Fix CVE-2008-0386 using patch from upstream repository.

Patch created by Makoto Fujiwara.

Bump PKGREVISION, set LICENSE.

4 files changed, 73 insertions, 2 deletions

diff --git a/misc/xdg-utils/Makefile b/misc/xdg-utils/Makefile
index 8422570c568..8ee945597df 100644
--- a/misc/xdg-utils/Makefile
+++ b/misc/xdg-utils/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2010/02/04 16:47:54 joerg Exp $
+# $NetBSD: Makefile,v 1.3 2011/04/05 09:13:42 wiz Exp $
 #
 
 DISTNAME=	xdg-utils-1.0.2
+PKGREVISION=	1
 CATEGORIES=	sysutils
 MASTER_SITES=	http://portland.freedesktop.org/download/
 EXTRACT_SUFX=	.tgz
@@ -9,6 +10,7 @@ EXTRACT_SUFX=	.tgz
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://portland.freedesktop.org/
 COMMENT=	Tools to assist applications with various desktop integration tasks
+LICENSE=	mit
 
 PKG_DESTDIR_SUPPORT=	user-destdir
 
diff --git a/misc/xdg-utils/distinfo b/misc/xdg-utils/distinfo
index a009207ba38..b8c6a1b8dbf 100644
--- a/misc/xdg-utils/distinfo
+++ b/misc/xdg-utils/distinfo
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.1.1.1 2008/12/09 15:04:56 wiz Exp $
+$NetBSD: distinfo,v 1.2 2011/04/05 09:13:42 wiz Exp $
 
 SHA1 (xdg-utils-1.0.2.tgz) = e41a04cbf9ff8d743397a2bc23c6ca82e8b59d2c
 RMD160 (xdg-utils-1.0.2.tgz) = 344482917e8c780613ec20b103f8e51322540c04
 Size (xdg-utils-1.0.2.tgz) = 282262 bytes
+SHA1 (patch-aa) = 2e615a88a2e564acc5ae2494bff5996b3a854b2a
+SHA1 (patch-ab) = 3fbfb21f4b1d774de446d899327db7404ef746b3
diff --git a/misc/xdg-utils/patches/patch-aa b/misc/xdg-utils/patches/patch-aa
new file mode 100644
index 00000000000..da993821cd5
--- /dev/null
+++ b/misc/xdg-utils/patches/patch-aa
@@ -0,0 +1,47 @@
+$NetBSD: patch-aa,v 1.1 2011/04/05 09:13:43 wiz Exp $
+
+ 2008-01-24 Kevin Krammer <kevin.krammer@gmx.at>
+     * Fixing security issue in xdg-email and xdg-open at replacing
+       parameter in $BROWSER
+
+diff --git a/scripts/xdg-email b/scripts/xdg-email
+index 87f0fc0..3b07f5d 100755
+--- a/scripts/xdg-email
++++ ./scripts/xdg-email
+@@ -435,7 +435,8 @@ open_generic()
+     for browser in $BROWSER; do
+         if [ x"$browser" != x"" ]; then
+ 
+-            browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++            IFS=' '
++            browser_with_arg=${browser//'%s'/"$1"}
+ 
+             if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+             else $browser_with_arg;
+@@ -495,7 +496,7 @@ while [ $# -gt 0 ] ; do
+             exit_failure_syntax "email address argument missing for --to"
+         fi
+         url_encode "$1"
+-        options="${options}to=${result}&" 
++        options="${options}to=${result}&"
+         shift
+         ;;
+ 
+@@ -531,7 +532,7 @@ while [ $# -gt 0 ] ; do
+             exit_failure_syntax "text argument missing for --body option"
+         fi
+         url_encode "$1"
+-        options="${options}body=${result}&" 
++        options="${options}body=${result}&"
+         shift
+         ;;
+ 
+@@ -575,7 +576,7 @@ done
+ 
+ if [ -z "${mailto}" ] ; then
+     # TO address is optional
+-    mailto="mailto:?"    
++    mailto="mailto:?"
+ fi
+ 
+ case $mailto in
diff --git a/misc/xdg-utils/patches/patch-ab b/misc/xdg-utils/patches/patch-ab
new file mode 100644
index 00000000000..50333edc6cf
--- /dev/null
+++ b/misc/xdg-utils/patches/patch-ab
@@ -0,0 +1,20 @@
+$NetBSD: patch-ab,v 1.1 2011/04/05 09:13:43 wiz Exp $
+
+ 2008-01-24 Kevin Krammer <kevin.krammer@gmx.at>
+     * Fixing security issue in xdg-email and xdg-open at replacing
+       parameter in $BROWSER
+
+diff --git a/scripts/xdg-open b/scripts/xdg-open
+index b124d6b..1456b7e 100755
+--- a/scripts/xdg-open
++++ ./scripts/xdg-open
+@@ -382,7 +382,8 @@ open_generic()
+     for browser in $BROWSER; do
+         if [ x"$browser" != x"" ]; then
+ 
+-            browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++            IFS=' '
++            browser_with_arg=${browser//'%s'/"$1"}
+ 
+             if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+             else $browser_with_arg;