pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/multimedia/mpeg_encode Security fixes for SA17008:
details: https://anonhg.NetBSD.org/pkgsrc/rev/3415b343f183
branches: trunk
changeset: 500280:3415b343f183
user: salo <salo%pkgsrc.org@localhost>
date: Wed Oct 05 11:45:46 2005 +0000
description:
Security fixes for SA17008:
"Vulnerabilities in Berkeley MPEG Tools can be exploited by malicious, local
users to perform certain actions on a vulnerable system with escalated
privileges. The vulnerabilities are caused due to temporary files being
created insecurely in "/tmp."
http://secunia.com/advisories/17008/
http://www.gentoo.org/security/en/glsa/glsa-200510-02.xml
Patches from Gentoo.
diffstat:
multimedia/mpeg_encode/Makefile | 4 +-
multimedia/mpeg_encode/distinfo | 11 ++++++-
multimedia/mpeg_encode/patches/patch-ae | 6 ++--
multimedia/mpeg_encode/patches/patch-ah | 46 ++++++++++++++++++++++++++++++
multimedia/mpeg_encode/patches/patch-ai | 22 ++++++++++++++
multimedia/mpeg_encode/patches/patch-aj | 44 +++++++++++++++++++++++++++++
multimedia/mpeg_encode/patches/patch-ak | 44 +++++++++++++++++++++++++++++
multimedia/mpeg_encode/patches/patch-al | 31 ++++++++++++++++++++
multimedia/mpeg_encode/patches/patch-am | 46 ++++++++++++++++++++++++++++++
multimedia/mpeg_encode/patches/patch-an | 49 +++++++++++++++++++++++++++++++++
10 files changed, 296 insertions(+), 7 deletions(-)
diffs (truncated from 362 to 300 lines):
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/Makefile
--- a/multimedia/mpeg_encode/Makefile Wed Oct 05 11:35:11 2005 +0000
+++ b/multimedia/mpeg_encode/Makefile Wed Oct 05 11:45:46 2005 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.8 2005/06/17 04:49:47 jlam Exp $
+# $NetBSD: Makefile,v 1.9 2005/10/05 11:45:46 salo Exp $
#
DISTNAME= mpeg_encode-1.5b-src
PKGNAME= ${DISTNAME:S/-src//}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= multimedia net
MASTER_SITES= ftp://mm-ftp.cs.berkeley.edu/pub/multimedia/mpeg/encode/
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/distinfo
--- a/multimedia/mpeg_encode/distinfo Wed Oct 05 11:35:11 2005 +0000
+++ b/multimedia/mpeg_encode/distinfo Wed Oct 05 11:45:46 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2005/04/06 16:30:18 wiz Exp $
+$NetBSD: distinfo,v 1.4 2005/10/05 11:45:46 salo Exp $
SHA1 (mpeg_encode-1.5b-src.tar.gz) = 853cd175f73b8064ce28deb256e4b81159a684ed
RMD160 (mpeg_encode-1.5b-src.tar.gz) = 24c0a1090076630c292936639c5fb275778f6470
@@ -7,5 +7,12 @@
SHA1 (patch-ab) = f2cdf02d49b726b4fb7fb210074e7ba53b9b380b
SHA1 (patch-ac) = 8f89257bd93584cd028b659bb8c3379d713339da
SHA1 (patch-ad) = 670a244680d09cb9f558a8777ec8f189145342f8
-SHA1 (patch-ae) = e591c1399d51175295731b2c8947c03c19ede486
+SHA1 (patch-ae) = 414b8c45c65892b9e161c285c5c0327103f8f474
SHA1 (patch-ag) = 8cc4ffab9263f33e4a7da6779cdbbb59d010b475
+SHA1 (patch-ah) = 3df51a25ecc5abdb1821958183e087a9a9345e8a
+SHA1 (patch-ai) = 62f74749d2d4652222c1d0d96c1136af25ffae2e
+SHA1 (patch-aj) = 56031b467679ce4e2ae6bcddbdb129cd8cead479
+SHA1 (patch-ak) = f28929b16bb804c691565adbe3f4c1814154ced7
+SHA1 (patch-al) = be13795b7db10224974f222ce174fb1305d0e582
+SHA1 (patch-am) = 983546e7384fc96f0f182ae23bf5ddd19f7a0008
+SHA1 (patch-an) = 69e70b75b558637b3a2afb612871f7d4a8538c92
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/patches/patch-ae
--- a/multimedia/mpeg_encode/patches/patch-ae Wed Oct 05 11:35:11 2005 +0000
+++ b/multimedia/mpeg_encode/patches/patch-ae Wed Oct 05 11:45:46 2005 +0000
@@ -1,7 +1,7 @@
-$NetBSD: patch-ae,v 1.1.1.1 2004/02/24 21:47:25 jmmv Exp $
+$NetBSD: patch-ae,v 1.2 2005/10/05 11:45:46 salo Exp $
---- convert/jmovie2jpeg.c.orig 1995-01-20 00:29:24.000000000 +0000
