authordmcmahill <dmcmahill>2008-11-30 23:48:00 +0000
committerdmcmahill <dmcmahill>2008-11-30 23:48:00 +0000
commit3689f52b4fb6d8e742171a1a513a288b9cb4981a (patch)
tree376f58f35abece0e877839254672731c1db6fd96 /cad
parentada32eb05525b3d98dbaacb0f04e4137fc835c1a (diff)
Address privilege-escalation vulnerability (http://secunia.com/advisories/32806/)
due to insecure temp file usage. Bump pkgrev.
Diffstat (limited to 'cad')
-rw-r--r--cad/gnetlist/Makefile3
-rw-r--r--cad/gnetlist/distinfo4
-rw-r--r--cad/gnetlist/patches/patch-aa76
3 files changed, 80 insertions, 3 deletions
diff --git a/cad/gnetlist/Makefile b/cad/gnetlist/Makefile
index 2c53eced9d7..5d73f1c70d3 100644
--- a/cad/gnetlist/Makefile
+++ b/cad/gnetlist/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.45 2008/06/20 01:09:08 joerg Exp $
+# $NetBSD: Makefile,v 1.46 2008/11/30 23:48:00 dmcmahill Exp $
#
DISTNAME= geda-gnetlist-${PKGVERSION}
PKGNAME= gnetlist-${PKGVERSION}
+PKGREVISION= 1
CATEGORIES= cad
MAINTAINER= dmcmahill@NetBSD.org
diff --git a/cad/gnetlist/distinfo b/cad/gnetlist/distinfo
index 23f8e7ac16e..9d58880db0e 100644
--- a/cad/gnetlist/distinfo
+++ b/cad/gnetlist/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.24 2008/02/01 02:34:23 dmcmahill Exp $
+$NetBSD: distinfo,v 1.25 2008/11/30 23:48:00 dmcmahill Exp $
SHA1 (geda/geda-gnetlist-1.4.0.tar.gz) = 494e4d9f323a935f6a858138101b5bed6788ce2f
RMD160 (geda/geda-gnetlist-1.4.0.tar.gz) = 4e2c295ae6033da05cdffd62c28c41c4a5443843
Size (geda/geda-gnetlist-1.4.0.tar.gz) = 402250 bytes
-SHA1 (patch-aa) = 1fdc681538545f5712a423bc62b1ce89fbc7ff4c
+SHA1 (patch-aa) = ce30c3a2d6541cc1e4c8b3762bbd1076d3748eb3
diff --git a/cad/gnetlist/patches/patch-aa b/cad/gnetlist/patches/patch-aa
new file mode 100644
index 00000000000..df6d548fcd8
--- /dev/null
+++ b/cad/gnetlist/patches/patch-aa
@@ -0,0 +1,76 @@
+$NetBSD: patch-aa,v 1.13 2008/11/30 23:48:00 dmcmahill Exp $
+
+Address privilege-escalation vulnerability (http://secunia.com/advisories/32806/)
+due to insecure temp file usage.
+
+Patch from upstream sources.
+--- scripts/sch2eaglepos.sh.orig 2007-12-30 02:49:04.000000000 +0000
++++ scripts/sch2eaglepos.sh
+@@ -1,17 +1,23 @@
+-#!/bin/bash
++#!/bin/sh
+ # By Braddock Gaskill (braddock@braddock.com), August 2004. This
+ # software is hereby declared to be in the public domain by Braddock
+ # Gaskill, the author.
+ FNAME="$1"
+ if [ -z "$FNAME" ]; then
+- echo "$0 <inputfile.sch>"
+- echo "This script will read a gschem schematic and attempt to
+- extract the relative positions of the components in the schematic,
+- and generate corresponding MOVE instructions for Eagle. You will
+- likely have to adjust XOFFSET, YOFFSET, XSCAL, and YSCALE at the
+- top of the script to obtain usable positions."
+- echo "By Braddock Gaskill (braddock@braddock.com), August 2004"
+- exit -1;
++ cat << EOF
++
++$0 <inputfile.sch>
++
++This script will read a gschem schematic and attempt to
++extract the relative positions of the components in the schematic,
++and generate corresponding MOVE instructions for Eagle. You will
++likely have to adjust XOFFSET, YOFFSET, XSCAL, and YSCALE at the
++top of the script to obtain usable positions.
++
++By Braddock Gaskill (braddock@braddock.com), August 2004
++
++EOF
++ exit -1
+ fi
+ XOFFSET=40000
+ YOFFSET=33000
+@@ -20,10 +26,24 @@ YOFFSET=33000
+ XSCALE=9000
+ YSCALE=9000
+
+-TMP=/tmp/$$
+-grep -B1 refdes= "$FNAME" |sed 's/=/ /' | cut -d" " -f2,3 |grep -v '^--' >/tmp/$$
++tmpdir=/tmp/$$
++mkdir -m 0700 -p $tmpdir
++rc=$?
++if test $rc -ne 0 ; then
++ cat << EOF
++
++$0: ERROR -- Failed to create $tmpdir with 0700 permissions. mkdir returned $rc.
+
+-3<$TMP
++Make sure that $tmpdir does not already exist and that you have permissions to
++create it.
++
++EOF
++ exit 1
++fi
++tmpf=${tmpdir}/tmpf
++grep -B1 refdes= "$FNAME" |sed 's/=/ /' | cut -d" " -f2,3 |grep -v '^--' >${tmpf}
++
++3<$tmpf
+ while read -u 3; do
+ # the directory on the client to backup
+ X=`echo $REPLY | cut -d' ' -f1`
+@@ -34,4 +54,5 @@ while read -u 3; do
+ Y=`echo "scale=5; ($Y - $YOFFSET) / $YSCALE" |bc`
+ echo "MOVE '$PART' ($X $Y);"
+ done
+-rm "$TMP"
++rm -fr "${tmpdir}"
++
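Review bot: `mkdir -m 0700 -p $tmpdir` still returns 0 when `/tmp/$$` already exists, because `-p` suppresses the "exists" error and leaves the existing directory's owner and mode untouched; the `rc` check and the "does not already exist" message therefore do not catch a directory created in advance by another local user under the predictable PID name. Dropping `-p` makes the check meaningful, and an unpredictable name is better still: `tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/sch2eaglepos.XXXXXX") || exit 1`. Separately, the shebang becomes `#!/bin/sh` while the loop keeps `read -u 3`, a bash/ksh extension, and the bare `3<$tmpf` line does not keep fd 3 open for the loop without `exec`; `while read -r REPLY; do` … `done <"$tmpf"` would avoid both, though part of the loop body lies outside the visible hunks. `$tmpdir` and `${tmpf}` are unquoted at the mkdir and redirect lines, and cleanup runs only on the normal path, so `trap 'rm -rf "$tmpdir"' EXIT` right after creation would cover early exits.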