diff options
author | Martin Ehmsen <ehmsen@gentoo.org> | 2006-02-17 12:25:03 +0000 |
---|---|---|
committer | Martin Ehmsen <ehmsen@gentoo.org> | 2006-02-17 12:25:03 +0000 |
commit | 072100344b45c258d76f6ab381f8c564a98e2206 (patch) | |
tree | c3cf94bc71105dacc094f7c17c17c4714bb1ce7a /app-text/noweb | |
parent | Version bump. (diff) | |
download | gentoo-2-072100344b45c258d76f6ab381f8c564a98e2206.tar.gz gentoo-2-072100344b45c258d76f6ab381f8c564a98e2206.tar.bz2 gentoo-2-072100344b45c258d76f6ab381f8c564a98e2206.zip |
Fix insecure temporary file creation (CVE-2005-3342), bug #122705.
(Portage version: 2.1_pre4-r1)
Diffstat (limited to 'app-text/noweb')
-rw-r--r-- | app-text/noweb/ChangeLog | 12 | ||||
-rw-r--r-- | app-text/noweb/Manifest | 30 | ||||
-rw-r--r-- | app-text/noweb/files/digest-noweb-2.9-r3 | 1 | ||||
-rw-r--r-- | app-text/noweb/files/digest-noweb-2.9-r4 | 1 | ||||
-rw-r--r-- | app-text/noweb/files/digest-noweb-2.9-r5 | 3 | ||||
-rw-r--r-- | app-text/noweb/files/digest-noweb-2.9-r6 | 3 | ||||
-rw-r--r-- | app-text/noweb/files/noweb-2.9-security.patch | 151 | ||||
-rw-r--r-- | app-text/noweb/noweb-2.9-r5.ebuild (renamed from app-text/noweb/noweb-2.9-r3.ebuild) | 4 | ||||
-rw-r--r-- | app-text/noweb/noweb-2.9-r6.ebuild (renamed from app-text/noweb/noweb-2.9-r4.ebuild) | 4 |
9 files changed, 146 insertions, 63 deletions
diff --git a/app-text/noweb/ChangeLog b/app-text/noweb/ChangeLog index 42a36869f510..42b7b4102e72 100644 --- a/app-text/noweb/ChangeLog +++ b/app-text/noweb/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-text/noweb -# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/ChangeLog,v 1.18 2005/01/01 16:27:47 eradicator Exp $ +# Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/ChangeLog,v 1.19 2006/02/17 12:25:03 ehmsen Exp $ + +*noweb-2.9-r6 (17 Feb 2006) +*noweb-2.9-r5 (17 Feb 2006) + + 17 Feb 2006; Martin Ehmsen <ehmsen@gentoo.org> + files/noweb-2.9-security.patch, -noweb-2.9-r3.ebuild, + -noweb-2.9-r4.ebuild, +noweb-2.9-r5.ebuild, +noweb-2.9-r6.ebuild: + Fix insecure temporary file creation (CVE-2005-3342), bug #122705. 02 Sep 2004; Mamoru KOMACHI <usata@gentoo.org> noweb-2.9-r3.ebuild, noweb-2.9-r4.ebuild: diff --git a/app-text/noweb/Manifest b/app-text/noweb/Manifest index 8ca1fed563a3..9d8d65129cdf 100644 --- a/app-text/noweb/Manifest +++ b/app-text/noweb/Manifest @@ -1,8 +1,24 @@ -MD5 75941fdbbd7bee8de885941c7e602d80 ChangeLog 2448 -MD5 c472f5fd1646eb8bca71d8df5cb2bdcc metadata.xml 164 -MD5 d848396ca0d31458c3331d9a8a9c9add noweb-2.9-r3.ebuild 1596 -MD5 dcba3464c5092b4ee5736024b164dc7c noweb-2.9-r4.ebuild 1828 -MD5 813fb3ed94d03e89220c6e9b9a77a5f3 files/digest-noweb-2.9-r3 65 +MD5 2670cd18e0a525915a3b30ae95dd0c86 ChangeLog 2748 +RMD160 9664d64e72681f2779d3dfa21836a264b7c89794 ChangeLog 2748 +SHA256 52eba15a6c6ed962e4ddbce5a07a327e0a4daed8250821482de4a1b257783219 ChangeLog 2748 +MD5 4f821dc861c7d479660d04a8b551b86b files/digest-noweb-2.9-r5 241 +RMD160 705d0be384d85fc4dee21634fbc9d67c9f01064d files/digest-noweb-2.9-r5 241 +SHA256 