authorsalo <salo>2005-10-05 11:45:46 +0000
committersalo <salo>2005-10-05 11:45:46 +0000
commit9d97f5d42523772f6bdae70b441736c8a124dd99 (patch)
treebbbb9cb6806e334b86a5393197ecae95b3520369 /multimedia/mpeg_encode/patches
parent2d877688a71a79a69f8d31f7df3870a195d999ad (diff)
downloadpkgsrc-9d97f5d42523772f6bdae70b441736c8a124dd99.tar.gz
Security fixes for SA17008:
"Vulnerabilities in Berkeley MPEG Tools can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to temporary files being created insecurely in "/tmp." http://secunia.com/advisories/17008/ http://www.gentoo.org/security/en/glsa/glsa-200510-02.xml Patches from Gentoo.
Diffstat (limited to 'multimedia/mpeg_encode/patches')
-rw-r--r--multimedia/mpeg_encode/patches/patch-ae6
-rw-r--r--multimedia/mpeg_encode/patches/patch-ah46
-rw-r--r--multimedia/mpeg_encode/patches/patch-ai22
-rw-r--r--multimedia/mpeg_encode/patches/patch-aj44
-rw-r--r--multimedia/mpeg_encode/patches/patch-ak44
-rw-r--r--multimedia/mpeg_encode/patches/patch-al31
-rw-r--r--multimedia/mpeg_encode/patches/patch-am46
-rw-r--r--multimedia/mpeg_encode/patches/patch-an49
8 files changed, 285 insertions, 3 deletions
diff --git a/multimedia/mpeg_encode/patches/patch-ae b/multimedia/mpeg_encode/patches/patch-ae
index d304801cdc7..14ae906fd68 100644
--- a/multimedia/mpeg_encode/patches/patch-ae
+++ b/multimedia/mpeg_encode/patches/patch-ae
@@ -1,7 +1,7 @@
-$NetBSD: patch-ae,v 1.1.1.1 2004/02/24 21:47:25 jmmv Exp $
+$NetBSD: patch-ae,v 1.2 2005/10/05 11:45:46 salo Exp $
---- convert/jmovie2jpeg.c.orig 1995-01-20 00:29:24.000000000 +0000
-+++ convert/jmovie2jpeg.c
+--- ../convert/jmovie2jpeg.c.orig 1995-01-20 00:29:24.000000000 +0000
++++ ../convert/jmovie2jpeg.c
@@ -283,12 +283,12 @@ static char inbuffer[300000] = {
if (fread (&(image_offset),sizeof(int),1,inFile) != 1)
{
diff --git a/multimedia/mpeg_encode/patches/patch-ah b/multimedia/mpeg_encode/patches/patch-ah
new file mode 100644
index 00000000000..b187426010c
--- /dev/null
+++ b/multimedia/mpeg_encode/patches/patch-ah
@@ -0,0 +1,46 @@
+$NetBSD: patch-ah,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/eyuvtojpeg.c.orig 1995-04-14 23:16:52.000000000 +0200
++++ ../convert/eyuvtojpeg.c 2005-10-05 13:20:02.000000000 +0200
+@@ -24,6 +24,7 @@
+ *==============*/
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <unistd.h>
+ #include <malloc.h>
+
+ typedef unsigned char uint8;
+@@ -46,8 +47,9 @@
+ void main(int argc, char **argv)
+ {
+ FILE *fpointer;
+- char command[256];
+- char src[256], dest[256];
++ char command[4096];
++ char src[4096], dest[4096], tempfile[4096];
++ int ret;
+
+ if ((strcmp(argv[1],"-?") == 0) ||
+ (strcmp(argv[1],"-h") == 0) ||
+@@ -98,13 +100,16 @@
+ YUVtoPPM();
+
+ fprintf(stdout, "Writing PPM\n");
+- fpointer = fopen("/tmp/foobar", "w");
++ sprintf(tempfile, "%s.tmp", dest);
++ fpointer = fopen(tempfile, "w");
+ WritePPM(fpointer);
+ fclose(fpointer);
+
+ fprintf(stdout, "Converting to JPEG %s\n", dest);
+- sprintf(command, "cjpeg /tmp/foobar > %s", dest);
+- system(command);
++ sprintf(command, "cjpeg %s > %s", tempfile, dest);
++ ret = system(command);
++ unlink(tempfile);
++ return ret;
+ }
+
+
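Review bot: The replacement temp file in eyuvtojpeg.c is still opened with `fopen(tempfile, "w")` on a predictable name (`<dest>.tmp`), which follows an existing symlink and truncates its target, so the fix only holds when the output directory is not writable by other users; patch-aj, patch-ak and patch-al use the same pattern. Creating the file exclusively and checking the result before `WritePPM()` closes that gap, as sketched below (it needs `<fcntl.h>`, and `fd` declared with the other locals). The `sprintf()` calls into the 4096-byte buffers remain unbounded; `dest` is filled outside the hunk, presumably from a command-line argument. `return ret;` is also added to a function that is still declared `void main`, whose body extends beyond the hunks shown.

```c
    /* … unchanged: YUVtoPPM() and the "Writing PPM" message … */
    if (snprintf(tempfile, sizeof(tempfile), "%s.tmp", dest) >= (int)sizeof(tempfile)) {
        fprintf(stderr, "Output name too long: %s\n", dest);
        exit(1);
    }
    /* O_EXCL refuses a pre-existing file or symlink at this name */
    fd = open(tempfile, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 || (fpointer = fdopen(fd, "w")) == NULL) {
        perror(tempfile);
        exit(1);
    }
    WritePPM(fpointer);
    fclose(fpointer);
    /* … unchanged: cjpeg command, system(), unlink() … */
```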
diff --git a/multimedia/mpeg_encode/patches/patch-ai b/multimedia/mpeg_encode/patches/patch-ai
new file mode 100644
index 00000000000..9a004a58f60
--- /dev/null
+++ b/multimedia/mpeg_encode/patches/patch-ai
@@ -0,0 +1,22 @@
+$NetBSD: patch-ai,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/eyuvtoppm.c.orig 1995-04-14 23:16:52.000000000 +0200
++++ ../convert/eyuvtoppm.c 2005-10-05 13:16:27.000000000 +0200
+@@ -99,13 +99,9 @@
+ fpointer = fopen(dest, "w");
+ if (fpointer == NULL) {
+ fprintf(stderr, "Problems opening %s!\n", dest);
+- fprintf(stderr, "Trying /tmp/foobar instead\n");
+- strcpy(dest, "/tmp/foobar");
+- fpointer = fopen(dest, "w");
+- if (fpointer == NULL) {
+- fprintf(stderr, "Nope, exiting.\n");
++ perror("");
+ exit(1);
+- }}
++ }
+
+ WritePPM(fpointer);
+ fclose(fpointer);
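Review bot: `perror("")` runs after `fprintf(stderr, ...)`, and a stdio call is allowed to change `errno`, so the reason printed may not be the one from the failed `fopen()`. Reporting it first, for example `perror(dest);` in place of the two calls, keeps the path and the real error together. The enclosing function starts and ends outside the hunk.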
diff --git a/multimedia/mpeg_encode/patches/patch-aj b/multimedia/mpeg_encode/patches/patch-aj
new file mode 100644
index 00000000000..20ab82b2d9a
--- /dev/null
+++ b/multimedia/mpeg_encode/patches/patch-aj
@@ -0,0 +1,44 @@
+$NetBSD: patch-aj,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/vidtoeyuv.c.orig 1995-01-20 04:25:39.000000000 +0100
++++ ../convert/vidtoeyuv.c 2005-10-05 13:16:27.000000000 +0200
+@@ -125,9 +125,9 @@
+ XImage *ximage;
+ char *tdata;
+ char *obase;
+- char ofname[256];
++ char ofname[4096], tempfile[4096];
+ int height, width;
+- char command[256];
++ char command[4096];
+ int nth;
+
+ if ((argc != 7) && (argc != 8))usage (argv[0]);
+@@ -223,9 +223,11 @@
+
+
+ sprintf(ofname, "%s%d.yuv", obase, i);
+- outFile = fopen("/tmp/foobar", "w");
++ sprintf(tempfile, "%s%d.yuv.tmp", obase, i);
++ outFile = fopen(tempfile, "w");
+ if (!outFile) {
+ perror("Couldn't open output file.");
++ exit(1);
+ }
+
+ for (r=0; r<height; r++) {
+@@ -241,9 +243,10 @@
+
+ free(tdata);
+
+- sprintf(command, "rawtoppm %d %d < /tmp/foobar | ppmtoyuv > %s",
+- width, height, ofname);
++ sprintf(command, "rawtoppm %d %d < %s | ppmtoyuv > %s",
++ width, height, tempfile, ofname);
+ system(command);
++ unlink(tempfile);
+
+ for (j=0; j<nth-1; j++) {
+ if (read (fd, &image, sizeof(image)) != sizeof(image)) {
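Review bot: The status of `system(command)` is discarded before `unlink(tempfile)`, so a failed `rawtoppm | ppmtoyuv` run silently removes the intermediate data and leaves a missing or partial `ofname`; patch-ah keeps the status in `ret`, while patch-ak and patch-al drop it in the same way. A check such as `if (system(command) != 0) fprintf(stderr, "conversion failed for %s\n", ofname);` before the unlink would surface it. `obase` is also embedded unquoted in a shell command line, so output names should come from trusted input only; where `obase` is set lies outside the hunk. The enclosing function starts and ends outside the hunks shown.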
diff --git a/multimedia/mpeg_encode/patches/patch-ak b/multimedia/mpeg_encode/patches/patch-ak
new file mode 100644
index 00000000000..1febc77357c
--- /dev/null
+++ b/multimedia/mpeg_encode/patches/patch-ak
@@ -0,0 +1,44 @@
+$NetBSD: patch-ak,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/vidtojpeg.c.orig 1995-01-20 04:25:40.000000000 +0100
++++ ../convert/vidtojpeg.c 2005-10-05 13:16:27.000000000 +0200
+@@ -123,9 +123,9 @@
+ XImage *ximage;
+ char *tdata;
+ char *obase;
+- char ofname[256];
++ char ofname[4096], tempfile[4096];
+ int height, width;
+- char command[256];
++ char command[4096];
+
+
+ if ((argc != 7) && (argc != 8))usage (argv[0]);
+@@ -221,9 +221,11 @@
+
+
+ sprintf(ofname, "%s.%d.jpeg", obase, i);
+- outFile = fopen("/tmp/foobar", "w");
++ sprintf(tempfile, "%s.%d.jpeg.tmp", obase, i);
++ outFile = fopen(tempfile, "w");
+ if (!outFile) {
+ perror("Couldn't open output file.");
++ exit(1);
+ }
+
+ for (r=0; r<height; r++) {
+@@ -239,9 +241,10 @@
+
+ free(tdata);
+
+- sprintf(command, "rawtoppm %d %d < /tmp/foobar | cjpeg > %s",
+- width, height, ofname);
++ sprintf(command, "rawtoppm %d %d < %s | cjpeg > %s",
++ width, height, tempfile, ofname);
+ system(command);
++ unlink(tempfile);
+ }
+ }
+
diff --git a/multimedia/mpeg_encode/patches/patch-al b/multimedia/mpeg_encode/patches/patch-al
new file mode 100644
index 00000000000..e5aa0e7e014
--- /dev/null
+++ b/multimedia/mpeg_encode/patches/patch-al
@@ -0,0 +1,31 @@
+$NetBSD: patch-al,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/vidtoppm.c.orig 1995-01-20 04:25:40.000000000 +0100
++++ ../convert/vidtoppm.c 2005-10-05 13:16:27.000000000 +0200
+@@ -220,9 +220,11 @@
+
+
+ sprintf(ofname, "%s%d.ppm", obase, i);
+- outFile = fopen("/tmp/foobar", "w");
++ sprintf(tempfile, "%s%d.ppm.tmp", obase, i);
++ outFile = fopen(tempfile, "w");
+ if (!outFile) {
+ perror("Couldn't open output file.");
++ exit(1);
+ }
+
+ for (r=0; r<height; r++) {
+@@ -238,8 +240,9 @@
+
+ free(tdata);
+
+- sprintf(command, "rawtoppm %d %d < /tmp/foobar > %s",
+- width, height, ofname);
++ sprintf(command, "rawtoppm %d %d < %s > %s",
++ width, height, tempfile, ofname);
+ system(command);
++ unlink(tempfile);
+ }
+ }
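Review bot: This patch uses `tempfile` in both vidtoppm.c hunks but, unlike patch-aj and patch-ak, has no hunk that declares it or enlarges `ofname` and `command`, so it will not compile unless vidtoppm.c already declares `tempfile` outside the visible lines. If the declarations match the sibling files before their fix (256-byte buffers, which is an inference), the longer command with two path names also overflows sooner. Adding the declaration hunk as in patch-aj, `char ofname[4096], tempfile[4096];` and `char command[4096];`, would resolve both.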
diff --git a/multimedia/mpeg_encode/patches/patch-am b/multimedia/mpeg_encode/patches/patch-am
new file mode 100644
index 00000000000..80d50d42c86
--- /dev/null
+++ b/multimedia/mpeg_encode/patches/patch-am
@@ -0,0 +1,46 @@
+$NetBSD: patch-am,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- parallel.c.orig 1995-08-16 20:22:11.000000000 +0200
++++ parallel.c 2005-10-05 13:25:40.000000000 +0200
+@@ -586,6 +586,8 @@
+ * SIDE EFFECTS: none
+ *
+ *===========================================================================*/
++/* internal hook into the ReadFrame function */
++void _ReadFrame(MpegFrame *frame, char *fileName, FILE *fileHook, char *conversion, boolean addPath);
+ void
+ GetRemoteFrame(frame, frameNumber)
+ MpegFrame *frame;
+@@ -615,8 +617,13 @@
+
+ if ( frameNumber != -1 ) {
+ if ( separateConversion ) {
+- sprintf(fileName, "/tmp/foobar%d", machineNumber);
+- filePtr = fopen(fileName, "wb");
++ int fd;
++ snprintf(fileName, sizeof(fileName), "/tmp/mpeg_encode_foobar%dXXXXXX", machineNumber);
++ fd = mkstemp(fileName);
++ if (fd == -1 || (filePtr = fdopen(fd, "wb")) == NULL) {
++ perror("ERROR: mpeg_encode->GetRemoteFrame");
++ exit(1);
++ }
+
+ /* read in stuff, SafeWrite to file, perform local conversion */
+ do {
+@@ -628,10 +635,12 @@
+ fwrite(smallBuffer, 1, numBytes, filePtr);
+ } while ( numBytes == 1000 );
+ fflush(filePtr);
+- fclose(filePtr);
++ rewind(filePtr);
+
+ /* now do slave conversion */
+- ReadFrame(frame, fileName, slaveConversion, FALSE);
++ _ReadFrame(frame, NULL, filePtr, slaveConversion, FALSE);
++ /* _ReadFrame() will close the file pointer for us */
++ /* fclose(filePtr); */
+ } else {
+ Frame_AllocYCC(frame);
+
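Review bot: `fdopen(fd, "wb")` yields a write-only stream, yet the hunk then calls `rewind(filePtr)` and passes the stream to `_ReadFrame()`, which per patch-an uses it as its input `ifp`; reads on a write-only stream fail. `mkstemp()` opens the descriptor read/write, so the mode should be `"w+b"`: `if (fd == -1 || (filePtr = fdopen(fd, "w+b")) == NULL) {`. The file created under /tmp is never removed in the visible lines; since it is only used through `filePtr`, `unlink(fileName);` right after a successful `mkstemp()` would avoid leaving one file per frame. GetRemoteFrame continues outside the hunk.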
diff --git a/multimedia/mpeg_encode/patches/patch-an b/multimedia/mpeg_encode/patches/patch-an
new file mode 100644
index 00000000000..041ec73ba89
--- /dev/null
+++ b/multimedia/mpeg_encode/patches/patch-an
@@ -0,0 +1,49 @@
+$NetBSD: patch-an,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- readframe.c.orig 1995-08-15 00:31:58.000000000 +0200
++++ readframe.c 2005-10-05 13:25:40.000000000 +0200
+@@ -227,14 +227,22 @@
+ * SIDE EFFECTS: none
+ *
+ *===========================================================================*/
++void _ReadFrame(MpegFrame *frame, char *fileName, FILE *fileHook, char *conversion, boolean addPath);
++
++void ReadFrame(MpegFrame *frame, char *fileName, char *conversion, boolean addPath)
++{
++ _ReadFrame(frame, fileName, NULL, conversion, addPath);
++}
++
+ void
+-ReadFrame(frame, fileName, conversion, addPath)
++_ReadFrame(frame, fileName, fileHook, conversion, addPath)
+ MpegFrame *frame;
+ char *fileName;
++ FILE *fileHook;
+ char *conversion;
+ boolean addPath;
+ {
+- FILE *ifp;
++ FILE *ifp = fileHook;
+ char command[1024];
+ char fullFileName[1024];
+ MpegFrame tempFrame;
+@@ -274,6 +282,9 @@
+ }
+ #endif
+
++ if (fileHook)
++ goto file_is_already_opened;
++
+ if ( fileType == ANY_FILE_TYPE ) {
+ char *convertPtr, *commandPtr, *charPtr;
+
+@@ -325,6 +336,7 @@
+ exit(1);
+ }
+
++file_is_already_opened:
+ switch(baseFormat) {
+ case YUV_FILE_TYPE:
+
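Review bot: `_ReadFrame` is a reserved identifier (leading underscore followed by an uppercase letter); a name such as `ReadFrameFromStream` would avoid that and would need the matching change in patch-am. The new prototype is paired with an old-style definition, and if `boolean` is narrower than `int` (its typedef is not visible here) the two are incompatible because of default argument promotions, so the definition is better written in prototype form. The code between the declarations and `goto file_is_already_opened` is outside the hunk and should be checked for uses of `fileName`, which GetRemoteFrame now passes as NULL. A comment at the label, e.g. `/* ifp was supplied by the caller and is closed below by this function */`, would record the ownership that patch-am relies on.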