-+++ convert/jmovie2jpeg.c
+--- ../convert/jmovie2jpeg.c.orig 1995-01-20 00:29:24.000000000 +0000
++++ ../convert/jmovie2jpeg.c
@@ -283,12 +283,12 @@ static char inbuffer[300000] = {
if (fread (&(image_offset),sizeof(int),1,inFile) != 1)
{
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/patches/patch-ah
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/mpeg_encode/patches/patch-ah Wed Oct 05 11:45:46 2005 +0000
@@ -0,0 +1,46 @@
+$NetBSD: patch-ah,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/eyuvtojpeg.c.orig 1995-04-14 23:16:52.000000000 +0200
++++ ../convert/eyuvtojpeg.c 2005-10-05 13:20:02.000000000 +0200
+@@ -24,6 +24,7 @@
+ *==============*/
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <unistd.h>
+ #include <malloc.h>
+
+ typedef unsigned char uint8;
+@@ -46,8 +47,9 @@
+ void main(int argc, char **argv)
+ {
+ FILE *fpointer;
+- char command[256];
+- char src[256], dest[256];
++ char command[4096];
++ char src[4096], dest[4096], tempfile[4096];
++ int ret;
+
+ if ((strcmp(argv[1],"-?") == 0) ||
+ (strcmp(argv[1],"-h") == 0) ||
+@@ -98,13 +100,16 @@
+ YUVtoPPM();
+
+ fprintf(stdout, "Writing PPM\n");
+- fpointer = fopen("/tmp/foobar", "w");
++ sprintf(tempfile, "%s.tmp", dest);
++ fpointer = fopen(tempfile, "w");
+ WritePPM(fpointer);
+ fclose(fpointer);
+
+ fprintf(stdout, "Converting to JPEG %s\n", dest);
+- sprintf(command, "cjpeg /tmp/foobar > %s", dest);
+- system(command);
++ sprintf(command, "cjpeg %s > %s", tempfile, dest);
++ ret = system(command);
++ unlink(tempfile);
++ return ret;
+ }
+
+
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/patches/patch-ai
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/mpeg_encode/patches/patch-ai Wed Oct 05 11:45:46 2005 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-ai,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/eyuvtoppm.c.orig 1995-04-14 23:16:52.000000000 +0200
++++ ../convert/eyuvtoppm.c 2005-10-05 13:16:27.000000000 +0200
+@@ -99,13 +99,9 @@
+ fpointer = fopen(dest, "w");
+ if (fpointer == NULL) {
+ fprintf(stderr, "Problems opening %s!\n", dest);
+- fprintf(stderr, "Trying /tmp/foobar instead\n");
+- strcpy(dest, "/tmp/foobar");
+- fpointer = fopen(dest, "w");
+- if (fpointer == NULL) {
+- fprintf(stderr, "Nope, exiting.\n");
++ perror("");
+ exit(1);
+- }}
++ }
+
+ WritePPM(fpointer);
+ fclose(fpointer);
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/patches/patch-aj
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/mpeg_encode/patches/patch-aj Wed Oct 05 11:45:46 2005 +0000
@@ -0,0 +1,44 @@
+$NetBSD: patch-aj,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/vidtoeyuv.c.orig 1995-01-20 04:25:39.000000000 +0100
++++ ../convert/vidtoeyuv.c 2005-10-05 13:16:27.000000000 +0200
+@@ -125,9 +125,9 @@
+ XImage *ximage;
+ char *tdata;
+ char *obase;
+- char ofname[256];
++ char ofname[4096], tempfile[4096];
+ int height, width;
+- char command[256];
++ char command[4096];
+ int nth;
+
+ if ((argc != 7) && (argc != 8))usage (argv[0]);
+@@ -223,9 +223,11 @@
+
+
+ sprintf(ofname, "%s%d.yuv", obase, i);
+- outFile = fopen("/tmp/foobar", "w");
++ sprintf(tempfile, "%s%d.yuv.tmp", obase, i);
++ outFile = fopen(tempfile, "w");
+ if (!outFile) {
+ perror("Couldn't open output file.");
++ exit(1);
+ }
+
+ for (r=0; r<height; r++) {
+@@ -241,9 +243,10 @@
+
+ free(tdata);
+
+- sprintf(command, "rawtoppm %d %d < /tmp/foobar | ppmtoyuv > %s",
+- width, height, ofname);
++ sprintf(command, "rawtoppm %d %d < %s | ppmtoyuv > %s",
++ width, height, tempfile, ofname);
+ system(command);
++ unlink(tempfile);
+
+ for (j=0; j<nth-1; j++) {
+ if (read (fd, &image, sizeof(image)) != sizeof(image)) {
