From 1251f5bfed6ee45ef8c416be86b4818f1a1407f3 Mon Sep 17 00:00:00 2001
From: tonnerre
Date: Sun, 4 May 2008 22:27:07 +0000
Subject: Fix vcdiff insecure temp file creation vulnerability (CVE-2008-1694) for xemacs-current as well.
---
editors/xemacs-current/Makefile | 4 +-
editors/xemacs-current/distinfo | 3 +-
editors/xemacs-current/patches/patch-am | 111 ++++++++++++++++++++++++++++++++
3 files changed, 115 insertions(+), 3 deletions(-)
create mode 100644 editors/xemacs-current/patches/patch-am
(limited to 'editors')
diff --git a/editors/xemacs-current/Makefile b/editors/xemacs-current/Makefile
index 1c84fb66bfa..1e68a0adbdc 100644
--- a/editors/xemacs-current/Makefile
+++ b/editors/xemacs-current/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.64 2008/04/24 21:32:47 jlam Exp $
+# $NetBSD: Makefile,v 1.65 2008/05/04 22:27:07 tonnerre Exp $
 PKGNAME?= ${DISTNAME}
 COMMENT?= *BETA* XEmacs text editor version ${PKGVERSION_NOREV}
@@ -6,7 +6,7 @@ COMMENT?= *BETA* XEmacs text editor version ${PKGVERSION_NOREV}
 DISTNAME= xemacs-21.5.27
 EMACSVERSION= 21.5-b27
 EMACS_DISTNAME= xemacs-${EMACSVERSION}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= editors
 MASTER_SITES= ${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/}
diff --git a/editors/xemacs-current/distinfo b/editors/xemacs-current/distinfo
index 8b05efcd823..ea785cb3e5a 100644
--- a/editors/xemacs-current/distinfo
+++ b/editors/xemacs-current/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2008/04/24 21:32:47 jlam Exp $
+$NetBSD: distinfo,v 1.21 2008/05/04 22:27:07 tonnerre Exp $
 SHA1 (xemacs-21.5.27.tar.gz) = 55fc3e9c8fe3cac92791ffe1a0870aeae1baf0b8
 RMD160 (xemacs-21.5.27.tar.gz) = ee0caff8730c999d37aa3a19b19f23d5756837ad
@@ -15,3 +15,4 @@ SHA1 (patch-ai) = ed24c7c0cc802386c0293c34842882d5ec770426
 SHA1 (patch-aj) = aeebaec687a1ea2974d909404938fc060d5df75f
 SHA1 (patch-ak) = c8a3369efdd4af32b1a65cdb3d798724d63b3ed5
 SHA1 (patch-al) = 33000a300de6358c0ba3260708d6d625dcd625a2
+SHA1 (patch-am) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4
diff --git a/editors/xemacs-current/patches/patch-am b/editors/xemacs-current/patches/patch-am
new file mode 100644
index 00000000000..e648ccec369
--- /dev/null
+++ b/editors/xemacs-current/patches/patch-am
@@ -0,0 +1,111 @@
+$NetBSD: patch-am,v 1.1 2008/05/04 22:27:07 tonnerre Exp $
+
+--- lib-src/vcdiff.orig 1996-12-18 22:42:33.000000000 +0000
++++ lib-src/vcdiff 2008-04-29 13:27:28.000000000 +0100
+@@ -1,23 +1,35 @@
+-#!/bin/sh
++#! /bin/sh
+ #
+ # Enhanced sccs diff utility for use with vc mode.
+ # This version is more compatible with rcsdiff(1).
+ #
+-# !Id: vcdiff,v 1.4 1993/12/03 09:29:18 eggert Exp !
++# Copyright (C) 1992, 1993, 1995, 1997, 2001, 2002, 2003, 2004,
++# 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+ #
+-# Modified by: vladimir@Eng.Sun.COM on 95-06-07
+-# * Made sure that file arguments are specifed as s..
+-# * Switched the assignments to $f inside the 3rd and 4th case statements of
+-# the first for-loop
+-# * Removed the incorrect initialization of sid1 before the first for-loop.
++# This file is part of GNU Emacs.
++#
++# GNU Emacs is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++#
++# GNU Emacs is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GNU Emacs; see the file COPYING. If not, write to the
++# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++# Boston, MA 02110-1301, USA.
+ #
+
+ DIFF="diff"
+ usage="$0: Usage: vcdiff [--brief] [-q] [-r] [-r] [diffopts] sccsfile..."
+
+-PATH=$PATH:/usr/ccs/bin:/usr/sccs # common SCCS hangouts
++PATH=$PATH:/usr/ccs/bin:/usr/sccs:/usr/xpg4/bin # common SCCS hangouts
+
+-echo=
++echo="echo"
+ sid1= sid2=
+
+ for f
+@@ -31,14 +43,14 @@
+ echo=:;;
+ -r?*)
+ case $sid1 in
+- -r*)
+- sid2=$f
++ '')
++ sid1=$f
+ ;;
+- *)
++ *)
+ case $sid2 in
+- ?*) echo "$usage" >&2; exit 2 ;;
++ ?*) echo "$usage" >&2; exit 2 ;;
+ esac
+- sid1=$f
++ sid2=$f
+ ;;
+ esac
+ ;;
+@@ -67,31 +79,24 @@
+
+ for f
+ do
+- s=2
+-
+- # For files under SCCS control, fixup the file name to be the s. filename
+- if [ -d SCCS ]; then
+- if [ $f = `echo $f | sed -e 's|SCCS/s.||'` ]; then
+- f="SCCS/s.$f"
+- fi
+- fi
++ s=2
+
+ case $f in
+ s.* | */s.*)
+ if
+- rev1=/tmp/geta$$
++ rev1=`mktemp /tmp/geta.XXXXXXXX`
+ get -s -p -k $sid1 "$f" > $rev1 &&
+ case $sid2 in
+ '')
+ workfile=`expr " /$f" : '.*/s.\(.*\)'`
+ ;;
+ *)
+- rev2=/tmp/getb$$
++ rev2=`mktemp /tmp/getb.XXXXXXXX`
+ get -s -p -k $sid2 "$f" > $rev2
+ workfile=$rev2
+ esac
+ then
+- $echo $DIFF $options $sid1 $sid2 $workfile >&2
++ $echo $DIFF $options $rev1 $workfile >&2
+ $DIFF $options $rev1 $workfile
+ s=$?
+ fi
+@@ -104,3 +109,5 @@
+ then status=$s
+ fi
+ done
++
++# arch-tag: 4344ba3a-bcbe-4f77-971c-f43c1606953a
-- cgit v1.2.3
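Review bot: Neither `mktemp` call in the `@@ -67,31 +79,24 @@` part of the new patch-am has its exit status checked. For `rev1` the following redirection will most likely fail on an empty name, but for `rev2` a failed `mktemp` or `get` is masked because `workfile=$rev2` is the last command in that `case` branch, so `$DIFF` is still run with an empty work file. Appending `&&` to the two `mktemp` assignment lines and to `get -s -p -k $sid2 "$f" > $rev2` would stop the list at the first failure, and quoting the redirection targets (`> "$rev1"`, `> "$rev2"`) would be safer too. Each pass of the `for f` loop now gets fresh random names instead of reusing `/tmp/geta$$` and `/tmp/getb$$`, so files from earlier passes stay in `/tmp` unless cleanup runs per iteration. The script's cleanup code sits between the inner hunks and is not visible here, so this needs checking against the full file.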