diff options
author | salo <salo@pkgsrc.org> | 2006-02-02 12:08:14 +0000 |
---|---|---|
committer | salo <salo@pkgsrc.org> | 2006-02-02 12:08:14 +0000 |
commit | 082f8c9c2130090f8e42db2f99b2415450b168bb (patch) | |
tree | c92ab944d7a3837c920b22caac2f83282823cbc1 /mail/p5-Mail-Audit/patches | |
parent | 69c163eb40fab5cc359efb63615fa563822c187d (diff) | |
download | pkgsrc-082f8c9c2130090f8e42db2f99b2415450b168bb.tar.gz |
Security fix for SA18652 / CVE-2005-4536:
"Mail::Audit module logs to a temporary file with a predictable filename
in an insecure fashion when logging is turned on."
Patch from Debian.
Diffstat (limited to 'mail/p5-Mail-Audit/patches')
-rw-r--r-- | mail/p5-Mail-Audit/patches/patch-aa | 29 | ||||
-rw-r--r-- | mail/p5-Mail-Audit/patches/patch-ab | 38 |
2 files changed, 67 insertions, 0 deletions
diff --git a/mail/p5-Mail-Audit/patches/patch-aa b/mail/p5-Mail-Audit/patches/patch-aa new file mode 100644 index 00000000000..ccc30e263c7 --- /dev/null +++ b/mail/p5-Mail-Audit/patches/patch-aa @@ -0,0 +1,29 @@ +$NetBSD: patch-aa,v 1.1 2006/02/02 12:08:14 salo Exp $ + +Security fix for SA18656, from Debian. + +--- Audit.pm.orig 2002-03-03 18:11:20.000000000 +0100 ++++ Audit.pm 2006-02-02 12:48:52.000000000 +0100 +@@ -4,7 +4,13 @@ + + my $logging; + my $loglevel=3; +-my $logfile = "/tmp/".getpwuid($>)."-audit.log"; ++my $logfile; ++if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) { ++ $logfile = "$ENV{HOME}/.mail_audit.log" ++} ++else { ++ (undef,$logfile) = tempfile("mail_audit.log-XXXXX",TMPDIR=>1); ++} + + # ---------------------------------------------------------- + # no user-modifiable parts below this line. +@@ -18,6 +24,7 @@ + use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX); + # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity. if not, we'll be Mail::Internet. + use Fcntl ':flock'; ++use File::Temp qw(tempfile); + + $ASSUME_MSGPREFIX = 0; + diff --git a/mail/p5-Mail-Audit/patches/patch-ab b/mail/p5-Mail-Audit/patches/patch-ab new file mode 100644 index 00000000000..456e8e845bb --- /dev/null +++ b/mail/p5-Mail-Audit/patches/patch-ab @@ -0,0 +1,38 @@ +$NetBSD: patch-ab,v 1.1 2006/02/02 12:08:14 salo Exp $ + +Security fix for SA18656, from Debian. + +--- Audit/MimeEntity.pm.orig 2002-01-18 01:23:32.000000000 +0100 ++++ Audit/MimeEntity.pm 2006-02-02 12:48:52.000000000 +0100 +@@ -4,6 +4,7 @@ + + use strict; + use File::Path; ++use File::Temp qw(tempdir) + use MIME::Parser; + use MIME::Entity; + use Mail::Audit::MailInternet; +@@ -12,10 +13,12 @@ + + $VERSION = '2.0'; + +-$MIME_PARSER_TMPDIR = "/tmp/".getpwuid($>)."-mailaudit"; +- + my $parser = MIME::Parser->new(); + ++# Create a tempdir using File::Temp::tempdir, have it be destroyed at ++# END{} time. ++$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1); ++ + my @to_rmdir; + + sub autotype_new { +@@ -23,8 +26,6 @@ + my $mailinternet = shift; + + $parser->ignore_errors(1); +- mkdir ($MIME_PARSER_TMPDIR, 0777); +- if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = "/tmp" } + $parser->output_under($MIME_PARSER_TMPDIR); + + # todo: add eval error trapping. if there's a problem, return Mail::Audit::MailInternet as a fallback. |