author | dholland <dholland@pkgsrc.org> | 2008-06-01 21:46:37 +0000 |
---|---|---|
committer | dholland <dholland@pkgsrc.org> | 2008-06-01 21:46:37 +0000 |
commit | 404db2c68f08d5c3c6251d8e1fd772d73bab2cca (patch) | |
tree | 4de30ea741897513c2484903d39abe38b17dbae8 /converters/uulib | |
parent | acab28d42baec465eeaca0a0798802fbfce37dbc (diff) | |
Fix insecure-temporary-files, as reported in Debian bug 480972.
PKGREVISION++.
Diffstat (limited to 'converters/uulib')
-rw-r--r-- | converters/uulib/Makefile | 4 | ||||
-rw-r--r-- | converters/uulib/distinfo | 4 | ||||
-rw-r--r-- | converters/uulib/patches/patch-ab | 17 | ||||
-rw-r--r-- | converters/uulib/patches/patch-ac | 83 |
4 files changed, 105 insertions, 3 deletions
diff --git a/converters/uulib/Makefile b/converters/uulib/Makefile index 1ccac90a098..2a7252bb31d 100644 --- a/converters/uulib/Makefile +++ b/converters/uulib/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.41 2007/09/18 19:44:40 heinz Exp $ +# $NetBSD: Makefile,v 1.42 2008/06/01 21:46:37 dholland Exp $ # DISTNAME= uudeview-0.5.20 PKGNAME= uulib-0.5.20 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= converters MASTER_SITES= http://www.fpx.de/fp/Software/UUDeview/download/ diff --git a/converters/uulib/distinfo b/converters/uulib/distinfo index 3a560196768..55da6ddf364 100644 --- a/converters/uulib/distinfo +++ b/converters/uulib/distinfo @@ -1,6 +1,8 @@ -$NetBSD: distinfo,v 1.9 2005/11/03 20:05:54 rillig Exp $ +$NetBSD: distinfo,v 1.10 2008/06/01 21:46:37 dholland Exp $ SHA1 (uudeview-0.5.20.tar.gz) = 2c6ab7d355b545218bd0877d598bd5327d9fd125 RMD160 (uudeview-0.5.20.tar.gz) = 9bb52fa3ad4979383ff16d1e8d8a302c5c794c66 Size (uudeview-0.5.20.tar.gz) = 261574 bytes SHA1 (patch-aa) = 8ea37995ef4426bcd008246b1465ad5428da7bd8 +SHA1 (patch-ab) = f23ca7945a0697dc8e49ba9c7765bfa655ed8566 +SHA1 (patch-ac) = 7322b738ba427515a508eff41cce4139d4fda86e diff --git a/converters/uulib/patches/patch-ab b/converters/uulib/patches/patch-ab new file mode 100644 index 00000000000..5fd392348ce --- /dev/null +++ b/converters/uulib/patches/patch-ab @@ -0,0 +1,17 @@ +$NetBSD: patch-ab,v 1.3 2008/06/01 21:46:37 dholland Exp $ + +--- uulib/fptools.c.orig 2004-02-23 19:05:32.000000000 -0500 ++++ uulib/fptools.c 2008-06-01 16:08:35.000000000 -0400 +@@ -517,6 +517,7 @@ + return number; + } + ++#if 0 /* insecure */ + /* + * tempnam is not ANSI, but tmpnam is. Ignore the prefix here. + */ +@@ -526,3 +527,4 @@ + { + return _FP_strdup (tmpnam (NULL)); + } ++#endif diff --git a/converters/uulib/patches/patch-ac b/converters/uulib/patches/patch-ac new file mode 100644 index 00000000000..dd4eadfa8a0 --- /dev/null +++ b/converters/uulib/patches/patch-ac 
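Review bot: In patch-ab the guard `#if 0 /* insecure */` disables `_FP_tempnam` but leaves its body and the old "tempnam is not ANSI" comment in place without recording why the function is unsafe or what replaces it. A comment such as `/* disabled: tmpnam() only returns a name, so the path can be created by someone else before it is opened; uunconc.c now uses mkstemp() */` would make that clear to the next maintainer. If fptools.h still declares `_FP_tempnam` (not visible here), a remaining caller would compile and only fail at link time, so the prototype is worth guarding the same way.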
@@ -0,0 +1,83 @@
+$NetBSD: patch-ac,v 1.1 2008/06/01 21:46:37 dholland Exp $
+
+--- uulib/uunconc.c.orig 2004-03-01 17:52:27.000000000 -0500
++++ uulib/uunconc.c 2008-06-01 17:05:57.000000000 -0400
+@@ -49,6 +49,7 @@
+ #include <errno.h>
+ #endif
+
++#include <paths.h>
+ #include <crc32.h>
+ #include <uudeview.h>
+ #include <uuint.h>
+@@ -1306,6 +1307,7 @@
+ {
+ int state=BEGIN, part=-1, res=0, hb;
+ long rsize, dsize, numbytes;
++ int dataoutfd;
+ FILE *datain, *dataout;
+ unsigned char r[8];
+ char *mode, *ntmp;
+@@ -1329,13 +1331,13 @@
+ else
+ mode = "wb"; /* otherwise in binary */
+
+- if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
++ if ((data->binfile = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) {
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NO_TEMP_NAME));
+ return UURET_NOMEM;
+ }
+
+- if ((dataout = fopen (data->binfile, mode)) == NULL) {
++ if ((dataoutfd = mkstemp (data->binfile)) < 0) {
+ /*
+ * we couldn't create a temporary file. Usually this means that TMP
+ * and TEMP aren't set
+@@ -1348,6 +1350,19 @@
+ uu_errno = errno;
+ return UURET_IOERR;
+ }
++
++ /* file now safely exists, reopen it using the right mode */
++ close (dataoutfd);
++ if ((dataout = fopen (data->binfile, mode)) < 0) {
++ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
++ uustring (S_WR_ERR_TARGET),
++ data->binfile, strerror (uu_errno = errno));
++ _FP_free (data->binfile);
++ data->binfile = NULL;
++ uu_errno = errno;
++ return UURET_IOERR;
++ }
++
+ /*
+ * we don't have begin lines in Base64 or plain text files.
+ */
+@@ -1496,7 +1511,7 @@
+ */
+
+ if (data->uudet == BH_ENCODED && data->binfile) {
+- if ((ntmp = tempnam (NULL, "uu")) == NULL) {
++ if ((ntmp = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) {
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NO_TEMP_NAME));
+ progress.action = 0;
+@@ -1510,6 +1525,17 @@
+ free (ntmp);
+ return UURET_IOERR;
+ }
++ if ((dataoutfd = mkstemp (ntmp)) < 0) {
++ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
++ uustring (S_NOT_OPEN_TARGET),
++ ntmp, strerror (uu_errno = errno));
++ progress.action = 0;
++ fclose (datain);
++ free (ntmp);
++ return UURET_IOERR;
++ }
++ /* file now safely exists; reopen it with the right mode */
++ close (dataoutfd);
+ if ((dataout = fopen (ntmp, "wb")) == NULL) {
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NOT_OPEN_TARGET), |
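Review bot: In the first reopen block of patch-ac the test `if ((dataout = fopen (data->binfile, mode)) < 0)` compares a `FILE *` with 0, so a failed fopen() is never detected and a NULL `dataout` would reach the later writes; it should be `== NULL`, as the second block already has. Both blocks also close the mkstemp() descriptor and reopen the file by path, which gives up the guarantee that the stream refers to the file mkstemp() created; `if ((dataout = fdopen (dataoutfd, mode)) == NULL) {` keeps that binding and drops the second open. The new error path frees `data->binfile` without `unlink (data->binfile);`, leaving an empty temporary file behind, and the fopen failure path for `ntmp`, which continues outside the hunk, probably needs the same. The template is fixed to `_PATH_TMP`, whereas tempnam() honoured TMPDIR, so the retained comment about TMP and TEMP no longer describes why creation can fail. The enclosing function starts and ends outside these hunks.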