76668f6f6d4345a830caea58117f1409b93e24384685e05e1cab305bd1d65bf3 files/digest-noweb-2.9-r5 241 +MD5 4f821dc861c7d479660d04a8b551b86b files/digest-noweb-2.9-r6 241 +RMD160 705d0be384d85fc4dee21634fbc9d67c9f01064d files/digest-noweb-2.9-r6 241 +SHA256 76668f6f6d4345a830caea58117f1409b93e24384685e05e1cab305bd1d65bf3 files/digest-noweb-2.9-r6 241 MD5 802981b1fbeeebbfb88f7edf918dbdc7 files/noweb-2.9-gentoo.diff 14029 -MD5 02040e5c05a1b7bc5339a3dd35e9bd84 files/noweb-2.9-security.patch 3624 -MD5 813fb3ed94d03e89220c6e9b9a77a5f3 files/digest-noweb-2.9-r4 65 +RMD160 5b2f0566ccfa04d87dbff87ddd0a81cfb1ebc855 files/noweb-2.9-gentoo.diff 14029 +SHA256 63edbfd245396c5fa9f8e0ffac544ab6e872f49036c228ac7e6101789340f8a4 files/noweb-2.9-gentoo.diff 14029 +MD5 3f3f3474fca36841669767b45acb83dc files/noweb-2.9-security.patch 6558 +RMD160 df2613a2278b13f032a74af62b553495e1b11786 files/noweb-2.9-security.patch 6558 +SHA256 45492023f74919efbf32806fd891c68697a00526eac9c924af2ef26b43477746 files/noweb-2.9-security.patch 6558 +MD5 c472f5fd1646eb8bca71d8df5cb2bdcc metadata.xml 164 +RMD160 698422e821458386b8da17baa6014296f8284e0b metadata.xml 164 +SHA256 7bd4d93c657a26aa9af1dea4232520c0d388cc92115dd9ca0eb04259228e044f metadata.xml 164 +MD5 6fa0790385ba8f0a5ae0e512dd13d43a noweb-2.9-r5.ebuild 1495 +RMD160 0dde56100f60924dd2a3b5c03295dccd7194cdc0 noweb-2.9-r5.ebuild 1495 +SHA256 ddec03f4b30c63c604dbf8f7b48535d66d3d872d9786e14692cd89125588176a noweb-2.9-r5.ebuild 1495 +MD5 64814deaa58b0311c8def5e47ce807e5 noweb-2.9-r6.ebuild 1728 +RMD160 e0be141aefbaff93316be1fe22ba0c464c74a9a1 noweb-2.9-r6.ebuild 1728 +SHA256 d0b8a66821896ec22b14c5cc4b939ac2b8dbb5ad47fe5faf9dbec47eeadf1bc3 noweb-2.9-r6.ebuild 1728 diff --git a/app-text/noweb/files/digest-noweb-2.9-r3 b/app-text/noweb/files/digest-noweb-2.9-r3 deleted file mode 100644 index 4dbe3957e8a8..000000000000 --- a/app-text/noweb/files/digest-noweb-2.9-r3 +++ /dev/null @@ -1 +0,0 @@ -MD5 fd88e1b4746661ebbdb1a558ab8510e7 noweb-src-2.9.tar.gz 457749 diff --git a/app-text/noweb/files/digest-noweb-2.9-r4 b/app-text/noweb/files/digest-noweb-2.9-r4 deleted file mode 100644 index 4dbe3957e8a8..000000000000 --- a/app-text/noweb/files/digest-noweb-2.9-r4 +++ /dev/null @@ -1 +0,0 @@ -MD5 fd88e1b4746661ebbdb1a558ab8510e7 noweb-src-2.9.tar.gz 457749 diff --git a/app-text/noweb/files/digest-noweb-2.9-r5 b/app-text/noweb/files/digest-noweb-2.9-r5 new file mode 100644 index 000000000000..7624bc90b63b --- /dev/null +++ b/app-text/noweb/files/digest-noweb-2.9-r5 @@ -0,0 +1,3 @@ +MD5 fd88e1b4746661ebbdb1a558ab8510e7 noweb-src-2.9.tar.gz 457749 +RMD160 737d18acc361a88cc857a87e75de46f00bdb3608 noweb-src-2.9.tar.gz 457749 +SHA256 e955f69eb159981d6796070114c26fc966722950823d8d828051caa54162be7e noweb-src-2.9.tar.gz 457749 diff --git a/app-text/noweb/files/digest-noweb-2.9-r6 b/app-text/noweb/files/digest-noweb-2.9-r6 new file mode 100644 index 000000000000..7624bc90b63b --- /dev/null +++ b/app-text/noweb/files/digest-noweb-2.9-r6 @@ -0,0 +1,3 @@ +MD5 fd88e1b4746661ebbdb1a558ab8510e7 