pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/editors/xemacs Fix xemacs vcdiff insecure temp file cr...
details: https://anonhg.NetBSD.org/pkgsrc/rev/82a42e7d4a47
branches: trunk
changeset: 542002:82a42e7d4a47
user: tonnerre <tonnerre%pkgsrc.org@localhost>
date: Tue Apr 29 14:07:15 2008 +0000
description:
Fix xemacs vcdiff insecure temp file creation vulnerability (CVE-2008-1694).
Approved-by: joerg
diffstat:
editors/xemacs/Makefile | 4 +-
editors/xemacs/distinfo | 9 +-
editors/xemacs/patches/patch-ag | 111 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 118 insertions(+), 6 deletions(-)
diffs (160 lines):
diff -r 6d20bdd631a3 -r 82a42e7d4a47 editors/xemacs/Makefile
--- a/editors/xemacs/Makefile Tue Apr 29 13:54:55 2008 +0000
+++ b/editors/xemacs/Makefile Tue Apr 29 14:07:15 2008 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.87 2008/04/25 17:58:24 tron Exp $
+# $NetBSD: Makefile,v 1.88 2008/04/29 14:07:15 tonnerre Exp $
PKGNAME?= ${DISTNAME}
COMMENT?= XEmacs text editor version 21
DISTNAME= xemacs-21.4.17
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= editors
MASTER_SITES= ${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/}
DISTFILES= ${DISTNAME}.tar.gz ${DISTNAME}-elc.tar.gz \
diff -r 6d20bdd631a3 -r 82a42e7d4a47 editors/xemacs/distinfo
--- a/editors/xemacs/distinfo Tue Apr 29 13:54:55 2008 +0000
+++ b/editors/xemacs/distinfo Tue Apr 29 14:07:15 2008 +0000
@@ -1,20 +1,21 @@
-$NetBSD: distinfo,v 1.12 2008/04/24 15:32:15 jlam Exp $
+$NetBSD: distinfo,v 1.13 2008/04/29 14:07:15 tonnerre Exp $
-SHA1 (xemacs/xemacs-21.4.17.tar.gz) = 274812bee5f8010ca3d56b517026270d94415f33
-RMD160 (xemacs/xemacs-21.4.17.tar.gz) = d42ca370ba916f0147b368bd7db2cc6c523646ae
-Size (xemacs/xemacs-21.4.17.tar.gz) = 10626826 bytes
SHA1 (xemacs/xemacs-21.4.17-elc.tar.gz) = 5e13cb3d2087d0ef56746b661da6b762533b3e58
RMD160 (xemacs/xemacs-21.4.17-elc.tar.gz) = 37785dc82bbbbc7eba656c9edc099b425a885eae
Size (xemacs/xemacs-21.4.17-elc.tar.gz) = 931709 bytes
SHA1 (xemacs/xemacs-21.4.17-info.tar.gz) = 6a0319d8a5e29c6725d3973ee5f39360503ef681
RMD160 (xemacs/xemacs-21.4.17-info.tar.gz) = 5894750e99d225e53e79bf2c6fa786b3fd13d7a5
Size (xemacs/xemacs-21.4.17-info.tar.gz) = 1634004 bytes
+SHA1 (xemacs/xemacs-21.4.17.tar.gz) = 274812bee5f8010ca3d56b517026270d94415f33
+RMD160 (xemacs/xemacs-21.4.17.tar.gz) = d42ca370ba916f0147b368bd7db2cc6c523646ae
+Size (xemacs/xemacs-21.4.17.tar.gz) = 10626826 bytes
SHA1 (patch-aa) = 933c2522fce7877d73c57cf0e153afcce78bdf7e
SHA1 (patch-ab) = 1487edf8addea7971f4fcbcf57818090f32edef5
SHA1 (patch-ac) = effbc40595b0c3b6e443588528113d907a6056c1
SHA1 (patch-ad) = e2a70a64f0659ffda6dd27b37512e4dc5bd4ecf4
SHA1 (patch-ae) = c3ad7249bb7eb51c509546fc88fe3efc5b70a6d7
SHA1 (patch-af) = 97cd3d340f349a645a7be9a683879528d9f4c5f2
+SHA1 (patch-ag) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4
SHA1 (patch-ah) = 9a02b989a6d45cdfead22ea703acceca722cf313
SHA1 (patch-ai) = ea752473a56d20907201763966ecdeaaeffac84a
SHA1 (patch-ak) = bfbd285a1cc7d4e93a2fc884e03492dec9302e55
diff -r 6d20bdd631a3 -r 82a42e7d4a47 editors/xemacs/patches/patch-ag
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/editors/xemacs/patches/patch-ag Tue Apr 29 14:07:15 2008 +0000
@@ -0,0 +1,111 @@
+$NetBSD: patch-ag,v 1.3 2008/04/29 14:07:15 tonnerre Exp $
+
+--- lib-src/vcdiff.orig 1996-12-18 22:42:33.000000000 +0000
++++ lib-src/vcdiff 2008-04-29 13:27:28.000000000 +0100
+@@ -1,23 +1,35 @@
+-#!/bin/sh
++#! /bin/sh
+ #
+ # Enhanced sccs diff utility for use with vc mode.
+ # This version is more compatible with rcsdiff(1).
+ #
+-# !Id: vcdiff,v 1.4 1993/12/03 09:29:18 eggert Exp !
++# Copyright (C) 1992, 1993, 1995, 1997, 2001, 2002, 2003, 2004,
++# 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+ #
+-# Modified by: vladimir%Eng.Sun.COM@localhost on 95-06-07
+-# * Made sure that file arguments are specifed as s.<filename>.
+-# * Switched the assignments to $f inside the 3rd and 4th case statements of
+-# the first for-loop
+-# * Removed the incorrect initialization of sid1 before the first for-loop.
++# This file is part of GNU Emacs.
++#
++# GNU Emacs is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++#
++# GNU Emacs is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GNU Emacs; see the file COPYING. If not, write to the
++# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++# Boston, MA 02110-1301, USA.
+ #
+
+ DIFF="diff"
+ usage="$0: Usage: vcdiff [--brief] [-q] [-r<sid1>] [-r<sid2>] [diffopts] sccsfile..."
+
+-PATH=$PATH:/usr/ccs/bin:/usr/sccs # common SCCS hangouts
++PATH=$PATH:/usr/ccs/bin:/usr/sccs:/usr/xpg4/bin # common SCCS hangouts
+
+-echo=
++echo="echo"
+ sid1= sid2=
+
+ for f
+@@ -31,14 +43,14 @@
+ echo=:;;
+ -r?*)
+ case $sid1 in
+- -r*)
+- sid2=$f
++ '')
++ sid1=$f
+ ;;
+- *)
++ *)
+ case $sid2 in
+- ?*) echo "$usage" >&2; exit 2 ;;
++ ?*) echo "$usage" >&2; exit 2 ;;
+ esac
+- sid1=$f
++ sid2=$f
+ ;;
+ esac
+ ;;
+@@ -67,31 +79,24 @@
+
+ for f
+ do
+- s=2
+-
+- # For files under SCCS control, fixup the file name to be the s. filename
+- if [ -d SCCS ]; then
+- if [ $f = `echo $f | sed -e 's|SCCS/s.||'` ]; then
+- f="SCCS/s.$f"
+- fi
+- fi
++ s=2
+
+ case $f in
+ s.* | */s.*)
+ if
+- rev1=/tmp/geta$$
++ rev1=`mktemp /tmp/geta.XXXXXXXX`
+ get -s -p -k $sid1 "$f" > $rev1 &&
+ case $sid2 in
+ '')
+ workfile=`expr " /$f" : '.*/s.\(.*\)'`
+ ;;
+ *)
+- rev2=/tmp/getb$$
++ rev2=`mktemp /tmp/getb.XXXXXXXX`
+ get -s -p -k $sid2 "$f" > $rev2
+ workfile=$rev2
+ esac
+ then
+- $echo $DIFF $options $sid1 $sid2 $workfile >&2
++ $echo $DIFF $options $rev1 $workfile >&2
+ $DIFF $options $rev1 $workfile
+ s=$?
+ fi
+@@ -104,3 +109,5 @@
+ then status=$s
+ fi
+ done
++
++# arch-tag: 4344ba3a-bcbe-4f77-971c-f43c1606953a
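Review bot: In the `*)` arm of `case $sid2` in the patched `lib-src/vcdiff`, neither the new `mktemp` call nor the second `get` is checked. The arm ends with `workfile=$rev2`, which always succeeds, so the `if` condition passes and `$DIFF` can run with an empty or incomplete second operand. Chaining the steps keeps the failure visible: ``rev2=`mktemp /tmp/getb.XXXXXXXX` &&`` followed by ``get -s -p -k $sid2 "$f" > "$rev2" &&``, and likewise ``rev1=`mktemp /tmp/geta.XXXXXXXX` &&`` with `> "$rev1"` quoted. The templates also hard-code `/tmp`, where `${TMPDIR:-/tmp}` would respect a per-user temporary directory. The `for f` loop and any cleanup code lie outside the shown context; because `rev1` and `rev2` are now reassigned on every iteration, it is worth confirming that each temporary file is removed rather than only the last pair.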