s/\.[^.]*$//'`"
+ tagsfile="$base.nwt"
++tmpfile=$(@MKTEMP@ tags) || exit 1
+ (echo ".so $macrodir/tmac.w"
+ if [ -r "$tagsfile" ]; then 
+-   cp $tagsfile /tmp/tags.$$
++   cp $tagsfile $tmpfile
+    $AWK '{
+ 	     if      (sub(/^###TAG### /       , "")) tags[$1] = $2
+ 	     else if (sub(/^###BEGINCHUNKS###/, "")) printf ".de CLIST\n.CLISTBEGIN\n"
+@@ -88,8 +89,8 @@ if [ -r "$tagsfile" ]; then 
+ 	 #	print str3
+ 	 #	print convquote(str3)
+ 	 # }
+-	 function tag(s) { if (s in tags) return tags[s]; else return "???" }' /tmp/tags.$$
+-   rm -f /tmp/tags.$$
++	 function tag(s) { if (s in tags) return tags[s]; else return "???" }' $tmpfile
++   rm -f $tmpfile
+  fi
+  cat "$@") |
+ ($ROFF $opts 2>$tagsfile)
diff --git a/devel/noweb/patches/patch-ag b/devel/noweb/patches/patch-ag
new file mode 100644
index 00000000000..78438d42602
--- /dev/null
+++ b/devel/noweb/patches/patch-ag
@@ -0,0 +1,13 @@
+$NetBSD: patch-ag,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- shell/toroff.orig	1999-02-16 22:58:52.000000000 +0100
++++ shell/toroff
+@@ -9,7 +9,7 @@ for i do
+            exit 1;;
+     esac
+ done
+-awkfile="/tmp/noweb$$.awk"
++awkfile=$(@MKTEMP@ -t noweb) || exit 1
+ trap 'rm -f $awkfile' 0 1 2 10 14 15
+ cat > $awkfile << 'EOF'
+ /^@begin docs 0$/ { if (delay) next }
diff --git a/devel/noweb/patches/patch-ah b/devel/noweb/patches/patch-ah
new file mode 100644
index 00000000000..378e71d01a4
--- /dev/null
+++ b/devel/noweb/patches/patch-ah
@@ -0,0 +1,17 @@
+$NetBSD: patch-ah,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- lib/toascii.orig	1999-02-16 22:58:52.000000000 +0100
++++ lib/toascii
+@@ -7,9 +7,9 @@ for i do
+                 *)      echo "This can't happen -- $i passed to toascii" 1>&2 ; exit 1 ;;
+         esac
+ done
+-awkfile="tmp/awk$$.tmp"
+-textfile="/tmp/text$$.tmp"
+-tagsfile="/tmp/tags$$.tmp"
++awkfile=$(@MKTEMP@ -t awk -s) || exit 1
++textfile=$(@MKTEMP@ -t text -s) || exit 1
++tagsfile=$(@MKTEMP@ -t tags -s) || exit 1
+ export awkfile textfile tagsfile
+ trap 'rm -f $awkfile $textfile $tagsfile' 0 1 2 10 14 15
+ nawk 'BEGIN { textfile=ENVIRON["textfile"]
diff --git a/devel/noweb/patches/patch-ai b/devel/noweb/patches/patch-ai
new file mode 100644
index 00000000000..cf2d628fd18
--- /dev/null
+++ b/devel/noweb/patches/patch-ai
@@ -0,0 +1,13 @@
+$NetBSD: patch-ai,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- awk/totex.nw.orig	1996-05-31 21:04:15.000000000 +0200
++++ awk/totex.nw
+@@ -24,7 +24,7 @@ nawk '<<awk program for conversion to {\
+ @
+ On an ugly system, we have to put it in a file.
+ <<invoke awk program using file>>=
+-awkfile=/tmp/totex$$.awk
++awkfile=$(@MKTEMP@ -t totex) || exit 1
+ trap 'rm -f $awkfile; exit 1' 0 1 2 15	# clean up files
+ cat > $awkfile << 'EOF'
+ <<awk program for conversion to {\TeX}>>
diff --git a/devel/noweb/patches/patch-aj b/devel/noweb/patches/patch-aj
new file mode 100644
index 00000000000..552bc6204a8
--- /dev/null
+++ b/devel/noweb/patches/patch-aj
@@ -0,0 +1,24 @@
+$NetBSD: patch-aj,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- ../contrib/norman/htmlgif/pstopbm.orig	1998-08-07 20:29:32.000000000 +0200
++++ ../contrib/norman/htmlgif/pstopbm
+@@ -36,8 +36,8 @@ while [ $# -gt 0 ]; do
+   shift
+ done
+ 
+-tmp=/tmp/pstopbm$$
+-tmpa=$tmp.a
++tmp=$(@MKTEMP@ -t pstopbm) || exit 1
++tmpa=$(@MKTEMP@ -t pstopbm_a -s) || exit 1
+ if [ $# -eq 0 ]; then cat > $tmp; else cat "$@" > $tmp; fi
+ 
+ if echo "$@" | fgrep .eps > /dev/null; then
+@@ -76,7 +76,7 @@ exit 0
+ 
+ 
+ if [ $# -eq 0 ]; then
+-  tmp=/tmp/pstopbm$$
++  tmp=$(@MKTEMP@ -t pstopbm) || exit 1
+   cat > $tmp
+   gs -q -sDEVICE=$device -sOutputFile=- -dNOPAUSE -dMAGSTEP=1.0 $tmp
+ else
diff --git a/devel/noweb/patches/patch-ak b/devel/noweb/patches/patch-ak
