* [gentoo-commits] gentoo-x86 commit in app-text/uudeview/files: uudeview-0.5.20-man.patch uudeview-0.5.20-rename.patch uudeview-0.5.20-CVE-2004-2265.patch uudeview-0.5.20-CVE-2008-2266.patch uudeview-0.5.20-bugfixes.patch uudeview-0.5.18-optimize_size.patch
@ 2008-07-28 0:35 Robert Buchholz (rbu)
From: Robert Buchholz (rbu) @ 2008-07-28 0:35 UTC
To: gentoo-commits
rbu 08/07/28 00:35:39
Added: uudeview-0.5.20-man.patch
uudeview-0.5.20-rename.patch
uudeview-0.5.20-CVE-2004-2265.patch
uudeview-0.5.20-CVE-2008-2266.patch
uudeview-0.5.20-bugfixes.patch
Removed: uudeview-0.5.18-optimize_size.patch
Log:
Non-maintainer bump
Pull in source patches from Debian
* Fix temporary file issue (CVE-2004-2265, CVE-2008-2266, bug #222275)
* Update uudeview man page, include uuwish man page
* Several bug fixes
Other changes:
* Remove dead 'debug' use flag
* Remove old patch
(Portage version: 2.1.4.4)
Revision Changes Path
1.1 app-text/uudeview/files/uudeview-0.5.20-man.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-man.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-man.patch?rev=1.1&content-type=text/plain
Index: uudeview-0.5.20-man.patch
===================================================================
+uudeview (0.5.13-2.1) unstable; urgency=low
...
+ * Added man page for uuwish(1).
...
+ -- Roland Rosenfeld <roland@debian.org> Thu, 16 Sep 1999 18:48:47 +0200
+Thu Oct 24 22:12:01 1996 Martin Schulze <joey@finlandia.infodrom.north.de>
...
+ * Corrected some manpages
Index: uudeview-0.5.20/man/uudeview.1
===================================================================
--- uudeview-0.5.20.orig/man/uudeview.1
+++ uudeview-0.5.20/man/uudeview.1
@@ -164,6 +164,16 @@ delivered in have different subject line
verbosity. Normally, the program prints some status messages
while reading the input files, which can be very helpful if something
should go wrong. Use if these messages disturb you.
+Disables progress bars. See
+.B -n
+option.
+.TP
+.B -v
+(disables Verbosity) Disables verbose messages, i.e. notes are not
+displayed, but does not remove warnings and errors. Is not as quiet as
+the
+.B -q
+(Quiet) option.
.TP
.B -n
No progress bars. Normally, UUDeview prints ASCII bars crawling up
Index: uudeview-0.5.20/man/uuwish.1
===================================================================
--- /dev/null
+++ uudeview-0.5.20/man/uuwish.1
@@ -0,0 +1,45 @@
+.\" Copyright (c) 1999 Roland Rosenfeld <roland@spinnaker.de>
+.\" changes Copyright (c) 2001 Chris Hanson <cph@debian.org>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc.,59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+.\"
+.\" This manual page is written especially for Debian Linux.
+.\"
+.TH UUWISH 1 "February 2001" "Debian Project" "Debian GNU/Linux"
+.SH NAME
+uuwish \- A minimal wish extended by the UU commands
+.SH SYNOPSIS
+.B uuwish
+is a minimal
+.BR wish (1)
+extended by the UU commands that are available in
+.BR uudeview (1)
+and
+.BR uuenview (1).
+.B uuwish
+isn't meant to be called directly; it is a Tcl/Tk script interpreter,
+which is meant to be used by
+.BR xdeview (1).
+.SH "SEE ALSO"
+.BR xdeview (1),
+.BR uudeview (1),
+.BR uuenview (1),
+.BR wish (1).
+.SH AUTHOR
+.B uuwish
+was written by Frank Pilhofer <fp@informatik.uni-frankfurt.de>.
+.PP
+This manual page was written by Roland Rosenfeld <roland@debian.org>,
+for the Debian GNU/Linux system (but may be used by others).
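Review bot: in the new uuwish.1 the descriptive paragraph sits directly under `.SH SYNOPSIS` and the page has no `.SH DESCRIPTION` section, so the prose is rendered as the command synopsis. Suggest leaving only `.B uuwish` under SYNOPSIS and moving the text from "is a minimal" onward under a `.SH DESCRIPTION` heading.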
Index: uudeview-0.5.20/configure.in
===================================================================
--- uudeview-0.5.20.orig/configure.in
+++ uudeview-0.5.20/configure.in
@@ -607,7 +607,7 @@ if test "x$have_minews" = "xyes" ; then
fi
if test "x$have_tk" != "xno" ; then
PROGS="$PROGS xdeview"
- MPAGES="$MPAGES xdeview.1"
+ MPAGES="$MPAGES xdeview.1 uuwish.1"
DOINST="$DOINST install-tcl"
fi
1.1 app-text/uudeview/files/uudeview-0.5.20-rename.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-rename.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-rename.patch?rev=1.1&content-type=text/plain
Index: uudeview-0.5.20-rename.patch
===================================================================
+uudeview (0.5.19+beta20030413-1) unstable; urgency=low
...
+ * Use rename() in preference to copy if possible.
+ (closes: Bug#166040)
...
+ -- Chris Hanson <cph@debian.org> Sun, 7 Sep 2003 01:05:07 -0400
Index: uudeview-0.5.20/uulib/uulib.c
===================================================================
--- uudeview-0.5.20.orig/uulib/uulib.c
+++ uudeview-0.5.20/uulib/uulib.c
@@ -872,7 +872,10 @@ UUDecodeToTemp (uulist *thefile)
}
/*
- * decode file first to temp file, then copy it to a final location
+ * Decode file first to temp file, then copy it to a final location.
+ * A move is preferable to a copy. If the file is on the same
+ * partition, no copy is performed. This is important for large
+ * files.
*/
int UUEXPORT
@@ -978,6 +981,12 @@ UUDecodeFile (uulist *thefile, char *des
return UURET_IOERR;
}
+ if (rename(thefile->binfile, uugen_fnbuffer) == 0) {
+ fclose(source);
+ close(fildes);
+ goto finish_ok;
+ }
+
if ((target = fdopen (fildes, "wb")) == NULL) {
progress.action = 0;
UUMessage (uulib_id, __LINE__, UUMSG_ERROR,
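Review bot: the `rename(thefile->binfile, uugen_fnbuffer)` fast path runs while `fildes`, which the following fdopen() turns into the copy target, is already open, so a successful rename replaces the file behind that descriptor and the result keeps the temp file's mode and ownership rather than those of the file opened as `fildes`. Suggest applying the intended permissions to uugen_fnbuffer before `goto finish_ok`, and stating in the comment that a failed rename (for example across file systems) falls through to the copy.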
@@ -1042,6 +1051,8 @@ UUDecodeFile (uulist *thefile, char *des
thefile->binfile,
strerror (uu_errno = errno));
}
+
+ finish_ok:
_FP_free (thefile->binfile);
thefile->binfile = NULL;
thefile->state &= ~UUFILE_TMPFILE;
@@ -1103,9 +1114,9 @@ UUInfoFile (uulist *thefile, void *opaqu
while (!feof (inpfile) &&
(uu_fast_scanning || ftell(inpfile) < maxpos)) {
- if (_FP_fgets (uugen_inbuffer, 511, inpfile) == NULL)
+ if (_FP_fgets (uugen_inbuffer, 1023, inpfile) == NULL)
break;
- uugen_inbuffer[511] = '\0';
+ uugen_inbuffer[1023] = '\0';
if (ferror (inpfile))
break;
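Review bot: `_FP_fgets (uugen_inbuffer, 1023, inpfile)` and `uugen_inbuffer[1023] = '\0'` hard-code a new length, but the declaration of uugen_inbuffer is not part of this patch, so nothing here shows the buffer holds at least 1024 bytes. Suggest deriving the limit from the buffer's declared size (a shared constant or sizeof) and moving this hunk out of the rename patch, since it is unrelated to the rename() change.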
1.1 app-text/uudeview/files/uudeview-0.5.20-CVE-2004-2265.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-CVE-2004-2265.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-CVE-2004-2265.patch?rev=1.1&content-type=text/plain
Index: uudeview-0.5.20-CVE-2004-2265.patch
===================================================================
+uudeview (0.5.20-2.1) unstable; urgency=low
+
+ * Fix possible (but highly unlikely) race in temporary file generation
+ (CAN-2004-2265), by passing the "x" (O_EXCL) flag to fopen when opening
+ such files. (Closes: #320541)
+
+ -- Steinar H. Gunderson <sesse@debian.org> Wed, 14 Jun 2006 18:44:05 +0200
+
Index: uudeview-0.5.20/unix/uudeview.c
===================================================================
--- uudeview-0.5.20.orig/unix/uudeview.c
+++ uudeview-0.5.20/unix/uudeview.c
@@ -454,7 +454,7 @@ proc_stdin (void)
return 0;
}
- if ((target = fopen (stdfile, "wb")) == NULL) {
+ if ((target = fopen (stdfile, "wbx")) == NULL) {
fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
stdfile, strerror (errno));
_FP_free (stdfile);
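Review bot: the "x" in `fopen (stdfile, "wbx")` was a glibc extension to the mode string when this was written (C11 only later added it for write modes), so on a C library that does not implement it the open can proceed without O_EXCL and the race stays open with no diagnostic. Suggest creating the file with open() using O_CREAT|O_EXCL and wrapping the descriptor with fdopen(), or using mkstemp(), so the exclusive create does not depend on how the libc parses the mode.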
Index: uudeview-0.5.20/uulib/uunconc.c
===================================================================
--- uudeview-0.5.20.orig/uulib/uunconc.c
+++ uudeview-0.5.20/uulib/uunconc.c
@@ -1325,9 +1325,9 @@ UUDecode (uulist *data)
return UURET_NODATA;
if (data->uudet == PT_ENCODED)
- mode = "wt"; /* open text files in text mode */
+ mode = "wtx"; /* open text files in text mode */
else
- mode = "wb"; /* otherwise in binary */
+ mode = "wbx"; /* otherwise in binary */
if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
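Review bot: with `mode = "wtx"` and `mode = "wbx"` the name still comes from `tempnam (NULL, "uu")` in a separate step, so a file already present at that name now makes the open fail outright instead of being retried with a fresh name. Suggest retrying on EEXIST, or generating and opening the file in one call with mkstemp().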
@@ -1502,7 +1502,7 @@ UUDecode (uulist *data)
progress.action = 0;
return UURET_NOMEM;
}
- if ((datain = fopen (data->binfile, "rb")) == NULL) {
+ if ((datain = fopen (data->binfile, "rbx")) == NULL) {
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_NOT_OPEN_FILE),
data->binfile, strerror (uu_errno = errno));
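Review bot: `fopen (data->binfile, "rbx")` adds the exclusive flag to a read of a file that must already exist; nothing is being created here, and O_EXCL without O_CREAT is undefined in POSIX. Suggest leaving this call at "rb" and limiting the "x" change to the opens that create the temp file.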
1.1 app-text/uudeview/files/uudeview-0.5.20-CVE-2008-2266.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-CVE-2008-2266.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-CVE-2008-2266.patch?rev=1.1&content-type=text/plain
Index: uudeview-0.5.20-CVE-2008-2266.patch
===================================================================
+uudeview (0.5.20-3.1) unstable; urgency=high
...
+ * Fixed a classical tempfile symlink attack vulnerability in libuu.
+ Thanks to Nico Golde for the patch. (Closes: #480972)
...
+ -- Marco d'Itri <md@linux.it> Wed, 21 May 2008 01:34:35 +0200
Index: uudeview-0.5.20/unix/uudeview.c
===================================================================
--- uudeview-0.5.20.orig/unix/uudeview.c
+++ uudeview-0.5.20/unix/uudeview.c
@@ -443,18 +443,46 @@ proc_stdin (void)
FILE *target;
size_t bytes;
int res;
+#define HAVE_MKSTEMP
+#ifdef HAVE_MKSTEMP
+ int tmpfd;
+ const char *tmpprefix = "uuXXXXXX";
+ char *tmpdir = NULL;
+#endif /* HAVE_MKSTEMP */
if (stdinput) {
fprintf (stderr, "proc_stdin: cannot process stdin twice\n");
return 0;
}
+#ifdef HAVE_MKSTEMP
+ if ((getuid()==geteuid()) && (getgid()==getegid())) {
+ tmpdir=getenv("TMPDIR");
+ }
+
+ if (!tmpdir) {
+ tmpdir = "/tmp";
+ }
+ stdfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
+
+ if (!stdfile) {
+#else
if ((stdfile = tempnam (NULL, "uu")) == NULL) {
+#endif
fprintf (stderr, "proc_stdin: cannot get temporary file\n");
return 0;
}
+#ifdef HAVE_MKSTEMP
+ strcpy(stdfile, tmpdir);
+ strcat(stdfile, "/");
+ strcat(stdfile, tmpprefix);
+
+ if ((tmpfd = mkstemp(stdfile)) == -1 ||
+ (target = fdopen(tmpfd, "wbx")) == NULL) {
+#else
if ((target = fopen (stdfile, "wbx")) == NULL) {
+#endif
fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
stdfile, strerror (errno));
_FP_free (stdfile);
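Review bot: `#define HAVE_MKSTEMP` sits unconditionally among the local declarations of proc_stdin, so the `#else` branches with tempnam() can never be compiled and the macro says nothing about what the platform provides. Suggest letting configure define it, or dropping the #ifdef scaffolding. Also, when mkstemp() succeeds but fdopen() fails, nothing added in this hunk closes tmpfd or unlinks the file on that path, and the "x" in `fdopen(tmpfd, "wbx")` has no effect on a descriptor that is already open.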
Index: uudeview-0.5.20/uulib/uunconc.c
===================================================================
--- uudeview-0.5.20.orig/uulib/uunconc.c
+++ uudeview-0.5.20/uulib/uunconc.c
@@ -1311,6 +1311,12 @@ UUDecode (uulist *data)
char *mode, *ntmp;
uufile *iter;
size_t bytes;
+#define HAVE_MKSTEMP
+#ifdef HAVE_MKSTEMP
+ int tmpfd;
+ const char *tmpprefix = "uuXXXXXX";
+ char *tmpdir = NULL;
+#endif /* HAVE_MKSTEMP */
if (data == NULL || data->thisfile == NULL)
return UURET_ILLVAL;
@@ -1329,13 +1335,35 @@ UUDecode (uulist *data)
else
mode = "wbx"; /* otherwise in binary */
+#ifdef HAVE_MKSTEMP
+ if ((getuid()==geteuid()) && (getgid()==getegid())) {
+ tmpdir=getenv("TMPDIR");
+ }
+
+ if (!tmpdir) {
+ tmpdir = "/tmp";
+ }
+ data->binfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
+
+ if (!data->binfile) {
+#else
if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
+#endif /* HAVE_MKSTEMP */
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_NO_TEMP_NAME));
return UURET_NOMEM;
}
+#ifdef HAVE_MKSTEMP
+ strcpy(data->binfile, tmpdir);
+ strcat(data->binfile, "/");
+ strcat(data->binfile, tmpprefix);
+
+ if ((tmpfd = mkstemp(data->binfile)) == -1 ||
+ (dataout = fdopen(tmpfd, mode)) == NULL) {
+#else
if ((dataout = fopen (data->binfile, mode)) == NULL) {
+#endif /* HAVE_MKSTEMP */
/*
* we couldn't create a temporary file. Usually this means that TMP
* and TEMP aren't set
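Review bot: the context comment "Usually this means that TMP and TEMP aren't set" is stale after this hunk, because the added code takes the directory from `getenv("TMPDIR")` (only when real and effective ids match) and otherwise falls back to /tmp. Suggest updating the comment, and passing a mode without "x" to `fdopen(tmpfd, mode)`, where the flag cannot apply to a file mkstemp() has already created.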
@@ -1343,6 +1371,12 @@ UUDecode (uulist *data)
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_WR_ERR_TARGET),
data->binfile, strerror (uu_errno = errno));
+#ifdef HAVE_MKSTEMP
+ if (tmpfd != -1) {
+ unlink(data->binfile);
+ close(tmpfd);
+ }
+#endif /* HAVE_MKSTEMP */
_FP_free (data->binfile);
data->binfile = NULL;
uu_errno = errno;
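Review bot: the added `unlink(data->binfile)` and `close(tmpfd)` run before the trailing `uu_errno = errno;`, so either call can overwrite errno and uu_errno then reports the cleanup's result instead of the mkstemp()/fdopen() failure. Suggest saving errno before the cleanup block, or removing the trailing assignment, since the UUMessage call above already sets uu_errno.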
@@ -1499,7 +1533,13 @@ UUDecode (uulist *data)
*/
if (data->uudet == BH_ENCODED && data->binfile) {
+#ifdef HAVE_MKSTEMP
+ ntmp = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
+
+ if (ntmp == NULL) {
+#else
if ((ntmp = tempnam (NULL, "uu")) == NULL) {
+#endif /* HAVE_MKSTEMP */
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_NO_TEMP_NAME));
progress.action = 0;
@@ -1513,12 +1553,27 @@ UUDecode (uulist *data)
free (ntmp);
return UURET_IOERR;
}
+
+#ifdef HAVE_MKSTEMP
+ strcpy(ntmp, tmpdir);
+ strcat(ntmp, "/");
+ strcat(ntmp, tmpprefix);
+ if ((tmpfd = mkstemp(ntmp)) == -1 ||
+ (dataout = fdopen(tmpfd, "wb")) == NULL) {
+#else
if ((dataout = fopen (ntmp, "wb")) == NULL) {
+#endif /* HAVE_MKSTEMP */
UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
uustring (S_NOT_OPEN_TARGET),
ntmp, strerror (uu_errno = errno));
progress.action = 0;
fclose (datain);
+#ifdef HAVE_MKSTEMP
+ if (tmpfd != -1) {
+ unlink(ntmp);
+ close(tmpfd);
+ }
+#endif /* HAVE_MKSTEMP */
free (ntmp);
return UURET_IOERR;
}
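Review bot: this is the third copy in the patch of the strcpy/strcat/mkstemp sequence that builds tmpdir + "/" + tmpprefix, each with its own malloc size arithmetic and its own cleanup, and here the descriptor is opened with "wb" while the other two pass a mode containing "x". Suggest one helper that returns the open descriptor and the allocated name, so the buffer length, the TMPDIR check and the unlink/close on failure live in one place.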
1.1 app-text/uudeview/files/uudeview-0.5.20-bugfixes.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-bugfixes.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/uudeview/files/uudeview-0.5.20-bugfixes.patch?rev=1.1&content-type=text/plain
Index: uudeview-0.5.20-bugfixes.patch
===================================================================
+uudeview (0.5.20-3) unstable; urgency=low
+
+ * Ack NMU. (closes: Bug#373630)
+ * Don't force overwrite mode if auto-rename enabled. (closes: Bug#378076)
+ * Don't ignore special chars when parsing MIME. (closes: Bug#341440)
+ * Fix for #320541 also fixes #242999. (closes: Bug#242999)
+ * Incorporate suspicious-file patch from Peter Muir. (closes: Bug#166077)
...
+ -- Chris Hanson <cph@debian.org> Tue, 15 Aug 2006 00:40:50 -0400
Index: uudeview-0.5.20/unix/uudeview.c
===================================================================
--- uudeview-0.5.20.orig/unix/uudeview.c
+++ uudeview-0.5.20/unix/uudeview.c
@@ -657,9 +657,6 @@ work_comline (int argc, char *argv[])
else switch (*(argv[number] + 1)) {
case '\0':
interact = 0;
- if (overwrite == 0) {
- overwrite = 1;
- }
proc_stdin ();
break;
case 'a':
@@ -699,10 +696,7 @@ work_comline (int argc, char *argv[])
fprintf (stderr, "WARNING: cannot interact when reading from stdin\n");
}
else {
- interact = (*argv[number] == '+') ? 1 : 0;
- if (overwrite == 0 && *argv[number] == '-') {
- overwrite = 1;
- }
+ interact = (*argv[number] == '+') ? 1 : 0;
}
break;
case 'm':
@@ -773,6 +767,8 @@ work_comline (int argc, char *argv[])
break;
}
}
+ if (overwrite == 0 && interact == 0 && autoren == 0)
+ overwrite = 1;
return 1;
}
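Review bot: the new default `if (overwrite == 0 && interact == 0 && autoren == 0) overwrite = 1;` is applied only after all arguments have been parsed, while the `case '\0'` branch in the first hunk still calls proc_stdin () during parsing, now without overwrite having been set. Please confirm proc_stdin () does not depend on overwrite, and add a short comment on the new check saying that overwrite is forced only for non-interactive runs without auto-rename.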
Index: uudeview-0.5.20/uulib/uunconc.c
===================================================================
--- uudeview-0.5.20.orig/uulib/uunconc.c
+++ uudeview-0.5.20/uulib/uunconc.c
@@ -1437,6 +1437,9 @@ UUDecode (uulist *data)
res = UURET_IOERR;
break;
}
+ UUMessage (uunconc_id, __LINE__, UUMSG_MESSAGE,
+ uustring (S_OPEN_FILE),
+ iter->data->sfname);
_FP_strncpy (uugen_fnbuffer, iter->data->sfname, 1024);
}
Index: uudeview-0.5.20/uulib/uuscan.c
===================================================================
--- uudeview-0.5.20.orig/uulib/uuscan.c
+++ uudeview-0.5.20/uulib/uuscan.c
@@ -387,10 +387,10 @@ ParseValue (char *attribute)
*attribute != '(' && *attribute != ')' &&
*attribute != '<' && *attribute != '>' &&
*attribute != '@' && *attribute != ',' &&
- /* *attribute != ';' && */ *attribute != ':' &&
- *attribute != '\\' &&*attribute != '"' &&
- *attribute != '/' && /* *attribute != '[' &&
- *attribute != ']' && */ *attribute != '?' &&
+ *attribute != ';' && *attribute != ':' &&
+ *attribute != '\\' && *attribute != '"' &&
+ *attribute != '/' && *attribute != '[' &&
+ *attribute != ']' && *attribute != '?' &&
*attribute != '=' && length < 255) {
*ptr++ = *attribute++;
length++;
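Review bot: un-commenting the `';'`, `'['` and `']'` tests changes where ParseValue stops on an unquoted value, so a bare value containing a semicolon or brackets is now cut at the first one, and the previously commented-out conditions disappear without any explanation in the code. Suggest a comment stating that the list is the RFC 2045 tspecials set and that values containing these characters have to be quoted.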
Index: uudeview-0.5.20/uulib/uustring.c
===================================================================
--- uudeview-0.5.20.orig/uulib/uustring.c
+++ uudeview-0.5.20/uulib/uustring.c
@@ -107,6 +107,7 @@ static stringmap messages[] = {
{ S_MIME_B_NOT_FOUND, "Boundary expected on Multipart message but found EOF" },
{ S_MIME_MULTI_DEPTH, "Multipart message nested too deep" },
{ S_MIME_PART_MULTI, "Handling partial multipart message as plain text" },
+ { S_OPEN_FILE, "Opened file %s" },
{ 0, "" }
};
Index: uudeview-0.5.20/uulib/uustring.h
===================================================================
--- uudeview-0.5.20.orig/uulib/uustring.h
+++ uudeview-0.5.20/uulib/uustring.h
@@ -36,3 +36,4 @@
#define S_MIME_B_NOT_FOUND 35
#define S_MIME_MULTI_DEPTH 36
#define S_MIME_PART_MULTI 37
+#define S_OPEN_FILE 38