noweb-src-2.9.tar.gz 457749 +RMD160 737d18acc361a88cc857a87e75de46f00bdb3608 noweb-src-2.9.tar.gz 457749 +SHA256 e955f69eb159981d6796070114c26fc966722950823d8d828051caa54162be7e noweb-src-2.9.tar.gz 457749 diff --git a/app-text/noweb/files/noweb-2.9-security.patch b/app-text/noweb/files/noweb-2.9-security.patch index a07445ea9f7b..951af7968ae7 100644 --- a/app-text/noweb/files/noweb-2.9-security.patch +++ b/app-text/noweb/files/noweb-2.9-security.patch @@ -1,16 +1,6 @@ ---- noweb-2.9a.orig/src/awkname -+++ noweb-2.9a/src/awkname -@@ -5,7 +5,7 @@ - esac - - rc=0 --new=/tmp/$$.new; old=/tmp/$$.old -+new=$(tempfile -p new); old=$(tempfile -p old) - - for file in lib/emptydefn lib/unmarkup lib/toascii \ - awk/noidx awk/totex awk/tohtml awk/noindex \ ---- noweb-2.9a.orig/src/awk/totex.nw -+++ noweb-2.9a/src/awk/totex.nw +diff -urN noweb-2.9.orig/src/awk/totex.nw noweb-2.9/src/awk/totex.nw +--- noweb-2.9.orig/src/awk/totex.nw 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/awk/totex.nw 2006-02-17 12:47:05.000000000 +0100 @@ -24,7 +24,7 @@ @ On an ugly system, we have to put it in a file. @@ -20,8 +10,21 @@ trap 'rm -f $awkfile; exit 1' 0 1 2 15 # clean up files cat > $awkfile << 'EOF' <<awk program for conversion to {\TeX}>> ---- noweb-2.9a.orig/src/lib/toascii -+++ noweb-2.9a/src/lib/toascii +diff -urN noweb-2.9.orig/src/awkname noweb-2.9/src/awkname +--- noweb-2.9.orig/src/awkname 2000-06-23 12:56:00.000000000 +0200 ++++ noweb-2.9/src/awkname 2006-02-17 12:47:05.000000000 +0100 +@@ -5,7 +5,7 @@ + esac + + rc=0 +-new=/tmp/$$.new; old=/tmp/$$.old ++new=$(tempfile -p new); old=$(tempfile -p old) + + for file in lib/emptydefn lib/unmarkup lib/toascii lib/btdefn \ + awk/noidx awk/totex awk/tohtml awk/noindex \ +diff -urN noweb-2.9.orig/src/lib/toascii noweb-2.9/src/lib/toascii +--- noweb-2.9.orig/src/lib/toascii 2001-03-28 15:49:00.000000000 +0200 ++++ noweb-2.9/src/lib/toascii 2006-02-17 12:47:05.000000000 +0100 @@ -7,9 +7,9 @@ *) echo "This can't happen -- $i passed to toascii" 1>&2 ; exit 1 ;; esac @@ -35,8 +38,25 @@ export awkfile textfile tagsfile trap 'rm -f $awkfile $textfile $tagsfile' 0 1 2 10 14 15 nawk 'BEGIN { textfile=ENVIRON["textfile"] ---- noweb-2.9a.orig/src/shell/cpif -+++ noweb-2.9a/src/shell/cpif +diff -urN noweb-2.9.orig/src/lib/toascii.nw noweb-2.9/src/lib/toascii.nw +--- noweb-2.9.orig/src/lib/toascii.nw 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/lib/toascii.nw 2006-02-17 12:48:20.000000000 +0100 +@@ -28,9 +28,9 @@ + Also arranged here is a temporary file for storage of the awk program on an + ugly system, as discussed below. + <<arrange temporary files>>= +-awkfile="tmp/awk$$.tmp" +-textfile="/tmp/text$$.tmp" +-tagsfile="/tmp/tags$$.tmp" ++awkfile=$(tempfile -p awk -s .tmp) || { echo "$0: Cannot create temporary file" >&2; exit 1; } ++textfile=$(tempfile -p text -s .tmp) || { echo "$0: Cannot create temporary file" >&2; exit 1; } ++tagsfile=$(tempfile -p tags -s .tmp) || { echo "$0: Cannot create temporary file" >&2; exit 