From 4d723746003ad1ecde2c86463efac0f42a42a302 Mon Sep 17 00:00:00 2001
From: Martin Ehmsen
Date: Fri, 17 Feb 2006 12:25:03 +0000
Subject: [PATCH] Fix insecure temporary file creation (CVE-2005-3342), bug #122705.

Package-Manager: portage-2.1_pre4-r1
---
 app-text/noweb/ChangeLog | 12 +-
 app-text/noweb/Manifest | 30 +++-
 app-text/noweb/files/digest-noweb-2.9-r3 | 1 -
 app-text/noweb/files/digest-noweb-2.9-r4 | 1 -
 app-text/noweb/files/digest-noweb-2.9-r5 | 3 +
 app-text/noweb/files/digest-noweb-2.9-r6 | 3 +
 app-text/noweb/files/noweb-2.9-security.patch | 151 ++++++++++++------
 ...oweb-2.9-r3.ebuild => noweb-2.9-r5.ebuild} | 4 +-
 ...oweb-2.9-r4.ebuild => noweb-2.9-r6.ebuild} | 4 +-
 9 files changed, 146 insertions(+), 63 deletions(-)
 delete mode 100644 app-text/noweb/files/digest-noweb-2.9-r3
 delete mode 100644 app-text/noweb/files/digest-noweb-2.9-r4
 create mode 100644 app-text/noweb/files/digest-noweb-2.9-r5
 create mode 100644 app-text/noweb/files/digest-noweb-2.9-r6
 rename app-text/noweb/{noweb-2.9-r3.ebuild => noweb-2.9-r5.ebuild} (90%)
 rename app-text/noweb/{noweb-2.9-r4.ebuild => noweb-2.9-r6.ebuild} (91%)
diff --git a/app-text/noweb/ChangeLog b/app-text/noweb/ChangeLog
index 42a36869f510..42b7b4102e72 100644
--- a/app-text/noweb/ChangeLog
+++ b/app-text/noweb/ChangeLog
@@ -1,6 +1,14 @@ # ChangeLog for app-text/noweb -# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/ChangeLog,v 1.18 2005/01/01 16:27:47 eradicator Exp $ +# Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/ChangeLog,v 1.19 2006/02/17 12:25:03 ehmsen Exp $ + +*noweb-2.9-r6 (17 Feb 2006) +*noweb-2.9-r5 (17 Feb 2006) + + 17 Feb 2006; Martin Ehmsen + files/noweb-2.9-security.patch, -noweb-2.9-r3.ebuild, + -noweb-2.9-r4.ebuild, +noweb-2.9-r5.ebuild, +noweb-2.9-r6.ebuild: + Fix insecure temporary file creation (CVE-2005-3342), bug #122705. 02 Sep 2004; Mamoru KOMACHI noweb-2.9-r3.ebuild, noweb-2.9-r4.ebuild: diff --git a/app-text/noweb/Manifest b/app-text/noweb/Manifest index 8ca1fed563a3..8835d80bfca7 100644 --- a/app-text/noweb/Manifest +++ b/app-text/noweb/Manifest 
@@ -1,8 +1,24 @@
-MD5 75941fdbbd7bee8de885941c7e602d80 ChangeLog 2448
-MD5 c472f5fd1646eb8bca71d8df5cb2bdcc metadata.xml 164
-MD5 d848396ca0d31458c3331d9a8a9c9add noweb-2.9-r3.ebuild 1596
-MD5 dcba3464c5092b4ee5736024b164dc7c noweb-2.9-r4.ebuild 1828
-MD5 813fb3ed94d03e89220c6e9b9a77a5f3 files/digest-noweb-2.9-r3 65
+MD5 321614451bda0a8426451b6748ba79ba ChangeLog 2744
+RMD160 e0e0f83a63ef6e748f30c157561db68e04220e25 ChangeLog 2744
+SHA256 62de7f94701ad0fe86aa8aa7796ee811cc11643d5d0167119a7e0cd2594b8514 ChangeLog 2744
+MD5 4f821dc861c7d479660d04a8b551b86b files/digest-noweb-2.9-r5 241
+RMD160 705d0be384d85fc4dee21634fbc9d67c9f01064d files/digest-noweb-2.9-r5 241
+SHA256 76668f6f6d4345a830caea58117f1409b93e24384685e05e1cab305bd1d65bf3 files/digest-noweb-2.9-r5 241
+MD5 4f821dc861c7d479660d04a8b551b86b files/digest-noweb-2.9-r6 241
+RMD160 705d0be384d85fc4dee21634fbc9d67c9f01064d files/digest-noweb-2.9-r6 241
+SHA256 76668f6f6d4345a830caea58117f1409b93e24384685e05e1cab305bd1d65bf3 files/digest-noweb-2.9-r6 241
 MD5 802981b1fbeeebbfb88f7edf918dbdc7 files/noweb-2.9-gentoo.diff 14029
-MD5 02040e5c05a1b7bc5339a3dd35e9bd84 files/noweb-2.9-security.patch 3624
-MD5 813fb3ed94d03e89220c6e9b9a77a5f3 files/digest-noweb-2.9-r4 65
+RMD160 5b2f0566ccfa04d87dbff87ddd0a81cfb1ebc855 files/noweb-2.9-gentoo.diff 14029
+SHA256 63edbfd245396c5fa9f8e0ffac544ab6e872f49036c228ac7e6101789340f8a4 files/noweb-2.9-gentoo.diff 14029
+MD5 3f3f3474fca36841669767b45acb83dc files/noweb-2.9-security.patch 6558
+RMD160 df2613a2278b13f032a74af62b553495e1b11786 files/noweb-2.9-security.patch 6558
+SHA256 45492023f74919efbf32806fd891c68697a00526eac9c924af2ef26b43477746 files/noweb-2.9-security.patch 6558
+MD5 c472f5fd1646eb8bca71d8df5cb2bdcc metadata.xml 164
+RMD160 698422e821458386b8da17baa6014296f8284e0b metadata.xml 164
+SHA256 7bd4d93c657a26aa9af1dea4232520c0d388cc92115dd9ca0eb04259228e044f metadata.xml 164
+MD5 a01665e0e5a92b4cf832e6545a8b7056 noweb-2.9-r5.ebuild 1591
+RMD160 50f3e3f32ae47df906e72b9e8ea5c065ededbc88 noweb-2.9-r5.ebuild 1591
+SHA256 0241e929ad726d67be6c48c0ccd4d6e90a9505a893f7f8a79d7cda08ab6a79ee noweb-2.9-r5.ebuild 1591
+MD5 ba09cd41c76f6b11519345754a592862 noweb-2.9-r6.ebuild 1824
+RMD160 06eb4545b122bbe9c5c0881b6db69650155867c9 noweb-2.9-r6.ebuild 1824
+SHA256 4e83a3442049b2913f304a15c95ab06b80a9ad82a00fcf596b270c7c672b0037 noweb-2.9-r6.ebuild 1824
diff --git a/app-text/noweb/files/digest-noweb-2.9-r3 b/app-text/noweb/files/digest-noweb-2.9-r3
deleted file mode 100644
index 4dbe3957e8a8..000000000000
--- a/app-text/noweb/files/digest-noweb-2.9-r3
+++ /dev/null
@@ -1 +0,0 @@
-MD5 fd88e1b4746661ebbdb1a558ab8510e7 noweb-src-2.9.tar.gz 457749
diff --git a/app-text/noweb/files/digest-noweb-2.9-r4 b/app-text/noweb/files/digest-noweb-2.9-r4
deleted file mode 100644
index 4dbe3957e8a8..000000000000
--- a/app-text/noweb/files/digest-noweb-2.9-r4
+++ /dev/null
@@ -1 +0,0 @@
-MD5 fd88e1b4746661ebbdb1a558ab8510e7 noweb-src-2.9.tar.gz 457749
diff --git a/app-text/noweb/files/digest-noweb-2.9-r5 b/app-text/noweb/files/digest-noweb-2.9-r5
new file mode 100644
index 000000000000..7624bc90b63b
--- /dev/null
+++ b/app-text/noweb/files/digest-noweb-2.9-r5
@@ -0,0 +1,3 @@
+MD5 fd88e1b4746661ebbdb1a558ab8510e7 noweb-src-2.9.tar.gz 457749
+RMD160 737d18acc361a88cc857a87e75de46f00bdb3608 noweb-src-2.9.tar.gz 457749
+SHA256 e955f69eb159981d6796070114c26fc966722950823d8d828051caa54162be7e noweb-src-2.9.tar.gz 457749
diff --git a/app-text/noweb/files/digest-noweb-2.9-r6 b/app-text/noweb/files/digest-noweb-2.9-r6
new file mode 100644
index 000000000000..7624bc90b63b
--- /dev/null
+++ b/app-text/noweb/files/digest-noweb-2.9-r6
@@ -0,0 +1,3 @@
+MD5 fd88e1b4746661ebbdb1a558ab8510e7 noweb-src-2.9.tar.gz 457749
+RMD160 737d18acc361a88cc857a87e75de46f00bdb3608 noweb-src-2.9.tar.gz 457749
+SHA256 e955f69eb159981d6796070114c26fc966722950823d8d828051caa54162be7e noweb-src-2.9.tar.gz 457749
diff --git a/app-text/noweb/files/noweb-2.9-security.patch b/app-text/noweb/files/noweb-2.9-security.patch index a07445ea9f7b..951af7968ae7 100644 --- a/app-text/noweb/files/noweb-2.9-security.patch +++ b/app-text/noweb/files/noweb-2.9-security.patch @@ -1,16 +1,6 @@ ---- noweb-2.9a.orig/src/awkname -+++ noweb-2.9a/src/awkname -@@ -5,7 +5,7 @@ - esac - - rc=0 --new=/tmp/$$.new; old=/tmp/$$.old -+new=$(tempfile -p new); old=$(tempfile -p old) - - for file in lib/emptydefn lib/unmarkup lib/toascii \ - awk/noidx awk/totex awk/tohtml awk/noindex \ ---- noweb-2.9a.orig/src/awk/totex.nw -+++ noweb-2.9a/src/awk/totex.nw +diff -urN noweb-2.9.orig/src/awk/totex.nw noweb-2.9/src/awk/totex.nw +--- noweb-2.9.orig/src/awk/totex.nw 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/awk/totex.nw 2006-02-17 12:47:05.000000000 +0100 @@ -24,7 +24,7 @@ @ On an ugly system, we have to put it in a file. @@ -20,8 +10,21 @@ trap 'rm -f $awkfile; exit 1' 0 1 2 15 # clean up files cat > $awkfile << 'EOF' <> ---- noweb-2.9a.orig/src/lib/toascii -+++ noweb-2.9a/src/lib/toascii +diff -urN noweb-2.9.orig/src/awkname noweb-2.9/src/awkname +--- noweb-2.9.orig/src/awkname 2000-06-23 12:56:00.000000000 +0200 ++++ noweb-2.9/src/awkname 2006-02-17 12:47:05.000000000 +0100 +@@ -5,7 +5,7 @@ + esac + + rc=0 +-new=/tmp/$$.new; old=/tmp/$$.old ++new=$(tempfile -p new); old=$(tempfile -p old) + + for file in lib/emptydefn lib/unmarkup lib/toascii lib/btdefn \ + awk/noidx awk/totex awk/tohtml awk/noindex \ +diff -urN noweb-2.9.orig/src/lib/toascii noweb-2.9/src/lib/toascii +--- noweb-2.9.orig/src/lib/toascii 2001-03-28 15:49:00.000000000 +0200 ++++ noweb-2.9/src/lib/toascii 2006-02-17 12:47:05.000000000 +0100 @@ -7,9 +7,9 @@ *) echo "This can't happen -- $i passed to toascii" 1>&2 ; exit 1 ;; esac 
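Review bot: The `tempfile` calls added for `src/awkname` (`new=$(tempfile -p new); old=$(tempfile -p old)`) carry no failure check, so when the utility is missing or the temporary directory is not writable the script carries on with empty `$new` and `$old`. The `src/shell/roff.nw` section further down has the same gap in `awkfile=$(tempfile -p noweb -s .awk)`, whereas the `toascii.nw` and `roff.mm` sections of this same patch already guard the call. I would reuse that guard here, `new=$(tempfile -p new) || { echo "$0: Cannot create temporary file" >&2; exit 1; }`, and likewise for `old` and for the `roff.nw` line. `tempfile` was shipped with debianutils, and the ebuild renames in this commit appear to change only header lines, so it is worth confirming that the package already declares that dependency.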
@@ -35,8 +38,25 @@ export awkfile textfile tagsfile trap 'rm -f $awkfile $textfile $tagsfile' 0 1 2 10 14 15 nawk 'BEGIN { textfile=ENVIRON["textfile"] ---- noweb-2.9a.orig/src/shell/cpif -+++ noweb-2.9a/src/shell/cpif +diff -urN noweb-2.9.orig/src/lib/toascii.nw noweb-2.9/src/lib/toascii.nw +--- noweb-2.9.orig/src/lib/toascii.nw 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/lib/toascii.nw 2006-02-17 12:48:20.000000000 +0100 +@@ -28,9 +28,9 @@ + Also arranged here is a temporary file for storage of the awk program on an + ugly system, as discussed below. + <>= +-awkfile="tmp/awk$$.tmp" +-textfile="/tmp/text$$.tmp" +-tagsfile="/tmp/tags$$.tmp" ++awkfile=$(tempfile -p awk -s .tmp) || { echo "$0: Cannot create temporary file" >&2; exit 1; } ++textfile=$(tempfile -p text -s .tmp) || { echo "$0: Cannot create temporary file" >&2; exit 1; } ++tagsfile=$(tempfile -p tags -s .tmp) || { echo "$0: Cannot create temporary file" >&2; exit 1; } + export awkfile textfile tagsfile + trap 'rm -f $awkfile $textfile $tagsfile' 0 1 2 10 14 15 + @ %def textfile tagsfile awkfile +diff -urN noweb-2.9.orig/src/shell/cpif noweb-2.9/src/shell/cpif +--- noweb-2.9.orig/src/shell/cpif 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/shell/cpif 2006-02-17 12:47:05.000000000 +0100 @@ -17,7 +17,7 @@ 0) echo 'Usage: '`basename $0`' [ -eq -ne ] file...' 1>&2; exit 2 esac @@ -46,8 +66,9 @@ trap 'rm -f $new; exit 1' 1 2 15 # clean up files cat >$new ---- noweb-2.9a.orig/src/shell/nonu -+++ noweb-2.9a/src/shell/nonu +diff -urN noweb-2.9.orig/src/shell/nonu noweb-2.9/src/shell/nonu +--- noweb-2.9.orig/src/shell/nonu 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/shell/nonu 2006-02-17 12:47:05.000000000 +0100 @@ -2,7 +2,7 @@ LIB=/usr/public/pkg/noweb/lib # attempt to convert nuweb to noweb using sam 
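Review bot: In the `toascii.nw` section the cleanup `trap` is installed only after all three `tempfile` calls, so when the second or third call fails its `exit 1` runs with no trap in place and the files already created stay behind in the temporary directory. Because the trap body is single-quoted and expanded only when it fires, the line `trap 'rm -f $awkfile $textfile $tagsfile' 0 1 2 10 14 15` can move above the first assignment without other changes. The chunk continues outside the hunk, so check that nothing after it relies on the current order.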
@@ -57,18 +78,10 @@ trap '/bin/rm -f $tmp; exit 1' 1 2 15 # clean up files cp $1 $tmp || exit 1 ---- noweb-2.9a.orig/src/shell/roff.nw -+++ noweb-2.9a/src/shell/roff.nw -@@ -80,7 +80,7 @@ - other, and quoting each quote is ugly. The pragmatic solution is to - copy the awk program into a temporary file, using a shell here-document. - <>= --awkfile="/tmp/noweb$$.awk" -+awkfile=$(tempfile -p noweb -s .awk) - trap 'rm -f $awkfile' 0 1 2 10 14 15 - cat > $awkfile << 'EOF' - <> -@@ -662,12 +662,13 @@ +diff -urN noweb-2.9.orig/src/shell/noroff noweb-2.9/src/shell/noroff +--- noweb-2.9.orig/src/shell/noroff 2001-03-28 15:49:00.000000000 +0200 ++++ noweb-2.9/src/shell/noroff 2006-02-17 12:47:05.000000000 +0100 +@@ -35,9 +35,10 @@ base="`basename $1 | sed '/\./s/\.[^.]*$//'`" tagsfile="$base.nwt" 
@@ -77,17 +90,64 @@ if [ -r "$tagsfile" ]; then - cp $tagsfile /tmp/tags.$$ + cp $tagsfile $tmpfile - $AWK '<> -- <>' /tmp/tags.$$ + $AWK '{ + if (sub(/^###TAG### / , "")) tags[$1] = $2 + else if (sub(/^###BEGINCHUNKS###/, "")) printf ".de CLIST\n.CLISTBEGIN\n" +@@ -88,8 +89,8 @@ + # print str3 + # print convquote(str3) + # } +- function tag(s) { if (s in tags) return tags[s]; else return "???" }' /tmp/tags.$$ - rm -f /tmp/tags.$$ -+ <>' $tmpfile ++ function tag(s) { if (s in tags) return tags[s]; else return "???" }' $tmpfile + rm -f $tmpfile fi cat "$@") | ($ROFF $opts 2>$tagsfile) ---- noweb-2.9a.orig/src/shell/noroff -+++ noweb-2.9a/src/shell/noroff -@@ -35,9 +35,10 @@ +diff -urN noweb-2.9.orig/src/shell/roff.mm noweb-2.9/src/shell/roff.mm +--- noweb-2.9.orig/src/shell/roff.mm 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/shell/roff.mm 2006-02-17 12:48:20.000000000 +0100 +@@ -214,7 +214,7 @@ + .ADDLIST 1a + .PRINTLIST + +-awkfile="/tmp/noweb$$.awk" ++awkfile=$(tempfile -p noweb -s .awk) || { echo "$0: Cannot create temporary file" >&2; exit 1; } + trap 'rm -f $awkfile' 0 1 2 10 14 15 + cat > $awkfile \&<< 'EOF' + \c +@@ -1628,14 +1628,15 @@ + tagsfile="$base.nwt" + (echo ".so $macrodir/tmac.w" + if [ -r "$tagsfile" ]; then +- cp $tagsfile /tmp/tags.$$ ++ tagstemp=$(tempfile -p tags) || { echo "$0: Cannot create temporary file" >&2; exit 1; } ++ cp $tagsfile $tagstemp + $AWK '\c + .USE "action for \*[BEGINCONVQUOTE]tags\*[ENDCONVQUOTE] line" 11c + \& + \c + .USE "functions" 8a +-\&' /tmp/tags.$$ +- rm -f /tmp/tags.$$ ++\&' $tagstemp ++ rm -f $tagstemp + fi + cat "$@") | + ($ROFF $opts 2>$tagsfile) +diff -urN noweb-2.9.orig/src/shell/roff.nw noweb-2.9/src/shell/roff.nw +--- noweb-2.9.orig/src/shell/roff.nw 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/shell/roff.nw 2006-02-17 12:47:05.000000000 +0100 +@@ -80,7 +80,7 @@ + other, and quoting each quote is ugly. 
The pragmatic solution is to + copy the awk program into a temporary file, using a shell here-document. + <>= +-awkfile="/tmp/noweb$$.awk" ++awkfile=$(tempfile -p noweb -s .awk) + trap 'rm -f $awkfile' 0 1 2 10 14 15 + cat > $awkfile << 'EOF' + <> +@@ -662,12 +662,13 @@ base="`basename $1 | sed '/\./s/\.[^.]*$//'`" tagsfile="$base.nwt" @@ -96,22 +156,17 @@ if [ -r "$tagsfile" ]; then - cp $tagsfile /tmp/tags.$$ + cp $tagsfile $tmpfile - $AWK '{ - if (sub(/^###TAG### / , "")) tags[$1] = $2 - else if (sub(/^###BEGINCHUNKS###/, "")) printf ".de CLIST\n.CLISTBEGIN\n" -@@ -88,8 +89,8 @@ - # print str3 - # print convquote(str3) - # } -- function tag(s) { if (s in tags) return tags[s]; else return "???" }' /tmp/tags.$$ + $AWK '<> +- <>' /tmp/tags.$$ - rm -f /tmp/tags.$$ -+ function tag(s) { if (s in tags) return tags[s]; else return "???" }' $tmpfile ++ <>' $tmpfile + rm -f $tmpfile fi cat "$@") | ($ROFF $opts 2>$tagsfile) ---- noweb-2.9a.orig/src/shell/toroff -+++ noweb-2.9a/src/shell/toroff +diff -urN noweb-2.9.orig/src/shell/toroff noweb-2.9/src/shell/toroff +--- noweb-2.9.orig/src/shell/toroff 2001-03-28 15:49:00.000000000 +0200 ++++ noweb-2.9/src/shell/toroff 2006-02-17 12:47:05.000000000 +0100 @@ -9,7 +9,7 @@ exit 1;; esac diff --git a/app-text/noweb/noweb-2.9-r3.ebuild b/app-text/noweb/noweb-2.9-r5.ebuild similarity index 90% rename from app-text/noweb/noweb-2.9-r3.ebuild rename to app-text/noweb/noweb-2.9-r5.ebuild index 7905bfb2bfe5..0c461a244b43 100644 --- a/app-text/noweb/noweb-2.9-r3.ebuild +++ b/app-text/noweb/noweb-2.9-r5.ebuild @@ -1,6 +1,6 @@ -# Copyright 1999-2005 Gentoo Foundation +# Copyright 1999-2006 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/noweb-2.9-r3.ebuild,v 1.12 2005/01/01 16:27:47 eradicator Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/noweb-2.9-r5.ebuild,v 1.1 2006/02/17 12:25:03 ehmsen Exp $ inherit eutils 
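Review bot: The new `tagstemp` file in the `roff.mm` section is removed only by the `rm -f $tagstemp` that follows the awk run, and the one `trap` visible in this hunk covers `$awkfile` alone, so an interrupt between the `cp` and the `rm` leaves a copy of the tags file behind; whether both fragments end up in the same generated script cannot be told from the hunk. The expansions are also unquoted while `tagsfile` is built from `$base` (`tagsfile="$base.nwt"`, with `base` taken from `basename $1` in the `noroff` and `roff.nw` sections), so a file name containing spaces or glob characters splits the `cp` arguments. I would write `cp "$tagsfile" "$tagstemp"` and `rm -f "$tagstemp"`, and add the temporary file to a cleanup trap. The same `cp $tagsfile $tmpfile` / `rm -f $tmpfile` pattern appears in the `noroff` and `roff.nw` sections.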
diff --git a/app-text/noweb/noweb-2.9-r4.ebuild b/app-text/noweb/noweb-2.9-r6.ebuild similarity index 91% rename from app-text/noweb/noweb-2.9-r4.ebuild rename to app-text/noweb/noweb-2.9-r6.ebuild index d7fae808682c..5b2665cb6d8c 100644 --- a/app-text/noweb/noweb-2.9-r4.ebuild +++ b/app-text/noweb/noweb-2.9-r6.ebuild @@ -1,6 +1,6 @@ -# Copyright 1999-2005 Gentoo Foundation +# Copyright 1999-2006 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/noweb-2.9-r4.ebuild,v 1.3 2005/01/01 16:27:47 eradicator Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/noweb-2.9-r6.ebuild,v 1.1 2006/02/17 12:25:03 ehmsen Exp $ inherit eutils -- 2.26.2