authorAlexis Ballier <aballier@gentoo.org>2008-01-26 10:38:19 +0000
committerAlexis Ballier <aballier@gentoo.org>2008-01-26 10:38:19 +0000
commitc548ac93e28157be16d37160049509246200ab20 (patch)
tree68d2bb60a1f16b96ef8777fdca28836a2d8cff90 /media-sound/audacity
parentDropped ppc-macos keyword, see you in prefix (diff)
Add a patch for temporary file vulnerability (CVE-2007-6061), bug #199751. It will set the default temporary file location to the user home directory and discard preferences if it is in /tmp.
(Portage version: 2.1.4)
Diffstat (limited to 'media-sound/audacity')
-rw-r--r--media-sound/audacity/ChangeLog10
-rw-r--r--media-sound/audacity/audacity-1.3.4-r1.ebuild97
-rw-r--r--media-sound/audacity/files/CVE-2007-6061.patch22
-rw-r--r--media-sound/audacity/files/digest-audacity-1.3.4-r13
4 files changed, 131 insertions, 1 deletions
diff --git a/media-sound/audacity/ChangeLog b/media-sound/audacity/ChangeLog
index e0c9c5d03799..5acd324cdf1f 100644
--- a/media-sound/audacity/ChangeLog
+++ b/media-sound/audacity/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for media-sound/audacity
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/ChangeLog,v 1.78 2008/01/13 19:34:46 aballier Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/ChangeLog,v 1.79 2008/01/26 10:38:18 aballier Exp $
+
+*audacity-1.3.4-r1 (26 Jan 2008)
+
+ 26 Jan 2008; Alexis Ballier <aballier@gentoo.org>
+ +files/CVE-2007-6061.patch, +audacity-1.3.4-r1.ebuild:
+ Add a patch for temporary file vulnerablilty (CVE-2007-6061), bug #199751.
+ It will set the default temporary file location to the user home directory
+ add discard preferences if it is in /tmp.
13 Jan 2008; Alexis Ballier <aballier@gentoo.org>
audacity-1.3.2-r1.ebuild, audacity-1.3.4.ebuild:
diff --git a/media-sound/audacity/audacity-1.3.4-r1.ebuild b/media-sound/audacity/audacity-1.3.4-r1.ebuild
new file mode 100644
index 000000000000..771c1ce77438
--- /dev/null
+++ b/media-sound/audacity/audacity-1.3.4-r1.ebuild
@@ -0,0 +1,97 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/audacity-1.3.4-r1.ebuild,v 1.1 2008/01/26 10:38:18 aballier Exp $
+
+inherit eutils wxwidgets
+
+IUSE="flac id3tag ladspa libsamplerate mp3 soundtouch twolame unicode vamp vorbis"
+
+MY_P="${PN}-src-${PV}"
+DESCRIPTION="Free crossplatform audio editor"
+HOMEPAGE="http://audacity.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
+RESTRICT="test"
+
+COMMON_DEPEND="=x11-libs/wxGTK-2.6*
+ >=app-arch/zip-2.3
+ dev-libs/expat
+ >=media-libs/libsndfile-1.0.0
+ soundtouch? ( >=media-libs/libsoundtouch-1.3.1 )
+ vorbis? ( >=media-libs/libvorbis-1.0 )
+ mp3? ( >=media-libs/libmad-0.14.2b )
+ id3tag? ( media-libs/libid3tag )
+ flac? ( media-libs/flac )
+ libsamplerate? ( >=media-libs/libsamplerate-0.1.2 )
+ vamp? ( media-libs/vamp-plugin-sdk )
+ twolame? ( media-sound/twolame )"
+RDEPEND="${COMMON_DEPEND}
+ mp3? ( >=media-sound/lame-3.70 )"
+DEPEND="${COMMON_DEPEND}
+ dev-util/pkgconfig"
+
+S="${WORKDIR}/${MY_P}-beta"
+
+pkg_setup() {
+ if use flac && ! built_with_use --missing true media-libs/flac cxx; then
+ eerror "To build ${PN} with flac support you need the C++ bindings for flac."
+ eerror "Please enable the cxx USE flag for media-libs/flac"
+ die "Missing FLAC C++ bindings."
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+
+ cd "${S}"
+
+ epatch "${FILESDIR}/${P}-nolibfailure.patch"
+ epatch "${FILESDIR}/CVE-2007-6061.patch"
+}
+
+src_compile() {
+ WX_GTK_VER="2.6"
+
+ if use unicode; then
+ need-wxwidgets unicode
+ else
+ need-wxwidgets gtk2
+ fi
+
+ econf \
+ --with-libexpat=system \
+ $(use_enable unicode) \
+ $(use_with ladspa) \
+ $(use_with vorbis) \
+ $(use_with mp3 libmad) \
+ $(use_with id3tag) \
+ $(use_with flac libflac) \
+ $(use_enable vamp) \
+ $(use_with twolame libtwolame) \
+ $(use_with soundtouch) \
+ $(use_with libsamplerate) \
+ || die
+
+ emake || die
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die
+
+ # Remove bad doc install
+ rm -rf "${D}"/usr/share/doc
+
+ # Install our docs
+ dodoc README.txt
+}
+
+pkg_postinst() {
+ ewarn "For security reasons, audacity temporary directory"
+ ewarn "has been moved to your home directory."
+ ewarn "This version will not allow you to set it in /tmp"
+ ewarn "and will discard your preferences if it is there."
+ ewarn "See bug #199751 for more information."
+}
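Review bot: In src_unpack the security patch is applied as `epatch "${FILESDIR}/CVE-2007-6061.patch"`, without the `${P}-` prefix used for the nolibfailure patch on the line above. The patch's own headers target `audacity-src-1.3.4-beta/src/AudacityApp.cpp` at fixed offsets, so it is version-specific. Naming it `${P}-CVE-2007-6061.patch` would make that explicit and stop a later version bump from silently reusing a fix that may no longer apply. A one-line comment above the call, such as `# Security: bug #199751, keep temp dir out of /tmp`, would also tell the next maintainer that this patch must not be dropped without checking upstream.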
diff --git a/media-sound/audacity/files/CVE-2007-6061.patch b/media-sound/audacity/files/CVE-2007-6061.patch
new file mode 100644
index 000000000000..d80ae681ffb1
--- /dev/null
+++ b/media-sound/audacity/files/CVE-2007-6061.patch
@@ -0,0 +1,22 @@
+Index: audacity-src-1.3.4-beta/src/AudacityApp.cpp
+===================================================================
+--- audacity-src-1.3.4-beta.orig/src/AudacityApp.cpp
++++ audacity-src-1.3.4-beta/src/AudacityApp.cpp
+@@ -573,7 +573,7 @@ bool AudacityApp::OnInit()
+ // * The user's .audacity-files directory in their home directory
+ // * The "share" and "share/doc" directories in their install path
+ #ifdef __WXGTK__
+- defaultTempDir.Printf(wxT("/tmp/audacity%d.%d-%s"),
++ defaultTempDir.Printf(wxT("%s/.audacity%d.%d-%s"), home.c_str(),
+ AUDACITY_VERSION, AUDACITY_RELEASE, wxGetUserId().c_str());
+
+ wxString pathVar = wxGetenv(wxT("AUDACITY_PATH"));
+@@ -996,7 +996,7 @@ bool AudacityApp::InitTempDir()
+ wxString temp = wxT("");
+
+ #ifdef __WXGTK__
+- if (tempFromPrefs.GetChar(0) != wxT('/'))
++ if (tempFromPrefs.GetChar(0) != wxT('/') || tempFromPrefs.compare(0,4, wxT("/tmp")) == 0)
+ tempFromPrefs = wxT("");
+ #endif
+
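Review bot: The new test in InitTempDir, `tempFromPrefs.compare(0,4, wxT("/tmp")) == 0`, is a raw string-prefix deny-list. It discards unrelated paths such as `/tmpfiles/...`, while a stored preference under another world-writable location (`/var/tmp`, `/dev/shm`) or one that reaches /tmp through `..` or a symlink is still accepted. At minimum, match a whole path component: `tempFromPrefs == wxT("/tmp") || tempFromPrefs.StartsWith(wxT("/tmp/"))`. The sturdier fix is to validate the directory rather than its name: create it with mode 0700 and refuse to use one that already exists as a symlink or is not owned by the current user. In the OnInit hunk, `home` is not declared in the visible context; it is presumably set earlier in the function, and an empty value would make the default `/.audacity…`, so a guard is worth adding. Both functions continue outside the hunks shown.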
diff --git a/media-sound/audacity/files/digest-audacity-1.3.4-r1 b/media-sound/audacity/files/digest-audacity-1.3.4-r1
new file mode 100644
index 000000000000..2d4ac9d624db
--- /dev/null
+++ b/media-sound/audacity/files/digest-audacity-1.3.4-r1
@@ -0,0 +1,3 @@
+MD5 6c4ada9085f916b5ae1675eaa4754442 audacity-src-1.3.4.tar.bz2 4349381
+RMD160 754d81fb0e660d697e7c315c41f28584917e0a9e audacity-src-1.3.4.tar.bz2 4349381
+SHA256 102d60e48e1928f3fd995a214ed9ba872929c6365cf5f784f107f351b42499f9 audacity-src-1.3.4.tar.bz2 4349381