pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/print/a2ps Security fix for CAN-2004-1377:
details: https://anonhg.NetBSD.org/pkgsrc/rev/43879e924bc0
branches: trunk
changeset: 495427:43879e924bc0
user: salo <salo%pkgsrc.org@localhost>
date: Thu Jun 09 14:53:49 2005 +0000
description:
Security fix for CAN-2004-1377:
"The fixps and psmandup scripts in a2ps allow local users to overwrite
arbitrary files via a symlink attack on temporary files."
Patches from Gentoo with few minor issues corrected.
diffstat:
print/a2ps/Makefile | 10 ++++++++--
print/a2ps/distinfo | 4 +++-
print/a2ps/patches/patch-ad | 31 +++++++++++++++++++++++++++++++
print/a2ps/patches/patch-ae | 32 ++++++++++++++++++++++++++++++++
4 files changed, 74 insertions(+), 3 deletions(-)
diffs (113 lines):
diff -r a26e21f32dc6 -r 43879e924bc0 print/a2ps/Makefile
--- a/print/a2ps/Makefile Thu Jun 09 14:25:49 2005 +0000
+++ b/print/a2ps/Makefile Thu Jun 09 14:53:49 2005 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.53 2005/05/22 20:08:27 jlam Exp $
+# $NetBSD: Makefile,v 1.54 2005/06/09 14:53:49 salo Exp $
DISTNAME= a2ps-4.13b
PKGNAME= a2ps-4.13.0.2
-PKGREVISION= 6
+PKGREVISION= 7
CATEGORIES= print
MASTER_SITES= ${MASTER_SITE_GNU:=a2ps/} \
ftp://ftp.enst.fr/pub/unix/a2ps/
@@ -14,6 +14,12 @@
DEPENDS+= papersize>=1.0.2:../../print/papersize
DEPENDS+= psutils>=1.17:../../print/psutils
+.include "../../mk/bsd.prefs.mk"
+
+.if empty(OPSYS:M*BSD)
+DEPENDS+= mktemp>=1.5:../../sysutils/mktemp
+.endif
+
WRKSRC= ${WRKDIR}/a2ps-4.13
STRIP= # empty
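Review bot: The `.if empty(OPSYS:M*BSD)` block adds the mktemp dependency with no comment explaining why, and the patched scripts invoke `mktemp` by bare name, so which binary actually runs depends on the invoking user's PATH rather than on this dependency. Add a one-line comment stating that fixps and psmandup now need `mktemp -d`, and consider substituting the absolute path of the mktemp binary into the scripts at build time so the package's own dependency is the one used.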
diff -r a26e21f32dc6 -r 43879e924bc0 print/a2ps/distinfo
--- a/print/a2ps/distinfo Thu Jun 09 14:25:49 2005 +0000
+++ b/print/a2ps/distinfo Thu Jun 09 14:53:49 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2005/02/24 12:51:41 agc Exp $
+$NetBSD: distinfo,v 1.9 2005/06/09 14:53:49 salo Exp $
SHA1 (a2ps-4.13b.tar.gz) = cfc79a3e54115e569f667fa3fd2c2ec16d22b31a
RMD160 (a2ps-4.13b.tar.gz) = affc47a7487f2459184be0be76e49b1e185fc53d
@@ -6,3 +6,5 @@
SHA1 (patch-aa) = 67f0c9ddf6e9829aeecb3de596c925d451990877
SHA1 (patch-ab) = ba7446a32733d60910036190be957045d4ec1218
SHA1 (patch-ac) = 5daaedd3866c731206b829124d8a3f4741512d17
+SHA1 (patch-ad) = a9ed67aeb2723153e1023980ff69086bca0f1f59
+SHA1 (patch-ae) = 34b45a6c37b721547d23c1d65e51b6e919cb3671
diff -r a26e21f32dc6 -r 43879e924bc0 print/a2ps/patches/patch-ad
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/print/a2ps/patches/patch-ad Thu Jun 09 14:53:49 2005 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-ad,v 1.4 2005/06/09 14:53:49 salo Exp $
+
+Fix for CAN-2004-1377
+
+--- contrib/fixps.in.orig 2000-02-21 09:16:15.000000000 +0100
++++ contrib/fixps.in 2005-06-09 16:45:42.000000000 +0200
+@@ -38,7 +38,6 @@
+ run_gs=0
+ # What action to perform: fixps, cat, check, and gs
+ task=fixps
+-tmpdir=/tmp/$program.$$
+ verbose=echo
+
+ # The version/usage strings
+@@ -183,6 +182,8 @@
+ exit 1;;
+ esac
+
++tmpdir=`mktemp -d -t fixps.XXXXXX` || { echo "$program: Cannot create temporary directory!" >&2 ; exit 1; }
++
+ if test -n "$debug"; then
+ # Set -x now if debugging
+ set -x
+@@ -191,7 +192,6 @@
+ trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15
+ fi
+
+-mkdir $tmpdir
+ fixps_sed=$tmpdir/fixps.sed
+
+ # If printing from stdin, save into a tmp file
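Review bot: In the context line `trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15`, `$tmpdir` is expanded unquoted, which was harmless for the fixed `/tmp/$program.$$` form but matters now that `mktemp -d -t` roots the directory under the user's TMPDIR. A TMPDIR containing whitespace would make the cleanup `rm -rf` act on split words instead of the temporary directory. Extend the patch to quote it, for example `trap "/bin/rm -rf '$tmpdir'" ...`, and apply the same quoting to `fixps_sed=$tmpdir/fixps.sed` and later uses.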
diff -r a26e21f32dc6 -r 43879e924bc0 print/a2ps/patches/patch-ae
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/print/a2ps/patches/patch-ae Thu Jun 09 14:53:49 2005 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-ae,v 1.4 2005/06/09 14:53:49 salo Exp $
+
+Fix for CAN-2004-1377
+
+--- contrib/psmandup.in.orig 1999-10-24 15:06:42.000000000 +0200
++++ contrib/psmandup.in 2005-06-09 16:46:24.000000000 +0200
+@@ -36,7 +36,6 @@
+ message=
+ psselect=${PSSELECT:-psselect}
+ psset=${PSSET:-psset}
+-tmpdir=/tmp/$program.$$
+
+ # These two must be kept in synch. They are opposed.
+ verbose=echo
+@@ -177,6 +176,8 @@
+ exit 1;;
+ esac
+
++tmpdir=`mktemp -d -t psmandup.XXXXXX` || { echo "$program: Cannot create temporary directory!" >&2 ; exit 1; }
++
+ if test -n "$debug"; then
+ # Set -x now if debugging
+ set -x
+@@ -185,8 +186,6 @@
+ trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15
+ fi
+
+-mkdir $tmpdir
+-
+ # If printing from stdin, save into a tmp file
+ if test $file = '-'; then
+ file=$tmpdir/stdin.ps
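Review bot: The `tmpdir=` assignment moves from line 36 to line 176, after the option-parsing `case`, so anything in between that reads `$tmpdir` now sees an empty value; please confirm that no such use exists in psmandup.in. The context line `file=$tmpdir/stdin.ps` also leaves the path unquoted, and since the directory now comes from `mktemp -t` (under TMPDIR) it should be quoted wherever `$file` and `$tmpdir` are expanded.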