Diffstat (limited to 'multimedia/winff')
-rw-r--r--multimedia/winff/changelog30
-rw-r--r--multimedia/winff/winff.SlackBuild27
2 files changed, 43 insertions, 14 deletions
diff --git a/multimedia/winff/changelog b/multimedia/winff/changelog
index 6da305c6fba7..87fd59ce0f28 100644
--- a/multimedia/winff/changelog
+++ b/multimedia/winff/changelog
@@ -70,3 +70,33 @@ in slackware.
This build removes all other localization files except english
since it contains outdated links and may pose security risk.
Bumped the build no.
+
+20/01/2023:
+
+Fixed $ARCH issue for 32-bit systems. freepascal supports i386
+only. The SlackBuild is modified to reflect that.Bumped the
+build no.
+
+Users of WinFF must be aware of these two security issues that are
+still unresolved upstream.
+
+a. The first one is due to the way filenames are inserted in the
+temporary shell scripts generated to convert the media. Due to the
+lack of character escaping, it is possible to insert system command using
+specially crafted filename such as 'aaa";xcalc;".avi' or "aaa$(xcalc).mp4'
+Thus leading to an arbitrary command execution.
+
+b. The second issue is related to the permission of this temporary shell
+script. every users can access to them and modify them. Even if those files
+are only temporary and launched right after generation, it leads to a
+race-condition case where another user may try to replace the script content
+before its execution in order to execute its own command with the winff
+user permission.
+
+you can read about this issue here:
+https://github.com/WinFF/winff/issues/242
+
+As for first issue check the filename before converting otherwise it
+will compromise your system and don't download from untrusted sources.
+For the second I have no clue and this is beyond my abilities.If you have
+a patch for these issue feel free to send it to me.
diff --git a/multimedia/winff/winff.SlackBuild b/multimedia/winff/winff.SlackBuild
index 8f7b6ace1040..f97fc8396bd1 100644
--- a/multimedia/winff/winff.SlackBuild
+++ b/multimedia/winff/winff.SlackBuild
@@ -28,7 +28,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PRGNAM=winff
VERSION=${VERSION:-20220903_8e4491b}
LONGNAM=${LONGNAM:-8e4491be149031916053378d859ce156cf9b43d3}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
TAG=${TAG:-_SBo}
PKGTYPE=${PKGTYPE:-tgz}
@@ -43,6 +43,7 @@ fi
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
# the name of the created package would be, and then exit. This information
# could be useful to other scripts.
+
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
exit 0
@@ -52,19 +53,17 @@ TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
-if [ "$ARCH" = "i586" ]; then
- SLKCFLAGS="-O2 -march=i586 -mtune=i686"
- LIBDIRSUFFIX=""
-elif [ "$ARCH" = "i686" ]; then
- SLKCFLAGS="-O2 -march=i686 -mtune=i686"
- LIBDIRSUFFIX=""
-elif [ "$ARCH" = "x86_64" ]; then
- SLKCFLAGS="-O2 -fPIC"
- LIBDIRSUFFIX="64"
-else
- SLKCFLAGS="-O2"
- LIBDIRSUFFIX=""
-fi
+case "$ARCH" in
+ i?86) ARCH="i386"
+ LIBDIRSUFFIX=""
+ ;;
+ x86_64) ARCH="x86_64"
+ LIBDIRSUFFIX="64"
+ ;;
+ *) printf "$ARCH is not supported...\n"
+ exit 1
+ ;;
+esac
set -e
trap 'echo "$0 FAILED at line $LINENO!" | tee -a $OUTPUT/error-${PRGNAM}.log' ERR
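Review bot: The fallback arm of the new case statement uses `$ARCH` as the printf format string; ARCH is taken from the environment, so a value containing `%` is interpreted as a conversion and produces garbled or failing output, and the diagnostic goes to stdout rather than stderr. The arm should be `*) printf '%s is not supported...\n' "$ARCH" >&2`, keeping the `exit 1` that follows. Separately, the remap of i?86 to i386 happens after the PRINT_PACKAGE_NAME block in the previous hunk, which still prints the original `$ARCH`, so on a 32-bit host the reported package name presumably no longer matches the one actually built; moving the case block above that check, or applying the same mapping there, would keep the two consistent. The `set -e` and `trap` context lines are unchanged by this commit.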