pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2005Q3]: pkgsrc/devel/gtexinfo Pullup ticket 821 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/ba1087825a28
branches:  pkgsrc-2005Q3
changeset: 499582:ba1087825a28
user:      snj <snj%pkgsrc.org@localhost>
date:      Wed Oct 12 03:56:19 2005 +0000

description:
Pullup ticket 821 - requested by Lubomir Sedlacik
security fix for gtexinfo

Revisions pulled up:
- pkgsrc/devel/gtexinfo/Makefile                1.58
- pkgsrc/devel/gtexinfo/distinfo                1.22
- pkgsrc/devel/gtexinfo/patches/patch-al        1.1

   Module Name:    pkgsrc
   Committed By:   salo
   Date:           Mon Oct 10 15:14:49 UTC 2005

   Modified Files:
           pkgsrc/devel/gtexinfo: Makefile distinfo
   Added Files:
           pkgsrc/devel/gtexinfo/patches: patch-al

   Log Message:
   Security fix for CAN-2005-3011:

   "texindex in texinfo 4.8 and earlier allows local users to overwrite
   arbitrary files via a symlink attack on temporary files."

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011

   Patch from Ubuntu.

diffstat:

 devel/gtexinfo/Makefile         |   3 ++-
 devel/gtexinfo/distinfo         |   3 ++-
 devel/gtexinfo/patches/patch-al |  34 ++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)

diffs (65 lines):

diff -r 884e70841abd -r ba1087825a28 devel/gtexinfo/Makefile
--- a/devel/gtexinfo/Makefile   Sun Oct 09 23:02:56 2005 +0000
+++ b/devel/gtexinfo/Makefile   Wed Oct 12 03:56:19 2005 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.57 2005/04/11 21:45:24 tv Exp $
+# $NetBSD: Makefile,v 1.57.4.1 2005/10/12 03:56:19 snj Exp $
 
 DISTNAME=              texinfo-4.8
 PKGNAME=               g${DISTNAME}
+PKGREVISION=           1
 CATEGORIES=            devel
 MASTER_SITES=          ${MASTER_SITE_GNU:=texinfo/}
 EXTRACT_SUFX=          .tar.bz2
diff -r 884e70841abd -r ba1087825a28 devel/gtexinfo/distinfo
--- a/devel/gtexinfo/distinfo   Sun Oct 09 23:02:56 2005 +0000
+++ b/devel/gtexinfo/distinfo   Wed Oct 12 03:56:19 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2005/02/28 13:06:46 wiz Exp $
+$NetBSD: distinfo,v 1.21.6.1 2005/10/12 03:56:19 snj Exp $
 
 SHA1 (texinfo-4.8.tar.bz2) = b19e906f7220294c1e8b087d583c50f5c4d7c420
 RMD160 (texinfo-4.8.tar.bz2) = 5cb82cd240d1f22da813c7142df8828b4f6f1ea4
@@ -9,3 +9,4 @@
 SHA1 (patch-ad) = c5c3374322eb8a2c8dfc7871971b73194ab1b14c
 SHA1 (patch-aj) = d9071c62c993550d253c9e1889880d4fccf7d278
 SHA1 (patch-ak) = 2cef2ae464ddb5324acae000420017d4faf7b145
+SHA1 (patch-al) = 5d50cfe1c783b91d5983e67e8fe8a33a0476b531
diff -r 884e70841abd -r ba1087825a28 devel/gtexinfo/patches/patch-al
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/gtexinfo/patches/patch-al   Wed Oct 12 03:56:19 2005 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-al,v 1.1.2.2 2005/10/12 03:56:19 snj Exp $
+
+Security fix for CAN-2005-3011, from Ubuntu.
+
+--- util/texindex.c.orig       2004-04-11 19:56:47.000000000 +0200
++++ util/texindex.c    2005-10-10 16:46:44.000000000 +0200
+@@ -390,11 +390,12 @@
+ maketempname (int count)
+ {
+   static char *tempbase = NULL;
++  char *tempname;
+   char tempsuffix[10];
++  int fd;
+ 
+   if (!tempbase)
+     {
+-      int fd;
+       tempbase = concat (tempdir, "txidxXXXXXX");
+ 
+       fd = mkstemp (tempbase);
+@@ -403,7 +404,12 @@
+     }
+ 
+   sprintf (tempsuffix, ".%d", count);
+-  return concat (tempbase, tempsuffix);
++  tempname = concat (tempbase, tempsuffix);
++  fd = open (tempname, O_CREAT|O_EXCL|O_WRONLY, 0600);
++  if (fd == -1)
++    pfatal_with_name (tempname);
++  close (fd);
++  return tempname;
+ }
+ 
+ 
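Review bot: In the second texindex.c hunk, the descriptor from open (tempname, O_CREAT|O_EXCL|O_WRONLY, 0600) is closed immediately and only the path is returned, so the exclusive create reserves the name but every caller still reopens the file by path. Please add a comment on maketempname saying that the file already exists with mode 0600 when the function returns, and that callers must open it as an existing file rather than unlink or recreate it, since doing so would reopen the window that the O_EXCL check closes. Two smaller points to confirm: the patch uses open and the O_* flags without adding an #include, so <fcntl.h> has to be reachable from texindex.c already; and the unchanged sprintf (tempsuffix, ".%d", count) writes into a 10-byte buffer, which holds counts of at most eight digits, so snprintf with sizeof tempsuffix would be the safer call while this function is being touched.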


