9 files changed, 327 insertions, 4 deletions

diff --git a/ports-mgmt/portupgrade-devel/Makefile b/ports-mgmt/portupgrade-devel/Makefile
index 75fe60b2e425..999d63e9e490 100644
--- a/ports-mgmt/portupgrade-devel/Makefile
+++ b/ports-mgmt/portupgrade-devel/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	portupgrade
 PORTVERSION=	20041226
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 MASTER_SITES=	ftp://ftp.iDaemons.org/pub/distfiles/ \
 		${MASTER_SITE_LOCAL}
diff --git a/ports-mgmt/portupgrade-devel/files/patch-CAN-2005-0610 b/ports-mgmt/portupgrade-devel/files/patch-CAN-2005-0610
new file mode 100644
index 000000000000..9e5a01a0b2a3
--- /dev/null
+++ b/ports-mgmt/portupgrade-devel/files/patch-CAN-2005-0610
@@ -0,0 +1,68 @@
+diff -ru ../orig.pkgtools-20041224/lib/pkgdb.rb ./lib/pkgdb.rb
+--- ../orig.pkgtools-20041224/lib/pkgdb.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgdb.rb	Tue Mar 29 00:27:02 2005
+@@ -97,7 +97,7 @@
+ 
+     @db_file = File.join(@db_dir, 'pkgdb.db')
+     @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+-    @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++    @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+     @db_filebase = @db_file.sub(/\.db$/, '')
+     close_db
+ 
+diff -ru ../orig.pkgtools-20041224/lib/pkgsqldb.rb ./lib/pkgsqldb.rb
+--- ../orig.pkgtools-20041224/lib/pkgsqldb.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgsqldb.rb	Tue Mar 29 00:29:51 2005
+@@ -74,7 +74,7 @@
+ 
+     @db_file = File.join(@db_dir, 'pkgdb.sqldb')
+     @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+-    @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++    @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+     close_db
+ 
+     @db_dir
+diff -ru ../orig.pkgtools-20041224/lib/pkgtools.rb ./lib/pkgtools.rb
+--- ../orig.pkgtools-20041224/lib/pkgtools.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgtools.rb	Wed Mar 30 23:51:50 2005
+@@ -204,7 +204,7 @@
+   $ports_dir = $portsdb.ports_dir
+   $packages_base = ENV['PACKAGES'] || File.join($ports_dir, 'packages')
+   $packages_dir = File.join($packages_base, 'All')
+-  $tmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++  init_tmpdir
+   $pkg_path = ENV['PKG_PATH'] || $packages_dir
+ 
+   $pkg_sites = (ENV['PKG_SITES'] || '').split
+@@ -222,6 +222,31 @@
+ 
+   $portsdb.ignore_categories = config_value(:IGNORE_CATEGORIES) || []
+   $portsdb.extra_categories = config_value(:EXTRA_CATEGORIES) || []
++end
++
++def init_tmpdir
++  maintmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++  if !FileTest.directory?(maintmpdir)
++    raise "Temporary directory #{maintmpdir} does not exist"
++  end
++
++  cmdline = shelljoin("/usr/bin/mktemp", "-d", maintmpdir + "/portupgradeXXXXXXXX")
++  pipe = IO.popen(cmdline)
++  tmpdir = pipe.gets
++  pipe.close
++  if $? != 0 || tmpdir.nil? || tmpdir.length == 0
++    raise "Could not create temporary directory in #{maintmpdir}"
++  end
++  tmpdir.chomp!
++
++  at_exit {
++    begin
++      Dir.delete(tmpdir)
++    rescue
++      warning_message "Could not clean up temporary directory: " + $!