1; } + export awkfile textfile tagsfile + trap 'rm -f $awkfile $textfile $tagsfile' 0 1 2 10 14 15 + @ %def textfile tagsfile awkfile +diff -urN noweb-2.9.orig/src/shell/cpif noweb-2.9/src/shell/cpif +--- noweb-2.9.orig/src/shell/cpif 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/shell/cpif 2006-02-17 12:47:05.000000000 +0100 @@ -17,7 +17,7 @@ 0) echo 'Usage: '`basename $0`' [ -eq -ne ] file...' 1>&2; exit 2 esac @@ -46,8 +66,9 @@ trap 'rm -f $new; exit 1' 1 2 15 # clean up files cat >$new ---- noweb-2.9a.orig/src/shell/nonu -+++ noweb-2.9a/src/shell/nonu +diff -urN noweb-2.9.orig/src/shell/nonu noweb-2.9/src/shell/nonu +--- noweb-2.9.orig/src/shell/nonu 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/shell/nonu 2006-02-17 12:47:05.000000000 +0100 @@ -2,7 +2,7 @@ LIB=/usr/public/pkg/noweb/lib # attempt to convert nuweb to noweb using sam @@ -57,18 +78,10 @@ trap '/bin/rm -f $tmp; exit 1' 1 2 15 # clean up files cp $1 $tmp || exit 1 ---- noweb-2.9a.orig/src/shell/roff.nw -+++ noweb-2.9a/src/shell/roff.nw -@@ -80,7 +80,7 @@ - other, and quoting each quote is ugly. The pragmatic solution is to - copy the awk program into a temporary file, using a shell here-document. - <<invoke awk program>>= --awkfile="/tmp/noweb$$.awk" -+awkfile=$(tempfile -p noweb -s .awk) - trap 'rm -f $awkfile' 0 1 2 10 14 15 - cat > $awkfile << 'EOF' - <<awk program>> -@@ -662,12 +662,13 @@ +diff -urN noweb-2.9.orig/src/shell/noroff noweb-2.9/src/shell/noroff +--- noweb-2.9.orig/src/shell/noroff 2001-03-28 15:49:00.000000000 +0200 ++++ noweb-2.9/src/shell/noroff 2006-02-17 12:47:05.000000000 +0100 +@@ -35,9 +35,10 @@ base="`basename $1 | sed '/\./s/\.[^.]*$//'`" tagsfile="$base.nwt" @@ -77,17 +90,64 @@ if [ -r "$tagsfile" ]; then - cp $tagsfile /tmp/tags.$$ + cp $tagsfile $tmpfile - $AWK '<<action for [[tags]] line>> -- <<functions>>' /tmp/tags.$$ + $AWK '{ + if (sub(/^###TAG### / , "")) tags[$1] = $2 + else if (sub(/^###BEGINCHUNKS###/, "")) printf ".de CLIST\n.CLISTBEGIN\n" +@@ -88,8 +89,8 @@ + # print str3 + # print convquote(str3) + # } +- function tag(s) { if (s in tags) return tags[s]; else return "???" }' /tmp/tags.$$ - rm -f /tmp/tags.$$ -+ <<functions>>' $tmpfile ++ function tag(s) { if (s in tags) return tags[s]; else return "???" }' $tmpfile + rm -f $tmpfile fi cat "$@") | ($ROFF $opts 2>$tagsfile) ---- noweb-2.9a.orig/src/shell/noroff -+++ noweb-2.9a/src/shell/noroff -@@ -35,9 +35,10 @@ +diff -urN noweb-2.9.orig/src/shell/roff.mm noweb-2.9/src/shell/roff.mm +--- noweb-2.9.orig/src/shell/roff.mm 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/shell/roff.mm 2006-02-17 12:48:20.000000000 +0100 +@@ -214,7 +214,7 @@ + .ADDLIST 1a + .PRINTLIST + +-awkfile="/tmp/noweb$$.awk" ++awkfile=$(tempfile -p noweb -s .awk) || { echo "$0: Cannot create temporary file" >&2; exit 1; } + trap 'rm -f $awkfile' 0 1 2 10 14 15 + cat > $awkfile \&<< 'EOF' + \c +@@ -1628,14 +1628,15 @@ + tagsfile="$base.nwt" + (echo ".so $macrodir/tmac.w" + if [ -r "$tagsfile" ]; then +- cp $tagsfile /tmp/tags.