OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 15-Jun-2005 13:22:24 Branch: OPENPKG_2_2_SOLID Handle: 2005061512222400 Added files: (Branch: OPENPKG_2_2_SOLID) openpkg-src/shtool shtool.patch Modified files: (Branch: OPENPKG_2_2_SOLID) openpkg-src/shtool shtool.spec Log: Apply Security Fixes (CAN-2005-1751, CAN-2005-1759) Summary: Revision Changes Path 1.1.4.1 +109 -0 openpkg-src/shtool/shtool.patch 1.31.2.2 +3 -1 openpkg-src/shtool/shtool.spec ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/shtool/shtool.patch
============================================================================
$ cvs diff -u -r0 -r1.1.4.1 shtool.patch
--- /dev/null 2005-06-15 13:22:11 +0200
+++ shtool.patch 2005-06-15 13:22:24 +0200
@@ -0,0 +1,109 @@
+Index: sh.common
+--- sh.common 7 Apr 2004 07:55:02 -0000 1.23
++++ sh.common 15 Jun 2005 08:11:16 -0000 1.24
+@@ -161,6 +161,7 @@
+
+ # establish a temporary file on request
+ if [ ".$gen_tmpfile" = .yes ]; then
++ # create (explicitly) secure temporary directory
+ if [ ".$TMPDIR" != . ]; then
+ tmpdir="$TMPDIR"
+ elif [ ".$TEMPDIR" != . ]; then
+@@ -168,10 +169,19 @@
+ else
+ tmpdir="/tmp"
+ fi
+- tmpfile="$tmpdir/.shtool.$$"
+- rm -f $tmpfile >/dev/null 2>&1
+- touch $tmpfile
+- chmod 600 $tmpfile
++ tmpdir="$tmpdir/.shtool.$$"
++ ( umask 077
++ rm -rf "$tmpdir" >/dev/null 2>&1 || true
++ mkdir "$tmpdir" >/dev/null 2>&1
++ if [ $? -ne 0 ]; then
++ echo "$msgprefix:Error: failed to create temporary directory \`$tmpdir'" 1>&2
++ exit 1
++ fi
++ )
++
++ # create (implicitly) secure temporary file
++ tmpfile="$tmpdir/shtool.tmp"
++ touch "$tmpfile"
+ fi
+
+ # utility function: map string to lower case
+@@ -188,7 +198,7 @@
+ shtool_exit () {
+ rc="$1"
+ if [ ".$gen_tmpfile" = .yes ]; then
+- rm -f $tmpfile >/dev/null 2>&1 || true
++ rm -rf "$tmpdir" >/dev/null 2>&1 || true
+ fi
+ exit $rc
+ }
+Index: sh.arx
+--- sh.arx 12 Feb 2004 16:06:26 -0000 1.21
++++ sh.arx 15 Jun 2005 08:11:16 -0000 1.22
+@@ -34,7 +34,7 @@
+ files="$*"
+
+ # walk through the file list and expand archives members
+-tmpdir=`echo $archive | sed -e 's;[^/]*$;.arx;'`
++ar_tmpdir=`echo $archive | sed -e 's;[^/]*$;.arx;'`
+ nfiles=''
+ if [ ".$files" != . ]; then
+ for file in $files; do
+@@ -44,13 +44,13 @@
+ fi
+ case $file in
+ *.a )
+- if [ ! -d $tmpdir ]; then
++ if [ ! -d $ar_tmpdir ]; then
+ if [ ".$opt_t" = .yes ]; then
+- echo "mkdir $tmpdir" 1>&2
++ echo "mkdir $ar_tmpdir" 1>&2
+ fi
+- mkdir $tmpdir
++ mkdir $ar_tmpdir
+ fi
+- case $tmpdir in
++ case $ar_tmpdir in
+ .arx )
+ from="../$file"
+ ;;
+@@ -61,16 +61,16 @@
+ ;;
+ esac
+ if [ ".$opt_t" = .yes ]; then
+- echo "(cd $tmpdir && $ar_prg x $from)" 1>&2
++ echo "(cd $ar_tmpdir && $ar_prg x $from)" 1>&2
+ fi
+- (cd $tmpdir && eval $ar_prg x $from)
++ (cd $ar_tmpdir && eval $ar_prg x $from)
+ if [ $? -ne 0 ]; then
+ echo "$msgprefix:Error: member extraction failed for archive: $file" 1>&2
+ shtool_exit 1
+ fi
+ for member in - `eval $ar_prg t $file | sed -e '/_\.SYMDEF/d'`; do
+ [ ".$member" = .- ] && continue
+- nfiles="$nfiles $tmpdir/$member"
++ nfiles="$nfiles $ar_tmpdir/$member"
+ done
+ ;;
+ * )
+@@ -91,11 +91,11 @@
+ fi
+
+ # cleanup and die gracefully
+-if [ -d $tmpdir ]; then
++if [ -d $ar_tmpdir ]; then
+ if [ ".$opt_t" = .yes ]; then
+- echo "rm -rf $tmpdir" 1>&2
++ echo "rm -rf $ar_tmpdir" 1>&2
+ fi
+- rm -rf $tmpdir
++ rm -rf $ar_tmpdir
+ fi
+
+ shtool_exit 0
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/shtool/shtool.spec
============================================================================
$ cvs diff -u -r1.31.2.1 -r1.31.2.2 shtool.spec
--- openpkg-src/shtool/shtool.spec 11 Oct 2004 18:58:58 -0000 1.31.2.1
+++ openpkg-src/shtool/shtool.spec 15 Jun 2005 11:22:24 -0000 1.31.2.2
@@ -34,13 +34,14 @@
 Group: Development
 License: GPL
 Version: 2.0.1
-Release: 2.2.0
+Release: 2.2.1
 # package options
 %option with_shtoolize yes
 # list of sources
 Source0: ftp://ftp.gnu.org/gnu/shtool/shtool-%{version}.tar.gz
+Patch0: shtool.patch
 # build information
 Prefix: %{l_prefix}
@@ -71,6 +72,7 @@
 %prep
 %setup -q
+ %patch -p0
 %build
 ./configure \
@@ .
______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
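Review bot: In the sh.common hunk at `@@ -168,10 +169,19 @@`, the `exit 1` after a failed `mkdir "$tmpdir"` runs inside the `( umask 077 … )` subshell, so it ends only the subshell. Nothing in the hunk checks the subshell's status, so unless errexit is enabled elsewhere the script continues to `touch "$tmpfile"` inside a directory it did not create. Because `.shtool.$$` is a predictable name under a shared temporary directory, an already-existing directory owned by another user is exactly the case the mkdir check is meant to stop, and the preceding `rm -rf` may not be able to remove it. Close the group with `) || exit 1` so the failure is fatal in the caller; plain `exit` is preferable to `shtool_exit` here, since that would `rm -rf "$tmpdir"` on a directory the script does not own. The enclosing `if [ ".$gen_tmpfile" = .yes ]` block starts outside that hunk.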