From c548ac93e28157be16d37160049509246200ab20 Mon Sep 17 00:00:00 2001 From: Alexis Ballier Date: Sat, 26 Jan 2008 10:38:19 +0000 Subject: Add a patch for temporary file vulnerablilty (CVE-2007-6061), bug #199751. It will set the default temporary file location to the user home directory add discard preferences if it is in /tmp. (Portage version: 2.1.4) --- media-sound/audacity/ChangeLog | 10 ++- media-sound/audacity/audacity-1.3.4-r1.ebuild | 97 ++++++++++++++++++++++ media-sound/audacity/files/CVE-2007-6061.patch | 22 +++++ .../audacity/files/digest-audacity-1.3.4-r1 | 3 + 4 files changed, 131 insertions(+), 1 deletion(-) create mode 100644 media-sound/audacity/audacity-1.3.4-r1.ebuild create mode 100644 media-sound/audacity/files/CVE-2007-6061.patch create mode 100644 media-sound/audacity/files/digest-audacity-1.3.4-r1 (limited to 'media-sound/audacity') diff --git a/media-sound/audacity/ChangeLog b/media-sound/audacity/ChangeLog index e0c9c5d03799..5acd324cdf1f 100644 --- a/media-sound/audacity/ChangeLog +++ b/media-sound/audacity/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for media-sound/audacity # Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/ChangeLog,v 1.78 2008/01/13 19:34:46 aballier Exp $ +# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/ChangeLog,v 1.79 2008/01/26 10:38:18 aballier Exp $ + +*audacity-1.3.4-r1 (26 Jan 2008) + + 26 Jan 2008; Alexis Ballier + +files/CVE-2007-6061.patch, +audacity-1.3.4-r1.ebuild: + Add a patch for temporary file vulnerablilty (CVE-2007-6061), bug #199751. + It will set the default temporary file location to the user home directory + add discard preferences if it is in /tmp. 13 Jan 2008; Alexis Ballier audacity-1.3.2-r1.ebuild, audacity-1.3.4.ebuild: diff --git a/media-sound/audacity/audacity-1.3.4-r1.ebuild b/media-sound/audacity/audacity-1.3.4-r1.ebuild new file mode 100644 index 000000000000..771c1ce77438 --- /dev/null 
+++ b/media-sound/audacity/audacity-1.3.4-r1.ebuild 
@@ -0,0 +1,97 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/audacity-1.3.4-r1.ebuild,v 1.1 2008/01/26 10:38:18 aballier Exp $
+
+inherit eutils wxwidgets
+
+IUSE="flac id3tag ladspa libsamplerate mp3 soundtouch twolame unicode vamp vorbis"
+
+MY_P="${PN}-src-${PV}"
+DESCRIPTION="Free crossplatform audio editor"
+HOMEPAGE="http://audacity.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
+RESTRICT="test"
+
+COMMON_DEPEND="=x11-libs/wxGTK-2.6*
+ >=app-arch/zip-2.3
+ dev-libs/expat
+ >=media-libs/libsndfile-1.0.0
+ soundtouch? ( >=media-libs/libsoundtouch-1.3.1 )
+ vorbis? ( >=media-libs/libvorbis-1.0 )
+ mp3? ( >=media-libs/libmad-0.14.2b )
+ id3tag? ( media-libs/libid3tag )
+ flac? ( media-libs/flac )
+ libsamplerate? ( >=media-libs/libsamplerate-0.1.2 )
+ vamp? ( media-libs/vamp-plugin-sdk )
+ twolame? ( media-sound/twolame )"
+RDEPEND="${COMMON_DEPEND}
+ mp3? ( >=media-sound/lame-3.70 )"
+DEPEND="${COMMON_DEPEND}
+ dev-util/pkgconfig"
+
+S="${WORKDIR}/${MY_P}-beta"
+
+pkg_setup() {
+ if use flac && ! built_with_use --missing true media-libs/flac cxx; then
+ eerror "To build ${PN} with flac support you need the C++ bindings for flac."
+ eerror "Please enable the cxx USE flag for media-libs/flac"
+ die "Missing FLAC C++ bindings."
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+
+ cd "${S}"
+
+ epatch "${FILESDIR}/${P}-nolibfailure.patch"
+ epatch "${FILESDIR}/CVE-2007-6061.patch"
+}
+
+src_compile() {
+ WX_GTK_VER="2.6"
+
+ if use unicode; then
+ need-wxwidgets unicode
+ else
+ need-wxwidgets gtk2
+ fi
+
+ econf \
+ --with-libexpat=system \
+ $(use_enable unicode) \
+ $(use_with ladspa) \
+ $(use_with vorbis) \
+ $(use_with mp3 libmad) \
+ $(use_with id3tag) \
+ $(use_with flac libflac) \
+ $(use_enable vamp) \
+ $(use_with twolame libtwolame) \
+ $(use_with soundtouch) \
+ $(use_with libsamplerate) \
+ || die
+
+ emake || die
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die
+
+ # Remove bad doc install
+ rm -rf "${D}"/usr/share/doc
+
+ # Install our docs
+ dodoc README.txt
+}
+
+pkg_postinst() {
+ ewarn "For security reasons, audacity temporary directory"
+ ewarn "has been moved to your home directory."
+ ewarn "This version will not allow you to set it in /tmp"
+ ewarn "and will discard your preferences if it is there."
+ ewarn "See bug #199751 for more information."
+}
diff --git a/media-sound/audacity/files/CVE-2007-6061.patch b/media-sound/audacity/files/CVE-2007-6061.patch
new file mode 100644
index 000000000000..d80ae681ffb1
--- /dev/null
+++ b/media-sound/audacity/files/CVE-2007-6061.patch
@@ -0,0 +1,22 @@
+Index: audacity-src-1.3.4-beta/src/AudacityApp.cpp
+===================================================================
+--- audacity-src-1.3.4-beta.orig/src/AudacityApp.cpp
++++ audacity-src-1.3.4-beta/src/AudacityApp.cpp
+@@ -573,7 +573,7 @@ bool AudacityApp::OnInit()
+ // * The user's .audacity-files directory in their home directory
+ // * The "share" and "share/doc" directories in their install path
+ #ifdef __WXGTK__
+- defaultTempDir.Printf(wxT("/tmp/audacity%d.%d-%s"),
++ defaultTempDir.Printf(wxT("%s/.audacity%d.%d-%s"), home.c_str(),
+ AUDACITY_VERSION, AUDACITY_RELEASE, wxGetUserId().c_str());
+
+ wxString pathVar = wxGetenv(wxT("AUDACITY_PATH"));
+@@ -996,7 +996,7 @@ bool AudacityApp::InitTempDir()
+ wxString temp = wxT("");
+
+ #ifdef __WXGTK__
+- if (tempFromPrefs.GetChar(0) != wxT('/'))
++ if (tempFromPrefs.GetChar(0) != wxT('/') || tempFromPrefs.compare(0,4, wxT("/tmp")) == 0)
+ tempFromPrefs = wxT("");
+ #endif
+
diff --git a/media-sound/audacity/files/digest-audacity-1.3.4-r1 b/media-sound/audacity/files/digest-audacity-1.3.4-r1
new file mode 100644
index 000000000000..2d4ac9d624db
--- /dev/null
+++ b/media-sound/audacity/files/digest-audacity-1.3.4-r1
@@ -0,0 +1,3 @@
+MD5 6c4ada9085f916b5ae1675eaa4754442 audacity-src-1.3.4.tar.bz2 4349381
+RMD160 754d81fb0e660d697e7c315c41f28584917e0a9e audacity-src-1.3.4.tar.bz2 4349381
+SHA256 102d60e48e1928f3fd995a214ed9ba872929c6365cf5f784f107f351b42499f9 audacity-src-1.3.4.tar.bz2 4349381
-- cgit v1.2.3-65-gdbad
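Review bot: In the embedded `InitTempDir()` hunk, `tempFromPrefs.compare(0,4, wxT("/tmp")) == 0` matches on the first four characters only, so it throws away preferences for unrelated directories such as `/tmpdata/...` while still accepting other shared, world-writable locations like `/var/tmp` and any spelling that merely resolves into `/tmp`. Matching on the directory boundary removes the false positives, e.g. `tempFromPrefs == wxT("/tmp") || tempFromPrefs.StartsWith(wxT("/tmp/"))`, and an `IsEmpty()` test ahead of `GetChar(0)` would be prudent if the preference can be unset; where the preference is read lies outside the hunk. Since the problem being fixed appears to be a predictable directory name in a shared location, a path-string test is only a partial control: the code that finally creates or accepts the directory (not visible here) should confirm it is a real directory owned by the current user and not writable by group or others. In the `OnInit()` hunk the new default is built from `home`, which is defined outside the hunk, so it is worth confirming it cannot be empty, because the default would then become `/.audacity…` at the filesystem root.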