OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   15-Jun-2005 13:22:24
  Branch: OPENPKG_2_2_SOLID                Handle: 2005061512222400

  Added files:              (Branch: OPENPKG_2_2_SOLID)
    openpkg-src/shtool      shtool.patch
  Modified files:           (Branch: OPENPKG_2_2_SOLID)
    openpkg-src/shtool      shtool.spec

  Log:
    Apply Security Fixes (CAN-2005-1751, CAN-2005-1759)

  Summary:
    Revision    Changes     Path
    1.1.4.1     +109 -0     openpkg-src/shtool/shtool.patch
    1.31.2.2    +3  -1      openpkg-src/shtool/shtool.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/shtool/shtool.patch
  ============================================================================
  $ cvs diff -u -r0 -r1.1.4.1 shtool.patch
  --- /dev/null 2005-06-15 13:22:11 +0200
  +++ shtool.patch      2005-06-15 13:22:24 +0200
  @@ -0,0 +1,109 @@
  +Index: sh.common
  +--- sh.common        7 Apr 2004 07:55:02 -0000       1.23
  ++++ sh.common        15 Jun 2005 08:11:16 -0000      1.24
  +@@ -161,6 +161,7 @@
  + 
  + #   establish a temporary file on request
  + if [ ".$gen_tmpfile" = .yes ]; then
  ++    #   create (explicitly) secure temporary directory
  +     if [ ".$TMPDIR" != . ]; then
  +         tmpdir="$TMPDIR"
  +     elif [ ".$TEMPDIR" != . ]; then
  +@@ -168,10 +169,19 @@
  +     else
  +         tmpdir="/tmp"
  +     fi
  +-    tmpfile="$tmpdir/.shtool.$$"
  +-    rm -f $tmpfile >/dev/null 2>&1
  +-    touch $tmpfile
  +-    chmod 600 $tmpfile
  ++    tmpdir="$tmpdir/.shtool.$$"
  ++    ( umask 077
  ++      rm -rf "$tmpdir" >/dev/null 2>&1 || true
  ++      mkdir  "$tmpdir" >/dev/null 2>&1
  ++      if [ $? -ne 0 ]; then
  ++          echo "$msgprefix:Error: failed to create temporary directory 
\`$tmpdir'" 1>&2
  ++          exit 1
  ++      fi
  ++    )
  ++
  ++    #   create (implicitly) secure temporary file
  ++    tmpfile="$tmpdir/shtool.tmp"
  ++    touch "$tmpfile"
  + fi
  + 
  + #   utility function: map string to lower case
  +@@ -188,7 +198,7 @@
  + shtool_exit () {
  +     rc="$1"
  +     if [ ".$gen_tmpfile" = .yes ]; then
  +-        rm -f $tmpfile >/dev/null 2>&1 || true
  ++        rm -rf "$tmpdir" >/dev/null 2>&1 || true
  +     fi
  +     exit $rc
  + }
  +Index: sh.arx
  +--- sh.arx   12 Feb 2004 16:06:26 -0000      1.21
  ++++ sh.arx   15 Jun 2005 08:11:16 -0000      1.22
  +@@ -34,7 +34,7 @@
  + files="$*"
  + 
  + #   walk through the file list and expand archives members
  +-tmpdir=`echo $archive | sed -e 's;[^/]*$;.arx;'`
  ++ar_tmpdir=`echo $archive | sed -e 's;[^/]*$;.arx;'`
  + nfiles=''
  + if [ ".$files" != . ]; then
  +     for file in $files; do
  +@@ -44,13 +44,13 @@
  +         fi
  +         case $file in
  +             *.a )
  +-                if [ ! -d $tmpdir ]; then
  ++                if [ ! -d $ar_tmpdir ]; then
  +                     if [ ".$opt_t" = .yes ]; then
  +-                        echo "mkdir $tmpdir" 1>&2
  ++                        echo "mkdir $ar_tmpdir" 1>&2
  +                     fi
  +-                    mkdir $tmpdir
  ++                    mkdir $ar_tmpdir
  +                 fi
  +-                case $tmpdir in
  ++                case $ar_tmpdir in
  +                      .arx )
  +                          from="../$file"
  +                          ;;
  +@@ -61,16 +61,16 @@
  +                          ;;
  +                 esac
  +                 if [ ".$opt_t" = .yes ]; then
  +-                    echo "(cd $tmpdir && $ar_prg x $from)" 1>&2
  ++                    echo "(cd $ar_tmpdir && $ar_prg x $from)" 1>&2
  +                 fi
  +-                (cd $tmpdir && eval $ar_prg x $from)
  ++                (cd $ar_tmpdir && eval $ar_prg x $from)
  +                 if [ $? -ne 0 ]; then
  +                     echo "$msgprefix:Error: member extraction failed for 
archive: $file" 1>&2
  +                     shtool_exit 1
  +                 fi
  +                 for member in - `eval $ar_prg t $file | sed -e 
'/_\.SYMDEF/d'`; do
  +                     [ ".$member" = .- ] && continue
  +-                    nfiles="$nfiles $tmpdir/$member"
  ++                    nfiles="$nfiles $ar_tmpdir/$member"
  +                 done
  +                 ;;
  +             * )
  +@@ -91,11 +91,11 @@
  + fi
  + 
  + #   cleanup and die gracefully
  +-if [ -d $tmpdir ]; then
  ++if [ -d $ar_tmpdir ]; then
  +     if [ ".$opt_t" = .yes ]; then
  +-        echo "rm -rf $tmpdir" 1>&2
  ++        echo "rm -rf $ar_tmpdir" 1>&2
  +     fi
  +-    rm -rf $tmpdir
  ++    rm -rf $ar_tmpdir
  + fi
  + 
  + shtool_exit 0
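Review bot: In the embedded sh.common hunk (`@@ -168,10 +169,19 @@`), the `exit 1` after the failed `mkdir` only leaves the `( umask 077 ... )` subshell, and the subshell's status is never checked. If `mkdir` fails because the PID-derived path `$tmpdir/.shtool.$$` already exists and `rm -rf` could not remove it, the script still runs `touch "$tmpfile"` inside a directory it did not create. That would leave the temporary file exposure this commit is meant to close. Propagate the failure by closing the subshell with `) || exit 1`, or test `$?` immediately after the `)`. The lines that choose between `$TMPDIR`, `$TEMPDIR` and `/tmp` fall partly between the embedded hunks and are not fully visible here.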
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/shtool/shtool.spec
  ============================================================================
  $ cvs diff -u -r1.31.2.1 -r1.31.2.2 shtool.spec
  --- openpkg-src/shtool/shtool.spec    11 Oct 2004 18:58:58 -0000      1.31.2.1
  +++ openpkg-src/shtool/shtool.spec    15 Jun 2005 11:22:24 -0000      1.31.2.2
  @@ -34,13 +34,14 @@
   Group:        Development
   License:      GPL
   Version:      2.0.1
  -Release:      2.2.0
  +Release:      2.2.1
   
   #   package options
   %option       with_shtoolize  yes
   
   #   list of sources
   Source0:      ftp://ftp.gnu.org/gnu/shtool/shtool-%{version}.tar.gz
  +Patch0:       shtool.patch
   
   #   build information
   Prefix:       %{l_prefix}
  @@ -71,6 +72,7 @@
   
   %prep
       %setup -q
  +    %patch -p0
   
   %build
       ./configure \
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org
