From 6580891cf31a76256a9a396450350792f0e7b738 Mon Sep 17 00:00:00 2001 From: dholland Date: Sun, 1 Jun 2008 21:46:37 +0000 Subject: Fix insecure-temporary-files, as reported in Debian bug 480972. PKGREVISION++. --- converters/uudeview/Makefile | 4 +- converters/uudeview/distinfo | 3 +- converters/uudeview/patches/patch-ac | 42 ++++++++++++++++++ converters/uulib/Makefile | 4 +- converters/uulib/distinfo | 4 +- converters/uulib/patches/patch-ab | 17 ++++++++ converters/uulib/patches/patch-ac | 83 ++++++++++++++++++++++++++++++++++++ 7 files changed, 151 insertions(+), 6 deletions(-) create mode 100644 converters/uudeview/patches/patch-ac create mode 100644 converters/uulib/patches/patch-ab create mode 100644 converters/uulib/patches/patch-ac (limited to 'converters') diff --git a/converters/uudeview/Makefile b/converters/uudeview/Makefile index 89551f0fc61..2e1c70fc8b6 100644 --- a/converters/uudeview/Makefile +++ b/converters/uudeview/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.27 2007/02/22 19:26:15 wiz Exp $ +# $NetBSD: Makefile,v 1.28 2008/06/01 21:49:56 dholland Exp $ # DISTNAME= uudeview-0.5.20 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= converters MASTER_SITES= http://www.fpx.de/fp/Software/UUDeview/download/ diff --git a/converters/uudeview/distinfo b/converters/uudeview/distinfo index 74e21c16797..d2cf2ce47a8 100644 --- a/converters/uudeview/distinfo +++ b/converters/uudeview/distinfo @@ -1,7 +1,8 @@ -$NetBSD: distinfo,v 1.7 2005/02/23 16:12:35 agc Exp $ +$NetBSD: distinfo,v 1.8 2008/06/01 21:49:56 dholland Exp $ SHA1 (uudeview-0.5.20.tar.gz) = 2c6ab7d355b545218bd0877d598bd5327d9fd125 RMD160 (uudeview-0.5.20.tar.gz) = 9bb52fa3ad4979383ff16d1e8d8a302c5c794c66 Size (uudeview-0.5.20.tar.gz) = 261574 bytes SHA1 (patch-aa) = bf7e281b7e0e2ceae6bc8c19c9e64cdb7d5a9d64 SHA1 (patch-ab) = bdd62a84d0f62c697dd4440df861c343ffeb683a +SHA1 (patch-ac) = 2ae6579816e2ee1273c2c8db6bf82b8954a3d16c 
diff --git a/converters/uudeview/patches/patch-ac b/converters/uudeview/patches/patch-ac new file mode 100644 index 00000000000..13b4606fc7c --- /dev/null +++ b/converters/uudeview/patches/patch-ac @@ -0,0 +1,42 @@ +$NetBSD: patch-ac,v 1.5 2008/06/01 21:49:56 dholland Exp $ + +--- unix/uudeview.c.orig 2003-04-12 19:33:55.000000000 -0400 ++++ unix/uudeview.c 2008-06-01 17:02:31.000000000 -0400 +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #ifdef HAVE_FCNTL_H + #include +@@ -440,6 +441,7 @@ + { + static char buffer[1024]; + char *stdfile; ++ int targetfd; + FILE *target; + size_t bytes; + int res; +@@ -449,11 +451,20 @@ + return 0; + } + +- if ((stdfile = tempnam (NULL, "uu")) == NULL) { ++ if ((stdfile = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) { + fprintf (stderr, "proc_stdin: cannot get temporary file\n"); + return 0; + } + ++ if ((targetfd = mkstemp (stdfile)) < 0) { ++ fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n", ++ stdfile, strerror (errno)); ++ _FP_free (stdfile); ++ return 0; ++ } ++ ++ /* file now safely exists, reopen it with the right mode */ ++ close(targetfd); + if ((target = fopen (stdfile, "wb")) == NULL) { + fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n", + stdfile, strerror (errno)); diff --git a/converters/uulib/Makefile b/converters/uulib/Makefile index 1ccac90a098..2a7252bb31d 100644 --- a/converters/uulib/Makefile +++ b/converters/uulib/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.41 2007/09/18 19:44:40 heinz Exp $ +# $NetBSD: Makefile,v 1.42 2008/06/01 21:46:37 dholland Exp $ # DISTNAME= uudeview-0.5.20 PKGNAME= uulib-0.5.20 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= converters MASTER_SITES= http://www.fpx.de/fp/Software/UUDeview/download/ diff --git a/converters/uulib/distinfo b/converters/uulib/distinfo index 3a560196768..55da6ddf364 100644 --- a/converters/uulib/distinfo +++ b/converters/uulib/distinfo 
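Review bot: Closing the descriptor returned by mkstemp and then reopening the path by name (the `close(targetfd);` / `fopen (stdfile, "wb")` pair after the `/* file now safely exists */` comment) gives up the O_EXCL guarantee mkstemp just provided: fopen opens whatever is at that path at the time of the second open, so the race this patch is meant to close is narrowed rather than removed. Keep the descriptor and wrap it instead, `if ((target = fdopen (targetfd, "wb")) == NULL) {` with `close (targetfd);` added to the error branch; fdopen takes the same mode string. The same close-then-fopen sequence appears twice in converters/uulib/patches/patch-ac (after the mkstemp calls for data->binfile and for ntmp), and the same change applies there. The error branch is cut off by the hunk, so I cannot tell whether the file mkstemp created is unlinked when the reopen fails; if not, an `unlink (stdfile);` belongs there. proc_stdin starts before and ends after this hunk, and the added include whose header name is lost in this rendering is presumably `<paths.h>` for _PATH_TMP, which also means TMPDIR is no longer honored the way tempnam honored it.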
@@ -1,6 +1,8 @@ -$NetBSD: distinfo,v 1.9 2005/11/03 20:05:54 rillig Exp $ +$NetBSD: distinfo,v 1.10 2008/06/01 21:46:37 dholland Exp $ SHA1 (uudeview-0.5.20.tar.gz) = 2c6ab7d355b545218bd0877d598bd5327d9fd125 RMD160 (uudeview-0.5.20.tar.gz) = 9bb52fa3ad4979383ff16d1e8d8a302c5c794c66 Size (uudeview-0.5.20.tar.gz) = 261574 bytes SHA1 (patch-aa) = 8ea37995ef4426bcd008246b1465ad5428da7bd8 +SHA1 (patch-ab) = f23ca7945a0697dc8e49ba9c7765bfa655ed8566 +SHA1 (patch-ac) = 7322b738ba427515a508eff41cce4139d4fda86e diff --git a/converters/uulib/patches/patch-ab b/converters/uulib/patches/patch-ab new file mode 100644 index 00000000000..5fd392348ce --- /dev/null +++ b/converters/uulib/patches/patch-ab @@ -0,0 +1,17 @@ +$NetBSD: patch-ab,v 1.3 2008/06/01 21:46:37 dholland Exp $ + +--- uulib/fptools.c.orig 2004-02-23 19:05:32.000000000 -0500 ++++ uulib/fptools.c 2008-06-01 16:08:35.000000000 -0400 +@@ -517,6 +517,7 @@ + return number; + } + ++#if 0 /* insecure */ + /* + * tempnam is not ANSI, but tmpnam is. Ignore the prefix here. + */ +@@ -526,3 +527,4 @@ + { + return _FP_strdup (tmpnam (NULL)); + } ++#endif diff --git a/converters/uulib/patches/patch-ac b/converters/uulib/patches/patch-ac new file mode 100644 index 00000000000..dd4eadfa8a0 --- /dev/null +++ b/converters/uulib/patches/patch-ac 
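Review bot: Wrapping _FP_tempnam in `#if 0 /* insecure */` removes the definition, but nothing in this hunk touches its prototype, so if the function is declared in a header that libuu installs (not visible from here) external callers will fail at link time with no hint why. Either guard the declaration the same way or keep a stub that returns NULL, and let the comment say what replaced it: `#if 0 /* insecure: wraps tmpnam(); uunconc.c now uses mkstemp() */`. The function's signature sits between the two inner hunks and is not shown.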
@@ -0,0 +1,83 @@ +$NetBSD: patch-ac,v 1.1 2008/06/01 21:46:37 dholland Exp $ + +--- uulib/uunconc.c.orig 2004-03-01 17:52:27.000000000 -0500 ++++ uulib/uunconc.c 2008-06-01 17:05:57.000000000 -0400 +@@ -49,6 +49,7 @@ + #include + #endif + ++#include + #include + #include + #include +@@ -1306,6 +1307,7 @@ + { + int state=BEGIN, part=-1, res=0, hb; + long rsize, dsize, numbytes; ++ int dataoutfd; + FILE *datain, *dataout; + unsigned char r[8]; + char *mode, *ntmp; +@@ -1329,13 +1331,13 @@ + else + mode = "wb"; /* otherwise in binary */ + +- if ((data->binfile = tempnam (NULL, "uu")) == NULL) { ++ if ((data->binfile = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) { + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, + uustring (S_NO_TEMP_NAME)); + return UURET_NOMEM; + } + +- if ((dataout = fopen (data->binfile, mode)) == NULL) { ++ if ((dataoutfd = mkstemp (data->binfile)) < 0) { + /* + * we couldn't create a temporary file. Usually this means that TMP + * and TEMP aren't set +@@ -1348,6 +1350,19 @@ + uu_errno = errno; + return UURET_IOERR; + } ++ ++ /* file now safely exists, reopen it using the right mode */ ++ close (dataoutfd); ++ if ((dataout = fopen (data->binfile, mode)) < 0) { ++ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, ++ uustring (S_WR_ERR_TARGET), ++ data->binfile, strerror (uu_errno = errno)); ++ _FP_free (data->binfile); ++ data->binfile = NULL; ++ uu_errno = errno; ++ return UURET_IOERR; ++ } ++ + /* + * we don't have begin lines in Base64 or plain text files. 
+ */ +@@ -1496,7 +1511,7 @@ + */ + + if (data->uudet == BH_ENCODED && data->binfile) { +- if ((ntmp = tempnam (NULL, "uu")) == NULL) { ++ if ((ntmp = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) { + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, + uustring (S_NO_TEMP_NAME)); + progress.action = 0; +@@ -1510,6 +1525,17 @@ + free (ntmp); + return UURET_IOERR; + } ++ if ((dataoutfd = mkstemp (ntmp)) < 0) { ++ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, ++ uustring (S_NOT_OPEN_TARGET), ++ ntmp, strerror (uu_errno = errno)); ++ progress.action = 0; ++ fclose (datain); ++ free (ntmp); ++ return UURET_IOERR; ++ } ++ /* file now safely exists; reopen it with the right mode */ ++ close (dataoutfd); + if ((dataout = fopen (ntmp, "wb")) == NULL) { + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, + uustring (S_NOT_OPEN_TARGET), -- cgit v1.2.3
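Review bot: The reopen check added after the first mkstemp, `if ((dataout = fopen (data->binfile, mode)) < 0)`, can never fire: fopen returns a null pointer on failure and an ordered comparison of a pointer with 0 is a constraint violation that compilers reject or at best warn about, so a failed reopen falls through to writing through a NULL `dataout`. It should read `if ((dataout = fopen (data->binfile, mode)) == NULL) {`, matching the ntmp site further down, which gets this right. In that same branch `uu_errno = errno` is assigned twice, the second time after UUMessage and _FP_free may have changed errno; the first assignment is the one to keep. The comment retained on the mkstemp failure path ("Usually this means that TMP and TEMP aren't set") no longer matches the new code, since the path is now built from _PATH_TMP and those variables are not consulted. The enclosing function starts before and continues past these hunks.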