new file mode 100644
index 00000000000..22c8a675f4b
--- /dev/null
+++ b/devel/noweb/patches/patch-ak
@@ -0,0 +1,19 @@
+$NetBSD: patch-ak,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- ../contrib/jobling/correct-refs.nw.orig	1995-05-24 20:12:48.000000000 +0200
++++ ../contrib/jobling/correct-refs.nw
+@@ -332,11 +332,12 @@ gawk -f $LIB/awk-scripts.awk anchor-list
+ echo Processing HTML nodes
+ foreach f (*.awk)
+    set root=$f:r
++   set tmpfile=`@MKTEMP@ -t noweb` || exit 1
+    echo -n Processing $root.html
+-   gawk -f $f < $root.html >! /tmp/$root.html
++   gawk -f $f < $root.html >! $tmpfile
+    echo "..." Done
+    cp $root.html $root.html.bak
+-   cp /tmp/$root.html $root.html
++   cp $tmpfile $root.html
+ end
+ 
+ @
diff --git a/devel/noweb/patches/patch-al b/devel/noweb/patches/patch-al
new file mode 100644
index 00000000000..36604c1c171
--- /dev/null
+++ b/devel/noweb/patches/patch-al
@@ -0,0 +1,11 @@
+$NetBSD: patch-al,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- ../contrib/conrado/d2tex.orig	1993-10-27 18:37:11.000000000 +0100
++++ ../contrib/conrado/d2tex
+@@ -1,5 +1,5 @@
+ #! /bin/sh
+-KEYGEN=/tmp/d2tex$$
++KEYGEN=$(@MKTEMP@ -t d2tex) || exit 1
+ trap "rm -f $KEYGEN; exit 1" 1 2 3 15
+ cat > $KEYGEN <<END_OF_FILE
+ COMMENT#1
diff --git a/devel/noweb/patches/patch-am b/devel/noweb/patches/patch-am
new file mode 100644
index 00000000000..9885dd7e5c0
--- /dev/null
+++ b/devel/noweb/patches/patch-am
@@ -0,0 +1,32 @@
+$NetBSD: patch-am,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- shell/roff.mm.orig	1998-08-18 21:33:04.000000000 +0200
++++ shell/roff.mm
+@@ -214,7 +214,7 @@ copy the awk program into a temporary fi
+ .ADDLIST 1a
+ .PRINTLIST
+ 
+-awkfile="/tmp/noweb$$.awk"
++awkfile=$(@MKTEMP@ -t noweb) || { echo "$0: Cannot create temporary file" >&2; exit 1;  }
+ trap 'rm -f $awkfile' 0 1 2 10 14 15
+ cat > $awkfile \&<< 'EOF'
+ \c
+@@ -1628,14 +1628,15 @@ base="`basename $1 | sed '/\./s/\.[^.]*$
+ tagsfile="$base.nwt"
+ (echo ".so $macrodir/tmac.w"
+ if [ -r "$tagsfile" ]; then 
+-   cp $tagsfile /tmp/tags.$$
++   tagstemp=$(@MKTEMP@ -t tags) || { echo "$0: Cannot create temporary file" >&2; exit 1;  }
++   cp $tagsfile $tagstemp
+    $AWK '\c
+ .USE "action for \*[BEGINCONVQUOTE]tags\*[ENDCONVQUOTE] line" 11c
+ \&
+          \c
+ .USE "functions" 8a
+-\&' /tmp/tags.$$
+-   rm -f /tmp/tags.$$
++\&' $tagstemp
++   rm -f $tagstemp
+  fi
+  cat "$@") |
+ ($ROFF $opts 2>$tagsfile)
diff --git a/devel/noweb/patches/patch-an b/devel/noweb/patches/patch-an
new file mode 100644
index 00000000000..04ba5f56021
--- /dev/null
+++ b/devel/noweb/patches/patch-an
@@ -0,0 +1,29 @@
+$NetBSD: patch-an,v 1.1.2.2 2006/05/24 00:05:17 salo Exp $
+
+--- shell/roff.nw.orig	1998-08-17 02:27:09.000000000 +0200
++++ shell/roff.nw
+@@ -80,7 +80,8 @@ single quotes and double quotes, so neit
+ other, and quoting each quote is ugly.  The pragmatic solution is to
+ copy the awk program into a temporary file, using a shell here-document.
+ <<invoke awk program>>=
+-awkfile="/tmp/noweb$$.awk"
++awkfile=$(@MKTEMP@ -t noweb) || { echo "$0: Cannot create temporary file" >&2; exit 1;  }
++
+ trap 'rm -f $awkfile' 0 1 2 10 14 15
+ cat > $awkfile << 'EOF'
+ <<awk program>>
+@@ -664,10 +665,11 @@ base="`basename $1 | sed '/\./s/\.[^.]*$
+ tagsfile="$base.nwt"
+ (echo ".so $macrodir/tmac.w"
+ if [ -r "$tagsfile" ]; then 
+-   cp $tagsfile /tmp/tags.$$
++   tagstemp=$(@MKTEMP@ -t tags) || { echo "$0: Cannot create temporary file" >&2; exit 1;  }
++   cp $tagsfile $tagstemp
+    $AWK '<<action for [[tags]] line>>
+-         <<functions>>' /tmp/tags.$$
+-   rm -f /tmp/tags.$$
++         <<functions>>' $tagstemp
++   rm -f $tagstemp
+  fi
+  cat "$@") |
+ ($ROFF $opts 2>$tagsfile)