Package: hinfo
Version: 1.02-3
Severity: normal
Tags: patch

Please find attached the patch for the recent NMU of hinfo.

Thanks,
Neil
diff -u hinfo-1.02/debian/changelog hinfo-1.02/debian/changelog
--- hinfo-1.02/debian/changelog
+++ hinfo-1.02/debian/changelog
@@ -1,3 +1,11 @@
+hinfo (1.02-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by security team
+  * Added checking for a correctly formatted perl file and stops pager
+    variable being parsed from the /var/lib files (Closes: #402316)
+
+ -- Neil McGovern <[EMAIL PROTECTED]>  Sat, 27 Jan 2007 11:10:13 +0000
+
 hinfo (1.02-3) unstable; urgency=medium
 
   * Fix purge if ucf or deluser unavailable.  (Closes: #389969)
only in patch2:
unchanged:
--- hinfo-1.02.orig/hinfo-update
+++ hinfo-1.02/hinfo-update
@@ -2,6 +2,7 @@
 # script to fetch current dnsbl.ins.pl and whois.ins.pl
 #
 
+use File::Copy;
 use strict;
 
 my $libdir = '/var/lib/hinfo';
@@ -30,13 +31,14 @@
 
 my $capt = '';
 if (-e $wget && -d $libdir) {
-    my $c = "$wget -r -N -nd $verbose -P $libdir $options";
+       foreach (@getlist) {
+               my $c = "$wget -N -nd $verbose -P $libdir $options";
     foreach (@ARGV) {
         $c .= " $_";
     }
-    foreach (@getlist) {
-        $c .= " $blars$_";
-    }
+               my $destfile = $libdir."/".$_;
+               copy($destfile,$destfile.".bak");
+               $c .= " $blars$_ -O ".$destfile;
     $c .= ' 2>&1';
     open WGET, "-|", $c or die "Could not execute: $c";
     if ($quiet) {
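Review bot: The return value of `copy($destfile,$destfile.".bak")` is unchecked, so on a first run (no existing `$destfile`) or a copy failure there is no backup, and the restore path in the next hunk has nothing to rename back while the invalid download stays in place. Keep the result, e.g. `my $have_bak = copy($destfile, "$destfile.bak") or warn "backup of $destfile: $!";`, and use it in the validity check to unlink `$destfile` instead of renaming when no backup exists. Combining wget's `-N` with the new `-O $destfile` may also defeat timestamping (I believe wget treats the two as incompatible), so every run now refetches — verify against the shipped wget. The `foreach (@getlist)` body opened here continues into the next hunk.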
@@ -55,7 +57,20 @@
     } else {
        print STDERR $_ while ($_ = <WGET>);
     }
+
+               # Check it's a valid perl file
+               my @args = ("perl","-c",$destfile);
+               my $foo = qx/ @args /;
+               undef $foo;
+               if ($? >> 8 != 0) {
+                       print STDERR "File $destfile is invalid, restoring\n";
+                       rename $destfile.".bak",$destfile;
+               } else {
+                       unlink $destfile.".bak";
+               }
+       }
 }
+
 print STDERR $capt if ($?);
 
 exit($?);
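Review bot: `perl -c $destfile` is not a safe validator for a file that was just downloaded: `-c` still executes `BEGIN` blocks and `use` statements in the file, so the check runs code from the fetched file before deciding whether to keep it; it should be treated as a syntax check only, and the comment at `# Check it's a valid perl file` should say so. The check also accepts an empty file (`perl -c` on an empty file reports syntax OK), and I see no `close WGET` in the loop, so wget's exit status is never examined before the backup is unlinked — a failed or truncated download that still parses replaces the good copy. `rename` on the restore path is unchecked, and `exit($?)` at the end now reports the status of the last `perl -c` rather than of wget. Close the pipe, fold the download status and a size check into the decision, and report a restore failure:
```perl
                # … unchanged: quiet/verbose wget output loop …
                close WGET;
                my $wget_status = $? >> 8;

                # Syntax check only: perl -c still runs BEGIN/use blocks in $destfile
                my @args = ("perl","-c",$destfile);
                my $foo = qx/ @args /;
                undef $foo;
                if ($wget_status != 0 || $? >> 8 != 0 || ! -s $destfile) {
                        print STDERR "File $destfile is invalid, restoring\n";
                        rename "$destfile.bak", $destfile
                                or warn "Could not restore $destfile: $!";
                } else {
                        unlink "$destfile.bak";
                }
```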
only in patch2:
unchanged:
--- hinfo-1.02.orig/hinfo
+++ hinfo-1.02/hinfo
@@ -894,6 +894,11 @@
                if (! exists $var{$varname} && $verbose >= 0) {
                    print STDERR "Warning: Unknown variable $varname set in 
$rcfile\n";
                }
+               # Don't allow the pager variable to be set, it can be used for 
command
+               # execution
+               if ($varname =~ /\$pager/) {
+                       next;
+               }
                $var{$varname} = $x;
                if ($rc =~ /\G\;\s*/sgc) {
                    next;
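Review bot: `/\$pager/` is an unanchored substring match that only fires if `$varname` carries the literal `$` sigil; the hunk does not show how `$varname` is parsed (the warning above prints it bare), so if it holds just `pager` the guard never triggers and the rc-file setting still reaches `$var{$varname} = $x`. Anchor it and make the sigil optional, `if ($varname =~ /\A\$?pager\z/) { next; }`, and confirm the form of `$varname` against the parser above the hunk. The `next` also bypasses the `$rc =~ /\G\;\s*/sgc` consumption of the trailing separator at the end of the hunk; whether the loop head copes with an unconsumed `;` is outside this hunk, so check it. A message on the skipped path, `print STDERR "Ignoring pager setting in $rcfile\n" if $verbose >= 0;`, would make the silent drop visible to users.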
