authorRobert Buchholz <rbu@gentoo.org>2009-07-13 00:49:44 +0000
committerRobert Buchholz <rbu@gentoo.org>2009-07-13 00:49:44 +0000
commit68a4be0f850ab36d905ca0c4fd7c5e1dfdecdd6e (patch)
tree59edd38326ca963c8ad14b4d591b5de57eb3d40d
parentVersion bump (diff)
Security bump: Fix temporary file handling, CVE-2008-5137, bug #247540. Thanks to Steven Susbauer.
(Portage version: 2.1.6.13/cvs/Linux x86_64)
-rw-r--r--app-text/tkman/ChangeLog12
-rw-r--r--app-text/tkman/files/tkman-CVE-2008-5137.diff278
-rw-r--r--app-text/tkman/files/tkman.desktop2
-rw-r--r--app-text/tkman/tkman-2.1-r1.ebuild11
-rw-r--r--app-text/tkman/tkman-2.2-r1.ebuild (renamed from app-text/tkman/tkman-2.2.ebuild)23
5 files changed, 305 insertions, 21 deletions
diff --git a/app-text/tkman/ChangeLog b/app-text/tkman/ChangeLog
index 1a6281962cab..0943176a0f48 100644
--- a/app-text/tkman/ChangeLog
+++ b/app-text/tkman/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-text/tkman
-# Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-text/tkman/ChangeLog,v 1.18 2007/05/14 20:13:36 bangert Exp $
+# Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/app-text/tkman/ChangeLog,v 1.19 2009/07/13 00:49:43 rbu Exp $
+
+*tkman-2.2-r1 (13 Jul 2009)
+
+ 13 Jul 2009; Robert Buchholz <rbu@gentoo.org>
+ +files/tkman-CVE-2008-5137.diff, files/tkman.desktop, tkman-2.1-r1.ebuild,
+ -tkman-2.2.ebuild, +tkman-2.2-r1.ebuild:
+ Security bump: Fix temporary file handling, CVE-2008-5137, bug #247540. Thanks
+ to Steven Susbauer.
14 May 2007; Thilo Bangert <bangert@gentoo.org> metadata.xml:
add <herd>no-herd</herd>
diff --git a/app-text/tkman/files/tkman-CVE-2008-5137.diff b/app-text/tkman/files/tkman-CVE-2008-5137.diff
new file mode 100644
index 000000000000..2e9bcc2828d6
--- /dev/null
+++ b/app-text/tkman/files/tkman-CVE-2008-5137.diff
@@ -0,0 +1,278 @@
+diff -urN tkman-2.2~/Makefile tkman-2.2/Makefile
+--- tkman-2.2~/Makefile 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/Makefile 2008-12-05 17:37:55.000000000 -0600
+@@ -97,7 +97,7 @@
+ # at the closest DPI in this list
+ dpis = "75 100"
+
+-
++manxlongtmp = [exec mktemp -p /tmp tkman.XXXXXXXXXX]
+ # # # MACHINE DEPENDENCIES # # #
+
+ #manformat = {tbl | neqn | nroff -man }
+@@ -113,7 +113,7 @@
+ # Lines are cached in .../man/cat<n>@<line-length>;
+ # that is, the line length is appended to the usual cache directory names
+ #manformat = {groff -te -Tascii -man /tmp/ll -}
+-manformat = {groff -te -Tlatin1 -man /tmp/ll -}
++manformat = "groff -te -Tlatin1 -mandoc $$manx(longtmp) -"
+ # Ultrix users should uncomment the following line (you don't have eqn)
+ #manformat = {tbl | nroff -man }
+ # HP-UX uses a number of macros that groff doesn't define, so use the builtin nroff
+@@ -362,6 +362,7 @@
+ echo 'set man(texinfodir) $(texinfodir)' >> tkman
+ echo 'set man(gzgrep) $(gzgrep)' >> tkman
+ echo 'set man(rfcdir) $(rfcdir)' >> tkman
++ echo 'set manx(longtmp) $(manxlongtmp)' >> tkman
+ echo 'set man(format) $(manformat)' >> tkman
+ echo 'set man(printers) $(printers)' >> tkman
+ echo 'set manx(dpis) $(dpis)' >> tkman
+diff -urN tkman-2.2~/contrib/outline.tcl tkman-2.2/contrib/outline.tcl
+--- tkman-2.2~/contrib/outline.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/contrib/outline.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -71,7 +71,7 @@
+
+ text [set t .inv] -font {Times 12 {}} -wrap word -borderwidth 3 -padx 5 -pady 5 -yscrollcommand "[set v .v] set"
+ set finv [expr 1-[catch {$t tag configure invis -elide 1}]]
+- if !$finv { puts "you must apply the elided text patches first"; exit 0 }
++ if !$finv { puts "you must apply the elided text patches first"; CLEANUP; exit 0 }
+
+ scrollbar $v -orient vertical -command "$t yview"
+
+diff -urN tkman-2.2~/contrib/remote.tcl tkman-2.2/contrib/remote.tcl
+--- tkman-2.2~/contrib/remote.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/contrib/remote.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -26,6 +26,7 @@
+ if {$res=="1"} {set ready 1}
+ } elseif {[string match "*insecure*" info]} {
+ puts stderr "can't talk to an insecure server -- see send(n)"
++ CLEANUP
+ exit 1
+ }
+ }
+diff -urN tkman-2.2~/contrib/tkmanclient tkman-2.2/contrib/tkmanclient
+--- tkman-2.2~/contrib/tkmanclient 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/contrib/tkmanclient 2008-12-05 17:37:55.000000000 -0600
+@@ -60,7 +60,7 @@
+ }
+
+ set tkman [ check_for_tkman ]
+-if { $tkman == 0 } { puts stderr "couldnt start tkman!"; exit 1; }
++if { $tkman == 0 } { puts stderr "couldnt start tkman!"; CLEANUP; exit 1; }
+
+ set apropos 0
+ set instNew 0
+diff -urN tkman-2.2~/database.tcl tkman-2.2/database.tcl
+--- tkman-2.2~/database.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/database.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -41,6 +41,7 @@
+ if {![llength $manx(manList)]} {
+ puts stderr "Can't find any man pages!"
+ puts stderr "MANPATH = $env(MANPATH)"
++ CLEANUP
+ exit 1
+ }
+
+diff -urN tkman-2.2~/gui.tcl tkman-2.2/gui.tcl
+--- tkman-2.2~/gui.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/gui.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -66,7 +66,7 @@
+ wm protocol $w WM_SAVE_YOURSELF "manSave"
+ wm command $w [concat $argv0 $argv]
+ # aborts without saving .tkman
+- wm protocol $w WM_DELETE_WINDOW {exit 0}
++ wm protocol $w WM_DELETE_WINDOW {CLEANUP; exit 0}
+
+ # some braindead window managers ignore iconposition requests after window is iconified, so special setting here
+ if {[regexp $manx(posnregexp) $manx(iconposition) all x y]} {wm iconposition $w $x $y}
+@@ -221,7 +221,7 @@
+ -command "incr stat(checkpoint); manSave; manWinstdout \$curwin {[bolg $manx(startup) ~] updated}"
+ # if {!$dup} { ... but menu shared!
+ $m add separator
+- $m add command -label "Quit, don't update $manx(startup-short)" -command "exit 0"
++ $m add command -label "Quit, don't update $manx(startup-short)" -command "CLEANUP; exit 0"
+ # }
+ }
+
+@@ -537,8 +537,8 @@
+ "
+
+ ### quit
+- button $w.quit -text "Quit" -command "manSave; exit 0" -padx 4
+- if {!$manx(quit)} {$w.quit configure -command "exit 0"}
++ button $w.quit -text "Quit" -command "manSave; CLEANUP; exit 0" -padx 4
++ if {!$manx(quit)} {$w.quit configure -command "CLEANUP; exit 0"}
+ if {$dup} {
+ $w.quit configure -text "Close" -command "
+ destroy $w; incr manx(outcnt) -1; manOutput
+diff -urN tkman-2.2~/manpath.tcl tkman-2.2/manpath.tcl
+--- tkman-2.2~/manpath.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/manpath.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -138,6 +138,7 @@
+ if {![llength $manx(paths)]} {
+ if {$manx(manpath-warnings) ne ""} {puts stderr $manx(manpath-warnings)}
+ puts stderr "NO VALID DIRECTORIES IN MANPATH!\a"
++ CLEANUP
+ exit 1
+ }
+ }
+diff -urN tkman-2.2~/prefs.tcl tkman-2.2/prefs.tcl
+--- tkman-2.2~/prefs.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/prefs.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -365,7 +365,7 @@
+ pack $g.nroffsave $g.columns $g.fsstnd-always $g.texinfodir $g.recentdays $g.preferTexinfo $g.tryfuzzy $g.preferGNU \
+ $g.maxglimpse $g.maxglimpseexcerpt $g.indexglimpse $g.glimpsestrays $g.indexalso \
+ -fill x -pady 3 -padx 4
+- if {![string match "*groff*/tmp/ll -*" $man(format)]} {pack forget $g.columns}
++ if {![string match "*groff*$manx(longtmp) -*" $man(format)]} {pack forget $g.columns}
+
+
+
+@@ -791,7 +791,7 @@
+ bold {set weight "bold"}
+ italics {set slant "italic"}
+ bold-italics {set weight "bold"; set slant "italic"}
+- default {puts stderr "nonexistent style: $style"; exit 1}
++ default {puts stderr "nonexistent style: $style"; CLEANUP; exit 1}
+ }
+
+ # specify s,m,l within small,medium,large; or set absolute point size
+diff -urN tkman-2.2~/taputils.tcl tkman-2.2/taputils.tcl
+--- tkman-2.2~/taputils.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/taputils.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -98,7 +98,7 @@
+ proc assert {bool msg {boom 0}} {
+ if {!$bool} {
+ puts stderr $msg
+- if {$boom} {exit 1}
++ if {$boom} {CLEANUP; exit 1}
+ }
+ }
+
+diff -urN tkman-2.2~/tkman.tcl tkman-2.2/tkman.tcl
+--- tkman-2.2~/tkman.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/tkman.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -539,7 +539,7 @@
+ proc manMenuFit {m} {
+ global man manx
+
+- if {[winfo class $m]!="Menu"} {puts stderr "$m not of Menu class"; exit 1}
++ if {[winfo class $m]!="Menu"} {puts stderr "$m not of Menu class"; CLEANUP; exit 1}
+ if {[$m index last] eq "none"} return
+
+ set sh [winfo screenheight $m]
+@@ -1827,7 +1827,7 @@
+ if {$inx<[llength $manx(binvars)]} {
+ after 1000 manBinCheck $inx $err
+ } else {
+- if {$err} {exit 1}
++ if {$err} {CLEANUP; exit 1}
+ .occ entryconfigure "Statistics*" -state normal
+ }
+
+@@ -1850,6 +1850,7 @@
+ }
+ puts -nonewline "tkman"
+ foreach line [split [textmanip::linebreak $helptxt 70] "\n"] { puts "\t$line" }
++ CLEANUP
+ exit 0
+ }
+ -M {set env(MANPATH) $val; incr i}
+@@ -1868,11 +1869,11 @@
+ -start* {set manx(startup) $val; incr i}
+ -data* {puts stderr "-database option obsolete: database kept in memory"; incr i}
+ --v* -
+- -v* {puts stdout "TkMan v$manx(version) of $manx(date)"; exit 0}
++ -v* {puts stdout "TkMan v$manx(version) of $manx(date)"; CLEANUP; exit 0}
+ -t* {set manx(title) $val; incr i}
+ -d* {set manx(debug) 1; set manx(quit) 0; set manx(iconify) 0}
+ -nod* {set manx(debug) 0}
+- -* {puts stdout "[file tail $argv0]: unrecognized option: $arg"; exit 1}
++ -* {puts stdout "[file tail $argv0]: unrecognized option: $arg"; CLEANUP; exit 1}
+ default {
+ after 2000 manShowMan $arg {{}} .man
+ # permit several??? add extras to History?
+@@ -1888,6 +1889,7 @@
+ proc ASSERT {args} {
+ if {![uplevel 1 eval $args]} {
+ puts "ASSERTION VIOLATED: $args"
++ CLEANUP
+ exit 1
+ }
+ }
+@@ -1906,7 +1908,10 @@
+ set manx(lastclick) $clicknow
+ }
+
+-
++proc CLEANUP {} {
++ global manx
++ if { [file exists $manx(longtmp)] == 1 } { file delete $manx(longtmp) }
++}
+
+
+ ##################################################
+@@ -1919,6 +1924,7 @@
+ if {[package vcompare [info tclversion] $manx(mintcl)]==-1 || [package vcompare $tk_version $manx(mintk)]==-1} {
+ puts -nonewline stderr "Tcl $manx(mintcl)/Tk $manx(mintk) minimum versions required. "
+ puts stderr "You have Tcl [info tclversion]/Tk $tk_version"
++ CLEANUP
+ exit 1
+ } elseif {int([info tclversion])-int($manx(mintcl))>=1 || int($tk_version)-int($manx(mintk))>=1} {
+ puts stderr "New major versions of Tcl and/or Tk may have introduced\nincompatibilies in TkMan.\nCheck the TkMan home site for a possible new version.\n"
+@@ -2111,7 +2117,6 @@
+ set manx(line-scale) 1; set manx(screen-scale) 45; set manx(page-scale) [expr int(60*1.5)]
+ set man(error-effect) "bell & flash"; set manx(error-effect-v) [set manx(error-effect-t) {"bell & flash" "bell" "flash" "none"}]
+ set man(columns) 65; set manx(columns-v) {65 90 130 5000}; set manx(columns-t) {"65 (most compatible)" 90 130 "wrap to screen width"}; # no one would want shorter lines
+-set manx(longtmp) /tmp/ll
+ set man(volcol) 4.0c; set manx(volcol-v) {0 1.5c 2.0c 2.5c 3.0c 3.5c 4.0c 4.5c 5.0c 7.5c 10.0c}; set manx(volcol-t) {"no columns" "1.5 cm" "2 cm" "2.5 cm/~1 inch" "3 cm" "3.5 cm" "4 cm" "4.5 cm" "5.0 cm/~2 inches" "7.5 cm" "10 cm"}
+ set man(apropostab) "4.5c"; set manx(apropostab-v) {0 3.0c 4.0c 4.5c 5.0c 5.5c 6.0c 7.5c 10.0c}; set manx(apropostab-t) {"none" "3 cm" "4 cm" "4.5 cm" "5 cm" "5.5 cm" "6 cm" "7.5 cm" "10 cm"}
+ #set man(showoutsub) ""
+@@ -2258,7 +2263,7 @@
+ regexp {(\d\d\d\d)/(\d\d)/(\d\d)} {$Date: 2003/04/01 23:02:52 $} manx(date) y m d
+ set manx(mtime) [clock scan "$m/$d/$y"]
+ set manx(stray-warnings) ""
+-if {[catch {set default(manList) 0}]} {puts "\aBLT conflicts with TkMan."; exit 1}
++if {[catch {set default(manList) 0}]} {puts "\aBLT conflicts with TkMan."; CLEANUP; exit 1}
+ set manx(manList) $man(manList)
+ set manx(manTitleList) $man(manTitleList)
+ set manx(userconfig) "### your additions go below"
+@@ -2385,6 +2390,7 @@
+ if {[string match "#!*" [gets $fid line]]} {
+ puts stderr "$manx(startup) looks like an executable."
+ puts stderr "You should delete it, probably."
++ CLEANUP
+ exit 1
+ }
+
+@@ -2613,6 +2619,7 @@
+
+ if {[llength $man(manList)]!=[llength $man(manTitleList)]} {
+ puts stderr "Length of section abbreviations differs from length of section titles:\n\nlength [llength $man(manList)]:\t$man(manList)\n\nlength [llength $man(manTitleList)]:\t$man(manTitleList)"
++ CLEANUP
+ exit 1
+ }
+
+diff -urN tkman-2.2~/tkmandesc.tcl tkman-2.2/tkmandesc.tcl
+--- tkman-2.2~/tkmandesc.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/tkmandesc.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -152,6 +152,7 @@
+ foreach n [concat $from $to] {
+ if {[lsearch $mani(manList) $n]==-1} {
+ puts stderr "$cmd: Section letter `$n' doesn't exist."
++ CLEANUP
+ exit 1
+ }
+ }
+diff -urN tkman-2.2~/version.tcl tkman-2.2/version.tcl
+--- tkman-2.2~/version.tcl 2003-04-01 17:31:38.000000000 -0600
++++ tkman-2.2/version.tcl 2008-12-05 17:37:55.000000000 -0600
+@@ -80,7 +80,7 @@
+
+ ### collect diffs
+ # diff needs at least one of them to be a real file. want text of previous version around anyhow
+- set tmpf /tmp/tkman[pid]
++ set tmpf [exec mktemp -p /tmp tkman.XXXXXXXXXX]
+ # $man(changeleft) $man(zaphy) -- obsolete options
+ set format "$man(format) | $manx(rman) -f ASCII -N"
+ #puts "creating $tmpf (old)"
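Review bot: CLEANUP, added in the tkman.tcl part of this patch, deletes only `$manx(longtmp)`, so the second mktemp file introduced in version.tcl (`set tmpf [exec mktemp -p /tmp tkman.XXXXXXXXXX]`) has no removal visible here and may be left in /tmp after each use; that proc continues outside the hunk, so an existing `file delete $tmpf` further down should be confirmed. CLEANUP is also called from contrib/outline.tcl, contrib/remote.tcl and contrib/tkmanclient, which look like standalone scripts; if they do not source tkman.tcl, the call fails as an unknown command before `exit` is reached. Because the path is substituted into `man(format)` when the generated script starts, it is worth checking that `man(format)` is never written to the user's startup file, otherwise a later run could reuse a name that CLEANUP has already freed. The proc body can simply be `file delete -- $manx(longtmp)`, since Tcl's `file delete` does not treat a missing file as an error and the separate `file exists` test only adds a check-then-act window.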
diff --git a/app-text/tkman/files/tkman.desktop b/app-text/tkman/files/tkman.desktop
index 3c34d5808df6..322af4bde940 100644
--- a/app-text/tkman/files/tkman.desktop
+++ b/app-text/tkman/files/tkman.desktop
@@ -5,5 +5,5 @@ Exec=tkman
Icon=TkMan.gif
Terminal=false
Type=Application
-Categories=Application;Utility
+Categories=Application;Utility;
diff --git a/app-text/tkman/tkman-2.1-r1.ebuild b/app-text/tkman/tkman-2.1-r1.ebuild
index 02d05613c16d..b789807ecc4b 100644
--- a/app-text/tkman/tkman-2.1-r1.ebuild
+++ b/app-text/tkman/tkman-2.1-r1.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2005 Gentoo Foundation
+# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-text/tkman/tkman-2.1-r1.ebuild,v 1.12 2005/01/01 16:38:51 eradicator Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-text/tkman/tkman-2.1-r1.ebuild,v 1.13 2009/07/13 00:49:43 rbu Exp $
inherit eutils
@@ -16,16 +16,17 @@ IUSE=""
DEPEND=">=app-text/rman-3.0.9
>=dev-lang/tcl-8.3.3
>=dev-lang/tk-8.3.3"
+RDEPEND="${DEPEND}"
src_unpack() {
unpack ${A}
- cd ${WORKDIR}
- epatch ${FILESDIR}/${PF}-gentoo.diff
+ cd "${WORKDIR}"
+ epatch "${FILESDIR}"/${PF}-gentoo.diff
# A workaround until app-text/rman-3.1 is stable
has_version '>=sys-apps/groff-1.18' \
has_version '<app-text/rman-3.1' \
- && sed -i -e "s:groff -te -Tlatin1:groff -P -c -te -Tlatin1:" ${S}/Makefile
+ && sed -i -e "s:groff -te -Tlatin1:groff -P -c -te -Tlatin1:" "${S}"/Makefile
}
src_compile() {
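Review bot: tkman-2.1-r1 stays in the tree without the CVE-2008-5137 fix: src_unpack still runs only `epatch "${FILESDIR}"/${PF}-gentoo.diff`, and the sed below it edits the same `groff -te -Tlatin1` Makefile line that the 2.2 patch changes away from `/tmp/ll`, so 2.1 presumably has the same fixed temporary path. If 2.1 is affected, this ebuild should either get an equivalent patch or be removed or masked in the same commit, with a comment such as `# still affected by CVE-2008-5137, bug #247540` until then. Separately, in the context lines the first `has_version ... \` continuation has no `&&` before the second `has_version`, so the rman test appears to be passed as extra arguments instead of being evaluated; `has_version '>=sys-apps/groff-1.18' && \` looks like the intended form. src_compile continues outside the hunk.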
diff --git a/app-text/tkman/tkman-2.2.ebuild b/app-text/tkman/tkman-2.2-r1.ebuild
index 4e8182b7e572..98939b5c89e5 100644
--- a/app-text/tkman/tkman-2.2.ebuild
+++ b/app-text/tkman/tkman-2.2-r1.ebuild
@@ -1,7 +1,8 @@
-# Copyright 1999-2005 Gentoo Foundation
+# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-text/tkman/tkman-2.2.ebuild,v 1.7 2005/01/01 16:38:51 eradicator Exp $
+# $Header:
+EAPI=2
inherit eutils
DESCRIPTION="TkMan man and info page browser"
@@ -10,26 +11,22 @@ SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
LICENSE="Artistic"
SLOT="0"
-KEYWORDS="~x86 ~ppc ~sparc"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
IUSE=""
DEPEND=">=app-text/rman-3.1
>=dev-lang/tcl-8.4
>=dev-lang/tk-8.4"
+RDEPEND="${DEPEND}"
-src_unpack() {
- unpack ${A}
- cd ${WORKDIR}
- epatch ${FILESDIR}/${PF}-gentoo.diff
-}
-
-src_compile() {
- emake || die
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-2.2-gentoo.diff
+ epatch "${FILESDIR}"/${PN}-CVE-2008-5137.diff #bug 247540
}
src_install() {
dodir /usr/bin
- make DESTDIR=${D} install || die
+ make DESTDIR="${D}" install || die
dodoc ANNOUNCE-tkman.txt CHANGES README-tkman manual.html
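Review bot: The CVE patch applied in src_prepare makes the installed script run `exec mktemp -p /tmp tkman.XXXXXXXXXX` at startup, but `RDEPEND="${DEPEND}"` lists only rman, tcl and tk. If the ebuild relies on the base system providing a mktemp that accepts `-p`, a comment next to RDEPEND saying so would help, for example `# tkman-CVE-2008-5137.diff calls mktemp(1) at runtime`; otherwise the providing package belongs in RDEPEND. In src_install, `make DESTDIR="${D}" install || die` could use `emake` for consistency with the default src_compile this revision now relies on. src_install continues outside the hunk.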
@@ -37,5 +34,5 @@ src_install() {
doins contrib/TkMan.gif
insinto /usr/share/applications
- doins ${FILESDIR}/tkman.desktop
+ doins "${FILESDIR}"/tkman.desktop
}