Author: randy
Date: 2006-04-12 07:03:21 -0600 (Wed, 12 Apr 2006)
New Revision: 1476
Added:
trunk/enscript/
trunk/enscript/enscript-1.6.4-security_fixes-1.patch
Log:
Added Enscript security vulnerabilities patch
Added: trunk/enscript/enscript-1.6.4-security_fixes-1.patch
===================================================================
--- trunk/enscript/enscript-1.6.4-security_fixes-1.patch
(rev 0)
+++ trunk/enscript/enscript-1.6.4-security_fixes-1.patch 2006-04-12
13:03:21 UTC (rev 1476)
@@ -0,0 +1,187 @@
+Submitted By: Alexander E. Patrakov
<alexander_at_linuxfromscratch_dot_org>
+Date: 2006-04-12
+Initial Package Version: 1.6.4
+Upstream Status: Unknown
+Origin: Debian, the descriptions of the vulnerabilities can be
+ retrieved from
+ http://wiki.linuxfromscratch.org/blfs/wiki/Enscript
+ rediffed by Randy McMurchy
+Description: See Origin; fixes CAN-2004-1184, CAN-2004-1185 and
+ CAN-2004-1186
+
+
+diff -Naur enscript-1.6.4-orig/src/gsint.h enscript-1.6.4/src/gsint.h
+--- enscript-1.6.4-orig/src/gsint.h 2003-03-05 07:37:06.000000000 +0000
++++ enscript-1.6.4/src/gsint.h 2006-04-12 11:11:33.000000000 +0000
+@@ -701,4 +701,9 @@
+ */
+ void printer_close ___P ((void *context));
+
++/*
++ * Escape filenames for shell usage
++ */
++char *shell_escape ___P ((const char *fn));
++
+ #endif /* not GSINT_H */
+
+diff -Naur enscript-1.6.4-orig/src/main.c enscript-1.6.4/src/main.c
+--- enscript-1.6.4-orig/src/main.c 2003-03-05 07:36:32.000000000 +0000
++++ enscript-1.6.4/src/main.c 2006-04-12 11:11:33.000000000 +0000
+@@ -1546,9 +1546,13 @@
+ buffer_append (&cmd, intbuf);
+ buffer_append (&cmd, " ");
+
+- buffer_append (&cmd, "-Ddocument_title=\"");
+- buffer_append (&cmd, title);
+- buffer_append (&cmd, "\" ");
++ buffer_append (&cmd, "-Ddocument_title=\'");
++ if ((cp = shell_escape (title)) != NULL)
++ {
++ buffer_append (&cmd, cp);
++ free (cp);
++ }
++ buffer_append (&cmd, "\' ");
+
+ buffer_append (&cmd, "-Dtoc=");
+ buffer_append (&cmd, toc ? "1" : "0");
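Review bot: When `shell_escape` returns NULL the title is silently left empty here, and the same unchecked failure in the input-file loop of the next hunk drops a file from the command line, while the `%s` expansion in src/util.c omits the filename from the filter command. Running a command with an argument missing is worse than stopping, so I would treat NULL as fatal at each site. Alternatively, allocate inside the helper with `outp = retval = xmalloc (len + 1);`, assuming `xmalloc` aborts on failure as its name suggests. `cp` is not declared in this hunk; presumably the enclosing function, which starts outside the hunk, already declares it.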
+@@ -1565,8 +1569,14 @@
+ /* Append input files. */
+ for (i = optind; i < argc; i++)
+ {
+- buffer_append (&cmd, " ");
+- buffer_append (&cmd, argv[i]);
++ char *cp;
++ if ((cp = shell_escape (argv[i])) != NULL)
++ {
++ buffer_append (&cmd, " \'");
++ buffer_append (&cmd, cp);
++ buffer_append (&cmd, "\'");
++ free (cp);
++ }
+ }
+
+ /* And do the job. */
+@@ -1627,7 +1637,7 @@
+ buffer_ptr (opts), buffer_len (opts));
+ }
+
+- buffer_append (&buffer, " \"%s\"");
++ buffer_append (&buffer, " \'%s\'");
+
+ input_filter = buffer_copy (&buffer);
+ input_filter_stdin = "-";
+
+diff -Naur enscript-1.6.4-orig/src/psgen.c enscript-1.6.4/src/psgen.c
+--- enscript-1.6.4-orig/src/psgen.c 2003-03-05 07:36:53.000000000 +0000
++++ enscript-1.6.4/src/psgen.c 2006-04-12 11:11:33.000000000 +0000
+@@ -2034,8 +2034,9 @@
+ else
+ {
+ ftail++;
+- strncpy (buf, fname, ftail - fname);
+- buf[ftail - fname] = '\0';
++ i = ftail - fname >= sizeof (buf)-1 ? sizeof (buf)-1 : ftail - fname;
++ strncpy (buf, fname, i);
++ buf[i] = '\0';
+ }
+
+ if (nup > 1)
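Review bot: The clamp on `i` silently truncates an over-long directory prefix, so `buf` ends up holding a path that differs from the one that was named, and whatever reads `buf` after this hunk works on the wrong directory. Stopping the overflow is right, but I would reject the over-long name rather than shorten it, for example by testing `(size_t) (ftail - fname) >= sizeof (buf)` and reporting an error before the copy. The expression also compares a signed pointer difference with `sizeof` without a cast, and it only works if `buf` is an array rather than a pointer; its declaration is outside the hunk.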
+@@ -2385,9 +2386,10 @@
+ MESSAGE (2, (stderr, "[EMAIL PROTECTED]"%s\"\n", token->u.epsf.filename));
+
+ i = strlen (token->u.epsf.filename);
++ /*
+ if (i > 0 && token->u.epsf.filename[i - 1] == '|')
+ {
+- /* Read EPS data from pipe. */
++ / * Read EPS data from pipe. * /
+ token->u.epsf.pipe = 1;
+ token->u.epsf.filename[i - 1] = '\0';
+ token->u.epsf.fp = popen (token->u.epsf.filename, "r");
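Review bot: Disabling the `|` pipe form with a block comment is fragile: the comment opens in this hunk and closes in the following one, the lines between the two hunks are not shown, and any `*/` among them would end the comment early and leave part of the popen() path compiled in. The existing inner comment already had to be mangled to `/ * Read EPS data from pipe. * /` to avoid exactly that. Deleting the branch, or fencing it with `#if 0` / `#endif` and a one-line reason such as `/* Reading EPS data from a pipe is disabled for security reasons. */`, would be robust and tell the next reader why. If the user documentation describes the pipe syntax, it should be updated as well.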
+@@ -2400,6 +2402,7 @@
+ }
+ }
+ else
++ */
+ {
+ char *filename;
+
+diff -Naur enscript-1.6.4-orig/src/util.c enscript-1.6.4/src/util.c
+--- enscript-1.6.4-orig/src/util.c 2003-03-05 07:26:32.000000000 +0000
++++ enscript-1.6.4/src/util.c 2006-04-12 11:11:33.000000000 +0000
+@@ -1239,6 +1239,8 @@
+
+ /* Create result. */
+ cp = xmalloc (len + 1);
++ if (cp == NULL)
++ return NULL;
+ for (i = 0, j = 0; string[i]; i++)
+ switch (string[i])
+ {
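Review bot: The added NULL check changes what this function may return, and nothing visible here tells its callers. If `xmalloc` terminates the program on failure, as the x-prefix convention suggests, the check is dead code and can go. If it can return NULL, the function's header comment (outside the hunk) should gain a line like `Returns NULL when memory cannot be allocated.` and every caller needs a matching check.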
+@@ -1879,6 +1881,7 @@
+ char *cmd = NULL;
+ int cmdlen;
+ int i, pos;
++ char *cp;
+
+ is->is_pipe = 1;
+
+@@ -1902,12 +1905,16 @@
+ {
+ case 's':
+ /* Expand cmd-buffer. */
+- cmdlen += strlen (fname);
+- cmd = xrealloc (cmd, cmdlen);
++ if ((cp = shell_escape (fname)) != NULL)
++ {
++ cmdlen += strlen (cp);
++ cmd = xrealloc (cmd, cmdlen);
+
+- /* Paste filename. */
+- strcpy (cmd + pos, fname);
+- pos += strlen (fname);
++ /* Paste filename. */
++ strcpy (cmd + pos, cp);
++ pos += strlen (cp);
++ free (cp);
++ }
+
+ i++;
+ break;
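Review bot: `shell_escape` only neutralises single quotes, so the expanded `%s` is safe only when the template itself places it between single quotes; this hunk escapes the name but neither adds nor verifies that quoting. The built-in template in src/main.c was changed to `'%s'`, but a filter template supplied by the user (if this expansion handles those too, which the hunk does not show) may still write `%s` bare or inside double quotes, where the shell still interprets the name. One option is to have the expansion emit the surrounding quotes itself and drop them from the templates. At minimum the requirement should be documented where filter templates are described.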
+@@ -2116,3 +2123,36 @@
+ {
+ return buffer->len;
+ }
++
++/*
++ * Escapes the name of a file so that the shell groks it in 'single'
++ * quotation marks. The resulting pointer has to be free()ed when not
++ * longer used.
++*/
++char *
++shell_escape(const char *fn)
++{
++ size_t len = 0;
++ const char *inp;
++ char *retval, *outp;
++
++ for(inp = fn; *inp; ++inp)
++ switch(*inp)
++ {
++ case '\'': len += 4; break;
++ default: len += 1; break;
++ }
++
++ outp = retval = malloc(len + 1);
++ if(!outp)
++ return NULL; /* perhaps one should do better error handling here */
++ for(inp = fn; *inp; ++inp)
++ switch(*inp)
++ {
++ case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ =
'\''; break;
++ default: *outp++ = *inp; break;
++ }
++ *outp = 0;
++
++ return retval;
++}
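Review bot: The header comment does not say that the caller must supply the surrounding single quotes, nor that NULL is returned on allocation failure. I would replace it, here and on the prototype in src/gsint.h, with something like `/* Escape FN for use between single quotes in a shell command; the caller adds the quotes. Returns a malloc()ed string the caller must free(), or NULL if out of memory. */`. In the body, the replacement sequence ends with a comma operator (`*outp++ = '\'', *outp++ = '\'';`) where the other statements use semicolons; it works, but reads like a typo and should be a semicolon. "when not longer used" should read "when no longer used".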