[pkgsrc/trunk]: pkgsrc/print/teTeX-bin xdvizilla had unsafe temporary file us...
details: https://anonhg.NetBSD.org/pkgsrc/rev/eb22263f138d
branches: trunk
changeset: 482216:eb22263f138d
user: kei <kei%pkgsrc.org@localhost>
date: Fri Oct 22 12:49:02 2004 +0000
description:
xdvizilla had unsafe temporary file usage. The fixes (the diffs between revisions 1.2 and
1.10) are pulled from its CVS repository.
closes pkga22940 by Jeremy C. Reed.
diffstat:
print/teTeX-bin/distinfo | 3 +-
print/teTeX-bin/patches/patch-ag | 196 +++++++++++++++++++++++++++++++++++++++
2 files changed, 198 insertions(+), 1 deletions(-)
diffs (216 lines):
diff -r b23374d8c88a -r eb22263f138d print/teTeX-bin/distinfo
--- a/print/teTeX-bin/distinfo Fri Oct 22 10:48:01 2004 +0000
+++ b/print/teTeX-bin/distinfo Fri Oct 22 12:49:02 2004 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5 2004/10/11 04:54:05 minskim Exp $
+$NetBSD: distinfo,v 1.6 2004/10/22 12:49:02 kei Exp $
SHA1 (teTeX/tetex-src-2.0.2.tar.gz) = 6445206b14d659458ee352df78d2c2daf8e88ab3
Size (teTeX/tetex-src-2.0.2.tar.gz) = 11745933 bytes
@@ -8,5 +8,6 @@
SHA1 (patch-ad) = 377f52b45ea66b88f682aaa7f0dd72dee8f986fb
SHA1 (patch-ae) = 68825699db129b82f476c37ba3b6e20a8831ad6e
SHA1 (patch-af) = d5fd0e1b30b1ea9fd96fe5983088df5a723f04b7
+SHA1 (patch-ag) = 9dd4ce8fc1dad6555a59fd3734364ebf9117b4f5
SHA1 (patch-ap) = 40543e9a2fb87d296557f3a8bd9a7207b2331a8e
SHA1 (patch-aq) = f90ed07b2de340c55c6d987fdaa59d7ed6d46e0f
diff -r b23374d8c88a -r eb22263f138d print/teTeX-bin/patches/patch-ag
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/print/teTeX-bin/patches/patch-ag Fri Oct 22 12:49:02 2004 +0000
@@ -0,0 +1,196 @@
+$NetBSD: patch-ag,v 1.3 2004/10/22 12:49:02 kei Exp $
+
+This diff is taken from the url below:
+http://cvs.sourceforge.net/viewcvs.py/xdvi/xdvik/texk/xdvik/xdvizilla?r1=text&tr1=1.2&r2=text&tr2=1.10&diff_format=u
+
+===================================================================
+RCS file: /cvsroot/xdvi/xdvik/texk/xdvik/xdvizilla,v
+retrieving revision 1.2
+retrieving revision 1.10
+diff -u -r1.2 -r1.10
+--- xdvi/xdvik/texk/xdvik/xdvizilla 2002/10/12 13:29:17 1.2
++++ xdvi/xdvik/texk/xdvik/xdvizilla 2004/02/24 22:37:37 1.10
+@@ -1,11 +1,68 @@
+ #! /bin/sh
+-
++#
+ # This is a kludge to fix helper apps in mozilla. See mozilla bugs #57420
+ # and also #78919.
+-
++#
+ # It's also useful for tar files with Netscape 4.x
++#
++# Copyright (c) 2002-2004 Paul Vojta
++#
++# Permission is hereby granted, free of charge, to any person obtaining a copy
++# of this software and associated documentation files (the "Software"), to
++# deal in the Software without restriction, including without limitation the
++# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
++# sell copies of the Software, and to permit persons to whom the Software is
++# furnished to do so, subject to the following conditions:
++#
++# The above copyright notice and this permission notice shall be included in
++# all copies or substantial portions of the Software.
++#
++# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
++# IN NO EVENT SHALL PAUL VOJTA OR ANY OTHER AUTHOR OF OR CONTRIBUTOR TO
++# THIS SOFTWARE BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
++# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
++# IN THE SOFTWARE.
++
++# Some changes suggested by Thomas Esser included by
++# <stefanulrich%users.sourceforge.net@localhost>.
+
++IN_FILE=
+ NO_RM=
++TMP_DIR=
++progname=xdvizilla
++
++do_cleanup()
++{
++ exitval=$?
++ if [ -z "$NO_RM" -a -n "$IN_FILE" ] ; then
++ rm -f "$IN_FILE"
++ fi
++ test -n "$TMP_DIR" && rm -rf "$TMP_DIR"
++ exit $exitval
++}
++
++do_abort()
++{
++ xmessage -nearmouse "$progname: $1"
++ do_cleanup
++ exit 1
++}
++
++usage()
++{
++ xmessage -nearmouse "Usage: $progname [-no-rm] <file>"
++ do_cleanup
++ exit 1
++}
++
++trap 'do_cleanup' 1 2 3 7 13 15
++
++### create a temporary directory only read/writable by user
++TMP_DIR=${TMP-/tmp}/$progname.$$
++(umask 077; mkdir "$TMP_DIR") || do_abort "Could not create directory \`$TMP_DIR'"
+
+ if [ $# -gt 1 -a "x$1" = "x-no-rm" ]; then
+ NO_RM=y
+@@ -13,8 +70,7 @@
+ fi
+
+ if [ $# -ne 1 ]; then
+- xmessage -nearmouse 'Usage: xdvizilla [-no-rm] <file>'
+- exit 1
++ usage
+ fi
+
+ DIR=`dirname "$0"`
+@@ -27,55 +83,52 @@
+ DIR=
+ fi
+
+-FILE=$1
+-FILETYPE=`file "$FILE"`
+-
+-case "$FILETYPE" in
+-
+- *"gzip compressed data"*)
+- FILE=/tmp/xdvizilla$$
+- gunzip -c "$1" > $FILE
+- [ -n "$NO_RM" ] || rm -f -- "$1"
+- NO_RM=
+- FILETYPE=`file "$FILE"`
+- ;;
+-
+- *"compressed data"* | *"compress'd data"*)
+- FILE=/tmp/xdvizilla$$
+- uncompress -c "$1" > $FILE
+- [ -n "$NO_RM" ] || rm -f -- "$1"
+- NO_RM=
+- FILETYPE=`file "$FILE"`
+- ;;
+-
+- "$1: empty")
+- xmessage -nearmouse "$1 is an empty file
+-(this is a bug in Mozilla)"
+- [ -n "$NO_RM" ] || rm -f -- "$1"
+- exit 1
+- ;;
+-
+-esac
+-
+-case "$FILETYPE" in
+-
+- *" tar archive")
+- TARDIR=/tmp/xdvitar$$
+- mkdir $TARDIR
+- cat "$FILE" | (cd $TARDIR; tar xf -)
+- DVINAME=`tar tf "$FILE" | grep '\.dvi$' | head -1`
+- [ -n "$NO_RM" ] || rm -f -- "$FILE"
+- if [ -z "$DVINAME" ]; then
+- xmessage -nearmouse "Tar file does not contain a dvi file"
+- else
+- (cd $TARDIR; "$DIR"xdvi -safer "$DVINAME")
+- fi
+- rm -rf $TARDIR
+- ;;
++# need to preserve IN_FILE for eventual deletion
++IN_FILE="$1"
++TMP_FILE="$IN_FILE"
++
++while [ 1 ]; do
++ [ -f "$TMP_FILE" ] || do_abort "$TMP_FILE: File not found."
++ FILETYPE=`file "$TMP_FILE"`
++ case "$FILETYPE" in
++ *"gzip compressed data"*)
++ out="$TMP_DIR"/tmp-gz
++ gunzip -c "$TMP_FILE" > "$out"
++ TMP_FILE="$out"
++ ;;
++ *"compressed data"* | *"compress'd data"*)
++ out="$TMP_DIR"/tmp-compress
++ uncompress -c "$TMP_FILE" > "$out"
++ TMP_FILE="$out"
++ ;;
++ "$TMP_FILE: empty")
++ do_abort "$TMP_FILE is an empty file
++(probably a bug in Mozilla?)"
++ ;;
++ *" tar archive")
++ ### do sanity checks on the tar archive, to avoid overwriting user files:
++ dangerous=`tar tf "$TMP_FILE" | egrep '^(/|.*\.\./)'`
++ [ -z "$dangerous" ] || do_abort "Tar file contains files with absolute paths or \`../' components,
++which may overwrite user files. Not unpacking it."
++ ### also check for gzipped DVI files inside the archive ...
++ out="$TMP_DIR"/`tar tf "$TMP_FILE" | egrep '\.(dvi|dvi.gz|dvi.Z)$' | head -1`
++ if [ -z "$out" ]; then
++ do_abort "Tar file does not contain a dvi file."
++ else
++ cat "$TMP_FILE" | (cd "$TMP_DIR"; tar xf -)
++ TMP_FILE="$out"
++ fi
++ ;;
++ *"DVI file"*)
++ "$DIR"xdvi -safer "$TMP_FILE"
++ break
++ ;;
++ *)
++ do_abort "$TMP_FILE: Unrecognized file format!"
++ ;;
++ esac
++done
+
+- *)
+- "$DIR"xdvi -safer "$FILE"
+- [ -n "$NO_RM" ] || rm -f -- "$FILE"
+- ;;
++do_cleanup
+
+-esac
++exit 0
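Review bot: The error paths in `do_abort` and `usage` do not actually exit non-zero: `do_cleanup` captures `$?` on entry, which there is the status of the preceding `xmessage` call (presumably 0 once the dialog is dismissed), and its `exit $exitval` ends the script before the callers' `exit 1` is reached. Passing the status explicitly fixes this — `exitval=${1-$?}` in `do_cleanup`, and `do_cleanup 1` in place of the bare `do_cleanup` in both `do_abort` and `usage`. The tar sanity check only inspects member names, so it rejects absolute and `../` paths but cannot detect symlink or hardlink members, through which extraction could still be redirected outside `$TMP_DIR` unless the tar implementation itself refuses that; a comment stating this limitation next to the `egrep` would help the next maintainer. `mkdir` under `umask 077` on the fixed `$progname.$$` name is safe against a pre-existing link because `mkdir` fails on an existing path, but the name is predictable and a pre-created entry turns into a denial of service; `mktemp -d` would avoid that where available. The `egrep '\.(dvi|dvi.gz|dvi.Z)$'` pattern leaves the inner dots unescaped, so it also matches names like `foo.dviXgz`; `\.(dvi|dvi\.gz|dvi\.Z)$` is the intended pattern.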