author | simon <simon@FreeBSD.org> | 2005-06-22 22:44:41 +0000 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2005-06-22 22:44:41 +0000 |
commit | d32661a2b4b3caa3ae361be37f912b9d62d0ebf7 (patch) | |
tree | 5da774bafdc8aa7f7a66dc9207f6ba2d1c3c9102 /archivers | |
parent | 9d03c84744cbfc04c9e3c20b356c8ea1ed843a53 (diff) | |
Fix directory traversal and permission race security vulnerabilities in
gzip, and improper argument sanitization in zgrep.
Security: CAN-2005-0758, CAN-2005-0988, CAN-2005-1228
Security: FreeBSD-SA-05:11.gzip
Obtained from: RedHat, Steve Grubb via RedHat, Debian
Approved by: maintainer timeout (4 days; security)
Diffstat (limited to 'archivers')
-rw-r--r-- | archivers/gzip/Makefile | 2 | ||||
-rw-r--r-- | archivers/gzip/files/patch-gzip.c | 62 | ||||
-rw-r--r-- | archivers/gzip/files/patch-zgrep.in | 29 |
3 files changed, 92 insertions, 1 deletions
diff --git a/archivers/gzip/Makefile b/archivers/gzip/Makefile
index 9ada5d0..aaf1569 100644
--- a/archivers/gzip/Makefile
+++ b/archivers/gzip/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME= gzip
 PORTVERSION= 1.3.5
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= archivers
 MASTER_SITES= ftp://sunfreeware.risq.qc.ca/SOURCES/ \
  ftp://sunsite.cnlab-switch.ch/mirror/solaris-freeware/SOURCES/ \
diff --git a/archivers/gzip/files/patch-gzip.c b/archivers/gzip/files/patch-gzip.c
new file mode 100644
index 0000000..afa8e0d
--- /dev/null
+++ b/archivers/gzip/files/patch-gzip.c
@@ -0,0 +1,62 @@
+--- gzip.c.orig Sat Sep 28 09:38:43 2002
++++ gzip.c Sat Jun 18 16:12:37 2005
+@@ -875,8 +875,11 @@
+ }
+
+ close(ifd);
+- if (!to_stdout && close(ofd)) {
+- write_error();
++ if (!to_stdout) {
++ /* Copy modes, times, ownership, and remove the input file */
++ copy_stat(&istat);
++ if (close(ofd))
++ write_error();
+ }
+ if (method == -1) {
+ if (!to_stdout) xunlink (ofname);
+@@ -896,10 +899,6 @@
+ }
+ fprintf(stderr, "\n");
+ }
+- /* Copy modes, times, ownership, and remove the input file */
+- if (!to_stdout) {
+- copy_stat(&istat);
+- }
+ }
+
+ /* ========================================================================
+@@ -1317,6 +1316,7 @@
+ /* Copy the base name. Keep a directory prefix intact. */
+ char *p = base_name (ofname);
+ char *base = p;
++ char *base2;
+ for (;;) {
+ *p = (char)get_char();
+ if (*p++ == '\0') break;
+@@ -1324,6 +1324,8 @@
+ error("corrupted input -- file name too large");
+ }
+ }
++ base2 = basename (base);
++ strcpy(base, base2);
+ /* If necessary, adapt the name to local OS conventions: */
+ if (!list) {
+ MAKE_LEGAL_NAME(base);
+@@ -1725,7 +1727,7 @@
+ reset_times(ofname, ifstat);
+ #endif
+ /* Copy the protection modes */
+- if (chmod(ofname, ifstat->st_mode & 07777)) {
++ if (fchmod(ofd, ifstat->st_mode & 07777)) {
+ int e = errno;
+ WARN((stderr, "%s: ", progname));
+ if (!quiet) {
+@@ -1734,7 +1736,7 @@
+ }
+ }
+ #ifndef NO_CHOWN
+- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
++ (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
+ #endif
+ remove_ofname = 0;
+ /* It's now safe to remove the input file: */
diff --git a/archivers/gzip/files/patch-zgrep.in b/archivers/gzip/files/patch-zgrep.in
new file mode 100644
index 0000000..3d1039b
--- /dev/null
+++ b/archivers/gzip/files/patch-zgrep.in
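Review bot: In the embedded hunk at gzip.c line 1324, `strcpy(base, base2);` copies between overlapping regions whenever `basename` returns a pointer into `base`, which is undefined behaviour for strcpy; `memmove(base, base2, strlen(base2) + 1);` is the safe form for stripping the directory part from the stored name. The same added line calls `basename` while the context a few lines above uses the file's own `base_name (ofname)`; no prototype for `basename` is visible here, so it is worth confirming one is in scope (an implicit `int` return would truncate the pointer on 64-bit targets) or calling `base_name` for consistency. Separately, the first embedded hunk now runs `copy_stat(&istat)`, which by its own comment removes the input file, before the result of `close(ofd)` is checked, so a write error reported at close would arrive after the original is gone; a comment there stating why that order is acceptable would help. The enclosing functions start and end outside these hunks.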
@@ -0,0 +1,29 @@
+--- zgrep.in
++++ zgrep.in
+@@ -24,7 +24,7 @@
+
+ PATH="BINDIR:$PATH"; export PATH
+
+-prog=`echo $0 | sed 's|.*/||'`
++prog=`echo "$0" | sed 's|.*/||'`
+ case "$prog" in
+ *egrep) grep=${EGREP-egrep -a} ;;
+ *fgrep) grep=${FGREP-fgrep -a} ;;
+@@ -112,12 +112,15 @@
+ fi
+ $uncompress -cdfq "$i" |
+ if test $files_with_matches -eq 1; then
+- $grep $opt "$pat" > /dev/null && echo $i
++ $grep $opt "$pat" > /dev/null && printf "%s\n" "$i"
+ elif test $files_without_matches -eq 1; then
+- $grep $opt "$pat" > /dev/null || echo $i
++ $grep $opt "$pat" > /dev/null || printf "%s\n" "$i"
+ elif test $with_filename -eq 0 && { test $# -eq 1 || test $no_filename -eq 1; }; then
+ $grep $opt "$pat"
+ else
++ i=${i//\\/\\\\}
++ i=${i//|/\\|}
++ i=${i//&/\\&}
+ if test $with_filename -eq 1; then
+ sed_script="s|^[^:]*:|${i}:|"
+ else |
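Review bot: The three added `i=${i//…}` lines in the second embedded hunk use pattern substitution, which is a bash/ksh extension rather than POSIX sh; the interpreter line of zgrep.in is outside the hunk, so if the script runs under a plain `/bin/sh` these lines would fail with a substitution error on exactly the path that builds `sed_script`. A portable equivalent is a single line, `i=$(printf '%s\n' "$i" | sed 's/[\\|&]/\\&/g')`. The escaping also leaves a newline inside a file name untouched, which would still terminate the `s|…|…|` command early, so a comment noting that limitation (or a check that rejects such names) would be useful. For consistency with the `printf "%s\n" "$i"` changes in the same hunk, the `prog=` line could use `printf '%s\n' "$0"` rather than `echo "$0"`.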