OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Herbert Schmid
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 17-Jan-2005 12:43:05
Branch: OPENPKG_2_1_SOLID Handle: 2005011711430500
Added files: (Branch: OPENPKG_2_1_SOLID)
openpkg-src/a2ps a2ps.patch
Modified files: (Branch: OPENPKG_2_1_SOLID)
openpkg-src/a2ps a2ps.spec
Log:
patch implemented for security issue CAN-2004-1170
OpenPKG-SA-2005.003-a2ps
Summary:
Revision Changes Path
1.2.4.1 +62 -0 openpkg-src/a2ps/a2ps.patch
1.27.4.2 +3 -1 openpkg-src/a2ps/a2ps.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/a2ps/a2ps.patch
============================================================================
$ cvs diff -u -r0 -r1.2.4.1 a2ps.patch
--- /dev/null 2005-01-17 12:43:05 +0100
+++ a2ps.patch 2005-01-17 12:43:05 +0100
@@ -0,0 +1,62 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1170
+ a2ps 4.13 allows remote attackers to execute arbitrary commands via
+ shell metacharacters in the filename.
+source:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain
+
+--- src/select.c.orig Thu Dec 16 02:04:56 1999
++++ src/select.c Sat Aug 21 12:05:31 2004
+@@ -131,6 +131,36 @@
+ return 1;
+ }
+ �
++/* escapes the name of a file so that the shell groks it in 'single'
q.marks.
++ The resulting pointer has to be free()ed when not longer used. */
++char *
++shell_escape(const char *fn)
++{
++ size_t len = 0;
++ const char *inp;
++ char *retval, *outp;
++
++ for(inp = fn; *inp; ++inp)
++ switch(*inp)
++ {
++ case '\'': len += 4; break;
++ default: len += 1; break;
++ }
++
++ outp = retval = malloc(len + 1);
++ if(!outp)
++ return NULL; /* perhaps one should do better error handling here */
++ for(inp = fn; *inp; ++inp)
++ switch(*inp)
++ {
++ case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ =
'\''; break;
++ default: *outp++ = *inp; break;
++ }
++ *outp = 0;
++
++ return retval;
++}
++�
+ /* What says file about the type of a file (result is malloc'd). NULL
+ if could not be run. */
+
+@@ -144,11 +174,15 @@
+ if (IS_EMPTY (job->file_command))
+ return NULL;
+
++ filename = shell_escape(filename);
++ if(filename == NULL)
++ return NULL;
+ /* Call file(1) with the correct option */
+- command = ALLOCA (char, (2
++ command = ALLOCA (char, (4
+ + strlen (job->file_command)
+ + ustrlen (filename)));
+- sprintf (command, "%s %s", job->file_command, (const char *) filename);
++ sprintf (command, "%s '%s'", job->file_command, (const char *) filename);
++ free(filename);
+ message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
+ file_out = popen (command, "r");
+
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/a2ps/a2ps.spec
============================================================================
$ cvs diff -u -r1.27.4.1 -r1.27.4.2 a2ps.spec
--- openpkg-src/a2ps/a2ps.spec 2 Jul 2004 15:23:39 -0000 1.27.4.1
+++ openpkg-src/a2ps/a2ps.spec 17 Jan 2005 11:43:05 -0000 1.27.4.2
@@ -38,10 +38,11 @@
Group: Converter
License: GPL
Version: %{V_major}%{V_minor}
-Release: 2.1.0
+Release: 2.1.1
# list of sources
Source0:
ftp://ftp.enst.fr/pub/unix/a2ps/a2ps-%{V_major}%{V_minor}.tar.gz
+Patch0: a2ps.patch
# build information
Prefix: %{l_prefix}
@@ -67,6 +68,7 @@
%prep
%setup -q -n a2ps-%{V_major}
+ %patch -p0
%build
CC="%{l_cc}" \
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]
