authorsimon <simon@FreeBSD.org>2005-04-12 08:24:48 +0000
committersimon <simon@FreeBSD.org>2005-04-12 08:24:48 +0000
commit48b207a8784fe41ed318dc94828066018959a9e5 (patch)
tree3fc4cde6e0d12d4c87162a468ed33851d079c909 /sysutils
parent8bc697940643b0d63687c7af39e53ab6db34821a (diff)
Fix and document insecure temporary file handling in portupgrade.
Security: CAN-2005-0610
Security: http://vuxml.FreeBSD.org/22f00553-a09d-11d9-a788-0001020eed82.html
Approved by: erwin (mentor), maintainer timeout
OK'ed by: portmgr
Reviewed by: nectar
Diffstat (limited to 'sysutils')
-rw-r--r--sysutils/portupgrade-devel/Makefile2
-rw-r--r--sysutils/portupgrade-devel/files/patch-CAN-2005-061068
-rw-r--r--sysutils/portupgrade/Makefile2
-rw-r--r--sysutils/portupgrade/files/patch-CAN-2005-061068
4 files changed, 138 insertions, 2 deletions
diff --git a/sysutils/portupgrade-devel/Makefile b/sysutils/portupgrade-devel/Makefile
index 75fe60b..999d63e 100644
--- a/sysutils/portupgrade-devel/Makefile
+++ b/sysutils/portupgrade-devel/Makefile
@@ -7,7 +7,7 @@
PORTNAME= portupgrade
PORTVERSION= 20041226
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= ftp://ftp.iDaemons.org/pub/distfiles/ \
${MASTER_SITE_LOCAL}
diff --git a/sysutils/portupgrade-devel/files/patch-CAN-2005-0610 b/sysutils/portupgrade-devel/files/patch-CAN-2005-0610
new file mode 100644
index 0000000..9e5a01a
--- /dev/null
+++ b/sysutils/portupgrade-devel/files/patch-CAN-2005-0610
@@ -0,0 +1,68 @@
+diff -ru ../orig.pkgtools-20041224/lib/pkgdb.rb ./lib/pkgdb.rb
+--- ../orig.pkgtools-20041224/lib/pkgdb.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgdb.rb Tue Mar 29 00:27:02 2005
+@@ -97,7 +97,7 @@
+
+ @db_file = File.join(@db_dir, 'pkgdb.db')
+ @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+- @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++ @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+ @db_filebase = @db_file.sub(/\.db$/, '')
+ close_db
+
+diff -ru ../orig.pkgtools-20041224/lib/pkgsqldb.rb ./lib/pkgsqldb.rb
+--- ../orig.pkgtools-20041224/lib/pkgsqldb.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgsqldb.rb Tue Mar 29 00:29:51 2005
+@@ -74,7 +74,7 @@
+
+ @db_file = File.join(@db_dir, 'pkgdb.sqldb')
+ @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+- @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++ @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+ close_db
+
+ @db_dir
+diff -ru ../orig.pkgtools-20041224/lib/pkgtools.rb ./lib/pkgtools.rb
+--- ../orig.pkgtools-20041224/lib/pkgtools.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgtools.rb Wed Mar 30 23:51:50 2005
+@@ -204,7 +204,7 @@
+ $ports_dir = $portsdb.ports_dir
+ $packages_base = ENV['PACKAGES'] || File.join($ports_dir, 'packages')
+ $packages_dir = File.join($packages_base, 'All')
+- $tmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++ init_tmpdir
+ $pkg_path = ENV['PKG_PATH'] || $packages_dir
+
+ $pkg_sites = (ENV['PKG_SITES'] || '').split
+@@ -222,6 +222,31 @@
+
+ $portsdb.ignore_categories = config_value(:IGNORE_CATEGORIES) || []
+ $portsdb.extra_categories = config_value(:EXTRA_CATEGORIES) || []
++end
++
++def init_tmpdir
++ maintmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++ if !FileTest.directory?(maintmpdir)
++ raise "Temporary directory #{maintmpdir} does not exist"
++ end
++
++ cmdline = shelljoin("/usr/bin/mktemp", "-d", maintmpdir + "/portupgradeXXXXXXXX")
++ pipe = IO.popen(cmdline)
++ tmpdir = pipe.gets
++ pipe.close
++ if $? != 0 || tmpdir.nil? || tmpdir.length == 0
++ raise "Could not create temporary directory in #{maintmpdir}"
++ end
++ tmpdir.chomp!
++
++ at_exit {
++ begin
++ Dir.delete(tmpdir)
++ rescue
++ warning_message "Could not clean up temporary directory: " + $!
++ end
++ }
++ $tmpdir=tmpdir
+ end
+
+ def parse_pattern(str, regex = false)
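Review bot: The at_exit cleanup in init_tmpdir calls `Dir.delete(tmpdir)`, which only removes an empty directory, so any file a tool leaves under $tmpdir makes the handler print a warning and leave the mktemp directory behind in the shared temp area. The handler should either remove the directory's contents before deleting it, or init_tmpdir should carry a comment stating that callers must delete whatever they create under $tmpdir. In the same rescue branch, `"Could not clean up temporary directory: " + $!` appends an exception object to a String and so relies on the exception converting implicitly; `warning_message "Could not clean up temporary directory: #{$!}"` does not depend on that. The identical patch is added as sysutils/portupgrade/files/patch-CAN-2005-0610, and the same points apply there.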
diff --git a/sysutils/portupgrade/Makefile b/sysutils/portupgrade/Makefile
index 75fe60b..999d63e 100644
--- a/sysutils/portupgrade/Makefile
+++ b/sysutils/portupgrade/Makefile
@@ -7,7 +7,7 @@
PORTNAME= portupgrade
PORTVERSION= 20041226
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= ftp://ftp.iDaemons.org/pub/distfiles/ \
${MASTER_SITE_LOCAL}
diff --git a/sysutils/portupgrade/files/patch-CAN-2005-0610 b/sysutils/portupgrade/files/patch-CAN-2005-0610
new file mode 100644
index 0000000..9e5a01a
--- /dev/null
+++ b/sysutils/portupgrade/files/patch-CAN-2005-0610
@@ -0,0 +1,68 @@
+diff -ru ../orig.pkgtools-20041224/lib/pkgdb.rb ./lib/pkgdb.rb
+--- ../orig.pkgtools-20041224/lib/pkgdb.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgdb.rb Tue Mar 29 00:27:02 2005
+@@ -97,7 +97,7 @@
+
+ @db_file = File.join(@db_dir, 'pkgdb.db')
+ @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+- @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++ @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+ @db_filebase = @db_file.sub(/\.db$/, '')
+ close_db
+
+diff -ru ../orig.pkgtools-20041224/lib/pkgsqldb.rb ./lib/pkgsqldb.rb
+--- ../orig.pkgtools-20041224/lib/pkgsqldb.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgsqldb.rb Tue Mar 29 00:29:51 2005
+@@ -74,7 +74,7 @@
+
+ @db_file = File.join(@db_dir, 'pkgdb.sqldb')
+ @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+- @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++ @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+ close_db
+
+ @db_dir
+diff -ru ../orig.pkgtools-20041224/lib/pkgtools.rb ./lib/pkgtools.rb
+--- ../orig.pkgtools-20041224/lib/pkgtools.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgtools.rb Wed Mar 30 23:51:50 2005
+@@ -204,7 +204,7 @@
+ $ports_dir = $portsdb.ports_dir
+ $packages_base = ENV['PACKAGES'] || File.join($ports_dir, 'packages')
+ $packages_dir = File.join($packages_base, 'All')
+- $tmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++ init_tmpdir
+ $pkg_path = ENV['PKG_PATH'] || $packages_dir
+
+ $pkg_sites = (ENV['PKG_SITES'] || '').split
+@@ -222,6 +222,31 @@
+
+ $portsdb.ignore_categories = config_value(:IGNORE_CATEGORIES) || []
+ $portsdb.extra_categories = config_value(:EXTRA_CATEGORIES) || []
++end
++
++def init_tmpdir
++ maintmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++ if !FileTest.directory?(maintmpdir)
++ raise "Temporary directory #{maintmpdir} does not exist"
++ end
++
++ cmdline = shelljoin("/usr/bin/mktemp", "-d", maintmpdir + "/portupgradeXXXXXXXX")
++ pipe = IO.popen(cmdline)
++ tmpdir = pipe.gets
++ pipe.close
++ if $? != 0 || tmpdir.nil? || tmpdir.length == 0
++ raise "Could not create temporary directory in #{maintmpdir}"
++ end
++ tmpdir.chomp!
++
++ at_exit {
++ begin
++ Dir.delete(tmpdir)
++ rescue
++ warning_message "Could not clean up temporary directory: " + $!
++ end
++ }
++ $tmpdir=tmpdir
+ end
+
+ def parse_pattern(str, regex = false)