authortonnerre <tonnerre@pkgsrc.org>2008-07-13 20:35:46 +0000
committertonnerre <tonnerre@pkgsrc.org>2008-07-13 20:35:46 +0000
commitb2cec6ec67f4285f231df6ef880d91eea19a10b2 (patch)
tree381d14963b2ac95a3d4bf42ae2be0ed9bfa10f11 /www
parent6233ffa98c34d846f6b9215dd48a743bf278b3a1 (diff)
downloadpkgsrc-b2cec6ec67f4285f231df6ef880d91eea19a10b2.tar.gz
Add patches for wml privilege escalation (CVE-2008-0665 and CVE-2008-0666).
Diffstat (limited to 'www')
-rw-r--r--www/wml/Makefile4
-rw-r--r--www/wml/distinfo5
-rw-r--r--www/wml/patches/patch-aj20
-rw-r--r--www/wml/patches/patch-ak13
-rw-r--r--www/wml/patches/patch-al26
5 files changed, 65 insertions, 3 deletions
diff --git a/www/wml/Makefile b/www/wml/Makefile
index 720eaf42236..9caf7e7bfdf 100644
--- a/www/wml/Makefile
+++ b/www/wml/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.27 2007/09/29 21:23:12 heinz Exp $
+# $NetBSD: Makefile,v 1.28 2008/07/13 20:35:46 tonnerre Exp $
#
DISTNAME= wml-2.0.9
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= www perl5
MASTER_SITES= http://thewml.org/distrib/
diff --git a/www/wml/distinfo b/www/wml/distinfo
index 0f657ec79b9..fefbf8c53b3 100644
--- a/www/wml/distinfo
+++ b/www/wml/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2007/09/29 21:23:12 heinz Exp $
+$NetBSD: distinfo,v 1.9 2008/07/13 20:35:46 tonnerre Exp $
SHA1 (wml-2.0.9.tar.gz) = ce95ad9c55fd52e2028099d391858d88cffd5d9f
RMD160 (wml-2.0.9.tar.gz) = bf14a4c09bdd850c5bad5f48f712717a13b13412
@@ -12,3 +12,6 @@ SHA1 (patch-af) = e7dcb9287066e962d3fedafcea4302c71fbf0dce
SHA1 (patch-ag) = 642371cb755e993118f5cc6a16abeaa62ec8d163
SHA1 (patch-ah) = 8195a53d0a514b9ed1bd8e9460c8c3e77a1d0d8d
SHA1 (patch-ai) = c376fe6308bd9defb66719a53a0e0da3953e2016
+SHA1 (patch-aj) = 1675e8778a01c66f8a91306532216fd859eb0ca3
+SHA1 (patch-ak) = 43419f8799888262c2365f9014fa4ed9dd89d030
+SHA1 (patch-al) = 0360574b0ec6df025efc14cd9d99bd5ab43a9537
diff --git a/www/wml/patches/patch-aj b/www/wml/patches/patch-aj
new file mode 100644
index 00000000000..55c017eb4af
--- /dev/null
+++ b/www/wml/patches/patch-aj
@@ -0,0 +1,20 @@
+$NetBSD: patch-aj,v 1.1 2008/07/13 20:35:46 tonnerre Exp $
+
+--- work/wml-2.0.9/wml_contrib/wmg.cgi.orig 1999-05-20 13:39:28.000000000 +0200
++++ work/wml-2.0.9/wml_contrib/wmg.cgi
+@@ -367,14 +367,7 @@ if ($level >= 1) {
+ ($w, $h, $t) = Image::Size::imgsize(\$contents);
+ if ($w*$h == 1) {
+ # read image into GD
+- $tmpfile = "/tmp/pe.tmp.$$";
+- unlink($tmpfile);
+- open(TMP, ">$tmpfile");
+- print TMP $contents;
+- close(TMP);
+- open(TMP, "<$tmpfile");
+- $tmpimg = newFromGif GD::Image(TMP);
+- close(TMP);
++ $tmpimg = newFromGifData GD::Image($contents);
+ unlink($tmpfile);
+ if ($tmpimg->transparent != -1) {
+ my $im = new GD::Image($w, $h);
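Review bot: The context line `unlink($tmpfile);` is kept directly after the new `newFromGifData` call, although this hunk removes the only visible assignment to `$tmpfile`. It now unlinks either an undefined value or whatever an earlier part of wmg.cgi may have left in that variable, so it should be dropped together with the temp-file code. Separately, `newFromGifData` returns undef when the data cannot be parsed, and the following line calls `$tmpimg->transparent` unconditionally; `if (defined $tmpimg && $tmpimg->transparent != -1) {` would avoid a run-time die on malformed image data. The enclosing `if ($level >= 1)` block starts and ends outside the hunk.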
diff --git a/www/wml/patches/patch-ak b/www/wml/patches/patch-ak
new file mode 100644
index 00000000000..7eef0733a7c
--- /dev/null
+++ b/www/wml/patches/patch-ak
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.1 2008/07/13 20:35:46 tonnerre Exp $
+
+--- work/wml-2.0.9/wml_backend/p1_ipp/ipp.src.orig 2002-04-20 23:26:19.000000000 +0200
++++ work/wml-2.0.9/wml_backend/p1_ipp/ipp.src
+@@ -565,6 +565,8 @@ foreach $str (@opt_D) {
+ # process the pre-loaded include files
+ #
+ $tmpdir = $ENV{'TMPDIR'} || '/tmp';
++my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
++$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";
+ $tmpfile = $tmpdir . "/ipp.$$.tmp";
+ unlink($tmpfile);
+ $tmp = new IO::File;
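Review bot: The added `mkdtemp($tmpldir)` call depends on a function this patch never imports. The patch consists of this single hunk and adds no `use File::Temp qw(mkdtemp);`, so unless ipp.src already loads it outside the visible lines, the script will die here with an undefined-subroutine error. The patch also adds no cleanup for the new directory, so each run appears to leave an `ipp.XXXXXX` directory under TMPDIR; add `rmdir($tmpdir);` after the temp file is removed, or create it with `File::Temp::tempdir('ipp.XXXXXX', TMPDIR => 1, CLEANUP => 1)`. The preceding `$tmpdir = $ENV{'TMPDIR'} || '/tmp';` is now a dead assignment, because it is overwritten two lines later. The surrounding code continues outside the hunk.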
diff --git a/www/wml/patches/patch-al b/www/wml/patches/patch-al
new file mode 100644
index 00000000000..8f3a6c606bb
--- /dev/null
+++ b/www/wml/patches/patch-al
@@ -0,0 +1,26 @@
+$NetBSD: patch-al,v 1.1 2008/07/13 20:35:46 tonnerre Exp $
+
+--- work/wml-2.0.9/wml_backend/p3_eperl/eperl_sys.c.orig 2002-08-08 23:56:26.000000000 +0200
++++ work/wml-2.0.9/wml_backend/p3_eperl/eperl_sys.c
+@@ -211,13 +211,20 @@ char *mytmpfile(char *id)
+ {
+ char ca[1024];
+ char *cp, *tmpdir;
++ char tmpfile[]="eperl_sourceXXXXXX";
+ int i;
++ int fd=-1;
+
+ tmpdir = getenv ("TMPDIR");
+ if (tmpdir == (char *) NULL)
+ tmpdir="/tmp";
+
+- snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
++ snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
++ if((fd = mkstemp(tmpfile)) == -1){
++ perror("can not create tmpfile");
++ return NULL;
++ }
++ close(fd);
+ ca[sizeof(ca)-1] = NUL;
+ cp = strdup(ca);
+ for (i = 0; mytmpfiles[i] != NULL; i++)
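Review bot: `mkstemp(tmpfile)` is applied to the bare relative template `eperl_sourceXXXXXX` rather than to the path in `ca`, so the unique file is created in the current working directory while the function returns `ca`, which was formatted before the call and always ends in the literal `eperl_sourceXXXXXX`. The returned name is therefore constant and was never exclusively created, which leaves the predictable-temp-name problem this fix is meant to close and also drops a stray file in the working directory. Build the template in `ca` and pass `ca` itself to `mkstemp`, as in the excerpt below; the `tmpfile[]` array is then unnecessary and `id` stays in use. Callers still reopen the file by name after `close(fd)`, which is only as safe as the permissions on the temp directory. The body of mytmpfile continues past the end of the hunk.

```c
    /* … unchanged: declarations and TMPDIR lookup … */
    snprintf(ca, sizeof(ca), "%s/%s.XXXXXX", tmpdir, id);
    ca[sizeof(ca)-1] = NUL;
    if ((fd = mkstemp(ca)) == -1) {
        perror("can not create tmpfile");
        return NULL;
    }
    close(fd);
    cp = strdup(ca);
    /* … unchanged: registration in mytmpfiles … */
```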