[DebianGIS-dev] r1835 - packages/gpsdrive/trunk/debian/patches

2008-12-29 Thread nd-guest
Author: nd-guest
Date: 2008-12-29 16:12:01 + (Mon, 29 Dec 2008)
New Revision: 1835

Added:
   packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch
   packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch
Modified:
   packages/gpsdrive/trunk/debian/patches/00list
Log:
Add patches to fix several symlink vulnerabilities.


Modified: packages/gpsdrive/trunk/debian/patches/00list
===
--- packages/gpsdrive/trunk/debian/patches/00list   2008-12-27 15:33:32 UTC 
(rev 1834)
+++ packages/gpsdrive/trunk/debian/patches/00list   2008-12-29 16:12:01 UTC 
(rev 1835)
@@ -16,3 +16,5 @@
 98-mapnik-exception
 99-autobestmap
 100-fix-insecure-tempfiles
+101-signalposreq
+102-unittest

Added: packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch
===
--- packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch  
(rev 0)
+++ packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch  
2008-12-29 16:12:01 UTC (rev 1835)
@@ -0,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 101-signalposreq.dpatch by Andreas Putzo andr...@putzo.net
+##
+## DP: Remove signalposreq() from gpsdrive, vulnerable to symlink attacks.
+## DP: Remove weird deletion of temporary files.
+
+...@dpatch@
+diff -urNad gpsdrive-2.10~pre4-6.dfsg~/src/gpsdrive.c 
gpsdrive-2.10~pre4-6.dfsg/src/gpsdrive.c
+--- gpsdrive-2.10~pre4-6.dfsg~/src/gpsdrive.c  2008-12-28 18:10:54.0 
+
 gpsdrive-2.10~pre4-6.dfsg/src/gpsdrive.c   2008-12-28 18:11:27.0 
+
+@@ -3087,9 +3087,6 @@
+ /*  all default values must be set BEFORE readconfig! */
+ g_strlcpy (setpositionname, , sizeof (setpositionname));
+ 
+-/* setup signal handler */
+-signal (SIGUSR1, signalposreq);
+-
+ sql_load_lib();
+ /*  I18l */
+ 
+@@ -3419,9 +3416,6 @@
+ gdk_pixbuf_unref (friendspixbuf);
+ 
+ 
+-unlink (/tmp/cammain.pid);
+-unlink (/tmp/gpsdrivetext.out);
+-unlink (/tmp/gpsdrivepos);
+ if (local_config.savetrack)
+   savetrackfile (2);
+ sqlend ();
+diff -urNad gpsdrive-2.10~pre4-6.dfsg~/src/gpsproto.h 
gpsdrive-2.10~pre4-6.dfsg/src/gpsproto.h
+--- gpsdrive-2.10~pre4-6.dfsg~/src/gpsproto.h  2007-09-14 21:47:13.0 
+
 gpsdrive-2.10~pre4-6.dfsg/src/gpsproto.h   2008-12-28 18:11:32.0 
+
+@@ -75,7 +75,6 @@
+ gint settings_main_cb (GtkWidget *widget, guint datum);
+ gint sel_message_cb (GtkWidget * widget, guint datum);
+ gint setmessage_cb (GtkWidget * widget, guint datum);
+-void signalposreq ();
+ gint reinsertwp_cb (GtkWidget * widget, guint datum);
+ GdkPixbuf *create_pixbuf (const gchar * filename);
+ gint simulated_pos (GtkWidget * widget, guint * datum);
+diff -urNad gpsdrive-2.10~pre4-6.dfsg~/src/splash.c 
gpsdrive-2.10~pre4-6.dfsg/src/splash.c
+--- gpsdrive-2.10~pre4-6.dfsg~/src/splash.c2007-09-14 21:47:13.0 
+
 gpsdrive-2.10~pre4-6.dfsg/src/splash.c 2008-12-28 18:11:18.0 
+
+@@ -630,25 +630,3 @@
+ (gtk_widget_destroy), NULL);
+   return TRUE;
+ }
+-
+-
+-/* writes time and position to /tmp/gpsdrivepos */
+-void
+-signalposreq ()
+-{
+-  FILE *f;
+-  time_t t;
+-  struct tm *ts;
+-
+-  f = fopen (/tmp/gpsdrivepos, w);
+-  if (f == NULL)
+-  {
+-  perror (/tmp/gpsdrivepos);
+-  return;
+-  }
+-  time (t);
+-  ts = localtime (t);
+-  fprintf (f, asctime (ts));
+-  fprintf (f, POS %f %f\n, coords.current_lat, coords.current_lon);
+-  fclose (f);
+-}
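Review bot: With the `signal (SIGUSR1, signalposreq);` registration dropped from gpsdrive.c, SIGUSR1 falls back to its default disposition, which terminates the process, so any helper that still sends that signal to request a position dump would now stop gpsdrive instead of getting a file. If no senders remain this is fine; otherwise keep the signal harmless with `signal (SIGUSR1, SIG_IGN);` at the same place. The dpatch also drops the three `unlink` calls on fixed /tmp names, and whether the cammain.pid and gpsdrivetext.out files are still written elsewhere is not visible here; if they are, those writers need the same review as `signalposreq()`. The functions touched in gpsdrive.c start and end outside the hunks.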


Property changes on: 
packages/gpsdrive/trunk/debian/patches/101-signalposreq.dpatch
___
Name: svn:executable
   + *

Added: packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch
===
--- packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch  
(rev 0)
+++ packages/gpsdrive/trunk/debian/patches/102-unittest.dpatch  2008-12-29 
16:12:01 UTC (rev 1835)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 102-unittest.dpatch by Andreas Putzo andr...@putzo.net
+##
+## DP: Use mkdtemp to avoid a potential symlink attack.
+
+...@dpatch@
+diff -urNad gpsdrive-2.10~pre4-6.dfsg~/src/unit_test.c 
gpsdrive-2.10~pre4-6.dfsg/src/unit_test.c
+--- gpsdrive-2.10~pre4-6.dfsg~/src/unit_test.c 2007-09-15 15:12:03.0 
+
 gpsdrive-2.10~pre4-6.dfsg/src/unit_test.c  2008-12-29 15:33:26.0 
+
+@@ -649,10 +649,12 @@
+ gchar fn[500];
+ gint response;
+ 
+-
+-g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test);
+-mkdir (dir_proc, 0777);
+-g_snprintf (dir_proc, sizeof (dir_proc), /tmp/gpsdrive-unit-test/proc);
++strncpy(dir_proc, /tmp/gpsdrive-unit-test.XX, sizeof(dir_proc));
++if (mkdtemp(dir_proc) == 

[DebianGIS-dev] r1836 - packages/gpsdrive/trunk/debian/patches

2008-12-29 Thread nd-guest
Author: nd-guest
Date: 2008-12-29 16:12:45 + (Mon, 29 Dec 2008)
New Revision: 1836

Modified:
   packages/gpsdrive/trunk/debian/patches/100-fix-insecure-tempfiles.dpatch
Log:
update patch for geo-code to fix a potential race condition


Modified: 
packages/gpsdrive/trunk/debian/patches/100-fix-insecure-tempfiles.dpatch
===
--- packages/gpsdrive/trunk/debian/patches/100-fix-insecure-tempfiles.dpatch
2008-12-29 16:12:01 UTC (rev 1835)
+++ packages/gpsdrive/trunk/debian/patches/100-fix-insecure-tempfiles.dpatch
2008-12-29 16:12:45 UTC (rev 1836)
@@ -7,7 +7,7 @@
 @DPATCH@
 diff -urNad gpsdrive-2.10~pre4-6.dfsg~/scripts/geo-code 
gpsdrive-2.10~pre4-6.dfsg/scripts/geo-code
 --- gpsdrive-2.10~pre4-6.dfsg~/scripts/geo-code2007-09-14 
21:47:07.0 +
-+++ gpsdrive-2.10~pre4-6.dfsg/scripts/geo-code 2008-08-31 21:51:50.0 
+
 gpsdrive-2.10~pre4-6.dfsg/scripts/geo-code 2008-12-28 17:47:39.0 
+
 @@ -83,6 +83,7 @@
  #
  error() {
@@ -37,15 +37,23 @@
do
[ -f $i ]  rm -f $i
done
-@@ -248,7 +250,7 @@
+@@ -248,11 +250,11 @@
  #
  # Main Program
  #
 -TMP=/tmp/geo$$
-+TMP=`mktemp`
- STYLE=${TMP}.style
- COORDS=${TMP}.coords
- OUTWAY=${TMP}.way
+-STYLE=${TMP}.style
+-COORDS=${TMP}.coords
+-OUTWAY=${TMP}.way
+-MAP=${TMP}.gif
++TMP=`mktemp -d`
++STYLE=${TMP}/style
++COORDS=${TMP}/coords
++OUTWAY=${TMP}/way
++MAP=${TMP}/gif
+ UA=Mozilla/5.0
+ 
+ if [ $GURL !=  ]; then
 @@ -269,7 +271,6 @@
| head -n1 \
`
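Review bot: The new `mktemp -d` assignment to TMP in the geo-code hunk is not checked, so if mktemp fails TMP is empty and STYLE, COORDS, OUTWAY and MAP resolve to `/style`, `/coords`, `/way` and `/gif` in the root directory. Stop on failure, for example `TMP=$(mktemp -d) || exit 1`, and quote the expansions that use it. The cleanup loop visible as context only removes regular files (`[ -f $i ]`), so the directory itself appears to be left behind unless it is removed somewhere outside the visible lines. The script's main program continues beyond this hunk.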




[DebianGIS-dev] r1837 - packages/gpsdrive/trunk/debian

2008-12-29 Thread nd-guest
Author: nd-guest
Date: 2008-12-29 19:36:48 + (Mon, 29 Dec 2008)
New Revision: 1837

Modified:
   packages/gpsdrive/trunk/debian/examples
Log:
remove gpssmswatch from examples


Modified: packages/gpsdrive/trunk/debian/examples
===
--- packages/gpsdrive/trunk/debian/examples 2008-12-29 16:12:45 UTC (rev 
1836)
+++ packages/gpsdrive/trunk/debian/examples 2008-12-29 19:36:48 UTC (rev 
1837)
@@ -1,6 +1,5 @@
 scripts/gpssql_backup.sh
 scripts/gpssql_restore.sh
-scripts/gpssmswatch
 scripts/nasaconv.sh
 scripts/wp2sql
 scripts/wpcvt




[DebianGIS-dev] r1838 - packages/gpsdrive/trunk/debian

2008-12-29 Thread nd-guest
Author: nd-guest
Date: 2008-12-29 19:42:07 + (Mon, 29 Dec 2008)
New Revision: 1838

Modified:
   packages/gpsdrive/trunk/debian/changelog
Log:
add changelog


Modified: packages/gpsdrive/trunk/debian/changelog
===
--- packages/gpsdrive/trunk/debian/changelog2008-12-29 19:36:48 UTC (rev 
1837)
+++ packages/gpsdrive/trunk/debian/changelog2008-12-29 19:42:07 UTC (rev 
1838)
@@ -1,3 +1,17 @@
+gpsdrive (2.10~pre4-6.dfsg-2) unstable; urgency=low
+
+  * Remove example script gpssmswatch. Prone to symlink attacks
+and removed upstream.
+  * Added 101-signalposreq.dpatch to remove signalposreq() from
+gpsdrive to fix a potential symlink vulnerability. Removed
+unused unlinks of temporary files (Closes: #508597,#508596).
+  * Added 102-unittest.dpatch to use mkdtemp in src/unit_test.c to
+fix a symlink vulnerability.
+  * Updated patch for geo-code to avoid a potential race condition
+(CVE-2008-5380).
+
+ -- Andreas Putzo andr...@putzo.net  Mon, 29 Dec 2008 16:08:22 +
+
 gpsdrive (2.10~pre4-6.dfsg-1) unstable; urgency=low
 
   * Added .dfsg to version to allow a sourceful upload