$$ ++ tagstemp=$(tempfile -p tags) || { echo "$0: Cannot create temporary file" >&2; exit 1; } ++ cp $tagsfile $tagstemp + $AWK '\c + .USE "action for \*[BEGINCONVQUOTE]tags\*[ENDCONVQUOTE] line" 11c + \& + \c + .USE "functions" 8a +-\&' /tmp/tags.$$ +- rm -f /tmp/tags.$$ ++\&' $tagstemp ++ rm -f $tagstemp + fi + cat "$@") | + ($ROFF $opts 2>$tagsfile) +diff -urN noweb-2.9.orig/src/shell/roff.nw noweb-2.9/src/shell/roff.nw +--- noweb-2.9.orig/src/shell/roff.nw 2000-03-27 02:00:00.000000000 +0200 ++++ noweb-2.9/src/shell/roff.nw 2006-02-17 12:47:05.000000000 +0100 +@@ -80,7 +80,7 @@ + other, and quoting each quote is ugly. The pragmatic solution is to + copy the awk program into a temporary file, using a shell here-document. + <<invoke awk program>>= +-awkfile="/tmp/noweb$$.awk" ++awkfile=$(tempfile -p noweb -s .awk) + trap 'rm -f $awkfile' 0 1 2 10 14 15 + cat > $awkfile << 'EOF' + <<awk program>> +@@ -662,12 +662,13 @@ base="`basename $1 | sed '/\./s/\.[^.]*$//'`" tagsfile="$base.nwt" @@ -96,22 +156,17 @@ if [ -r "$tagsfile" ]; then - cp $tagsfile /tmp/tags.$$ + cp $tagsfile $tmpfile - $AWK '{ - if (sub(/^###TAG### / , "")) tags[$1] = $2 - else if (sub(/^###BEGINCHUNKS###/, "")) printf ".de CLIST\n.CLISTBEGIN\n" -@@ -88,8 +89,8 @@ - # print str3 - # print convquote(str3) - # } -- function tag(s) { if (s in tags) return tags[s]; else return "???" }' /tmp/tags.$$ + $AWK '<<action for [[tags]] line>> +- <<functions>>' /tmp/tags.$$ - rm -f /tmp/tags.$$ -+ function tag(s) { if (s in tags) return tags[s]; else return "???" }' $tmpfile ++ <<functions>>' $tmpfile + rm -f $tmpfile fi cat "$@") | ($ROFF $opts 2>$tagsfile) ---- noweb-2.9a.orig/src/shell/toroff -+++ noweb-2.9a/src/shell/toroff +diff -urN noweb-2.9.orig/src/shell/toroff noweb-2.9/src/shell/toroff +--- noweb-2.9.orig/src/shell/toroff 2001-03-28 15:49:00.000000000 +0200 ++++ noweb-2.9/src/shell/toroff 2006-02-17 12:47:05.000000000 +0100 @@ -9,7 +9,7 @@ exit 1;; esac diff --git a/app-text/noweb/noweb-2.9-r3.ebuild b/app-text/noweb/noweb-2.9-r5.ebuild index 7905bfb2bfe5..0c461a244b43 100644 --- a/app-text/noweb/noweb-2.9-r3.ebuild +++ b/app-text/noweb/noweb-2.9-r5.ebuild @@ -1,6 +1,6 @@ -# Copyright 1999-2005 Gentoo Foundation +# Copyright 1999-2006 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/noweb-2.9-r3.ebuild,v 1.12 2005/01/01 16:27:47 eradicator Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/noweb-2.9-r5.ebuild,v 1.1 2006/02/17 12:25:03 ehmsen Exp $ inherit eutils diff --git a/app-text/noweb/noweb-2.9-r4.ebuild b/app-text/noweb/noweb-2.9-r6.ebuild index d7fae808682c..5b2665cb6d8c 100644 --- a/app-text/noweb/noweb-2.9-r4.ebuild +++ b/app-text/noweb/noweb-2.9-r6.ebuild @@ -1,6 +1,6 @@ -# Copyright 1999-2005 Gentoo Foundation +# Copyright 1999-2006 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/noweb-2.9-r4.ebuild,v 1.3 2005/01/01 16:27:47 eradicator Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-text/noweb/noweb-2.9-r6.ebuild,v 1.1 2006/02/17 12:25:03 ehmsen Exp $ inherit eutils |