Use mkstemp in netperf code to open the debug log in order to avoid

a symlink vulnerability. This fixes CVE-2007-1444.

5 files changed, 86 insertions, 2 deletions

diff --git a/benchmarks/netperf/Makefile b/benchmarks/netperf/Makefile
index f5a6f171150..7080ac403fe 100644
--- a/benchmarks/netperf/Makefile
+++ b/benchmarks/netperf/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2007/12/29 10:14:50 wiz Exp $
+# $NetBSD: Makefile,v 1.5 2008/05/12 15:49:30 tonnerre Exp $
 #
 
 DISTNAME=	netperf-2.3pl1
 PKGNAME=	netperf-2.3.1
+PKGREVISION=	1
 CATEGORIES=	benchmarks
 MASTER_SITES=	ftp://ftp.cup.hp.com/dist/networking/benchmarks/netperf/archive/ \
 		ftp://ftp.netperf.org/netperf/archive/ \
diff --git a/benchmarks/netperf/distinfo b/benchmarks/netperf/distinfo
index e8e780ee87b..89321ba6caf 100644
--- a/benchmarks/netperf/distinfo
+++ b/benchmarks/netperf/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2007/08/08 20:30:13 joerg Exp $
+$NetBSD: distinfo,v 1.3 2008/05/12 15:49:30 tonnerre Exp $
 
 SHA1 (netperf-2.3pl1.tar.gz) = 288c34b6c4d937b06422a8cdab3dcae5ed58cc17
 RMD160 (netperf-2.3pl1.tar.gz) = 83f2afd612b7d4d4b486b82554f4e792c5e8509d
@@ -10,3 +10,6 @@ SHA1 (patch-ad) = a829f207d8af01497887b4386d184a4b0d14774f
 SHA1 (patch-ae) = 4848b2699cdbf2b9059f6e0290afc929d94f514c
 SHA1 (patch-af) = 720808dcbdbc6fa1ea55aae43ea1e24c333d9891
 SHA1 (patch-ag) = 4139125768a4b037692ab3cefcb2562ccc5c4b0f
+SHA1 (patch-ah) = ae945388b12d9b964f2728d07ce17d543c440bdd
+SHA1 (patch-ai) = ca2d19efa72f2ac40f66eb5c61272b90b080aec4
+SHA1 (patch-ak) = 35da529b4509791718e2912bc8d59a32ea992933
diff --git a/benchmarks/netperf/patches/patch-ah b/benchmarks/netperf/patches/patch-ah
new file mode 100644
index 00000000000..6f030e4ae66
--- /dev/null
+++ b/benchmarks/netperf/patches/patch-ah
@@ -0,0 +1,12 @@
+$NetBSD: patch-ah,v 1.1 2008/05/12 15:49:30 tonnerre Exp $
+
+--- netlib.h.orig	2004-09-21 23:33:40.000000000 +0200
++++ netlib.h
+@@ -343,6 +343,7 @@ extern  int     lib_num_loc_cpus;
+ extern  SOCKET  server_sock;
+ extern  int     times_up;
+ extern  FILE    *where;
++extern	int	fd;
+ extern  int     loops_per_msec;
+ extern  float   lib_local_per_cpu_util[];
+   
diff --git a/benchmarks/netperf/patches/patch-ai b/benchmarks/netperf/patches/patch-ai
new file mode 100644
index 00000000000..48e2f33f305
--- /dev/null
+++ b/benchmarks/netperf/patches/patch-ai
@@ -0,0 +1,56 @@
+$NetBSD: patch-ai,v 1.1 2008/05/12 15:49:30 tonnerre Exp $
+
+--- netserver.c.orig	2004-09-21 23:33:40.000000000 +0200
++++ netserver.c
+@@ -138,6 +138,9 @@ FILE	*afp;
+ short	listen_port_num;
+ extern	char	*optarg;
+ extern	int	optind, opterr;
++#ifndef WIN32
++char debuglog[] = "/tmp/netperf.debugXXXXXX";
++#endif
+ 
+ #ifndef WIN32
+ #define SERVER_ARGS "dn:p:v:46"
+@@ -181,8 +184,14 @@ process_requests()
+       netperf_response.content.response_type = DEBUG_OK;
+       send_response();
+ 	  //+*+SAF why???
+-	  if (!debug) 
++	  if (!debug)
++	  {
+ 	      fclose(where);
++#ifndef WIN32
++	      unlink(debuglog);
++	      close(fd);
++#endif
++	  }
+       break;
+       
+     case CPU_CALIBRATE:
+@@ -730,7 +739,13 @@ struct sockaddr name;
+ 
+ /*  unlink(DEBUG_LOG_FILE); */
+ #ifndef WIN32
+-  if ((where = fopen(DEBUG_LOG_FILE, "w")) == NULL) {
++  if ((fd = mkstemp(debuglog)) == -1 || (where = fdopen(fd, "w+")) == NULL)
++  {
++    if (fd != -1)
++    {
++      unlink(debuglog);
++      close(fd);
++    }
+     perror("netserver: debug file");
+     exit(1);
+   }
+@@ -761,10 +776,6 @@ struct sockaddr name;
+   }
+ #endif
+  
+-#ifndef WIN32 
+-  chmod(DEBUG_LOG_FILE,0644);
+-#endif
+-  
+ #if WIN32
+   if (child) {
+ 	  server_sock = (SOCKET)GetStdHandle(STD_INPUT_HANDLE);
diff --git a/benchmarks/netperf/patches/patch-ak b/benchmarks/netperf/patches/patch-ak
new file mode 100644
index 00000000000..865f2ac0022
--- /dev/null
+++ b/benchmarks/netperf/patches/patch-ak
@@ -0,0 +1,12 @@
+$NetBSD: patch-ak,v 1.1 2008/05/12 15:49:30 tonnerre Exp $
+
+--- netlib.c.orig	2004-09-21 23:33:40.000000000 +0200
++++ netlib.c
+@@ -422,6 +422,7 @@ union   netperf_request_struct  netperf_
+ union   netperf_response_struct netperf_response;
+ 
+ FILE    *where;
++int	fd = -1;
+ 
+ char    libfmt = 'm';
+