Fix insecure tmpfile usage #209927

(Portage version: 2.1.4.4)

3 files changed, 138 insertions, 2 deletions

diff --git a/dev-lang/wml/ChangeLog b/dev-lang/wml/ChangeLog
index 13bf1688e620..95f78cdaa41b 100644
--- a/dev-lang/wml/ChangeLog
+++ b/dev-lang/wml/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for dev-lang/wml
-# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/ChangeLog,v 1.37 2007/12/23 13:14:16 graaff Exp $
+# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/ChangeLog,v 1.38 2008/02/29 15:31:49 graaff Exp $
+
+*wml-2.0.11-r3 (29 Feb 2008)
+
+  29 Feb 2008; Hans de Graaff <graaff@gentoo.org>
+  +files/wml-2.0.11-tmpfile.patch, +wml-2.0.11-r3.ebuild:
+  Fix insecure temporary file usage (CVE-2008-0665, CVE-2008-0666), Gentoo bug
+  #209927, based on a patch by Debian.
 
 *wml-2.0.11-r2 (23 Dec 2007)
 
diff --git a/dev-lang/wml/files/wml-2.0.11-tmpfile.patch b/dev-lang/wml/files/wml-2.0.11-tmpfile.patch
new file mode 100644
index 000000000000..d8cfccd9e442
--- /dev/null
+++ b/dev-lang/wml/files/wml-2.0.11-tmpfile.patch
@@ -0,0 +1,68 @@
+This patch fixes insecure tmpfile usage as mentioned in #209927. It is
+essentially the debian patch mentioned in that bug report.
+
+diff -u wml-2.0.11/wml_contrib/wmg.cgi wml-2.0.11/wml_contrib/wmg.cgi
+--- wml-2.0.11/wml_contrib/wmg.cgi
++++ wml-2.0.11/wml_contrib/wmg.cgi
+@@ -366,14 +366,7 @@
+         ($w, $h, $t) = Image::Size::imgsize(\$contents);
+         if ($w*$h == 1) {
+             #   read image into GD
+-            $tmpfile = "/tmp/pe.tmp.$$";
+-            unlink($tmpfile);
+-            open(TMP, ">$tmpfile");
+-            print TMP $contents;
+-            close(TMP);
+-            open(TMP, "<$tmpfile");
+-            $tmpimg = newFromGif GD::Image(TMP);
+-            close(TMP);
++            $tmpimg = newFromGifData GD::Image($contents);
+             unlink($tmpfile);
+             if ($tmpimg->transparent != -1) {
+                 my $im = new GD::Image($w, $h);
+diff -u wml-2.0.11/wml_backend/p1_ipp/ipp.src wml-2.0.11/wml_backend/p1_ipp/ipp.src
+--- wml-2.0.11/wml_backend/p1_ipp/ipp.src	2005-12-01 18:50:13.000000000 +0100
++++ wml-2.0.11/wml_backend/p1_ipp/ipp.src	2008-02-29 16:06:15.000000000 +0100
+@@ -17,6 +17,7 @@
+ use Getopt::Long 2.13;
+ use IO::Handle 1.15;
+ use IO::File 1.06;
++use File::Temp qw/ mkdtemp /;
+ 
+ #
+ #   help functions
+@@ -564,8 +565,8 @@
+ #
+ #   process the pre-loaded include files
+ #
+-$tmpdir = $ENV{'TMPDIR'} || '/tmp';
+-$tmpfile = $tmpdir . "/ipp.$$.tmp";
++my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
++$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";$tmpfile = $tmpdir . "/ipp.$$.tmp";
+ unlink($tmpfile);
+ $tmp = new IO::File;
+ $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
+--- wml-2.0.11.orig/wml_backend/p3_eperl/eperl_sys.c
++++ wml-2.0.11/wml_backend/p3_eperl/eperl_sys.c
+@@ -211,13 +211,20 @@
+ {
+     char ca[1024];
+     char *cp, *tmpdir;
++	char tmpfile[] = "eperl_sourceXXXXXX";
+     int i;
++	int fd = -1;
+ 
+     tmpdir = getenv ("TMPDIR");
+     if (tmpdir == (char *) NULL)
+         tmpdir="/tmp";
+ 
+-    snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
++	snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
++	if ((fd = mkstemp(ca)) == -1) {
++		perror("Cannot create tmpfile");
++		return NULL;
++	}
++	close(fd);
+     ca[sizeof(ca)-1] = NUL;
+     cp = strdup(ca);
+     for (i = 0; mytmpfiles[i] != NULL; i++)
diff --git a/dev-lang/wml/wml-2.0.11-r3.ebuild b/dev-lang/wml/wml-2.0.11-r3.ebuild
new file mode 100644
index 000000000000..1d32b98a10d9
--- /dev/null
+++ b/dev-lang/wml/wml-2.0.11-r3.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-lang/wml/wml-2.0.11-r3.ebuild,v 1.1 2008/02/29 15:31:49 graaff Exp $
+
+inherit fixheadtails eutils autotools multilib
+
+DESCRIPTION="Website META Language"
+HOMEPAGE="http://thewml.org/"
+SRC_URI="http://thewml.org/distrib/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ia64 ~ppc ~s390 ~sparc ~x86"
+IUSE=""
+
+DEPEND="dev-libs/libpcre
+	dev-lang/perl"
+
+src_unpack() {
+	unpack ${A}
+	ht_fix_all
+	cd "${S}"
+
+	epatch "${FILESDIR}/wml-2.0.9-gcc41.patch"
+	epatch "${FILESDIR}/wml-2.0.9-autotools-update.patch"
+	epatch "${FILESDIR}/wml-2.0.11-tmpfile.patch"
+
+	einfo "Patching Makefile.in files to fix various problems"
+	# Patch Makefile to avoid stripping binaries
+	for m in $(find "${S}" -name Makefile.in -print); do
+		sed -i -e "s/-m 755 -s/-m 755/" "${m}" || die "Could not run sed on ${m}"
+		sed -i -e "/^libdir.*/s::libdir = \$(prefix)/$(get_libdir)\$(libsubdir):" "${m}" || die "Could not run sed on ${m}"
+	done
+
+	# Patch Makefile to avoid a dependency on lynx just for documentation
+	sed -i -e "s/lynx -dump -nolist -width=72/cat/" wml_aux/tidy/Makefile.in || die
+
+	for d in $(find "${S}" \( -name configure.ac -o -name configure.in \) -exec dirname {} \;); do
+		pushd ${d} &>/dev/null
+		AT_NOELIBTOOLIZE="yes" eautoreconf
+		popd &>/dev/null
+	done
+
+	elibtoolize
+}
+
+src_compile() {
+	econf --libdir=/usr/$(get_libdir) || die "./configure failed"
+	emake || die "emake failed"
+}
+
+# The default src_test first checks if 'make test' is possible using the '-n'
+# option of make, but this messes up the tests completely.
+src_test() {
+	emake -j1 test
+}
+
+src_install() {
+	einstall || die
+	dodoc ANNOUNCE BUGREPORT C* INSTALL MANIFEST README* SUPPORT VERSION*
+}