pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/audio/id3lib fix unsafe temp file creation (CVE-2007-4...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/7dd3c48e112f
branches:  trunk
changeset: 532907:7dd3c48e112f
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Tue Sep 04 09:58:20 2007 +0000

description:
fix unsafe temp file creation (CVE-2007-4460), patch from Debian
bump PKGREVISION

diffstat:

 audio/id3lib/Makefile         |   4 +-
 audio/id3lib/distinfo         |   4 +-
 audio/id3lib/patches/patch-aj |  44 +++++++++++++++++++++++++++++++++++++++---
 3 files changed, 44 insertions(+), 8 deletions(-)

diffs (86 lines):

diff -r 027e496e568e -r 7dd3c48e112f audio/id3lib/Makefile
--- a/audio/id3lib/Makefile     Tue Sep 04 09:47:38 2007 +0000
+++ b/audio/id3lib/Makefile     Tue Sep 04 09:58:20 2007 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.26 2006/09/23 13:26:24 wiz Exp $
+# $NetBSD: Makefile,v 1.27 2007/09/04 09:58:20 drochner Exp $
 #
 
 DISTNAME=      id3lib-3.8.3
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    audio
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=id3lib/}
 
diff -r 027e496e568e -r 7dd3c48e112f audio/id3lib/distinfo
--- a/audio/id3lib/distinfo     Tue Sep 04 09:47:38 2007 +0000
+++ b/audio/id3lib/distinfo     Tue Sep 04 09:58:20 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2007/01/20 01:04:04 rillig Exp $
+$NetBSD: distinfo,v 1.15 2007/09/04 09:58:20 drochner Exp $
 
 SHA1 (id3lib-3.8.3.tar.gz) = c92c880da41d1ec0b242745a901702ae87970838
 RMD160 (id3lib-3.8.3.tar.gz) = bfa2499ec649ed40815ad0a370c78eb1517952c4
@@ -8,4 +8,4 @@
 SHA1 (patch-ag) = a047fe90d83c88e0f6d0a6a0595a440ef49276e3
 SHA1 (patch-ah) = 42a04014cc839565063daa395884b757214eb911
 SHA1 (patch-ai) = c0521a6d62d17826c9b1f35f6be51e1b72c48e7c
-SHA1 (patch-aj) = cbffa394ef07e59e3036788f265b3319bbdf2c39
+SHA1 (patch-aj) = 626952e7bbddbcf5db66a0509f62d588ccaed17a
diff -r 027e496e568e -r 7dd3c48e112f audio/id3lib/patches/patch-aj
--- a/audio/id3lib/patches/patch-aj     Tue Sep 04 09:47:38 2007 +0000
+++ b/audio/id3lib/patches/patch-aj     Tue Sep 04 09:58:20 2007 +0000
@@ -1,9 +1,36 @@
-$NetBSD: patch-aj,v 1.3 2007/01/20 01:04:04 rillig Exp $
-
-char and unsigned char are different data types.
+$NetBSD: patch-aj,v 1.4 2007/09/04 09:58:20 drochner Exp $
 
 --- src/tag_file.cpp.orig      2003-03-02 01:23:00.000000000 +0100
-+++ src/tag_file.cpp   2007-01-10 21:57:03.513247016 +0100
++++ src/tag_file.cpp
+@@ -242,8 +242,8 @@ size_t RenderV2ToFile(const ID3_TagImpl&
+     strcpy(sTempFile, filename.c_str());
+     strcat(sTempFile, sTmpSuffix.c_str());
+ 
+-#if ((defined(__GNUC__) && __GNUC__ >= 3  ) || !defined(HAVE_MKSTEMP))
+-    // This section is for Windows folk && gcc 3.x folk
++#if !defined(HAVE_MKSTEMP)
++    // This section is for Windows folk
+     fstream tmpOut;
+     createFile(sTempFile, tmpOut);
+ 
+@@ -257,7 +257,7 @@ size_t RenderV2ToFile(const ID3_TagImpl&
+       tmpOut.write((char *)tmpBuffer, nBytes);
+     }
+ 
+-#else //((defined(__GNUC__) && __GNUC__ >= 3  ) || !defined(HAVE_MKSTEMP))
++#else //!defined(HAVE_MKSTEMP)
+ 
+     // else we gotta make a temp file, copy the tag into it, copy the
+     // rest of the old file after the tag, delete the old file, rename
+@@ -270,7 +270,7 @@ size_t RenderV2ToFile(const ID3_TagImpl&
+       //ID3_THROW_DESC(ID3E_NoFile, "couldn't open temp file");
+     }
+ 
+-    ofstream tmpOut(fd);
++    ofstream tmpOut(sTempFile);
+     if (!tmpOut)
+     {
+       tmpOut.close();
 @@ -282,7 +282,7 @@ size_t RenderV2ToFile(const ID3_TagImpl&
  
      tmpOut.write(tagData, tagSize);
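Review bot: `ofstream tmpOut(sTempFile);` in the mkstemp branch reopens the temporary file by path rather than writing through the descriptor, so the exclusive-create guarantee covers only the creation and not this second open. If the directory holding the tagged file is writable by another user, the name could be replaced between the two calls; this is inferred, because the mkstemp call itself lies outside the embedded hunks. A comment above the line would record the constraint, for example `// reopened by name because this libstdc++ lacks ofstream(int fd); fd stays open until close(fd) below`, and a descriptor-backed stream buffer such as `__gnu_cxx::stdio_filebuf` would close the gap where it is available. The `#if !defined(HAVE_MKSTEMP)` branch still passes the predictable `filename + suffix` name to `createFile(sTempFile, tmpOut)`, so builds without mkstemp presumably remain exposed to the issue this commit addresses.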
@@ -13,3 +40,12 @@
      while (file)
      {
        file.read(tmpBuffer, BUFSIZ);
+@@ -292,7 +292,7 @@ size_t RenderV2ToFile(const ID3_TagImpl&
+ 
+     close(fd); //closes the file
+ 
+-#endif ////((defined(__GNUC__) && __GNUC__ >= 3  ) || !defined(HAVE_MKSTEMP))
++#endif ////!defined(HAVE_MKSTEMP)
+ 
+     tmpOut.close();
+     file.close();


