-rw-r--r-- | network/uudeview/patches/025_CAN-2004-2265.diff | 42 | ||||
-rw-r--r-- | network/uudeview/patches/034_do_not_ignore_special_chars.diff | 22 | ||||
-rw-r--r-- | network/uudeview/patches/037_CVE-2008-2266_symlink.diff | 182 | ||||
-rw-r--r-- | network/uudeview/patches/043_string_format_issue.diff | 24 | ||||
-rw-r--r-- | network/uudeview/patches/049_glibc_2.27.diff | 20 | ||||
-rw-r--r-- | network/uudeview/uudeview.SlackBuild | 27 |
6 files changed, 308 insertions, 9 deletions
diff --git a/network/uudeview/patches/025_CAN-2004-2265.diff b/network/uudeview/patches/025_CAN-2004-2265.diff
new file mode 100644
index 0000000000000..d89ef9a0980bf
--- /dev/null
+++ b/network/uudeview/patches/025_CAN-2004-2265.diff
@@ -0,0 +1,42 @@
+Description: CAN-2004-2265
+ Fix possible (but highly unlikely) race in temporary file generation
+ (CAN-2004-2265), by passing the "x" (O_EXCL) flag to fopen when opening
+ such files. (Closes: #320541)
+ 0.5.20-2.1
+Author: Steinar H. Gunderson <sesse@debian.org>
+Bug-Debian: http://bugs.debian.org/320541
+
+--- a/unix/uudeview.c
++++ b/unix/uudeview.c
+@@ -454,7 +454,7 @@ proc_stdin (void)
+ return 0;
+ }
+
+- if ((target = fopen (stdfile, "wb")) == NULL) {
++ if ((target = fopen (stdfile, "wbx")) == NULL) {
+ fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
+ stdfile, strerror (errno));
+ _FP_free (stdfile);
+--- a/uulib/uunconc.c
++++ b/uulib/uunconc.c
+@@ -1325,9 +1325,9 @@ UUDecode (uulist *data)
+ return UURET_NODATA;
+
+ if (data->uudet == PT_ENCODED)
+- mode = "wt"; /* open text files in text mode */
++ mode = "wtx"; /* open text files in text mode */
+ else
+- mode = "wb"; /* otherwise in binary */
++ mode = "wbx"; /* otherwise in binary */
+
+ if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+@@ -1502,7 +1502,7 @@ UUDecode (uulist *data)
+ progress.action = 0;
+ return UURET_NOMEM;
+ }
+- if ((datain = fopen (data->binfile, "rb")) == NULL) {
++ if ((datain = fopen (data->binfile, "rbx")) == NULL) {
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NOT_OPEN_FILE),
+ data->binfile, strerror (uu_errno = errno));
diff --git a/network/uudeview/patches/034_do_not_ignore_special_chars.diff b/network/uudeview/patches/034_do_not_ignore_special_chars.diff
new file mode 100644
index 0000000000000..4ee32469fb392
--- /dev/null
+++ b/network/uudeview/patches/034_do_not_ignore_special_chars.diff
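Review bot: In 025_CAN-2004-2265.diff the last uunconc.c hunk adds `x` to a read-mode open, `fopen (data->binfile, "rbx")`, where no file is being created for O_EXCL to guard. Exclusive open is only defined together with creation, which is what the `"wtx"`/`"wbx"` write opens and the `"wbx"` open in proc_stdin rely on; on the read side it adds no protection and its effect depends on the C library, so I would keep `"rb"` there. The file name still comes from `tempnam` and is opened by path afterwards, so the exclusive create is the only thing closing the race in this patch. UUDecode and proc_stdin both extend beyond these hunks.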
@@ -0,0 +1,22 @@
+Description: Don't ignore special chars when parsing MIME.
+ 0.5.20-3
+Author: Chris Hanson
+Bug-Debian: https://bugs.debian.org/341440
+
+--- a/uulib/uuscan.c
++++ b/uulib/uuscan.c
+@@ -387,10 +387,10 @@ ParseValue (char *attribute)
+ *attribute != '(' && *attribute != ')' &&
+ *attribute != '<' && *attribute != '>' &&
+ *attribute != '@' && *attribute != ',' &&
+- /* *attribute != ';' && */ *attribute != ':' &&
+- *attribute != '\\' &&*attribute != '"' &&
+- *attribute != '/' && /* *attribute != '[' &&
+- *attribute != ']' && */ *attribute != '?' &&
++ *attribute != ';' && *attribute != ':' &&
++ *attribute != '\\' && *attribute != '"' &&
++ *attribute != '/' && *attribute != '[' &&
++ *attribute != ']' && *attribute != '?' &&
+ *attribute != '=' && length < 255) {
+ *ptr++ = *attribute++;
+ length++;
diff --git a/network/uudeview/patches/037_CVE-2008-2266_symlink.diff b/network/uudeview/patches/037_CVE-2008-2266_symlink.diff
new file mode 100644
index 0000000000000..7a74e4792c950
--- /dev/null
+++ b/network/uudeview/patches/037_CVE-2008-2266_symlink.diff
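Review bot: The re-enabled tests in the ParseValue hunk of 034_do_not_ignore_special_chars.diff carry no comment saying why `;`, `[` and `]` now end a value, and the old commented-out fragments are simply gone. The visible list appears to match the RFC 2045 `tspecials` set, so a one-line comment above the condition such as `/* an unquoted value ends at any RFC 2045 tspecial */` would keep a later edit from dropping characters again. The condition starts before the hunk, and the buffer that `length < 255` protects is not visible here.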
@@ -0,0 +1,182 @@
+Description: Fixed a classical tempfile symlink attack vulnerability in libuu.
+ See Version: 0.5.20-3.1.
+Author: Nico Golde <nion@debian.org>
+Bug-Debian: http://bugs.debian.org/480972
+
+--- a/uulib/uunconc.c
++++ b/uulib/uunconc.c
+@@ -1311,6 +1311,11 @@ UUDecode (uulist *data)
+ char *mode, *ntmp;
+ uufile *iter;
+ size_t bytes;
++#ifdef HAVE_MKSTEMP
++ int tmpfd;
++ const char *tmpprefix = "uuXXXXXX";
++ char *tmpdir = NULL;
++#endif /* HAVE_MKSTEMP */
+
+ if (data == NULL || data->thisfile == NULL)
+ return UURET_ILLVAL;
+@@ -1329,13 +1334,35 @@ UUDecode (uulist *data)
+ else
+ mode = "wbx"; /* otherwise in binary */
+
++#ifdef HAVE_MKSTEMP
++ if ((getuid()==geteuid()) && (getgid()==getegid())) {
++ tmpdir=getenv("TMPDIR");
++ }
++
++ if (!tmpdir) {
++ tmpdir = "/tmp";
++ }
++ data->binfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
++
++ if (!data->binfile) {
++#else
+ if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
++#endif /* HAVE_MKSTEMP */
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NO_TEMP_NAME));
+ return UURET_NOMEM;
+ }
+
++#ifdef HAVE_MKSTEMP
++ strcpy(data->binfile, tmpdir);
++ strcat(data->binfile, "/");
++ strcat(data->binfile, tmpprefix);
++
++ if ((tmpfd = mkstemp(data->binfile)) == -1 ||
++ (dataout = fdopen(tmpfd, mode)) == NULL) {
++#else
+ if ((dataout = fopen (data->binfile, mode)) == NULL) {
++#endif /* HAVE_MKSTEMP */
+ /*
+ * we couldn't create a temporary file. Usually this means that TMP
+ * and TEMP aren't set
+@@ -1343,6 +1370,12 @@ UUDecode (uulist *data)
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_WR_ERR_TARGET),
+ data->binfile, strerror (uu_errno = errno));
++#ifdef HAVE_MKSTEMP
++ if (tmpfd != -1) {
++ unlink(data->binfile);
++ close(tmpfd);
++ }
++#endif /* HAVE_MKSTEMP */
+ _FP_free (data->binfile);
+ data->binfile = NULL;
+ uu_errno = errno;
+@@ -1499,7 +1532,13 @@ UUDecode (uulist *data)
+ */
+
+ if (data->uudet == BH_ENCODED && data->binfile) {
++#ifdef HAVE_MKSTEMP
++ ntmp = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
++
++ if (ntmp == NULL) {
++#else
+ if ((ntmp = tempnam (NULL, "uu")) == NULL) {
++#endif /* HAVE_MKSTEMP */
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NO_TEMP_NAME));
+ progress.action = 0;
+@@ -1513,15 +1552,31 @@ UUDecode (uulist *data)
+ free (ntmp);
+ return UURET_IOERR;
+ }
++
++#ifdef HAVE_MKSTEMP
++ strcpy(ntmp, tmpdir);
++ strcat(ntmp, "/");
++ strcat(ntmp, tmpprefix);
++ if ((tmpfd = mkstemp(ntmp)) == -1 ||
++ (dataout = fdopen(tmpfd, "wb")) == NULL) {
++#else
+ if ((dataout = fopen (ntmp, "wb")) == NULL) {
++#endif /* HAVE_MKSTEMP */
+ UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
+ uustring (S_NOT_OPEN_TARGET),
+ ntmp, strerror (uu_errno = errno));
+ progress.action = 0;
+ fclose (datain);
++#ifdef HAVE_MKSTEMP
++ if (tmpfd != -1) {
++ unlink(ntmp);
++ close(tmpfd);
++ }
++#endif /* HAVE_MKSTEMP */
+ free (ntmp);
+ return UURET_IOERR;
+ }
++
+ /*
+ * read fork lengths. remember they're in Motorola format
+ */
+--- a/uulib/configure.in
++++ b/uulib/configure.in
+@@ -41,6 +41,7 @@ AC_CHECK_HEADERS(io.h sys/time.h)
+ AC_CHECK_FUNCS(gettimeofday)
+
+ AC_CHECK_FUNC(tempnam,,AC_DEFINE(tempnam,_FP_tempnam))
++AC_CHECK_FUNCS([mkstemp])
+
+ #
+ # strerror might be internally defined. this would cause a
+--- a/unix/uudeview.c
++++ b/unix/uudeview.c
+@@ -443,18 +443,45 @@ proc_stdin (void)
+ FILE *target;
+ size_t bytes;
+ int res;
++#ifdef HAVE_MKSTEMP
++ int tmpfd;
++ const char *tmpprefix = "uuXXXXXX";
++ char *tmpdir = NULL;
++#endif /* HAVE_MKSTEMP */
+
+ if (stdinput) {
+ fprintf (stderr, "proc_stdin: cannot process stdin twice\n");
+ return 0;
+ }
+
++#ifdef HAVE_MKSTEMP
++ if ((getuid()==geteuid()) && (getgid()==getegid())) {
++ tmpdir=getenv("TMPDIR");
++ }
++
++ if (!tmpdir) {
++ tmpdir = "/tmp";
++ }
++ stdfile = malloc(strlen(tmpdir)+strlen(tmpprefix)+2);
++
++ if (!stdfile) {
++#else
+ if ((stdfile = tempnam (NULL, "uu")) == NULL) {
++#endif
+ fprintf (stderr, "proc_stdin: cannot get temporary file\n");
+ return 0;
+ }
+
++#ifdef HAVE_MKSTEMP
++ strcpy(stdfile, tmpdir);
++ strcat(stdfile, "/");
++ strcat(stdfile, tmpprefix);
++
++ if ((tmpfd = mkstemp(stdfile)) == -1 ||
++ (target = fdopen(tmpfd, "wbx")) == NULL) {
++#else
+ if ((target = fopen (stdfile, "wbx")) == NULL) {
++#endif
+ fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
+ stdfile, strerror (errno));
+ _FP_free (stdfile);
+--- a/configure.in
++++ b/configure.in
+@@ -510,6 +510,7 @@ AC_CHECK_HEADERS(io.h sys/time.h)
+ AC_CHECK_FUNCS(getcwd popen gettimeofday isatty)
+
+ AC_CHECK_FUNC(tempnam,,AC_DEFINE(tempnam,_FP_tempnam))
++AC_CHECK_FUNCS([mkstemp])
+
+ #
+ # strerror might be internally defined. this would cause a
diff --git a/network/uudeview/patches/043_string_format_issue.diff b/network/uudeview/patches/043_string_format_issue.diff
new file mode 100644
index 0000000000000..7cbc584f5b478
--- /dev/null
+++ b/network/uudeview/patches/043_string_format_issue.diff
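Review bot: In the unix/uudeview.c hunk of 037_CVE-2008-2266_symlink.diff, the proc_stdin failure branch after `mkstemp`/`fdopen` has no cleanup. If `mkstemp` succeeds and `fdopen` fails, the descriptor stays open and the newly created temp file is left on disk, whereas both UUDecode hunks add an unlink/close block for this case. I would add `if (tmpfd != -1) { unlink (stdfile); close (tmpfd); }` under `#ifdef HAVE_MKSTEMP`, before `_FP_free (stdfile);`. The `x` in `fdopen(tmpfd, "wbx")` has no meaning for an already-open descriptor and could be dropped. proc_stdin continues past the end of the hunk, so confirm nothing later closes `tmpfd`.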
@@ -0,0 +1,24 @@
+Description: Fix potential security issue (arbitrary string being passed
+ as a format string to fprintf).
+Author: Andrew Shadura <andrewsh@debian.org>
+
+--- a/unix/uuenview.c
++++ b/unix/uuenview.c
+@@ -310,7 +310,7 @@ SendMkCommand (char **rcptlist, char *to
+ }
+
+ if ((*rcptlist = (char *) malloc (strlen (towhom) + 16)) == NULL) {
+- fprintf (stderr, "error: Out of memory allocating %d bytes\n",
++ fprintf (stderr, "error: Out of memory allocating %zd bytes\n",
+ strlen (towhom)+16);
+ _FP_free (command);
+ return NULL;
+@@ -483,7 +483,7 @@ AttachFiles (char *towhom, char *subject
+ if (_FP_stristr (input, "multipart") != NULL) {
+ /* it is already a multipart posting. grab the boundary */
+ if ((ptr = _FP_stristr (input, "boundary=")) != NULL) {
+- fprintf(thepipe, input);
++ fprintf(thepipe, "%s", input);
+ strcpy (boundary, ParseValue (ptr));
+ hadmulti = 1;
+ }
diff --git a/network/uudeview/patches/049_glibc_2.27.diff b/network/uudeview/patches/049_glibc_2.27.diff
new file mode 100644
index 0000000000000..1c41fd5c3c7c7
--- /dev/null
+++ b/network/uudeview/patches/049_glibc_2.27.diff
@@ -0,0 +1,20 @@
+Description: Remove a hack for Sun that causes FTBFS with glibc >= 2.27
+Author: Adrian Bunk <bunk@debian.org>
+
+--- uudeview-0.5.20.orig/tcl/uutcl.c
++++ uudeview-0.5.20/tcl/uutcl.c
+@@ -48,14 +48,6 @@
+ #include <tcl.h>
+ #endif
+
+-/*
+- * The following variable is a special hack that is needed in order for
+- * Sun shared libraries to be used for Tcl.
+- */
+-
+-extern int matherr();
+-int *tclDummyMathPtr = (int *) matherr;
+-
+ #include <uudeview.h>
+ #include <uuint.h>
+ #include <fptools.h>
diff --git a/network/uudeview/uudeview.SlackBuild b/network/uudeview/uudeview.SlackBuild
index 3953172277b51..f9b72291bee70 100644
--- a/network/uudeview/uudeview.SlackBuild
+++ b/network/uudeview/uudeview.SlackBuild
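Review bot: In 043_string_format_issue.diff the SendMkCommand hunk prints `strlen (towhom)+16` with `%zd`, but that expression is a `size_t`, so the matching conversion is `%zu`: `fprintf (stderr, "error: Out of memory allocating %zu bytes\n",`. In the AttachFiles hunk the context line `strcpy (boundary, ParseValue (ptr));` copies text taken from `input` with no bound. The size of `boundary` is not visible here, so confirm that it can hold the longest value ParseValue returns and that ParseValue cannot return NULL on this path. Both functions extend beyond the hunks.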
@@ -7,25 +7,27 @@ # Released into the public domain # V1 - Slackware 13.37 - November 13, 2011 +# 20220319 bkw: Modified by SlackBuilds.org, BUILD=2: +# - fix build on 32-bit. +# - fix Tcl/Tk autodetection on 64-bit. +# - add some security patches from Debian. + cd $(dirname $0) ; CWD=$(pwd) PRGNAM=uudeview VERSION=${VERSION:-0.5.20} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} PKGTYPE=${PKGTYPE:-tgz} if [ -z "$ARCH" ]; then case "$( uname -m )" in - i?86) ARCH=i486 ;; + i?86) ARCH=i586 ;; arm*) ARCH=arm ;; *) ARCH=$( uname -m ) ;; esac fi -# If the variable PRINT_PACKAGE_NAME is set, then this script will report what -# the name of the created package would be, and then exit. This information -# could be useful to other scripts. if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE" exit 0 @@ -35,8 +37,8 @@ TMP=${TMP:-/tmp/SBo} PKG=$TMP/package-$PRGNAM OUTPUT=${OUTPUT:-/tmp} -if [ "$ARCH" = "i486" ]; then - SLKCFLAGS="-O2 -march=i486 -mtune=i686" +if [ "$ARCH" = "i586" ]; then + SLKCFLAGS="-O2 -march=i586 -mtune=i686" LIBDIRSUFFIX="" elif [ "$ARCH" = "i686" ]; then SLKCFLAGS="-O2 -march=i686 -mtune=i686" @@ -60,9 +62,14 @@ cd $PRGNAM-$VERSION chown -R root:root . find -L . \ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 -o -perm 511 \) \ - -exec chmod 755 {} \; -o \ + -exec chmod 755 {} \+ -o \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ - -exec chmod 644 {} \; + -exec chmod 644 {} \+ + +# 20220319 bkw: These patches came from: https://packages.debian.org/sid/uudeview +for i in $CWD/patches/*.diff; do + patch -p1 < $i +done # NOTE - uudeview does not honor the DESTDIR variable, which is why the $PKG # location is prefixed below when running configure @@ -72,6 +79,8 @@ CXXFLAGS="$SLKCFLAGS" \ ./configure \ --prefix=$PKG/usr \ --mandir=$PKG/usr/man \ + --enable-tcl=/usr/lib$LIBDIRSUFFIX \ + --enable-tk=/usr/lib$LIBDIRSUFFIX \ --build=$ARCH-slackware-linux make |
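Review bot: The patch loop added in the `@@ -60,9 +62,14 @@` hunk leaves `$CWD` and `$i` unquoted, so a build path containing spaces breaks both the glob and the redirect; `for i in "$CWD"/patches/*.diff; do patch -p1 < "$i"; done` avoids that. Whether a patch that fails to apply stops the build depends on `set -e`, which is not visible in these hunks. Several of these patches are security fixes, so a silently skipped one would produce a package that still contains the unpatched code; the loop should fail hard, for example `patch -p1 < "$i" || exit 1`.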