authortez <tez>2011-07-19 21:09:38 +0000
committertez <tez>2011-07-19 21:09:38 +0000
commit5e90f5e1d0ba02fca2df2c417ed278ddcc7e0725 (patch)
tree48812fd7ba580839a73013860662d50d8b05381e /textproc/groff
parent90a877fb9213bfb4307ba691415f031e5d4b1df0 (diff)
downloadpkgsrc-5e90f5e1d0ba02fca2df2c417ed278ddcc7e0725.tar.gz
Fix many temporary file handling issues, including in pdfroff
(resolves CVE-2009-5044 / SA44999) Patches copied from: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2 Modified for pkgsrc and excluded a documentation change to doc/groff.texinfo that changes a `makeinfo' is too old warning into a fatal error. Added patch to make pdfroff.sh use -dSAFER See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538338 for details.
Diffstat (limited to 'textproc/groff')
-rw-r--r--textproc/groff/Makefile6
-rw-r--r--textproc/groff/distinfo16
-rw-r--r--textproc/groff/patches/patch-config.guess28
-rw-r--r--textproc/groff/patches/patch-configure49
-rw-r--r--textproc/groff/patches/patch-contrib_eqn2graph_eqn2graph.sh20
-rw-r--r--textproc/groff/patches/patch-contrib_gdiffmk_tests_runtests.in23
-rw-r--r--textproc/groff/patches/patch-contrib_grap2graph_grap2graph.sh20
-rw-r--r--textproc/groff/patches/patch-contrib_groffer_perl_groffer.pl37
-rw-r--r--textproc/groff/patches/patch-contrib_groffer_perl_roff2.pl20
-rw-r--r--textproc/groff/patches/patch-contrib_pdfmark_pdfroff.man42
-rw-r--r--textproc/groff/patches/patch-contrib_pdfmark_pdfroff.sh52
-rw-r--r--textproc/groff/patches/patch-contrib_pic2graph_pic2graph.sh20
-rw-r--r--textproc/groff/patches/patch-doc_fixinfo.sh22
-rw-r--r--textproc/groff/patches/patch-doc_groff.info-224
-rw-r--r--textproc/groff/patches/patch-gendef.sh35
-rw-r--r--textproc/groff/patches/patch-src_roff_groff_pipeline.c19
16 files changed, 430 insertions, 3 deletions
diff --git a/textproc/groff/Makefile b/textproc/groff/Makefile
index 98e1317ccb1..a7c8b650ee7 100644
--- a/textproc/groff/Makefile
+++ b/textproc/groff/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.57 2011/04/26 12:07:14 obache Exp $
+# $NetBSD: Makefile,v 1.58 2011/07/19 21:09:38 tez Exp $
#
DISTNAME= groff-1.20.1
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= textproc
MASTER_SITES= ${MASTER_SITE_GNU:=groff/}
@@ -61,10 +61,12 @@ CONFIGURE_ENV+= PAGE=${PAPERSIZE:Q}
# "operating-system" is for the default .Os value (operating system
# and version/release) and is usually displayed at bottom of man page.
# XXX Use "pkgsrc" as default .Os value.
+# Also, avoid having pre-patched groff.info-2 installed (install uses wildcard)
post-patch:
${SED} -e "s,@@VOLUME_OPERATING_SYSTEM@@,${OPSYS},g" \
-e "s,@@OPERATING_SYSTEM@@,pkgsrc,g" \
${FILESDIR}/mdoc.local > ${WRKDIR}/mdoc.local
+ @${RM} ${WRKSRC}/doc/groff.info-2.orig
# Groff installs its own man and ms macros as mgan and mgs if the
# configure script thinks replacing the system ones is not safe. Since
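Review bot: The added `@${RM} ${WRKSRC}/doc/groff.info-2.orig` has no `-f`, so the post-patch target fails if the backup file is absent, for example if patch is run without creating backups or patch-doc_groff.info-2 is later dropped. `@${RM} -f ${WRKSRC}/doc/groff.info-2.orig` avoids that. This assumes `${RM}` does not already carry `-f`, which is not visible on this page.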
diff --git a/textproc/groff/distinfo b/textproc/groff/distinfo
index 78f5d4cb921..86f29d54f22 100644
--- a/textproc/groff/distinfo
+++ b/textproc/groff/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2009/10/21 16:51:46 tnn Exp $
+$NetBSD: distinfo,v 1.15 2011/07/19 21:09:38 tez Exp $
SHA1 (groff-1.20.1.tar.gz) = 3066587d73df73c2bda235034f4515cf52d22549
RMD160 (groff-1.20.1.tar.gz) = ec311727206d183fb04f1b4bd01c1284142fdb52
@@ -7,3 +7,17 @@ SHA1 (patch-aa) = 3c74f1b8e809da5359d4702f0f5f299593601209
SHA1 (patch-ab) = 35f8a7f724ab13bedda8ad8bc54bcbede37f12c7
SHA1 (patch-ac) = 7c29e3ca0c0a2e5389ff436ff5c15c9a0a4d7581
SHA1 (patch-ae) = 777b9b4d5f39da5acf8d79616ae9d42025772fc5
+SHA1 (patch-config.guess) = 212dccdaed0d96c5d3c7fb126caeba3c3c20f006
+SHA1 (patch-configure) = 55900f2d427729fe913fe27abbbaec8b728949a7
+SHA1 (patch-contrib_eqn2graph_eqn2graph.sh) = 88b8f06f29448dabed66922cc494412662b15431
+SHA1 (patch-contrib_gdiffmk_tests_runtests.in) = 791c07909912a8ff0c98f6846f14de1fbc0fb7b0
+SHA1 (patch-contrib_grap2graph_grap2graph.sh) = 5b5a5ac958edc8d4f5e828b57198178bda8bb970
+SHA1 (patch-contrib_groffer_perl_groffer.pl) = 2583145fe594a11619cf237ca38a20bbbfee17f1
+SHA1 (patch-contrib_groffer_perl_roff2.pl) = 8ee9d4bba3c25a391b406e4dfac6352d414f7263
+SHA1 (patch-contrib_pdfmark_pdfroff.man) = c2a48a9f16650044a493d23192d9c00c2dabbc67
+SHA1 (patch-contrib_pdfmark_pdfroff.sh) = 0f23f02561913aaf9fabd2f41236de62b79bdf71
+SHA1 (patch-contrib_pic2graph_pic2graph.sh) = 447e25325f3c26be1e5fa8b6cd0bc05d9f99474e
+SHA1 (patch-doc_fixinfo.sh) = 7ad376be722b712b129f736804b9c8c30789da2d
+SHA1 (patch-doc_groff.info-2) = a5e366af0bc9ee018664d2ba9192b136980af6ce
+SHA1 (patch-gendef.sh) = c5cbd81faa496764816d538913cb560376ead218
+SHA1 (patch-src_roff_groff_pipeline.c) = 1ce068b8548240a8a6bbd0095fb15b5792b9d0f1
diff --git a/textproc/groff/patches/patch-config.guess b/textproc/groff/patches/patch-config.guess
new file mode 100644
index 00000000000..574ee47bd1a
--- /dev/null
+++ b/textproc/groff/patches/patch-config.guess
@@ -0,0 +1,28 @@
+$NetBSD: patch-config.guess,v 1.1 2011/07/19 21:09:38 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- config.guess.orig 2009-01-09 14:25:52.000000000 +0000
++++ config.guess
+@@ -104,13 +104,9 @@ trap 'exit 1' 1 2 15
+ # Portable tmp directory creation inspired by the Autoconf team.
+
+ set_cc_for_build='
+-trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+-trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+-: ${TMPDIR=/tmp} ;
+- { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+- { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+- { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+- { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
++trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" EXIT ;
++trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" PIPE HUP INT QUIT TERM ;
++tmp="`mktemp -dt cg.XXXXXXXXXX`" || exit ;
+ dummy=$tmp/dummy ;
+ tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+ case $CC_FOR_BUILD,$HOST_CC,$CC in
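Review bot: The bare `|| exit` after the new `mktemp -dt cg.XXXXXXXXXX` call drops the diagnostic that the removed fallback chain printed, so on a host where mktemp is missing or fails the script stops without saying why. Keeping a message, e.g. `|| { echo "$me: cannot create a temporary directory" >&2 ; exit 1 ; } ;`, would preserve that. The `-t` option is also not uniform across mktemp implementations (some treat its argument as a prefix rather than a template), which deserves a comment because config.guess runs on many platforms. The same silent `|| exit` appears in the configure, runtests.in, fixinfo.sh and gendef.sh patches in this commit.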
diff --git a/textproc/groff/patches/patch-configure b/textproc/groff/patches/patch-configure
new file mode 100644
index 00000000000..37187b0f4f3
--- /dev/null
+++ b/textproc/groff/patches/patch-configure
@@ -0,0 +1,49 @@
+$NetBSD: patch-configure,v 1.1 2011/07/19 21:09:38 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- configure.orig 2009-01-09 14:25:52.000000000 +0000
++++ configure
+@@ -12937,33 +12937,12 @@ if $ac_need_defaults; then
+ test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
+ fi
+
+-# Have a temporary directory for convenience. Make it in the build tree
+-# simply because there is no reason against having it here, and in addition,
+-# creating and moving files from /tmp can sometimes cause problems.
+-# Hook for its removal unless debugging.
+-# Note that there is a small window in which the directory will not be cleaned:
+-# after its creation but before its name has been assigned to `$tmp'.
++# Create a temporary directory, and hook for its removal unless debugging.
++tmp="`mktemp -dt cs.XXXXXXXXXX`" || exit
+ $debug ||
+ {
+- tmp=
+- trap 'exit_status=$?
+- { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+-' 0
+- trap '{ (exit 1); exit 1; }' 1 2 13 15
+-}
+-# Create a (secure) tmp directory for tmp files.
+-
+-{
+- tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
+- test -n "$tmp" && test -d "$tmp"
+-} ||
+-{
+- tmp=./conf$$-$RANDOM
+- (umask 077 && mkdir "$tmp")
+-} ||
+-{
+- $as_echo "$as_me: cannot create a temporary directory in ." >&2
+- { (exit 1); exit 1; }
++ trap 'exit_status=$?; rm -rf -- "$tmp" && exit $exit_status' EXIT
++ trap '{ (exit $?); exit $?; }' HUP INT QUIT PIPE TERM
+ }
+
+ # Set up the scripts for CONFIG_FILES section.
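Review bot: The new signal trap `trap '{ (exit $?); exit $?; }' HUP INT QUIT PIPE TERM` exits with whatever `$?` holds when the signal arrives, which can be 0, so an interrupted run may report success; the removed code always exited 1. `trap '{ (exit 1); exit 1; }' HUP INT QUIT PIPE TERM` keeps the old behaviour. Separately, `tmp` is now created before the `$debug ||` block, so with debugging enabled the directory is created outside the build tree and no trap removes it; a one-line comment stating that this is intended would help.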
diff --git a/textproc/groff/patches/patch-contrib_eqn2graph_eqn2graph.sh b/textproc/groff/patches/patch-contrib_eqn2graph_eqn2graph.sh
new file mode 100644
index 00000000000..d7f336c5142
--- /dev/null
+++ b/textproc/groff/patches/patch-contrib_eqn2graph_eqn2graph.sh
@@ -0,0 +1,20 @@
+$NetBSD: patch-contrib_eqn2graph_eqn2graph.sh,v 1.1 2011/07/19 21:09:38 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- contrib/eqn2graph/eqn2graph.sh.orig 2009-01-09 14:25:52.000000000 +0000
++++ contrib/eqn2graph/eqn2graph.sh
+@@ -69,6 +69,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
+
+ tmp=$d/eqn2graph$$-$RANDOM
+ (umask 077 && mkdir $tmp) 2> /dev/null && break
++
++ tmp=
+ done;
+ if test -z "$tmp"; then
+ echo "$0: cannot create temporary directory" >&2
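Review bot: The added `tmp=` inside the loop needs a comment, because its purpose is easy to miss: without it, a failed `mkdir` on the last candidate leaves `tmp` non-empty and the `test -z "$tmp"` check below passes for a directory the script did not create. Suggested comment: `# clear tmp so a failed mkdir is not mistaken for success`. The `mkdir $tmp` line above it is still unquoted, so a candidate directory containing whitespace would be split; `mkdir "$tmp"` is safer. The same applies to the identical hunks in grap2graph.sh and pic2graph.sh. The loop header is cut off in the hunk, so how empty candidates are skipped is not visible here.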
diff --git a/textproc/groff/patches/patch-contrib_gdiffmk_tests_runtests.in b/textproc/groff/patches/patch-contrib_gdiffmk_tests_runtests.in
new file mode 100644
index 00000000000..fc3de4fe970
--- /dev/null
+++ b/textproc/groff/patches/patch-contrib_gdiffmk_tests_runtests.in
@@ -0,0 +1,23 @@
+$NetBSD: patch-contrib_gdiffmk_tests_runtests.in,v 1.1 2011/07/19 21:09:38 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- contrib/gdiffmk/tests/runtests.in.orig 2009-01-09 14:25:53.000000000 +0000
++++ contrib/gdiffmk/tests/runtests.in
+@@ -56,8 +56,9 @@ function TestResult {
+ fi
+ }
+
+-tmpfile=/tmp/$$
+-trap 'rm -f ${tmpfile}' 0 1 2 3 15
++tmpfile="`mktemp -t gdiffmk-runtests.XXXXXXXXXX`" || exit
++trap 'rm -f -- "$tmpfile"' EXIT
++trap 'trap - EXIT; rm -f -- "$tmpfile"; exit 1' HUP INT QUIT TERM
+
+ # Run tests.
+
diff --git a/textproc/groff/patches/patch-contrib_grap2graph_grap2graph.sh b/textproc/groff/patches/patch-contrib_grap2graph_grap2graph.sh
new file mode 100644
index 00000000000..b7f8ff5bc5d
--- /dev/null
+++ b/textproc/groff/patches/patch-contrib_grap2graph_grap2graph.sh
@@ -0,0 +1,20 @@
+$NetBSD: patch-contrib_grap2graph_grap2graph.sh,v 1.1 2011/07/19 21:09:38 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- contrib/grap2graph/grap2graph.sh.orig 2009-01-09 14:25:52.000000000 +0000
++++ contrib/grap2graph/grap2graph.sh
+@@ -65,6 +65,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
+
+ tmp=$d/grap2graph$$-$RANDOM
+ (umask 077 && mkdir $tmp) 2> /dev/null && break
++
++ tmp=
+ done;
+ if test -z "$tmp"; then
+ echo "$0: cannot create temporary directory" >&2
diff --git a/textproc/groff/patches/patch-contrib_groffer_perl_groffer.pl b/textproc/groff/patches/patch-contrib_groffer_perl_groffer.pl
new file mode 100644
index 00000000000..fec7ac18893
--- /dev/null
+++ b/textproc/groff/patches/patch-contrib_groffer_perl_groffer.pl
@@ -0,0 +1,37 @@
+$NetBSD: patch-contrib_groffer_perl_groffer.pl,v 1.1 2011/07/19 21:09:38 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- contrib/groffer/perl/groffer.pl.orig 2009-01-09 14:25:52.000000000 +0000
++++ contrib/groffer/perl/groffer.pl
+@@ -1380,7 +1380,7 @@ sub _check_prog_on_list {
+ ########################################################################
+
+ sub main_temp {
+- my $template = 'groffer_' . "$$" . '_XXXX';
++ my $template = 'groffer_' . "$$" . '_XXXXXXXXXX';
+ foreach ($ENV{'GROFF_TMPDIR'}, $ENV{'TMPDIR'}, $ENV{'TMP'}, $ENV{'TEMP'},
+ $ENV{'TEMPDIR'}, File::Spec->catfile($ENV{'HOME'}, 'tmp')) {
+ if ($_ && -d $_ && -w $_) {
+@@ -1411,12 +1411,12 @@ sub main_temp {
+
+ # further argument: SUFFIX => '.sh'
+ if ($Debug{'KEEP'}) {
+- ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', DIR => $tmpdir);
+- ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', DIR => $tmpdir);
++ ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', DIR => $tmpdir);
++ ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', DIR => $tmpdir);
+ } else {
+- ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', UNLINK => 1,
++ ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', UNLINK => 1,
+ DIR => $tmpdir);
+- ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', UNLINK => 1,
++ ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', UNLINK => 1,
+ DIR => $tmpdir);
+ }
+ } # main_temp()
diff --git a/textproc/groff/patches/patch-contrib_groffer_perl_roff2.pl b/textproc/groff/patches/patch-contrib_groffer_perl_roff2.pl
new file mode 100644
index 00000000000..6cb0bc9c3d1
--- /dev/null
+++ b/textproc/groff/patches/patch-contrib_groffer_perl_roff2.pl
@@ -0,0 +1,20 @@
+$NetBSD: patch-contrib_groffer_perl_roff2.pl,v 1.1 2011/07/19 21:09:39 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- contrib/groffer/perl/roff2.pl.orig 2009-01-09 14:25:52.000000000 +0000
++++ contrib/groffer/perl/roff2.pl
+@@ -124,7 +124,7 @@ if ($Has_Groffer) {
+ last;
+ }
+ }
+- my $template = $Name . '_XXXX';
++ my $template = $Name . '_XXXXXXXXXX';
+ my ($fh, $stdin);
+ if ($tempdir) {
+ ($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||
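Review bot: The context line `($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||` puts `tempfile` on the left of `||`, which evaluates it in scalar context; File::Temp then returns only the filehandle, so `$stdin` would not receive the file name. Using the low-precedence `or` in place of `||` keeps the list assignment intact. The statement continues past the end of the hunk, so the right-hand side is not visible and this should be checked against the full file.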
diff --git a/textproc/groff/patches/patch-contrib_pdfmark_pdfroff.man b/textproc/groff/patches/patch-contrib_pdfmark_pdfroff.man
new file mode 100644
index 00000000000..a648938d0ec
--- /dev/null
+++ b/textproc/groff/patches/patch-contrib_pdfmark_pdfroff.man
@@ -0,0 +1,42 @@
+$NetBSD: patch-contrib_pdfmark_pdfroff.man,v 1.1 2011/07/19 21:09:39 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+Added patch to make pdfroff.sh use -dSAFER
+See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538338 for why.
+
+--- contrib/pdfmark/pdfroff.man.orig 2009-01-09 14:25:52.000000000 +0000
++++ contrib/pdfmark/pdfroff.man
+@@ -521,7 +521,7 @@ defaults to
+ .IP
+ .I
+ .ad l
+-.NH gs \-dBATCH \-dQUIET \-dNOPAUSE \-sDEVICE=pdfwrite \-sOutputFile=\-
++.NH gs \-dBATCH \-dQUIET \-dNOPAUSE \-dSAFER \-sDEVICE=pdfwrite \-sOutputFile=\-
+ .ad
+ .RE
+ .
+@@ -529,7 +529,7 @@ defaults to
+ .B GROFF_TMPDIR
+ Identifies the directory in which
+ .B pdfroff
+-should create temporary files.
++should create a subdirectory for its temporary files.
+ If
+ .B \%GROFF_TMPDIR
+ is
+@@ -541,7 +541,8 @@ and
+ .B TEMP
+ are considered in turn, as possible temporary file repositories.
+ If none of these are set, then temporary files are created
+-in the current directory.
++in a subdirectory of
++.BR /tmp .
+ .
+ .TP
+ .B GROFF_GHOSTSCRIPT_INTERPRETER
diff --git a/textproc/groff/patches/patch-contrib_pdfmark_pdfroff.sh b/textproc/groff/patches/patch-contrib_pdfmark_pdfroff.sh
new file mode 100644
index 00000000000..0b8a53a2fc5
--- /dev/null
+++ b/textproc/groff/patches/patch-contrib_pdfmark_pdfroff.sh
@@ -0,0 +1,52 @@
+$NetBSD: patch-contrib_pdfmark_pdfroff.sh,v 1.1 2011/07/19 21:09:39 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+Added patch to make pdfroff.sh use -dSAFER
+See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538338 for why.
+
+--- contrib/pdfmark/pdfroff.sh.orig 2009-01-09 14:25:52.000000000 +0000
++++ contrib/pdfmark/pdfroff.sh
+@@ -137,7 +137,15 @@
+ #
+ # Set up temporary/intermediate file locations.
+ #
+- WRKFILE=${GROFF_TMPDIR=${TMPDIR-${TMP-${TEMP-"."}}}}/pdf$$.tmp
++ MYTMPDIR=${GROFF_TMPDIR-${TMPDIR-${TMP-${TEMP-"/tmp"}}}}
++ WRKDIR="`unset TMPDIR && mktemp -dp "$MYTMPDIR" groff-pdfroff.XXXXXXXXXX`" || exit
++
++ trap 'rm -rf -- "$WRKDIR"' EXIT
++ trap 'trap - EXIT; rm -rf -- "$WRKDIR"; exit 1' HUP INT QUIT PIPE TERM
++
++ GROFF_TMPDIR=${WRKDIR}
++
++ WRKFILE=${GROFF_TMPDIR}/pdf$$.tmp
+ #
+ REFCOPY=${GROFF_TMPDIR}/pdf$$.cmp
+ REFFILE=${GROFF_TMPDIR}/pdf$$.ref
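Review bot: `MYTMPDIR=${GROFF_TMPDIR-${TMPDIR-${TMP-${TEMP-"/tmp"}}}}` falls through only for unset variables, so a variable that is set but empty yields an empty `MYTMPDIR` and an empty argument to `mktemp -dp`, whose handling depends on the mktemp implementation. Testing for the empty value first, e.g. `test -n "$MYTMPDIR" || MYTMPDIR=/tmp`, makes the result predictable. The `|| exit` after the mktemp call also gives no message, while the rest of the script reports through `$SAY`; a short diagnostic on stderr before exiting would help.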
+@@ -146,11 +154,6 @@
+ TC_DATA=${GROFF_TMPDIR}/pdf$$.tc
+ BD_DATA=${GROFF_TMPDIR}/pdf$$.ps
+ #
+-# Set a trap, to delete temporary files on exit.
+-# (FIXME: may want to include other signals, in released version).
+-#
+- trap "rm -f ${GROFF_TMPDIR}/pdf$$.*" 0
+-#
+ # Initialise 'groff' format control settings,
+ # to discriminate table of contents and document body formatting passes.
+ #
+@@ -597,7 +600,7 @@
+ $SAY >&2 $n "Writing PDF output ..$c"
+ if test -z "$PDFROFF_POSTPROCESSOR_COMMAND"
+ then
+- PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE
++ PDFROFF_POSTPROCESSOR_COMMAND="$GS -dQUIET -dBATCH -dNOPAUSE -dSAFER
+ -sDEVICE=pdfwrite -sOutputFile="${PDF_OUTPUT-"-"}
+
+ elif test -n "$PDF_OUTPUT"
diff --git a/textproc/groff/patches/patch-contrib_pic2graph_pic2graph.sh b/textproc/groff/patches/patch-contrib_pic2graph_pic2graph.sh
new file mode 100644
index 00000000000..b98a4e1c9d3
--- /dev/null
+++ b/textproc/groff/patches/patch-contrib_pic2graph_pic2graph.sh
@@ -0,0 +1,20 @@
+$NetBSD: patch-contrib_pic2graph_pic2graph.sh,v 1.1 2011/07/19 21:09:39 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- contrib/pic2graph/pic2graph.sh.orig 2009-01-09 14:25:52.000000000 +0000
++++ contrib/pic2graph/pic2graph.sh
+@@ -80,6 +80,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
+ tmp=$d/pic2graph$$-$RANDOM
+ (umask 077 && mkdir $tmp) 2> /dev/null \
+ && break
++
++ tmp=
+ done;
+ if test -z "$tmp"; then
+ echo "$0: cannot create temporary directory" >&2
diff --git a/textproc/groff/patches/patch-doc_fixinfo.sh b/textproc/groff/patches/patch-doc_fixinfo.sh
new file mode 100644
index 00000000000..2a6ee7870c4
--- /dev/null
+++ b/textproc/groff/patches/patch-doc_fixinfo.sh
@@ -0,0 +1,22 @@
+$NetBSD: patch-doc_fixinfo.sh,v 1.1 2011/07/19 21:09:39 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- doc/fixinfo.sh.orig 2009-01-09 14:25:52.000000000 +0000
++++ doc/fixinfo.sh
+@@ -21,7 +21,9 @@
+ # groff.texinfo macro code. Hopefully, a new texinfo version makes it
+ # unnecessary.
+
+-t=${TMPDIR-.}/gro$$.tmp
++t="`mktemp -t groff-fixinfo.XXXXXXXXXX`" || exit
++trap 'rm -f -- "$t"' EXIT
++trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
+
+ cat $1 | sed '
+ 1 {
diff --git a/textproc/groff/patches/patch-doc_groff.info-2 b/textproc/groff/patches/patch-doc_groff.info-2
new file mode 100644
index 00000000000..023d7003b0e
--- /dev/null
+++ b/textproc/groff/patches/patch-doc_groff.info-2
@@ -0,0 +1,24 @@
+$NetBSD: patch-doc_groff.info-2,v 1.1 2011/07/19 21:09:39 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- doc/groff.info-2 2009-01-09 14:25:55.000000000 +0000
++++ doc/groff.info-2
+@@ -1516,9 +1516,9 @@ not there, `groff' would not know when t
+
+
+ .sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
+- (localtime(time))[2,1,0]' > /tmp/x\n[$$]
+- .so /tmp/x\n[$$]
+- .sy rm /tmp/x\n[$$]
++ (localtime(time))[2,1,0]' > timefile\n[$$]
++ .so timefile\n[$$]
++ .sy rm timefile\n[$$]
+ \nH:\nM:\nS
+
+ Note that this works by having the `perl' script (run by `sy')
diff --git a/textproc/groff/patches/patch-gendef.sh b/textproc/groff/patches/patch-gendef.sh
new file mode 100644
index 00000000000..328472728e3
--- /dev/null
+++ b/textproc/groff/patches/patch-gendef.sh
@@ -0,0 +1,35 @@
+$NetBSD: patch-gendef.sh,v 1.1 2011/07/19 21:09:40 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- gendef.sh.orig 2009-01-09 14:25:52.000000000 +0000
++++ gendef.sh
+@@ -34,11 +34,9 @@ do
+ #define $def"
+ done
+
+-# Use $TMPDIR if defined. Default to cwd, for non-Unix systems
+-# which don't have /tmp on each drive (we are going to remove
+-# the file before we exit anyway). Put the PID in the basename,
+-# since the extension can only hold 3 characters on MS-DOS.
+-t=${TMPDIR-.}/gro$$.tmp
++t="`mktemp -t groff-gendef.XXXXXXXXXX`" || exit
++trap 'rm -f -- "$t"' EXIT
++trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
+
+ sed -e 's/=/ /' >$t <<EOF
+ $defs
+@@ -46,8 +44,6 @@ EOF
+
+ test -r $file && cmp -s $t $file || cp $t $file
+
+-rm -f $t
+-
+ exit 0
+
+ # eof
diff --git a/textproc/groff/patches/patch-src_roff_groff_pipeline.c b/textproc/groff/patches/patch-src_roff_groff_pipeline.c
new file mode 100644
index 00000000000..bd429e64454
--- /dev/null
+++ b/textproc/groff/patches/patch-src_roff_groff_pipeline.c
@@ -0,0 +1,19 @@
+$NetBSD: patch-src_roff_groff_pipeline.c,v 1.1 2011/07/19 21:09:40 tez Exp $
+
+Fix many temporary file handling issues, including in pdfroff
+(resolves CVE-2009-5044 / SA44999)
+Patches copied from:
+ http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2
+Modified for pkgsrc and excluded a documentaion change to doc/groff.texinfo
+that changes a `makeinfo' is too old warning into a fatal error.
+
+--- src/roff/groff/pipeline.c.orig 2009-01-09 14:25:52.000000000 +0000
++++ src/roff/groff/pipeline.c
+@@ -378,6 +378,7 @@ int run_pipeline(int ncommands, char ***
+ /* Don't use `tmpnam' here: Microsoft's implementation yields unusable
+ file names if current directory is on network share with read-only
+ root. */
++#error AUDIT: This code is only compiled under DOS
+ tmpfiles[0] = tempnam(tmpdir, NULL);
+ tmpfiles[1] = tempnam(tmpdir, NULL);
+
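Review bot: The added `#error AUDIT: This code is only compiled under DOS` stops this branch from building but does not say why, and the two `tempnam(tmpdir, NULL)` calls after it are left as they were. `tempnam` only returns a name, so whatever opens the file later must create it exclusively; the message should state that, e.g. `#error "AUDIT: tempnam() names below are race-prone; DOS-only path not reviewed"`. The preprocessor guard that selects this branch and the rest of run_pipeline are outside the hunk, so the claim that only DOS builds reach it cannot be checked from here.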