++    end
++    }
++  $tmpdir=tmpdir
+ end
+ 
+ def parse_pattern(str, regex = false)
diff --git a/ports-mgmt/portupgrade/Makefile b/ports-mgmt/portupgrade/Makefile
index 75fe60b2e425..999d63e9e490 100644
--- a/ports-mgmt/portupgrade/Makefile
+++ b/ports-mgmt/portupgrade/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	portupgrade
 PORTVERSION=	20041226
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 MASTER_SITES=	ftp://ftp.iDaemons.org/pub/distfiles/ \
 		${MASTER_SITE_LOCAL}
diff --git a/ports-mgmt/portupgrade/files/patch-CAN-2005-0610 b/ports-mgmt/portupgrade/files/patch-CAN-2005-0610
new file mode 100644
index 000000000000..9e5a01a0b2a3
--- /dev/null
+++ b/ports-mgmt/portupgrade/files/patch-CAN-2005-0610
@@ -0,0 +1,68 @@
+diff -ru ../orig.pkgtools-20041224/lib/pkgdb.rb ./lib/pkgdb.rb
+--- ../orig.pkgtools-20041224/lib/pkgdb.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgdb.rb	Tue Mar 29 00:27:02 2005
+@@ -97,7 +97,7 @@
+ 
+     @db_file = File.join(@db_dir, 'pkgdb.db')
+     @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+-    @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++    @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+     @db_filebase = @db_file.sub(/\.db$/, '')
+     close_db
+ 
+diff -ru ../orig.pkgtools-20041224/lib/pkgsqldb.rb ./lib/pkgsqldb.rb
+--- ../orig.pkgtools-20041224/lib/pkgsqldb.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgsqldb.rb	Tue Mar 29 00:29:51 2005
+@@ -74,7 +74,7 @@
+ 
+     @db_file = File.join(@db_dir, 'pkgdb.sqldb')
+     @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+-    @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++    @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+     close_db
+ 
+     @db_dir
+diff -ru ../orig.pkgtools-20041224/lib/pkgtools.rb ./lib/pkgtools.rb
+--- ../orig.pkgtools-20041224/lib/pkgtools.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgtools.rb	Wed Mar 30 23:51:50 2005
+@@ -204,7 +204,7 @@
+   $ports_dir = $portsdb.ports_dir
+   $packages_base = ENV['PACKAGES'] || File.join($ports_dir, 'packages')
+   $packages_dir = File.join($packages_base, 'All')
+-  $tmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++  init_tmpdir
+   $pkg_path = ENV['PKG_PATH'] || $packages_dir
+ 
+   $pkg_sites = (ENV['PKG_SITES'] || '').split
+@@ -222,6 +222,31 @@
+ 
+   $portsdb.ignore_categories = config_value(:IGNORE_CATEGORIES) || []
+   $portsdb.extra_categories = config_value(:EXTRA_CATEGORIES) || []
++end
++
++def init_tmpdir
++  maintmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++  if !FileTest.directory?(maintmpdir)
++    raise "Temporary directory #{maintmpdir} does not exist"
++  end
++
++  cmdline = shelljoin("/usr/bin/mktemp", "-d", maintmpdir + "/portupgradeXXXXXXXX")
++  pipe = IO.popen(cmdline)
++  tmpdir = pipe.gets
++  pipe.close
++  if $? != 0 || tmpdir.nil? || tmpdir.length == 0
++    raise "Could not create temporary directory in #{maintmpdir}"
++  end
++  tmpdir.chomp!
++
++  at_exit {
++    begin
++      Dir.delete(tmpdir)
++    rescue
++      warning_message "Could not clean up temporary directory: " + $!
