I'm NMUing f2c for unstable, using a version of the diff the security team used to fix stable. The diff is attached.
-- see shy jo
diff --new-file -ur old/f2c-20020621/debian/changelog
f2c-20020621/debian/changelog
--- old/f2c-20020621/debian/changelog 2005-02-04 13:36:25.000000000 -0500
+++ f2c-20020621/debian/changelog 2005-02-04 13:44:18.000000000 -0500
@@ -1,3 +1,14 @@
+f2c (20020621-3.1) unstable; urgency=HIGH
+
+ * NMU for security issues. Closes: #292792
+ * Corrected creating of temporary files f2c [CAN-2005-0017]
+ * Added patch by Javier Fernandez-Sanguino Pe�a to fix temporary file
+ problem in fc [CAN-2005-0018]
+ * Removed xsum comparison since it prevents security updates
+ from being applied [src/makefile]
+
+ -- Joey Hess <[EMAIL PROTECTED]> Fri, 4 Feb 2005 13:28:26 -0500
+
f2c (20020621-2) unstable; urgency=low
* fixed longstanding errors in manpage with reference to the f2c
libraries, closing bug #167660
diff --new-file -ur old/f2c-20020621/fc f2c-20020621/fc
--- old/f2c-20020621/fc 2005-02-04 13:36:25.000000000 -0500
+++ f2c-20020621/fc 2005-02-04 13:36:29.000000000 -0500
@@ -81,8 +81,9 @@
# -U def passed to C compiler (for .c files)
# or to cpp (for .F files) to remove def
-s=/tmp/stderr_$$
-t=/tmp/f77_$$.o
+s=`tempfile --prefix=stderr` || { echo "$0: Cannot create temporary file" ;
exit 1; }
+t=`tempfile --suffix=.o --prefix=f77` || { echo "$0: Cannot create temporary
file"; exit 1; }
+trap "rm -f $s $t; exit \$rc" 0
### On some systems (e.g., IRIX), -common prevents complaints
### about multiple definitions of COMMON blocks.
#CC=${CC_f2c:-'cc -common'}
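Review bot: If the second `tempfile` call fails, the file already created for `$s` is left behind, because the cleanup trap is installed only after both assignments. The failure branch for `t` should remove it and report on stderr: `|| { rm -f "$s"; echo "$0: Cannot create temporary file" >&2; exit 1; }`. The first branch also prints its error to stdout, where it can end up in redirected output, so it wants `>&2` too. The trap string expands `$s $t` unquoted when it is defined, so a temporary directory containing whitespace would make the `rm` miss; `trap 'rm -f "$s" "$t"; exit $rc' 0` is more robust.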
@@ -95,7 +96,6 @@
F2CFLAGS=${F2CFLAGS:='-ARw8 -Nn802 -Nq300 -Nx400'}
CPP=${CPP:-/lib/cpp}
rc=0
-trap "rm -f $s $t; exit \$rc" 0
OUTF=a.out
OUTO=
cOPT=1
diff --new-file -ur old/f2c-20020621/src/makefile f2c-20020621/src/makefile
--- old/f2c-20020621/src/makefile 2001-03-05 11:54:40.000000000 -0500
+++ f2c-20020621/src/makefile 2005-02-04 13:35:36.000000000 -0500
@@ -98,8 +98,9 @@
#Check validity of transmitted source...
xsum.out: xsum $b
- ./xsum $b >xsum1.out
- cmp xsum0.out xsum1.out && mv xsum1.out xsum.out
+ @echo xsum comparison disabled since it prevents security updates
+# ./xsum $b >xsum1.out
+# cmp xsum0.out xsum1.out && mv xsum1.out xsum.out
#On non-Unix systems that end lines with carriage-return/newline pairs,
#use "make xsumr.out" rather than "make xsum.out". The -r flag ignores
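Review bot: With the recipe reduced to an `echo`, the `xsum.out` target no longer produces `xsum.out`, so make will treat it as out of date on every run. The source-integrity check is also gone for every file in `$b`, not only the patched ones. Regenerating `xsum0.out` from the patched sources as part of the update would keep the check meaningful. If disabling it is deliberate, a comment above the rule naming the bug (`#292792` per the changelog) would tell the next uploader when it can be restored.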
diff --new-file -ur old/f2c-20020621/src/sysdep.c f2c-20020621/src/sysdep.c
--- old/f2c-20020621/src/sysdep.c 2000-07-04 18:54:54.000000000 -0400
+++ f2c-20020621/src/sysdep.c 2005-02-04 13:36:29.000000000 -0500
@@ -22,6 +22,7 @@
****************************************************************/
#include "defs.h"
#include "usignal.h"
+#include <stdlib.h>
char binread[] = "rb", textread[] = "r";
char binwrite[] = "wb", textwrite[] = "w";
@@ -107,6 +108,7 @@
void
set_tmp_names(Void)
{
+#ifdef MSDOS
int k;
if (debugflag == 1)
return;
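Review bot: The `if (debugflag == 1) return;` guard now sits inside `#ifdef MSDOS`, so on every other build `set_tmp_names` no longer returns early in that mode and goes on to create the temporary files. If that is intended, a comment at the `#ifdef` should say so, for example `/* non-MSDOS builds always use mkstemp names, even with debugflag == 1 */`. If it is not, the guard needs to stay outside the conditional. The function body continues outside this hunk.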
@@ -118,6 +120,15 @@
p1_file = blkdfname + k;
p1_bakfile = p1_file + k;
sortfname = p1_bakfile + k;
+#else
+ char c_functions[] = TMPDIR "/f2c_func_XXXXXX";
+ char initfname[] = TMPDIR "/f2c_rc_XXXXXX";
+ char initbname[] = TMPDIR "/f2c_rc.b_XXXXXX";
+ char blkdfname[] = TMPDIR "/f2c_blkd_XXXXXX";
+ char p1_file[] = TMPDIR "/f2c_p1f_XXXXXX";
+ char p1_bakfile[] = TMPDIR "/f2c_p1fb_XXXXXX";
+ char sortfname[] = TMPDIR "/f2c_sort_XXXXXX";
+#endif
{
#ifdef MSDOS
char buf[64], *s, *t;
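Review bot: The seven arrays declared in the `#else` branch are locals of `set_tmp_names`, while the MSDOS branch just above assigns `p1_file`, `p1_bakfile` and `sortfname` as pointers declared outside the function, so these declarations appear to shadow the file-scope names. The names that `mkstemp` fills in would then be lost when the function returns. The rest of the program would keep whatever the outer variables held, leaving the predictable-name problem unfixed. Giving each template static storage and pointing the existing variable at it avoids that, e.g. `static char c_functions_tmpl[] = TMPDIR "/f2c_func_XXXXXX";` followed by `c_functions = c_functions_tmpl;` (assuming `c_functions` is a pointer like the three above). The templates also use the compile-time `TMPDIR` where the removed code used the run-time `tmpdir`, so a user-selected directory would no longer be honoured.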
@@ -156,16 +167,21 @@
sprintf(p1_file, "%s%sp1f", t, f2c);
sprintf(p1_bakfile, "%s%sp1fb", t, f2c);
sprintf(sortfname, "%s%ssort", t, f2c);
+ sprintf(initbname, "%s.b", initfname);
#else
- long pid = getpid();
- sprintf(c_functions, "%s/f2c%ld_func", tmpdir, pid);
- sprintf(initfname, "%s/f2c%ld_rd", tmpdir, pid);
- sprintf(blkdfname, "%s/f2c%ld_blkd", tmpdir, pid);
- sprintf(p1_file, "%s/f2c%ld_p1f", tmpdir, pid);
- sprintf(p1_bakfile, "%s/f2c%ld_p1fb", tmpdir, pid);
- sprintf(sortfname, "%s/f2c%ld_sort", tmpdir, pid);
+
+ if (mkstemp(c_functions) == -1
+ || mkstemp(initfname) == -1
+ || mkstemp(initbname) == -1
+ || mkstemp(blkdfname) == -1
+ || mkstemp(p1_file) == -1
+ || mkstemp(p1_bakfile) == -1
+ || mkstemp(sortfname) == -1) {
+ fprintf(stderr, "Cannot create temporary files\n");
+ Un_link_all(0);
+ exit(1);
+ }
#endif
- sprintf(initbname, "%s.b", initfname);
}
if (debugflag)
fprintf(diagfile, "%s %s %s %s %s %s\n", c_functions,
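Review bot: Each `mkstemp` call in the new condition returns an open descriptor that is discarded, so up to seven descriptors stay open for the life of the process, and the files are presumably reopened by name later. Keep the descriptor and either pass it to `fdopen` or close it immediately, e.g. `if ((fd = mkstemp(c_functions)) == -1) goto fail; close(fd);`. On a partial failure, `Un_link_all(0)` only helps if it removes the names created here. Its definition is not visible on this page, so that is worth confirming before relying on it for cleanup.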

