Diffstat (limited to 'app-text/uudeview/files')
5 files changed, 465 insertions, 0 deletions
diff --git a/app-text/uudeview/files/uudeview-0.5.20-CVE-2004-2265.patch b/app-text/uudeview/files/uudeview-0.5.20-CVE-2004-2265.patch new file mode 100644 index 000000000000..ac1f39410e4b --- /dev/null +++ b/app-text/uudeview/files/uudeview-0.5.20-CVE-2004-2265.patch 
@@ -0,0 +1,47 @@ ++uudeview (0.5.20-2.1) unstable; urgency=low ++ ++ * Fix possible (but highly unlikely) race in temporary file generation ++ (CAN-2004-2265), by passing the "x" (O_EXCL) flag to fopen when opening ++ such files. (Closes: #320541) ++ ++ -- Steinar H. Gunderson <sesse@debian.org> Wed, 14 Jun 2006 18:44:05 +0200 ++ + +Index: uudeview-0.5.20/unix/uudeview.c +=================================================================== +--- uudeview-0.5.20.orig/unix/uudeview.c ++++ uudeview-0.5.20/unix/uudeview.c +@@ -454,7 +454,7 @@ proc_stdin (void) + return 0; + } + +- if ((target = fopen (stdfile, "wb")) == NULL) { ++ if ((target = fopen (stdfile, "wbx")) == NULL) { + fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n", + stdfile, strerror (errno)); + _FP_free (stdfile); +Index: uudeview-0.5.20/uulib/uunconc.c +=================================================================== +--- uudeview-0.5.20.orig/uulib/uunconc.c ++++ uudeview-0.5.20/uulib/uunconc.c +@@ -1325,9 +1325,9 @@ UUDecode (uulist *data) + return UURET_NODATA; + + if (data->uudet == PT_ENCODED) +- mode = "wt"; /* open text files in text mode */ ++ mode = "wtx"; /* open text files in text mode */ + else +- mode = "wb"; /* otherwise in binary */ ++ mode = "wbx"; /* otherwise in binary */ + + if ((data->binfile = tempnam (NULL, "uu")) == NULL) { + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, +@@ -1502,7 +1502,7 @@ UUDecode (uulist *data) + progress.action = 0; + return UURET_NOMEM; + } +- if ((datain = fopen (data->binfile, "rb")) == NULL) { ++ if ((datain = fopen (data->binfile, "rbx")) == NULL) { + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, + uustring (S_NOT_OPEN_FILE), + data->binfile, strerror (uu_errno = errno)); diff --git a/app-text/uudeview/files/uudeview-0.5.20-CVE-2008-2266.patch b/app-text/uudeview/files/uudeview-0.5.20-CVE-2008-2266.patch new file mode 100644 index 000000000000..ba0de28dcacc --- /dev/null 
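Review bot: The exclusive-create guarantee here depends entirely on the C library honouring the `x` character in the fopen mode string (`"wbx"` in proc_stdin, `"wtx"`/`"wbx"` in UUDecode). A libc that does not implement it may ignore the flag and leave the tempnam()-then-open window as it was, so this looks safe only where the mode extension is known to be supported. Creating the file with `fd = open (stdfile, O_WRONLY | O_CREAT | O_EXCL, 0600)` and wrapping it with `fdopen (fd, "wb")` would make the exclusivity and the file mode explicit. The last uunconc.c hunk also changes the read-side open to `"rbx"`; exclusive creation has no meaning when opening an existing file for reading, so that line should stay `"rb"`. Both function bodies continue outside the hunks shown.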
+++ b/app-text/uudeview/files/uudeview-0.5.20-CVE-2008-2266.patch 
@@ -0,0 +1,166 @@ ++uudeview (0.5.20-3.1) unstable; urgency=high +... ++ * Fixed a classical tempfile symlink attack vulnerability in libuu. ++ Thanks to Nico Golde for the patch. (Closes: #480972) +... ++ -- Marco d'Itri <md@linux.it> Wed, 21 May 2008 01:34:35 +0200 + +Index: uudeview-0.5.20/unix/uudeview.c +=================================================================== +--- uudeview-0.5.20.orig/unix/uudeview.c ++++ uudeview-0.5.20/unix/uudeview.c +@@ -443,18 +443,46 @@ proc_stdin (void) + FILE *target; + size_t bytes; + int res; ++#define HAVE_MKSTEMP ++#ifdef HAVE_MKSTEMP ++ int tmpfd; ++ const char *tmpprefix = "uuXXXXXX"; ++ char *tmpdir = NULL; ++#endif /* HAVE_MKSTEMP */ + + if (stdinput) { + fprintf (stderr, "proc_stdin: cannot process stdin twice\n"); + return 0; + } + ++#ifdef HAVE_MKSTEMP ++ if ((getuid()==geteuid()) && (getgid()==getegid())) { ++ tmpdir=getenv("TMPDIR"); ++ } ++ ++ if (!tmpdir) { ++ tmpdir = "/tmp"; ++ } ++ stdfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2); ++ ++ if (!stdfile) { ++#else + if ((stdfile = tempnam (NULL, "uu")) == NULL) { ++#endif + fprintf (stderr, "proc_stdin: cannot get temporary file\n"); + return 0; + } + ++#ifdef HAVE_MKSTEMP ++ strcpy(stdfile, tmpdir); ++ strcat(stdfile, "/"); ++ strcat(stdfile, tmpprefix); ++ ++ if ((tmpfd = mkstemp(stdfile)) == -1 || ++ (target = fdopen(tmpfd, "wbx")) == NULL) { ++#else + if ((target = fopen (stdfile, "wbx")) == NULL) { ++#endif + fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n", + stdfile, strerror (errno)); + _FP_free (stdfile); +Index: uudeview-0.5.20/uulib/uunconc.c +=================================================================== +--- uudeview-0.5.20.orig/uulib/uunconc.c ++++ uudeview-0.5.20/uulib/uunconc.c +@@ -1311,6 +1311,12 @@ UUDecode (uulist *data) + char *mode, *ntmp; + uufile *iter; + size_t bytes; ++#define HAVE_MKSTEMP ++#ifdef HAVE_MKSTEMP ++ int tmpfd; ++ const char *tmpprefix = "uuXXXXXX"; ++ char *tmpdir = NULL; ++#endif /* 
HAVE_MKSTEMP */ + + if (data == NULL || data->thisfile == NULL) + return UURET_ILLVAL; +@@ -1329,13 +1335,35 @@ UUDecode (uulist *data) + else + mode = "wbx"; /* otherwise in binary */ + ++#ifdef HAVE_MKSTEMP ++ if ((getuid()==geteuid()) && (getgid()==getegid())) { ++ tmpdir=getenv("TMPDIR"); ++ } ++ ++ if (!tmpdir) { ++ tmpdir = "/tmp"; ++ } ++ data->binfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2); ++ ++ if (!data->binfile) { ++#else + if ((data->binfile = tempnam (NULL, "uu")) == NULL) { ++#endif /* HAVE_MKSTEMP */ + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, + uustring (S_NO_TEMP_NAME)); + return UURET_NOMEM; + } + ++#ifdef HAVE_MKSTEMP ++ strcpy(data->binfile, tmpdir); ++ strcat(data->binfile, "/"); ++ strcat(data->binfile, tmpprefix); ++ ++ if ((tmpfd = mkstemp(data->binfile)) == -1 || ++ (dataout = fdopen(tmpfd, mode)) == NULL) { ++#else + if ((dataout = fopen (data->binfile, mode)) == NULL) { ++#endif /* HAVE_MKSTEMP */ + /* + * we couldn't create a temporary file. Usually this means that TMP + * and TEMP aren't set +@@ -1343,6 +1371,12 @@ UUDecode (uulist *data) + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, + uustring (S_WR_ERR_TARGET), + data->binfile, strerror (uu_errno = errno)); ++#ifdef HAVE_MKSTEMP ++ if (tmpfd != -1) { ++ unlink(data->binfile); ++ close(tmpfd); ++ } ++#endif /* HAVE_MKSTEMP */ + _FP_free (data->binfile); + data->binfile = NULL; + uu_errno = errno; +@@ -1499,7 +1533,13 @@ UUDecode (uulist *data) + */ + + if (data->uudet == BH_ENCODED && data->binfile) { ++#ifdef HAVE_MKSTEMP ++ ntmp = malloc(strlen(tmpdir)+strlen(tmpprefix)+2); ++ ++ if (ntmp == NULL) { ++#else + if ((ntmp = tempnam (NULL, "uu")) == NULL) { ++#endif /* HAVE_MKSTEMP */ + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, + uustring (S_NO_TEMP_NAME)); + progress.action = 0; +@@ -1513,12 +1553,27 @@ UUDecode (uulist *data) + free (ntmp); + return UURET_IOERR; + } ++ ++#ifdef HAVE_MKSTEMP ++ strcpy(ntmp, tmpdir); ++ strcat(ntmp, "/"); ++ strcat(ntmp, tmpprefix); ++ 
if ((tmpfd = mkstemp(ntmp)) == -1 || ++ (dataout = fdopen(tmpfd, "wb")) == NULL) { ++#else + if ((dataout = fopen (ntmp, "wb")) == NULL) { ++#endif /* HAVE_MKSTEMP */ + UUMessage (uunconc_id, __LINE__, UUMSG_ERROR, + uustring (S_NOT_OPEN_TARGET), + ntmp, strerror (uu_errno = errno)); + progress.action = 0; + fclose (datain); ++#ifdef HAVE_MKSTEMP ++ if (tmpfd != -1) { ++ unlink(ntmp); ++ close(tmpfd); ++ } ++#endif /* HAVE_MKSTEMP */ + free (ntmp); + return UURET_IOERR; + } diff --git a/app-text/uudeview/files/uudeview-0.5.20-bugfixes.patch b/app-text/uudeview/files/uudeview-0.5.20-bugfixes.patch new file mode 100644 index 000000000000..3056dd2af59b --- /dev/null +++ b/app-text/uudeview/files/uudeview-0.5.20-bugfixes.patch 
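Review bot: The failure branch in proc_stdin does not release what mkstemp() created: if `mkstemp(stdfile)` succeeds and `fdopen(tmpfd, "wbx")` then fails, the visible lines only print the error and call `_FP_free (stdfile)`, so the descriptor and the temporary file are left behind. Both UUDecode branches in this same patch add the cleanup, and proc_stdin should get the same guarded line, `if (tmpfd != -1) { unlink(stdfile); close(tmpfd); }`, before the free; the rest of proc_stdin is outside the hunk, so confirm nothing later already does this. The `x` in the fdopen mode has no effect on an already-open descriptor and can be dropped (`"wb"`). `#define HAVE_MKSTEMP` is hard-coded inside both function bodies, which makes every `#else` branch dead code; the macro would be better supplied by the configure check than defined in place.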
@@ -0,0 +1,100 @@ ++uudeview (0.5.20-3) unstable; urgency=low ++ ++ * Ack NMU. (closes: Bug#373630) ++ * Don't force overwrite mode if auto-rename enabled. (closes: Bug#378076) ++ * Don't ignore special chars when parsing MIME. (closes: Bug#341440) ++ * Fix for #320541 also fixes #242999. (closes: Bug#242999) ++ * Incorporate suspicious-file patch from Peter Muir. (closes: Bug#166077) +... + ++ -- Chris Hanson <cph@debian.org> Tue, 15 Aug 2006 00:40:50 -0400 + +Index: uudeview-0.5.20/unix/uudeview.c +=================================================================== +--- uudeview-0.5.20.orig/unix/uudeview.c ++++ uudeview-0.5.20/unix/uudeview.c +@@ -657,9 +657,6 @@ work_comline (int argc, char *argv[]) + else switch (*(argv[number] + 1)) { + case '\0': + interact = 0; +- if (overwrite == 0) { +- overwrite = 1; +- } + proc_stdin (); + break; + case 'a': +@@ -699,10 +696,7 @@ work_comline (int argc, char *argv[]) + fprintf (stderr, "WARNING: cannot interact when reading from stdin\n"); + } + else { +- interact = (*argv[number] == '+') ? 1 : 0; +- if (overwrite == 0 && *argv[number] == '-') { +- overwrite = 1; +- } ++ interact = (*argv[number] == '+') ? 
1 : 0; + } + break; + case 'm': +@@ -773,6 +767,8 @@ work_comline (int argc, char *argv[]) + break; + } + } ++ if (overwrite == 0 && interact == 0 && autoren == 0) ++ overwrite = 1; + + return 1; + } +Index: uudeview-0.5.20/uulib/uunconc.c +=================================================================== +--- uudeview-0.5.20.orig/uulib/uunconc.c ++++ uudeview-0.5.20/uulib/uunconc.c +@@ -1437,6 +1437,9 @@ UUDecode (uulist *data) + res = UURET_IOERR; + break; + } ++ UUMessage (uunconc_id, __LINE__, UUMSG_MESSAGE, ++ uustring (S_OPEN_FILE), ++ iter->data->sfname); + _FP_strncpy (uugen_fnbuffer, iter->data->sfname, 1024); + } + +Index: uudeview-0.5.20/uulib/uuscan.c +=================================================================== +--- uudeview-0.5.20.orig/uulib/uuscan.c ++++ uudeview-0.5.20/uulib/uuscan.c +@@ -387,10 +387,10 @@ ParseValue (char *attribute) + *attribute != '(' && *attribute != ')' && + *attribute != '<' && *attribute != '>' && + *attribute != '@' && *attribute != ',' && +- /* *attribute != ';' && */ *attribute != ':' && +- *attribute != '\\' &&*attribute != '"' && +- *attribute != '/' && /* *attribute != '[' && +- *attribute != ']' && */ *attribute != '?' && ++ *attribute != ';' && *attribute != ':' && ++ *attribute != '\\' && *attribute != '"' && ++ *attribute != '/' && *attribute != '[' && ++ *attribute != ']' && *attribute != '?' 
&& + *attribute != '=' && length < 255) { + *ptr++ = *attribute++; + length++; +Index: uudeview-0.5.20/uulib/uustring.c +=================================================================== +--- uudeview-0.5.20.orig/uulib/uustring.c ++++ uudeview-0.5.20/uulib/uustring.c +@@ -107,6 +107,7 @@ static stringmap messages[] = { + { S_MIME_B_NOT_FOUND, "Boundary expected on Multipart message but found EOF" }, + { S_MIME_MULTI_DEPTH, "Multipart message nested too deep" }, + { S_MIME_PART_MULTI, "Handling partial multipart message as plain text" }, ++ { S_OPEN_FILE, "Opened file %s" }, + + { 0, "" } + }; +Index: uudeview-0.5.20/uulib/uustring.h +=================================================================== +--- uudeview-0.5.20.orig/uulib/uustring.h ++++ uudeview-0.5.20/uulib/uustring.h +@@ -36,3 +36,4 @@ + #define S_MIME_B_NOT_FOUND 35 + #define S_MIME_MULTI_DEPTH 36 + #define S_MIME_PART_MULTI 37 ++#define S_OPEN_FILE 38 diff --git a/app-text/uudeview/files/uudeview-0.5.20-man.patch b/app-text/uudeview/files/uudeview-0.5.20-man.patch new file mode 100644 index 000000000000..b03e15a5a5f2 --- /dev/null +++ b/app-text/uudeview/files/uudeview-0.5.20-man.patch 
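Review bot: The new post-loop default in work_comline, `if (overwrite == 0 && interact == 0 && autoren == 0) overwrite = 1;`, silently enables overwriting for every non-interactive run without auto-rename, and nothing at that line says so. Because the names being written presumably come from the decoded input, that default decides whether existing files can be replaced without a prompt. It deserves a comment such as `/* non-interactive and no auto-rename: nobody can be asked, so existing files are overwritten */`. The statement should also be braced like the surrounding code. The check cannot tell "overwrite never requested" from "overwrite explicitly left off", since both are 0 here; if the option parsing outside this hunk offers a way to refuse overwriting, it would be overridden.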
@@ -0,0 +1,95 @@ ++uudeview (0.5.13-2.1) unstable; urgency=low +... ++ * Added man page for uuwish(1). +... ++ -- Roland Rosenfeld <roland@debian.org> Thu, 16 Sep 1999 18:48:47 +0200 + + ++Thu Oct 24 22:12:01 1996 Martin Schulze <joey@finlandia.infodrom.north.de> +... ++ * Corrected some manpages + +Index: uudeview-0.5.20/man/uudeview.1 +=================================================================== +--- uudeview-0.5.20.orig/man/uudeview.1 ++++ uudeview-0.5.20/man/uudeview.1 +@@ -164,6 +164,16 @@ delivered in have different subject line + verbosity. Normally, the program prints some status messages + while reading the input files, which can be very helpful if something + should go wrong. Use if these messages disturb you. ++Disables progress bars. See ++.B -n ++option. ++.TP ++.B -v ++(disables Verbosity) Disables verbose messages, i.e. notes are not ++displayed, but does not remove warnings and errors. Is not as quiet as ++the ++.B -q ++(Quiet) option. + .TP + .B -n + No progress bars. Normally, UUDeview prints ASCII bars crawling up +Index: uudeview-0.5.20/man/uuwish.1 +=================================================================== +--- /dev/null ++++ uudeview-0.5.20/man/uuwish.1 +@@ -0,0 +1,45 @@ ++.\" Copyright (c) 1999 Roland Rosenfeld <roland@spinnaker.de> ++.\" changes Copyright (c) 2001 Chris Hanson <cph@debian.org> ++.\" ++.\" This program is free software; you can redistribute it and/or modify ++.\" it under the terms of the GNU General Public License as published by ++.\" the Free Software Foundation; either version 2 of the License, or ++.\" (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. 
++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc.,59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ++.\" ++.\" This manual page is written especially for Debian Linux. ++.\" ++.TH UUWISH 1 "February 2001" "Debian Project" "Debian GNU/Linux" ++.SH NAME ++uuwish \- A minimal wish extended by the UU commands ++.SH SYNOPSIS ++.B uuwish ++is a minimal ++.BR wish (1) ++extended by the UU commands that are available in ++.BR uudeview (1) ++and ++.BR uuenview (1). ++.B uuwish ++isn't meant to be called directly; it is a Tcl/Tk script interpreter, ++which is meant to be used by ++.BR xdeview (1). ++.SH "SEE ALSO" ++.BR xdeview (1), ++.BR uudeview (1), ++.BR uuenview (1), ++.BR wish (1). ++.SH AUTHOR ++.B uuwish ++was written by Frank Pilhofer <fp@informatik.uni-frankfurt.de>. ++.PP ++This manual page was written by Roland Rosenfeld <roland@debian.org>, ++for the Debian GNU/Linux system (but may be used by others). +Index: uudeview-0.5.20/configure.in +=================================================================== +--- uudeview-0.5.20.orig/configure.in ++++ uudeview-0.5.20/configure.in +@@ -607,7 +607,7 @@ if test "x$have_minews" = "xyes" ; then + fi + if test "x$have_tk" != "xno" ; then + PROGS="$PROGS xdeview" +- MPAGES="$MPAGES xdeview.1" ++ MPAGES="$MPAGES xdeview.1 uuwish.1" + DOINST="$DOINST install-tcl" + fi + diff --git a/app-text/uudeview/files/uudeview-0.5.20-rename.patch b/app-text/uudeview/files/uudeview-0.5.20-rename.patch new file mode 100644 index 000000000000..c62c64c70eb3 --- /dev/null +++ b/app-text/uudeview/files/uudeview-0.5.20-rename.patch 
@@ -0,0 +1,57 @@ ++uudeview (0.5.19+beta20030413-1) unstable; urgency=low +... ++ * Use rename() in preference to copy if possible. ++ (closes: Bug#166040) +... ++ -- Chris Hanson <cph@debian.org> Sun, 7 Sep 2003 01:05:07 -0400 + +Index: uudeview-0.5.20/uulib/uulib.c +=================================================================== +--- uudeview-0.5.20.orig/uulib/uulib.c ++++ uudeview-0.5.20/uulib/uulib.c +@@ -872,7 +872,10 @@ UUDecodeToTemp (uulist *thefile) + } + + /* +- * decode file first to temp file, then copy it to a final location ++ * Decode file first to temp file, then copy it to a final location. ++ * A move is preferable to a copy. If the file is on the same ++ * partition, no copy is performed. This is important for large ++ * files. + */ + + int UUEXPORT +@@ -978,6 +981,12 @@ UUDecodeFile (uulist *thefile, char *des + return UURET_IOERR; + } + ++ if (rename(thefile->binfile, uugen_fnbuffer) == 0) { ++ fclose(source); ++ close(fildes); ++ goto finish_ok; ++ } ++ + if ((target = fdopen (fildes, "wb")) == NULL) { + progress.action = 0; + UUMessage (uulib_id, __LINE__, UUMSG_ERROR, +@@ -1042,6 +1051,8 @@ UUDecodeFile (uulist *thefile, char *des + thefile->binfile, + strerror (uu_errno = errno)); + } ++ ++ finish_ok: + _FP_free (thefile->binfile); + thefile->binfile = NULL; + thefile->state &= ~UUFILE_TMPFILE; +@@ -1103,9 +1114,9 @@ UUInfoFile (uulist *thefile, void *opaqu + + while (!feof (inpfile) && + (uu_fast_scanning || ftell(inpfile) < maxpos)) { +- if (_FP_fgets (uugen_inbuffer, 511, inpfile) == NULL) ++ if (_FP_fgets (uugen_inbuffer, 1023, inpfile) == NULL) + break; +- uugen_inbuffer[511] = '\0'; ++ uugen_inbuffer[1023] = '\0'; + + if (ferror (inpfile)) + break; |
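Review bot: The UUInfoFile change raises the read length to 1023 and writes `uugen_inbuffer[1023] = '\0'`, but the declaration of `uugen_inbuffer` is not part of this patch. That store is in bounds only if the buffer holds at least 1024 bytes, so the size should be confirmed and the literal replaced by a constant shared with the declaration. In UUDecodeFile the new `rename(thefile->binfile, uugen_fnbuffer)` fast path replaces the target that `fildes` was opened on with the temporary file itself. The final file then carries the temporary file's permission bits, not those requested when the target was created (that open is outside the hunk). If the intended mode matters, it should be applied to the temporary file before the rename.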