++    end
++    }
++  $tmpdir=tmpdir
+ end
+ 
+ def parse_pattern(str, regex = false)
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 318940a8f7af..0a202a190347 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -32,6 +32,57 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="22f00553-a09d-11d9-a788-0001020eed82">
+    <topic>portupgrade -- insecure temporary file handling
+      vulnerability</topic>
+    <affects>
+      <package>
+	<name>portupgrade</name>
+	<range><lt>20041226_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Simon L. Nielsen discovered that portupgrade handles
+	  temporary files in an insecure manner.  This could allow an
+	  unprivileged local attacker to execute arbitrary commands or
+	  overwrite arbitrary files with the permissions of the user
+	  running portupgrade, typically root, by way of a symlink
+	  attack.</p>
+	<p>The following issues exist where the temporary files are
+	  created, by default in the world writeable directory
+	  /var/tmp, with the permissions of the user running
+	  portupgrade:</p>
+	<ul>
+	  <li>pkg_fetch download packages with a predictable local
+	    filename allowing a local attacker to overwrite arbitrary
+	    local files or potentially replace the downloaded package
+	    after download but before install with a package with
+	    malicious content, allowing the attacker to run arbitrary
+	    commands.</li>
+	  <li>portupgrade will, when upgrading ports/packages, write
+	    the old package to a predictable temporary file, allowing
+	    an attacker to overwrite arbitrary files via a symlink
+	    attack.</li>
+	  <li>portupgrade will <q>touch</q> a temporary temporary file
+	    with a constant filename (pkgdb.fixme) allowing an
+	    attacker to create arbitrary zero-byte files via a symlink
+	    attack.</li>
+	</ul>
+	<p>A workaround for these issues is to set the
+	  <code>PKG_TMPDIR</code> environment variable to a directory
+	  only write-able by the user running portupgrade.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CAN-2005-0610</cvename>
+    </references>
+    <dates>
+      <discovery>2005-04-12</discovery>
+      <entry>2005-04-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="ecf68408-a9f5-11d9-a788-0001020eed82">
     <topic>gaim -- jabber remote crash</topic>
     <affects>
diff --git a/sysutils/portupgrade-devel/Makefile b/sysutils/portupgrade-devel/Makefile
index 75fe60b2e425..999d63e9e490 100644
--- a/sysutils/portupgrade-devel/Makefile
+++ b/sysutils/portupgrade-devel/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	portupgrade
 PORTVERSION=	20041226
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 MASTER_SITES=	ftp://ftp.iDaemons.org/pub/distfiles/ \
 		${MASTER_SITE_LOCAL}
diff --git a/sysutils/portupgrade-devel/files/patch-CAN-2005-0610 b/sysutils/portupgrade-devel/files/patch-CAN-2005-0610
new file mode 100644
index 000000000000..9e5a01a0b2a3
--- /dev/null
+++ b/sysutils/portupgrade-devel/files/patch-CAN-2005-0610
@@ -0,0 +1,68 @@
+diff -ru ../orig.pkgtools-20041224/lib/pkgdb.rb ./lib/pkgdb.rb
+--- ../orig.pkgtools-20041224/lib/pkgdb.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgdb.rb	Tue Mar 29 00:27:02 2005
+@@ -97,7 +97,7 @@
+ 
+     @db_file = File.join(@db_dir, 'pkgdb.db')
+     @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+-    @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++    @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+     @db_filebase = @db_file.sub(/\.db$/, '')
+     close_db
+ 
+diff -ru ../orig.pkgtools-20041224/lib/pkgsqldb.rb ./lib/pkgsqldb.rb
+--- ../orig.pkgtools-20041224/lib/pkgsqldb.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgsqldb.rb	Tue Mar 29 00:29:51 2005
+@@ -74,7 +74,7 @@
+ 
+     @db_file = File.join(@db_dir, 'pkgdb.sqldb')
+     @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+-    @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++    @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+     close_db
+ 
+     @db_dir
+diff -ru ../orig.pkgtools-20041224/lib/pkgtools.rb ./lib/pkgtools.rb
+--- ../orig.pkgtools-20041224/lib/pkgtools.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgtools.rb	Wed Mar 30 23:51:50 2005
+@@ -204,7 +204,7 @@
+   $ports_dir = $portsdb.ports_dir
+   $packages_base = ENV['PACKAGES'] || File.join($ports_dir, 'packages')
+   $packages_dir = File.join($packages_base, 'All')
+-  $tmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++  init_tmpdir
+   $pkg_path = ENV['PKG_PATH'] || $packages_dir
+ 
+   $pkg_sites = (ENV['PKG_SITES'] || '').split
+@@ -222,6 +222,31 @@
+ 
+   $portsdb.ignore_categories = config_value(:IGNORE_CATEGORIES) || []
+   $portsdb.extra_categories = config_value(:EXTRA_CATEGORIES) || []
++end
++
++def init_tmpdir
++  maintmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++  if !FileTest.directory?(maintmpdir)
++    raise "Temporary directory #{maintmpdir} does not exist"
++  end
++
++  cmdline = shelljoin("/usr/bin/mktemp", "-d", maintmpdir + "/portupgradeXXXXXXXX")
++  pipe = IO.popen(cmdline)
++  tmpdir = pipe.gets
++  pipe.close
++  if $? != 0 || tmpdir.nil? || tmpdir.length == 0
++    raise "Could not create temporary directory in #{maintmpdir}"
++  end
++  tmpdir.chomp!
