pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2010Q2]: pkgsrc/audio/pulseaudio Pullup ticket 3182 - requeste...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/bba65b784593
branches:  pkgsrc-2010Q2
changeset: 576918:bba65b784593
user:      spz <spz%pkgsrc.org@localhost>
date:      Sun Jul 25 13:16:12 2010 +0000

description:
Pullup ticket 3182 - requested by tron
security patch

Revisions pulled up:
- pkgsrc/audio/pulseaudio/Makefile      1.38
- pkgsrc/audio/pulseaudio/distinfo      1.21

Files added:
pkgsrc/audio/pulseaudio/patches/patch-ba
pkgsrc/audio/pulseaudio/patches/patch-bb

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Sat Jul 24 12:51:09 UTC 2010

   Modified Files:
           pkgsrc/audio/pulseaudio: Makefile distinfo
   Added Files:
           pkgsrc/audio/pulseaudio/patches: patch-ba patch-bb

   Log Message:
   Add fix for symlink race reported in CVE-2009-1299 taken from
   Lennart Poettering's GIT repository.


   To generate a diff of this commit:
   cvs rdiff -u -r1.37 -r1.38 pkgsrc/audio/pulseaudio/Makefile
   cvs rdiff -u -r1.20 -r1.21 pkgsrc/audio/pulseaudio/distinfo
   cvs rdiff -u -r0 -r1.6 pkgsrc/audio/pulseaudio/patches/patch-ba
   cvs rdiff -u -r0 -r1.5 pkgsrc/audio/pulseaudio/patches/patch-bb

diffstat:

 audio/pulseaudio/Makefile         |   4 +-
 audio/pulseaudio/distinfo         |   4 +-
 audio/pulseaudio/patches/patch-ba |  17 +++++++++
 audio/pulseaudio/patches/patch-bb |  67 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 89 insertions(+), 3 deletions(-)

diffs (126 lines):

diff -r 5dedc7b359c3 -r bba65b784593 audio/pulseaudio/Makefile
--- a/audio/pulseaudio/Makefile Sun Jul 25 11:56:16 2010 +0000
+++ b/audio/pulseaudio/Makefile Sun Jul 25 13:16:12 2010 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.37 2010/06/15 16:25:42 obache Exp $
+# $NetBSD: Makefile,v 1.37.2.1 2010/07/25 13:16:12 spz Exp $
 
 # NOTE: Please send a copy of any patches that are not pkgsrc-specific
 # to <pulseaudio-discuss%mail.0pointer.de@localhost>
 
 PULSEAUDIO_VER=        0.9.21
-PKGREVISION=   2
+PKGREVISION=   3
 DISTNAME=      pulseaudio-${PULSEAUDIO_VER}
 CATEGORIES=    audio
 MASTER_SITES=  http://0pointer.de/lennart/projects/pulseaudio/
diff -r 5dedc7b359c3 -r bba65b784593 audio/pulseaudio/distinfo
--- a/audio/pulseaudio/distinfo Sun Jul 25 11:56:16 2010 +0000
+++ b/audio/pulseaudio/distinfo Sun Jul 25 13:16:12 2010 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.19 2010/02/02 12:39:14 jmcneill Exp $
+$NetBSD: distinfo,v 1.19.4.1 2010/07/25 13:16:12 spz Exp $
 
 SHA1 (pulseaudio-0.9.21.tar.gz) = 0309c97f7e0812e243c1bb80a4b74dc26369ac22
 RMD160 (pulseaudio-0.9.21.tar.gz) = 6db0725253228b673a78cbfae4824fadce2198ed
@@ -10,6 +10,8 @@
 SHA1 (patch-ae) = 5e6957e73ffd96d2e63e5ea4eb9b0ca9ea016b30
 SHA1 (patch-af) = e11fb419787e3cd1f305b66c995915f11276770e
 SHA1 (patch-ag) = 523743b49476a219f76b108a605b2b57ea63098a
+SHA1 (patch-ba) = d05d290d90120986654aa86f090b6c20c68e8594
+SHA1 (patch-bb) = e6f4095eb460c605b8dcc02980c5cff0cd0715a8
 SHA1 (patch-ca) = 3016b290943c006392bff01d6eae75a432a7e171
 SHA1 (patch-da) = d56957d37bec15bd41d77b99ce60bcdea0ef4f20
 SHA1 (patch-db) = e1e48577618b4eb2586d8b37953b2474e2dcc864
diff -r 5dedc7b359c3 -r bba65b784593 audio/pulseaudio/patches/patch-ba
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/pulseaudio/patches/patch-ba Sun Jul 25 13:16:12 2010 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-ba,v 1.6.2.2 2010/07/25 13:16:12 spz Exp $
+
+Fix for security vulnerability reported in CVE-2009-1299, taken from here:
+
+http://git.0pointer.de/?p=pulseaudio.git;a=patch;h=d3efa43d85ac132c6a5a416a2b6f2115f5d577ee
+
+--- configure.ac.orig  2009-11-23 04:06:47.000000000 +0000
++++ configure.ac       2010-07-24 13:33:30.000000000 +0100
+@@ -424,7 +424,7 @@
+ AC_FUNC_FORK
+ AC_FUNC_GETGROUPS
+ AC_FUNC_SELECT_ARGTYPES
+-AC_CHECK_FUNCS_ONCE([chmod chown clock_gettime getaddrinfo getgrgid_r getgrnam_r \
++AC_CHECK_FUNCS_ONCE([chmod chown fstat fchown fchmod clock_gettime getaddrinfo getgrgid_r getgrnam_r \
+     getpwnam_r getpwuid_r gettimeofday getuid inet_ntop inet_pton mlock nanosleep \
+     pipe posix_fadvise posix_madvise posix_memalign setpgid setsid shm_open \
+     sigaction sleep sysconf pthread_setaffinity_np])
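Review bot: The added `fstat fchown fchmod` entries in `AC_CHECK_FUNCS_ONCE` only take effect if `configure` and `config.h.in` are regenerated from the patched `configure.ac`, and the Makefile hunk in this commit shows nothing beyond the `PKGREVISION` bump. If the package still builds with the shipped `configure`, `HAVE_FSTAT`, `HAVE_FCHOWN` and `HAVE_FCHMOD` stay undefined, so the whole fd-based block added by patch-bb is compiled out along with the `chown`/`chmod` calls it replaced, and the directory is left with whatever owner and mode `mkdir` gave it. Please confirm that the part of the Makefile outside the lines shown regenerates the autotools output (for example `USE_TOOLS+= autoconf` plus an autoreconf step before configure), or patch the generated files as well. A one-line comment in the patch header naming that requirement would also help the next person who updates this package.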
diff -r 5dedc7b359c3 -r bba65b784593 audio/pulseaudio/patches/patch-bb
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/pulseaudio/patches/patch-bb Sun Jul 25 13:16:12 2010 +0000
@@ -0,0 +1,67 @@
+$NetBSD: patch-bb,v 1.5.2.2 2010/07/25 13:16:12 spz Exp $
+
+Fix for security vulnerability reported in CVE-2009-1299, taken from here:
+
+http://git.0pointer.de/?p=pulseaudio.git;a=patch;h=d3efa43d85ac132c6a5a416a2b6f2115f5d577ee
+
+--- src/pulsecore/core-util.c.orig     2009-11-23 03:57:07.000000000 +0000
++++ src/pulsecore/core-util.c  2010-07-24 13:33:30.000000000 +0100
+@@ -196,7 +196,7 @@
+ /** Creates a directory securely */
+ int pa_make_secure_dir(const char* dir, mode_t m, uid_t uid, gid_t gid) {
+     struct stat st;
+-    int r, saved_errno;
++    int r, saved_errno, fd;
+ 
+     pa_assert(dir);
+ 
+@@ -214,16 +214,45 @@
+     if (r < 0 && errno != EEXIST)
+         return -1;
+ 
+-#ifdef HAVE_CHOWN
++#ifdef HAVE_FSTAT
++    if ((fd = open(dir,
++#ifdef O_CLOEXEC
++                   O_CLOEXEC|
++#endif
++#ifdef O_NOCTTY
++                   O_NOCTTY|
++#endif
++#ifdef O_NOFOLLOW
++                   O_NOFOLLOW|
++#endif
++                   O_RDONLY)) < 0)
++        goto fail;
++
++    if (fstat(fd, &st) < 0) {
++        pa_assert_se(pa_close(fd) >= 0);
++        goto fail;
++    }
++
++    if (!S_ISDIR(st.st_mode)) {
++        pa_assert_se(pa_close(fd) >= 0);
++        errno = EEXIST;
++        goto fail;
++    }
++
++#ifdef HAVE_FCHOWN
+     if (uid == (uid_t)-1)
+         uid = getuid();
+     if (gid == (gid_t)-1)
+         gid = getgid();
+-    (void) chown(dir, uid, gid);
++    (void) fchown(fd, uid, gid);
++#endif
++
++#ifdef HAVE_FCHMOD
++    (void) fchmod(fd, m);
+ #endif
+ 
+-#ifdef HAVE_CHMOD
+-    chmod(dir, m);
++    pa_assert_se(pa_close(fd) >= 0);
++
+ #endif
+ 
+ #ifdef HAVE_LSTAT
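Review bot: The symlink protection in the new `open(dir, ...)` call rests entirely on `O_NOFOLLOW`, which is added only under `#ifdef O_NOFOLLOW`. On a platform that lacks the flag the open follows a link, the `S_ISDIR` test passes for any directory the link names, and `fchown`/`fchmod` are then applied to that directory, so the race from CVE-2009-1299 stays open there without any build-time or run-time sign. I would add a fallback that compares an `lstat()` of the path with the `fstat()` result and refuses links or a device/inode mismatch before ownership or mode is changed, as sketched below. `pa_make_secure_dir` starts in the previous hunk and runs past the end of this one, so the `fail` label and the `HAVE_LSTAT` checks are not visible here; they appear to run only after the mode and owner have already been changed.

```c
    if (fstat(fd, &st) < 0) {
        /* … unchanged: close fd and goto fail … */
    }

#if !defined(O_NOFOLLOW) && defined(HAVE_LSTAT)
    {
        /* Without O_NOFOLLOW, verify that the path is not a link and still
         * names the object we opened before touching owner or mode. */
        struct stat lst;

        if (lstat(dir, &lst) < 0 || S_ISLNK(lst.st_mode) ||
            lst.st_dev != st.st_dev || lst.st_ino != st.st_ino) {
            pa_assert_se(pa_close(fd) >= 0);
            errno = EEXIST;
            goto fail;
        }
    }
#endif

    /* … unchanged: S_ISDIR check, fchown, fchmod, close … */
```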


