Use official upstream patch for CVE-2006-5297 and CVE-2006-5298 security

issues from mutt GIT repo. Bump PKGREVISION.
author: salo <salo@pkgsrc.org> 2006-12-11 12:47:13 +0000
committer: salo <salo@pkgsrc.org> 2006-12-11 12:47:13 +0000
commit: 4027aab42d855115f4b50175bf30ed53461f7ebd (patch)
tree: 7becdd11433f76bc988e5f6759eed82235860dff /mail
parent: 9c7d1b525ffd6e1005f03e13337bc6c2ba981643 (diff)
download: pkgsrc-4027aab42d855115f4b50175bf30ed53461f7ebd.tar.gz
3 files changed, 88 insertions, 26 deletions
diff --git a/mail/mutt-devel/Makefile b/mail/mutt-devel/Makefile
index 40ee8e08f91..69b3879165e 100644
--- a/mail/mutt-devel/Makefile
+++ b/mail/mutt-devel/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.54 2006/11/07 09:27:11 joerg Exp $
+# $NetBSD: Makefile,v 1.55 2006/12/11 12:47:13 salo Exp $
 
 DISTNAME=		mutt-1.5.13
-PKGREVISION=		1
+PKGREVISION=		2
 CATEGORIES=		mail
 MUTT_SITES=		ftp://ftp.mutt.org/mutt/ \
 			ftp://ftp.stealth.net/pub/mirrors/ftp.mutt.org/pub/mutt/ \
diff --git a/mail/mutt-devel/distinfo b/mail/mutt-devel/distinfo
index 2eb0318b7ae..8e9bdd88d6c 100644
--- a/mail/mutt-devel/distinfo
+++ b/mail/mutt-devel/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.35 2006/11/03 18:19:07 tonio Exp $
+$NetBSD: distinfo,v 1.36 2006/12/11 12:47:13 salo Exp $
 
 SHA1 (mutt-1.5.13.tar.gz) = 6d5b88d33e1727bf0342c31f06d55d7a3d2d4e0a
 RMD160 (mutt-1.5.13.tar.gz) = 9327b7f928aad78a20c2395629113ac2519bb945
@@ -10,7 +10,7 @@ SHA1 (patch-aa) = 59d89dce24110be2927c8a1ea1fa5b780d644372
 SHA1 (patch-ab) = 67e0deb5af56830397d897979ac806f9c16fdbda
 SHA1 (patch-ac) = b48ff9f66ff2b483b5aa0c312e08bd22c7cf03be
 SHA1 (patch-ad) = ecfa994c7c5e494b6eb7356327b96de6559146fc
-SHA1 (patch-ae) = e207b279b4b6cf9bd29f5537beedb3f34453b62d
+SHA1 (patch-ae) = 1ff6efde4e7d380008c466800d6164b51a4b3414
 SHA1 (patch-ag) = 84637d95fa9aa0cf58a6e6b2c82b783efa21cf66
 SHA1 (patch-ah) = 4227c5768b900e58fa4a679e6ad67efc974a70b5
 SHA1 (patch-ai) = 7d9883198a22615fb1792a41fce3ee9821f48f08
diff --git a/mail/mutt-devel/patches/patch-ae b/mail/mutt-devel/patches/patch-ae
index 90dade48819..b67941237cb 100644
--- a/mail/mutt-devel/patches/patch-ae
+++ b/mail/mutt-devel/patches/patch-ae
@@ -1,29 +1,91 @@
-$NetBSD: patch-ae,v 1.7 2006/11/03 18:19:07 tonio Exp $
+$NetBSD: patch-ae,v 1.8 2006/12/11 12:47:13 salo Exp $
 
---- lib.c.orig	2002-04-29 18:12:18.000000000 +0100
-+++ lib.c	2006-11-01 13:22:51.000000000 +0000
-@@ -351,8 +351,8 @@
+Security fixes for CVE-2006-5297 and CVE-2006-5298, from mutt git.
+
+--- lib.c.orig	2006-05-18 20:44:29.000000000 +0200
++++ lib.c	2006-12-11 13:39:27.000000000 +0100
+@@ -481,13 +481,84 @@ int safe_rename (const char *src, const 
+   return 0;
+ }
+ 
++/* Create a temporary directory next to a file name */
++
++int mutt_mkwrapdir (const char *path, char *newfile, size_t nflen, 
++		    char *newdir, size_t ndlen)
++{
++  const char *basename;
++  char parent[_POSIX_PATH_MAX];
++  char *p;
++  int rv;
++
++  strfcpy (parent, NONULL (path), sizeof (parent));
++  
++  if ((p = strrchr (parent, '/')))
++  {
++    *p = '\0';
++    basename = p + 1;
++  }
++  else
++  {
++    strfcpy (parent, ".", sizeof (parent));
++    basename = path;
++  }
++
++  do 
++  {
++    snprintf (newdir, ndlen, "%s/%s", parent, ".muttXXXXXX");
++    mktemp (newdir);
++  } 
++  while ((rv = mkdir (newdir, 0700)) == -1 && errno == EEXIST);
++  
++  if (rv == -1)
++    return -1;
++  
++  snprintf (newfile, nflen, "%s/%s", newdir, NONULL(basename));
++  return 0;  
++}
++
++int mutt_put_file_in_place (const char *path, const char *safe_file, const char *safe_dir)
++{
++  int rv;
++  
++  rv = safe_rename (safe_file, path);
++  unlink (safe_file);
++  rmdir (safe_dir);
++  return rv;
++}
++
+ int safe_open (const char *path, int flags)
+ {
    struct stat osb, nsb;
    int fd;
  
--  if ((fd = open (path, flags, 0600)) < 0)
--    return fd;
-+  if ((fd = open (path, flags, S_IRUSR|S_IWUSR)) < 0)
-+    return (-1);
++  if (flags & O_EXCL) 
++  {
++    char safe_file[_POSIX_PATH_MAX];
++    char safe_dir[_POSIX_PATH_MAX];
++
++    if (mutt_mkwrapdir (path, safe_file, sizeof (safe_file),
++			safe_dir, sizeof (safe_dir)) == -1)
++      return -1;
++    
++    if ((fd = open (safe_file, flags, 0600)) < 0)
++    {
++      rmdir (safe_dir);
++      return fd;
++    }
++    
++    if (mutt_put_file_in_place (path, safe_file, safe_dir) == -1)
++    {
++      close (fd);
++      return -1;
++    }
++  }
++  else
++  {
+   if ((fd = open (path, flags, 0600)) < 0)
+     return fd;
++  }
  
    /* make sure the file is not symlink */
    if (lstat (path, &osb) < 0 || fstat (fd, &nsb) < 0 ||
-@@ -363,6 +363,13 @@
-     return (-1);
-   }
- 
-+  /* Make sure the file is owned by us and has save permissions. */
-+  if (nsb.st_uid != geteuid() ||
-+      (nsb.st_mode & (S_IRWXG|S_IRWXO)) != 0) {
-+    close (fd);
-+    return (-1);
-+  }
-+
-   return (fd);
- }
-
author	salo <salo@pkgsrc.org>	2006-12-11 12:47:13 +0000
committer	salo <salo@pkgsrc.org>	2006-12-11 12:47:13 +0000
commit	4027aab42d855115f4b50175bf30ed53461f7ebd (patch)
tree	7becdd11433f76bc988e5f6759eed82235860dff /mail
parent	9c7d1b525ffd6e1005f03e13337bc6c2ba981643 (diff)
download	pkgsrc-4027aab42d855115f4b50175bf30ed53461f7ebd.tar.gz