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/patches/patch-ak
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/mpeg_encode/patches/patch-ak Wed Oct 05 11:45:46 2005 +0000
@@ -0,0 +1,44 @@
+$NetBSD: patch-ak,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/vidtojpeg.c.orig 1995-01-20 04:25:40.000000000 +0100
++++ ../convert/vidtojpeg.c 2005-10-05 13:16:27.000000000 +0200
+@@ -123,9 +123,9 @@
+ XImage *ximage;
+ char *tdata;
+ char *obase;
+- char ofname[256];
++ char ofname[4096], tempfile[4096];
+ int height, width;
+- char command[256];
++ char command[4096];
+
+
+ if ((argc != 7) && (argc != 8))usage (argv[0]);
+@@ -221,9 +221,11 @@
+
+
+ sprintf(ofname, "%s.%d.jpeg", obase, i);
+- outFile = fopen("/tmp/foobar", "w");
++ sprintf(tempfile, "%s.%d.jpeg.tmp", obase, i);
++ outFile = fopen(tempfile, "w");
+ if (!outFile) {
+ perror("Couldn't open output file.");
++ exit(1);
+ }
+
+ for (r=0; r<height; r++) {
+@@ -239,9 +241,10 @@
+
+ free(tdata);
+
+- sprintf(command, "rawtoppm %d %d < /tmp/foobar | cjpeg > %s",
+- width, height, ofname);
++ sprintf(command, "rawtoppm %d %d < %s | cjpeg > %s",
++ width, height, tempfile, ofname);
+ system(command);
++ unlink(tempfile);
+ }
+ }
+
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/patches/patch-al
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/mpeg_encode/patches/patch-al Wed Oct 05 11:45:46 2005 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-al,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- ../convert/vidtoppm.c.orig 1995-01-20 04:25:40.000000000 +0100
++++ ../convert/vidtoppm.c 2005-10-05 13:16:27.000000000 +0200
+@@ -220,9 +220,11 @@
+
+
+ sprintf(ofname, "%s%d.ppm", obase, i);
+- outFile = fopen("/tmp/foobar", "w");
++ sprintf(tempfile, "%s%d.ppm.tmp", obase, i);
++ outFile = fopen(tempfile, "w");
+ if (!outFile) {
+ perror("Couldn't open output file.");
++ exit(1);
+ }
+
+ for (r=0; r<height; r++) {
+@@ -238,8 +240,9 @@
+
+ free(tdata);
+
+- sprintf(command, "rawtoppm %d %d < /tmp/foobar > %s",
+- width, height, ofname);
++ sprintf(command, "rawtoppm %d %d < %s > %s",
++ width, height, tempfile, ofname);
+ system(command);
++ unlink(tempfile);
+ }
+ }
diff -r dc0c5444d52d -r 3415b343f183 multimedia/mpeg_encode/patches/patch-am
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/mpeg_encode/patches/patch-am Wed Oct 05 11:45:46 2005 +0000
@@ -0,0 +1,46 @@
+$NetBSD: patch-am,v 1.1 2005/10/05 11:45:46 salo Exp $
+
+Fix for SA17008, from Gentoo.
+
+--- parallel.c.orig 1995-08-16 20:22:11.000000000 +0200
++++ parallel.c 2005-10-05 13:25:40.000000000 +0200
+@@ -586,6 +586,8 @@
+ * SIDE EFFECTS: none
+ *
+ *===========================================================================*/
++/* internal hook into the ReadFrame function */
++void _ReadFrame(MpegFrame *frame, char *fileName, FILE *fileHook, char *conversion, boolean addPath);
+ void
+ GetRemoteFrame(frame, frameNumber)
+ MpegFrame *frame;
+@@ -615,8 +617,13 @@
+
+ if ( frameNumber != -1 ) {
+ if ( separateConversion ) {
+- sprintf(fileName, "/tmp/foobar%d", machineNumber);
+- filePtr = fopen(fileName, "wb");
++ int fd;
++ snprintf(fileName, sizeof(fileName), "/tmp/mpeg_encode_foobar%dXXXXXX", machineNumber);
++ fd = mkstemp(fileName);
++ if (fd == -1 || (filePtr = fdopen(fd, "wb")) == NULL) {
++ perror("ERROR: mpeg_encode->GetRemoteFrame");
++ exit(1);
++ }
+
+ /* read in stuff, SafeWrite to file, perform local conversion */
+ do {
+@@ -628,10 +635,12 @@
+ fwrite(smallBuffer, 1, numBytes, filePtr);
+ } while ( numBytes == 1000 );
+ fflush(filePtr);
+- fclose(filePtr);
++ rewind(filePtr);
Home |
Main Index |
Thread Index |
Old Index