++
++  at_exit {
++    begin
++      Dir.delete(tmpdir)
++    rescue
++      warning_message "Could not clean up temporary directory: " + $!
++    end
++    }
++  $tmpdir=tmpdir
+ end
+ 
+ def parse_pattern(str, regex = false)
diff --git a/sysutils/portupgrade/Makefile b/sysutils/portupgrade/Makefile
index 75fe60b2e425..999d63e9e490 100644
--- a/sysutils/portupgrade/Makefile
+++ b/sysutils/portupgrade/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	portupgrade
 PORTVERSION=	20041226
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 MASTER_SITES=	ftp://ftp.iDaemons.org/pub/distfiles/ \
 		${MASTER_SITE_LOCAL}
diff --git a/sysutils/portupgrade/files/patch-CAN-2005-0610 b/sysutils/portupgrade/files/patch-CAN-2005-0610
new file mode 100644
index 000000000000..9e5a01a0b2a3
--- /dev/null
+++ b/sysutils/portupgrade/files/patch-CAN-2005-0610
@@ -0,0 +1,68 @@
+diff -ru ../orig.pkgtools-20041224/lib/pkgdb.rb ./lib/pkgdb.rb
+--- ../orig.pkgtools-20041224/lib/pkgdb.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgdb.rb	Tue Mar 29 00:27:02 2005
+@@ -97,7 +97,7 @@
+ 
+     @db_file = File.join(@db_dir, 'pkgdb.db')
+     @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+-    @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++    @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+     @db_filebase = @db_file.sub(/\.db$/, '')
+     close_db
+ 
+diff -ru ../orig.pkgtools-20041224/lib/pkgsqldb.rb ./lib/pkgsqldb.rb
+--- ../orig.pkgtools-20041224/lib/pkgsqldb.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgsqldb.rb	Tue Mar 29 00:29:51 2005
+@@ -74,7 +74,7 @@
+ 
+     @db_file = File.join(@db_dir, 'pkgdb.sqldb')
+     @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
+-    @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
++    @fixme_file = File.join(@db_dir, 'pkgdb.fixme')
+     close_db
+ 
+     @db_dir
+diff -ru ../orig.pkgtools-20041224/lib/pkgtools.rb ./lib/pkgtools.rb
+--- ../orig.pkgtools-20041224/lib/pkgtools.rb	Wed Mar 23 21:37:47 2005
++++ ./lib/pkgtools.rb	Wed Mar 30 23:51:50 2005
+@@ -204,7 +204,7 @@
+   $ports_dir = $portsdb.ports_dir
+   $packages_base = ENV['PACKAGES'] || File.join($ports_dir, 'packages')
+   $packages_dir = File.join($packages_base, 'All')
+-  $tmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++  init_tmpdir
+   $pkg_path = ENV['PKG_PATH'] || $packages_dir
+ 
+   $pkg_sites = (ENV['PKG_SITES'] || '').split
+@@ -222,6 +222,31 @@
+ 
+   $portsdb.ignore_categories = config_value(:IGNORE_CATEGORIES) || []
+   $portsdb.extra_categories = config_value(:EXTRA_CATEGORIES) || []
++end
++
++def init_tmpdir
++  maintmpdir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
++  if !FileTest.directory?(maintmpdir)
++    raise "Temporary directory #{maintmpdir} does not exist"
++  end
++
++  cmdline = shelljoin("/usr/bin/mktemp", "-d", maintmpdir + "/portupgradeXXXXXXXX")
++  pipe = IO.popen(cmdline)
++  tmpdir = pipe.gets
++  pipe.close
++  if $? != 0 || tmpdir.nil? || tmpdir.length == 0
++    raise "Could not create temporary directory in #{maintmpdir}"
++  end
++  tmpdir.chomp!
++
++  at_exit {
++    begin
++      Dir.delete(tmpdir)
++    rescue
++      warning_message "Could not clean up temporary directory: " + $!
++    end
++    }
++  $tmpdir=tmpdir
+ end
+ 
+ def parse_pattern(str, regex = false)