OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Michael Schloh
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   17-Dec-2004 16:41:55
  Branch: HEAD                             Handle: 2004121715415400

  Modified files:
    openpkg-src/gettext     gettext.patch gettext.spec

  Log:
    modifying package: gettext-0.14.1 20041006 -> 20041217

  Summary:
    Revision    Changes     Path
    1.6         +102 -0     openpkg-src/gettext/gettext.patch
    1.48        +1  -1      openpkg-src/gettext/gettext.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/gettext/gettext.patch
  ============================================================================
  $ cvs diff -u -r1.5 -r1.6 gettext.patch
  --- openpkg-src/gettext/gettext.patch 28 May 2004 13:03:42 -0000      1.5
  +++ openpkg-src/gettext/gettext.patch 17 Dec 2004 15:41:54 -0000      1.6
  @@ -54,3 +54,105 @@
      sigset_t blocked_signals;
      posix_spawn_file_actions_t actions;
      bool actions_allocated;
  +
  +OpenPKG-SA-2004.054-gettext and CAN-2004-0966
  +The autopoint and gettextize scripts in GNU gettext 0.14.1
  +and older allow local users to overwrite files via a symlink
  +attack on temporary files.
  +
  +Except for the unportable BSD mktemp(1), the following patch blocks
  +for autopoint.in and gettextize.in are taken from Red Hat Bug #136323.
  +  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323
  +
  +Index: gettext-tools/misc/autopoint.in
  +diff -Nau gettext-tools/misc/autopoint.in.orig 
gettext-tools/misc/autopoint.in
  +--- gettext-tools/misc/autopoint.in.orig     2004-01-29 20:17:27.000000000 
+0100
  ++++ gettext-tools/misc/autopoint.in  2004-09-20 10:26:14.000000000 +0200
  +@@ -39,14 +39,7 @@
  +     */* | *\\*) ;;
  +     *) # Need to look in the PATH.
  +       if test "${PATH_SEPARATOR+set}" != set; then
  +-        { echo "#! /bin/sh"; echo "exit 0"; } > /tmp/conf$$.sh
  +-        chmod +x /tmp/conf$$.sh
  +-        if (PATH="/nonexistent;/tmp"; conf$$.sh) >/dev/null 2>&1; then
  +-          PATH_SEPARATOR=';'
  +-        else
  +-          PATH_SEPARATOR=:
  +-        fi
  +-        rm -f /tmp/conf$$.sh
  ++        PATH_SEPARATOR=:
  +       fi
  +       save_IFS="$IFS"; IFS="$PATH_SEPARATOR"
  +       for dir in $PATH; do
  +@@ -318,7 +311,15 @@
  + cvs_dir=tmpcvs$$
  + work_dir=tmpwrk$$
  + mkdir "$cvs_dir"
  ++if [ $? -ne 0 ]; then
  ++  echo "ERROR making $cvs_dir"
  ++  exit 1
  ++fi
  + mkdir "$work_dir"
  ++if [ $? -ne 0 ]; then
  ++  echo "ERROR making $work_dir"
  ++  exit 1
  ++fi
  + CVSROOT="$srcdir/$cvs_dir"
  + export CVSROOT
  + unset CVS_CLIENT_LOG
  +@@ -384,8 +385,6 @@
  + # original - too great risk of version mismatch.
  + if test -z "$force"; then
  +   mismatch=
  +-  mismatchfile="${TMPDIR-/tmp}"/autopoint$$.diff
  +-  rm -f "$mismatchfile"
  +   for file in `find "$work_dir/archive" -type f -print | sed -e 
"s,^$work_dir/archive/,," | LC_ALL=C sort`; do
  +     func_destfile "$file"
  +     if test -n "$destfile"; then
  +@@ -395,14 +394,13 @@
  +         else
  +           echo "autopoint: File $destfile has been locally modified." 1>&2
  +           mismatch=yes
  +-          diff -c "$work_dir/archive/$file" "$destfile" | sed -e 
"1s,$work_dir/archive/,," >> "$mismatchfile"
  +         fi
  +       fi
  +     fi
  +   done
  +   if test -n "$mismatch"; then
  +     rm -rf "$cvs_dir" "$work_dir"
  +-    func_fatal_error "Some files have been locally modified. Not 
overwriting them because --force has not been specified. For your convenience, 
you find the local modifications in the file '$mismatchfile'."
  ++    func_fatal_error "Some files have been locally modified. Not 
overwriting them because --force has not been specified. For a summary of the 
local modifications use: 'diff -c $work_dir/archive/$file $destfile'"
  +   fi
  + fi
  + 
  +@@ -417,6 +417,10 @@
  +     # Recompute base. It was clobbered by the recursive call.
  +     base=`echo "$1" | sed -e 's,/[^/]*$,,'`
  +     test -d "$base" || { echo "Creating directory $base"; mkdir "$base"; }
  ++    if [ $? -ne 0 ]; then
  ++      echo "ERROR making directory $base"
  ++      exit 1
  ++    fi
  +   fi
  + }
  + 
  +Index: gettext-tools/misc/gettextize.in
  +diff -Nau gettext-tools/misc/gettextize.in.orig 
gettext-tools/misc/gettextize.in
  +--- gettext-tools/misc/gettextize.in.orig    2004-01-20 12:30:06.000000000 
+0100
  ++++ gettext-tools/misc/gettextize.in 2004-09-20 10:22:39.000000000 +0200
  +@@ -39,14 +39,7 @@
  +     */* | *\\*) ;;
  +     *) # Need to look in the PATH.
  +       if test "${PATH_SEPARATOR+set}" != set; then
  +-        { echo "#! /bin/sh"; echo "exit 0"; } > /tmp/conf$$.sh
  +-        chmod +x /tmp/conf$$.sh
  +-        if (PATH="/nonexistent;/tmp"; conf$$.sh) >/dev/null 2>&1; then
  +-          PATH_SEPARATOR=';'
  +-        else
  +-          PATH_SEPARATOR=:
  +-        fi
  +-        rm -f /tmp/conf$$.sh
  ++        PATH_SEPARATOR=:
  +       fi
  +       save_IFS="$IFS"; IFS="$PATH_SEPARATOR"
  +       for dir in $PATH; do
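Review bot: The new `func_fatal_error` text in the autopoint.in hunks at -384 and -395 tells the user to run `diff -c $work_dir/archive/$file $destfile`, but the line directly above it has already run `rm -rf "$cvs_dir" "$work_dir"`, so the archive path it names no longer exists. In addition, `$file` and `$destfile` are expanded after the `for` loop has finished, so they appear to hold the values from the last iteration rather than from a file that was actually modified. Removing the predictable `"${TMPDIR-/tmp}"/autopoint$$.diff` file is the right fix for the symlink problem; the message just should not promise a diff that cannot be produced. Each modified file is already reported on stderr inside the loop, so I would end the message after the --force sentence: `func_fatal_error "Some files have been locally modified. Not overwriting them because --force has not been specified."`. The rest of autopoint.in is outside these hunks, so whether anything else still reads `$mismatchfile` cannot be checked from here.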
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/gettext/gettext.spec
  ============================================================================
  $ cvs diff -u -r1.47 -r1.48 gettext.spec
  --- openpkg-src/gettext/gettext.spec  6 Oct 2004 13:05:41 -0000       1.47
  +++ openpkg-src/gettext/gettext.spec  17 Dec 2004 15:41:54 -0000      1.48
  @@ -34,7 +34,7 @@
   Group:        Converter
   License:      GPL
   Version:      0.14.1
  -Release:      20041006
  +Release:      20041217
   
   #   list of sources
   Source0:      ftp://ftp.gnu.org/gnu/gettext/gettext-%{version}.tar.gz
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
