pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2008Q1]: pkgsrc/converters/uulib Pullup ticket #2406 - request...
details: https://anonhg.NetBSD.org/pkgsrc/rev/822014749b0c
branches: pkgsrc-2008Q1
changeset: 540394:822014749b0c
user: tron <tron%pkgsrc.org@localhost>
date: Mon Jun 02 09:40:36 2008 +0000
description:
Pullup ticket #2406 - requested by dholland
Security patch for uulib
Revisions pulled up:
- converters/uulib/Makefile 1.42
- converters/uulib/distinfo 1.10
- converters/uulib/patches/patch-ab 1.3
- converters/uulib/patches/patch-ac 1.1
---
Module Name: pkgsrc
Committed By: dholland
Date: Sun Jun 1 21:46:37 UTC 2008
Modified Files:
pkgsrc/converters/uulib: Makefile distinfo
Added Files:
pkgsrc/converters/uulib/patches: patch-ab patch-ac
Log Message:
Fix insecure-temporary-files, as reported in Debian bug 480972.
PKGREVISION++.
diffstat:
converters/uulib/Makefile | 4 +-
converters/uulib/distinfo | 4 +-
converters/uulib/patches/patch-ab | 17 +++++++
converters/uulib/patches/patch-ac | 83 +++++++++++++++++++++++++++++++++++++++
4 files changed, 105 insertions(+), 3 deletions(-)
diffs (136 lines):
diff -r c60e86e01a33 -r 822014749b0c converters/uulib/Makefile
--- a/converters/uulib/Makefile Mon Jun 02 09:17:39 2008 +0000
+++ b/converters/uulib/Makefile Mon Jun 02 09:40:36 2008 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.41 2007/09/18 19:44:40 heinz Exp $
+# $NetBSD: Makefile,v 1.41.6.1 2008/06/02 09:40:36 tron Exp $
#
DISTNAME= uudeview-0.5.20
PKGNAME= uulib-0.5.20
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= converters
MASTER_SITES= http://www.fpx.de/fp/Software/UUDeview/download/
diff -r c60e86e01a33 -r 822014749b0c converters/uulib/distinfo
--- a/converters/uulib/distinfo Mon Jun 02 09:17:39 2008 +0000
+++ b/converters/uulib/distinfo Mon Jun 02 09:40:36 2008 +0000
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.9 2005/11/03 20:05:54 rillig Exp $
+$NetBSD: distinfo,v 1.9.20.1 2008/06/02 09:40:36 tron Exp $
SHA1 (uudeview-0.5.20.tar.gz) = 2c6ab7d355b545218bd0877d598bd5327d9fd125
RMD160 (uudeview-0.5.20.tar.gz) = 9bb52fa3ad4979383ff16d1e8d8a302c5c794c66
Size (uudeview-0.5.20.tar.gz) = 261574 bytes
SHA1 (patch-aa) = 8ea37995ef4426bcd008246b1465ad5428da7bd8
+SHA1 (patch-ab) = f23ca7945a0697dc8e49ba9c7765bfa655ed8566
+SHA1 (patch-ac) = 7322b738ba427515a508eff41cce4139d4fda86e
diff -r c60e86e01a33 -r 822014749b0c converters/uulib/patches/patch-ab
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/converters/uulib/patches/patch-ab Mon Jun 02 09:40:36 2008 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-ab,v 1.2.36.1 2008/06/02 09:40:36 tron Exp $
+
+--- uulib/fptools.c.orig 2004-02-23 19:05:32.000000000 -0500
++++ uulib/fptools.c 2008-06-01 16:08:35.000000000 -0400
+@@ -517,6 +517,7 @@
+ return number;
+ }
+
++#if 0 /* insecure */
+ /*
+ * tempnam is not ANSI, but tmpnam is. Ignore the prefix here.
+ */
+@@ -526,3 +527,4 @@
+ {
+ return _FP_strdup (tmpnam (NULL));
+ }
++#endif
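Review bot: The `#if 0 /* insecure */` marker added above the tmpnam-based helper does not say what is insecure about it or what callers should use instead. A fuller comment such as `#if 0 /* insecure: tmpnam() returns only a name, leaving a window before the file is opened; use mkstemp() */` would keep the reason next to the disabled code. The function's signature falls between the two hunks and is not shown, and any prototype in a header is presumably still declared, so a remaining caller would only fail at link time. Deleting the block outright rather than compiling it out would avoid it being re-enabled by accident.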
diff -r c60e86e01a33 -r 822014749b0c converters/uulib/patches/patch-ac
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/converters/uulib/patches/patch-ac Mon Jun 02 09:40:36 2008 +0000
@@ -0,0 +1,83 @@
+$NetBSD: patch-ac,v 1.1.2.2 2008/06/02 09:40:37 tron Exp $
+
+--- uulib/uunconc.c.orig 2004-03-01 17:52:27.000000000 -0500
++++ uulib/uunconc.c 2008-06-01 17:05:57.000000000 -0400
+@@ -49,6 +49,7 @@
+ #include <errno.h>
+ #endif
+
++#include <paths.h>
+ #include <crc32.h>
+ #include <uudeview.h>
+ #include <uuint.h>
+@@ -1306,6 +1307,7 @@
+ {
+ int state=BEGIN, part=-1, res=0, hb;
+ long rsize, dsize, numbytes;
++ int dataoutfd;
+ FILE *datain, *dataout;
+ unsigned char r[8];
+ char *mode, *ntmp;
+@@ -1329,13 +1331,13 @@
+ else
+ mode = "wb"; /* otherwise in binary */
+
+- if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
++ if ((data->binfile = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) {
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NO_TEMP_NAME));
+ return UURET_NOMEM;
+ }
+
+- if ((dataout = fopen (data->binfile, mode)) == NULL) {
++ if ((dataoutfd = mkstemp (data->binfile)) < 0) {
+ /*
+ * we couldn't create a temporary file. Usually this means that TMP
+ * and TEMP aren't set
+@@ -1348,6 +1350,19 @@
+ uu_errno = errno;
+ return UURET_IOERR;
+ }
++
++ /* file now safely exists, reopen it using the right mode */
++ close (dataoutfd);
++ if ((dataout = fopen (data->binfile, mode)) < 0) {
++ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
++ uustring (S_WR_ERR_TARGET),
++ data->binfile, strerror (uu_errno = errno));
++ _FP_free (data->binfile);
++ data->binfile = NULL;
++ uu_errno = errno;
++ return UURET_IOERR;
++ }
++
+ /*
+ * we don't have begin lines in Base64 or plain text files.
+ */
+@@ -1496,7 +1511,7 @@
+ */
+
+ if (data->uudet == BH_ENCODED && data->binfile) {
+- if ((ntmp = tempnam (NULL, "uu")) == NULL) {
++ if ((ntmp = strdup (_PATH_TMP "uu.XXXXXX")) == NULL) {
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NO_TEMP_NAME));
+ progress.action = 0;
+@@ -1510,6 +1525,17 @@
+ free (ntmp);
+ return UURET_IOERR;
+ }
++ if ((dataoutfd = mkstemp (ntmp)) < 0) {
++ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
++ uustring (S_NOT_OPEN_TARGET),
++ ntmp, strerror (uu_errno = errno));
++ progress.action = 0;
++ fclose (datain);
++ free (ntmp);
++ return UURET_IOERR;
++ }
++ /* file now safely exists; reopen it with the right mode */
++ close (dataoutfd);
+ if ((dataout = fopen (ntmp, "wb")) == NULL) {
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NOT_OPEN_TARGET),
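Review bot: The reopen check added after the first mkstemp() call, `if ((dataout = fopen (data->binfile, mode)) < 0) {`, compares a FILE pointer with 0 using `<`, so a failed fopen() (which returns NULL) is not caught and dataout is presumably used as NULL further down; it should read `if ((dataout = fopen (data->binfile, mode)) == NULL) {`, as the second site in the BH_ENCODED branch already does. Both sites also close the mkstemp() descriptor and reopen the file by name; wrapping the descriptor instead, `dataout = fdopen (dataoutfd, mode)`, would keep the stream bound to the file mkstemp() created rather than to whatever the path resolves to at reopen time. In the new error branch `uu_errno = errno` is assigned a second time after `_FP_free`, when errno may already have changed, and neither reopen-failure path unlinks the file that mkstemp() left behind. The enclosing function starts and ends outside these hunks, so the later use of dataout is not visible here.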