authorSimon L. B. Nielsen <simon@FreeBSD.org>2005-04-12 08:24:48 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2005-04-12 08:24:48 +0000
commit2a6230f941145a41b174c031e2e9c8184eaf5903 (patch)
treee03b739133edfaa26c5753c065ce6ffd73e74421 /ports-mgmt
parentupgrade to 0.74 (diff)
Fix and document insecure temporary file handling in portupgrade.
Security: CAN-2005-0610 Security: http://vuxml.FreeBSD.org/22f00553-a09d-11d9-a788-0001020eed82.html Approved by: erwin (mentor), maintainer timeout OK'ed by: portmgr Reviewed by: nectar
Notes
Notes: svn path=/head/; revision=133127
Diffstat (limited to 'ports-mgmt')
-rw-r--r--ports-mgmt/portupgrade-devel/Makefile2
-rw-r--r--ports-mgmt/portupgrade-devel/files/patch-CAN-2005-061068
-rw-r--r--ports-mgmt/portupgrade/Makefile2
-rw-r--r--ports-mgmt/portupgrade/files/patch-CAN-2005-061068
4 files changed, 138 insertions, 2 deletions
diff --git a/ports-mgmt/portupgrade-devel/Makefile b/ports-mgmt/portupgrade-devel/Makefile
index 75fe60b2e425..999d63e9e490 100644
--- a/ports-mgmt/portupgrade-devel/Makefile
+++ b/ports-mgmt/portupgrade-devel/Makefile
@@ -7,7 +7,7 @@
PORTNAME= portupgrade
PORTVERSION= 20041226
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= ftp://ftp.iDaemons.org/pub/distfiles/ \
${MASTER_SITE_LOCAL}
diff --git a/ports-mgmt/portupgrade-devel/files/patch-CAN-2005-0610 b/ports-mgmt/portupgrade-devel/files/patch-CAN-2005-0610
new file mode 100644
index 000000000000..9e5a01a0b2a3
--- /dev/null
+++ b/ports-mgmt/portupgrade-devel/files/patch-CAN-2005-0610
@@ -0,0 +1,68 @@
+diff -ru ../orig.pkgtools-20041224/lib/pkgdb.rb ./lib/pkgdb.rb
+--- ../orig.pkgtools-20041224/lib/pkgdb.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgdb.rb Tue Mar 29 00:27:02 2005
+@@ -97,7 +97,7 @@
+
+ @db_file = File.join(@db_dir, 'pkgdb.db')
+ @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+- @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++ @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+ @db_filebase = @db_file.sub(/\.db$/, '')
+ close_db
+
+diff -ru ../orig.pkgtools-20041224/lib/pkgsqldb.rb ./lib/pkgsqldb.rb
+--- ../orig.pkgtools-20041224/lib/pkgsqldb.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgsqldb.rb Tue Mar 29 00:29:51 2005
+@@ -74,7 +74,7 @@
+
+ @db_file = File.join(@db_dir, 'pkgdb.sqldb')
+ @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+- @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++ @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+ close_db
+
+ @db_dir
+diff -ru ../orig.pkgtools-20041224/lib/pkgtools.rb ./lib/pkgtools.rb
+--- ../orig.pkgtools-20041224/lib/pkgtools.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgtools.rb Wed Mar 30 23:51:50 2005
+@@ -204,7 +204,7 @@
+ $ports_dir = $portsdb.ports_dir
+ $packages_base = ENV['PACKAGES'] || File.join($ports_dir, 'packages')
+ $packages_dir = File.join($packages_base, 'All')
+- $tmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++ init_tmpdir
+ $pkg_path = ENV['PKG_PATH'] || $packages_dir
+
+ $pkg_sites = (ENV['PKG_SITES'] || '').split
+@@ -222,6 +222,31 @@
+
+ $portsdb.ignore_categories = config_value(:IGNORE_CATEGORIES) || []
+ $portsdb.extra_categories = config_value(:EXTRA_CATEGORIES) || []
++end
++
++def init_tmpdir
++ maintmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++ if !FileTest.directory?(maintmpdir)
++ raise "Temporary directory #{maintmpdir} does not exist"
++ end
++
++ cmdline = shelljoin("/usr/bin/mktemp", "-d", maintmpdir + "/portupgradeXXXXXXXX")
++ pipe = IO.popen(cmdline)
++ tmpdir = pipe.gets
++ pipe.close
++ if $? != 0 || tmpdir.nil? || tmpdir.length == 0
++ raise "Could not create temporary directory in #{maintmpdir}"
++ end
++ tmpdir.chomp!
++
++ at_exit {
++ begin
++ Dir.delete(tmpdir)
++ rescue
++ warning_message "Could not clean up temporary directory: " + $!
++ end
++ }
++ $tmpdir=tmpdir
+ end
+
+ def parse_pattern(str, regex = false)
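Review bot: The `at_exit` cleanup in `init_tmpdir` builds its warning with `"Could not clean up temporary directory: " + $!`, but `$!` is an exception object rather than a String, so the concatenation depends on implicit conversion; on Ruby versions that lack it, the `rescue` body itself raises TypeError and the warning is lost. Interpolation works everywhere: `warning_message "Could not clean up temporary directory: #{$!}"`. Separately, `Dir.delete` removes only an empty directory, so any file a caller leaves in `$tmpdir` means the private directory stays behind under `maintmpdir` with nothing but this warning. The same lines are added again by the identical patch at `ports-mgmt/portupgrade/files/patch-CAN-2005-0610`.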
diff --git a/ports-mgmt/portupgrade/Makefile b/ports-mgmt/portupgrade/Makefile
index 75fe60b2e425..999d63e9e490 100644
--- a/ports-mgmt/portupgrade/Makefile
+++ b/ports-mgmt/portupgrade/Makefile
@@ -7,7 +7,7 @@
PORTNAME= portupgrade
PORTVERSION= 20041226
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= ftp://ftp.iDaemons.org/pub/distfiles/ \
${MASTER_SITE_LOCAL}
diff --git a/ports-mgmt/portupgrade/files/patch-CAN-2005-0610 b/ports-mgmt/portupgrade/files/patch-CAN-2005-0610
new file mode 100644
index 000000000000..9e5a01a0b2a3
--- /dev/null
+++ b/ports-mgmt/portupgrade/files/patch-CAN-2005-0610
@@ -0,0 +1,68 @@
+diff -ru ../orig.pkgtools-20041224/lib/pkgdb.rb ./lib/pkgdb.rb
+--- ../orig.pkgtools-20041224/lib/pkgdb.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgdb.rb Tue Mar 29 00:27:02 2005
+@@ -97,7 +97,7 @@
+
+ @db_file = File.join(@db_dir, 'pkgdb.db')
+ @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+- @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++ @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+ @db_filebase = @db_file.sub(/\.db$/, '')
+ close_db
+
+diff -ru ../orig.pkgtools-20041224/lib/pkgsqldb.rb ./lib/pkgsqldb.rb
+--- ../orig.pkgtools-20041224/lib/pkgsqldb.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgsqldb.rb Tue Mar 29 00:29:51 2005
+@@ -74,7 +74,7 @@
+
+ @db_file = File.join(@db_dir, 'pkgdb.sqldb')
+ @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+- @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++ @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+ close_db
+
+ @db_dir
+diff -ru ../orig.pkgtools-20041224/lib/pkgtools.rb ./lib/pkgtools.rb
+--- ../orig.pkgtools-20041224/lib/pkgtools.rb Wed Mar 23 21:37:47 2005
++++ ./lib/pkgtools.rb Wed Mar 30 23:51:50 2005
+@@ -204,7 +204,7 @@
+ $ports_dir = $portsdb.ports_dir
+ $packages_base = ENV['PACKAGES'] || File.join($ports_dir, 'packages')
+ $packages_dir = File.join($packages_base, 'All')
+- $tmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++ init_tmpdir
+ $pkg_path = ENV['PKG_PATH'] || $packages_dir
+
+ $pkg_sites = (ENV['PKG_SITES'] || '').split
+@@ -222,6 +222,31 @@
+
+ $portsdb.ignore_categories = config_value(:IGNORE_CATEGORIES) || []
+ $portsdb.extra_categories = config_value(:EXTRA_CATEGORIES) || []
++end
++
++def init_tmpdir
++ maintmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++ if !FileTest.directory?(maintmpdir)
++ raise "Temporary directory #{maintmpdir} does not exist"
++ end
++
++ cmdline = shelljoin("/usr/bin/mktemp", "-d", maintmpdir + "/portupgradeXXXXXXXX")
++ pipe = IO.popen(cmdline)
++ tmpdir = pipe.gets
++ pipe.close
++ if $? != 0 || tmpdir.nil? || tmpdir.length == 0
++ raise "Could not create temporary directory in #{maintmpdir}"
++ end
++ tmpdir.chomp!
++
++ at_exit {
++ begin
++ Dir.delete(tmpdir)
++ rescue
++ warning_message "Could not clean up temporary directory: " + $!
++ end
++ }
++ $tmpdir=tmpdir
+ end
+
+ def parse_pattern(str, regex = false)