OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src openpkg-web Date: 10-Jul-2003 16:21:14
Branch: OPENPKG_1_2_SOLID HEAD Handle: 2003071015211202
Added files: (Branch: OPENPKG_1_2_SOLID)
openpkg-src/imagemagick imagemagick.patch
Modified files:
openpkg-web news.txt
Modified files: (Branch: OPENPKG_1_2_SOLID)
openpkg-src/imagemagick imagemagick.spec
Log:
SA-2003.034-imagemagick; CAN-2003-0455
Summary:
Revision Changes Path
1.1.2.1 +50 -0 openpkg-src/imagemagick/imagemagick.patch
1.83.2.1.2.2+3 -1 openpkg-src/imagemagick/imagemagick.spec
1.5508 +1 -0 openpkg-web/news.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/imagemagick/imagemagick.patch
============================================================================
$ cvs diff -u -r0 -r1.1.2.1 imagemagick.patch
--- /dev/null 2003-07-10 16:21:14.000000000 +0200
+++ imagemagick.patch 2003-07-10 16:21:14.000000000 +0200
@@ -0,0 +1,50 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0455
+ The imagemagick libmagick library 5.5 and earlier creates temporary
+ files insecurely, which allows local users to create or overwrite
+ arbitrary files.
+
+this patch based on Daniel Kobras code to fix insecure temporary
+file creation which is mentioned in http://www.debian.org/security/2003/dsa-331
+ported because added randomness just makes the race condition harder to
+achieve, but not impossible.
+
+--- magick/utility.c.orig Fri Dec 13 16:34:24 2002
++++ magick/utility.c Thu Jul 10 15:20:20 2003
+@@ -3258,7 +3258,37 @@
+ % name is returned in this array.
+ %
+ */
++
++/* Attention: this creates an additional
++ * intermediate directory for security reasons,
++ * but unfortunately it is never deleted.
++ */
++static void TemporaryFilenameHelper(char *);
+ MagickExport void TemporaryFilename(char *path)
++{
++ static char *mSafeTmpdir = NULL;
++ char *name;
++
++ path[0] = '\0';
++ if (mSafeTmpdir == NULL) {
++ do {
++ TemporaryFilenameHelper(path);
++ if (mkdir(path, S_IRWXU) == 0) {
++ mSafeTmpdir = strdup(path);
++ break;
++ }
++ } while (errno == EEXIST);
++ }
++ if (mSafeTmpdir == NULL)
++ return;
++ if ((name = tempnam(mSafeTmpdir, (char *)NULL)) == NULL)
++ return;
++ (void)strncpy(path, name, MaxTextExtent-1);
++ free(name);
++ return;
++}
++
++static void TemporaryFilenameHelper(char *path)
+ {
+ #define RandomKeyExtent 6
+
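Review bot: The `(void)strncpy(path, name, MaxTextExtent-1);` at the end of the new TemporaryFilename() does not guarantee termination: the earlier `path[0] = '\0'` is overwritten and strncpy never writes path[MaxTextExtent-1], so a name of MaxTextExtent-1 bytes or more hands callers an unterminated buffer; add `path[MaxTextExtent-1] = '\0';` after the copy, or replace it with `(void)snprintf(path, MaxTextExtent, "%s", name);`. Separately, glibc's tempnam(3) consults the TMPDIR environment variable before its dir argument, so when TMPDIR is set the private 0700 directory built by the mkdir loop is skipped and names are generated in that shared directory again; unless callers are changed to an open(O_CREAT|O_EXCL)/mkstemp style, the comment above the function should at least state that this fix assumes TMPDIR is unset or trusted. The mkdir loop retries only on EEXIST, and `mSafeTmpdir` is a static set without any locking, so two threads entering before it is assigned will each create a directory and the loser's is leaked on top of the never-deleted one the comment already admits. TemporaryFilenameHelper's body continues past the end of the hunk.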
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/imagemagick/imagemagick.spec
============================================================================
$ cvs diff -u -r1.83.2.1.2.1 -r1.83.2.1.2.2 imagemagick.spec
--- openpkg-src/imagemagick/imagemagick.spec 18 Jan 2003 17:20:08 -0000
1.83.2.1.2.1
+++ openpkg-src/imagemagick/imagemagick.spec 10 Jul 2003 14:21:14 -0000
1.83.2.1.2.2
@@ -42,7 +42,7 @@
Group: Graphics
License: GPL
Version: %{V_major}.%{V_minor}
-Release: 1.2.0
+Release: 1.2.1
# package options
%option with_perl no
@@ -50,6 +50,7 @@
# list of sources
Source0: ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick-%{V_dist}.tar.gz
+Patch0: imagemagick.patch
# build information
Prefix: %{l_prefix}
@@ -85,6 +86,7 @@
-e 's/\/magick -lMagick/\/magick\/.libs -lMagick/' \
-e 's/^\(MagickLibSubdir="\)[^"]*\("\)/\1imagemagick\2/' \
configure
+ %patch -p0
%build
CC="%{l_cc}" \
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.5507 -r1.5508 news.txt
--- openpkg-web/news.txt 10 Jul 2003 14:05:08 -0000 1.5507
+++ openpkg-web/news.txt 10 Jul 2003 14:21:12 -0000 1.5508
@@ -1,3 +1,4 @@
+10-Jul-2003: Upgraded package: P<imagemagick-5.5.3.2-1.2.1>
10-Jul-2003: Upgraded package: P<nessus-libs-2.0.7-20030710>
10-Jul-2003: Upgraded package: P<gnutls-0.8.9-20030710>
10-Jul-2003: Upgraded package: P<gcc34-3.4s20030709-20030710>
@@ .