authorAlin Năstac <mrness@gentoo.org>2008-09-07 09:54:29 +0000
committerAlin Năstac <mrness@gentoo.org>2008-09-07 09:54:29 +0000
commitba2e08bb8a70419c40df1a773d48389d38ac8c84 (patch)
tree2705f58c2159e541d32a85c22ac20677194092a5 /net-dialup/mgetty
parentVersion bump (diff)
Fix insecure temporary file usage (#235806).
Package-Manager: portage-2.1.4.4
Diffstat (limited to 'net-dialup/mgetty')
-rw-r--r--net-dialup/mgetty/ChangeLog8
-rw-r--r--net-dialup/mgetty/Manifest10
-rw-r--r--net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch32
-rw-r--r--net-dialup/mgetty/mgetty-1.1.36-r2.ebuild156
4 files changed, 201 insertions, 5 deletions
diff --git a/net-dialup/mgetty/ChangeLog b/net-dialup/mgetty/ChangeLog
index 087a7e54afad..cf456f0607cc 100644
--- a/net-dialup/mgetty/ChangeLog
+++ b/net-dialup/mgetty/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for net-dialup/mgetty
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-dialup/mgetty/ChangeLog,v 1.88 2008/08/23 03:08:01 cardoe Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-dialup/mgetty/ChangeLog,v 1.89 2008/09/07 09:54:28 mrness Exp $
+
+*mgetty-1.1.36-r2 (07 Sep 2008)
+
+ 07 Sep 2008; Alin Năstac <mrness@gentoo.org>
+ +files/mgetty-1.1.36-tmpfile.patch, +mgetty-1.1.36-r2.ebuild:
+ Fix insecure temporary file usage (#235806).
23 Aug 2008; Doug Goldstein <cardoe@gentoo.org> metadata.xml:
add GLEP 56 USE flag desc from use.local.desc
diff --git a/net-dialup/mgetty/Manifest b/net-dialup/mgetty/Manifest
index ba1fdc243068..89a096856d36 100644
--- a/net-dialup/mgetty/Manifest
+++ b/net-dialup/mgetty/Manifest
@@ -6,14 +6,16 @@ AUX mgetty-1.1.36-callback.patch 991 RMD160 fd6b6198865a7cdafe66031014b55a07d217
AUX mgetty-1.1.36-gentoo.patch 5746 RMD160 59810be601f24213aa4cfcd7f73e0efafa8b33c9 SHA1 959bcd2da70cf8ed6d04573acdc86eee80292573 SHA256 f8124ea78ef813233aa050d25deb45c3c2c667bb8ab8a1f0ce35ef3ed74ef952
AUX mgetty-1.1.36-nofax.patch 3577 RMD160 1b6cab9f23eb3751fda601e40fe041696836d3a0 SHA1 6d797fd76b636cf950c925615fa7a2c2e99f06a9 SHA256 1b5f270d3589084bda15ef38dcb138113cbe5700287b9b7d89384f1d82867f22
AUX mgetty-1.1.36-qa-fixes.patch 3369 RMD160 0394431b71f5fbe68a7614decabf7e002dda0d00 SHA1 7c54a40b7f9cebc88d20e30d13d2ac2b37393ce9 SHA256 53a0c38440b7f0e15ca032672a3f26913f7736d9d0ddcac7919771cf816a7570
+AUX mgetty-1.1.36-tmpfile.patch 780 RMD160 47da9e282cd37cb1d078f987e002afa14efc2d0a SHA1 10375e254d68a7357d040aa1e31c18b99aa07452 SHA256 5e32f9dde78a7616a38c0a96bc83fe38e7c02a990353fba41360d487cce619a5
DIST mgetty1.1.36-Jun15.tar.gz 1046324 RMD160 421c72b8534c6665c46033d5fe1018ba1300fd50 SHA1 a9627e241502c505465a9c8ffadc09dd7d90fc02 SHA256 8b8642aa318604ad057ed161cacff5c600296cbfbc9b4d562134ee5c130c80ce
EBUILD mgetty-1.1.36-r1.ebuild 4579 RMD160 0462903172ca557842a424aff9ea30862c32dfed SHA1 3d93091e5dc8719306fd71d106f19af210768070 SHA256 1c586f27f23f0455eaf219d778ee1d03546c343ff2b26d703d5faa2040717497
-MISC ChangeLog 13898 RMD160 cf29cb2cefd00d9955a1255e95a78a91da3c7723 SHA1 223583d4c6a95006a8814645f270fc9eff5eb5b2 SHA256 110766c11153485c63ab7dfd5982b074689b80dcd2b44b1bea14c4aec2de0f4c
+EBUILD mgetty-1.1.36-r2.ebuild 4650 RMD160 66d417676a23fcf29096242a3c40bdf3e8210d19 SHA1 3898007bb5e0a472467b17be5c892f1edba881b7 SHA256 b2879dbd7c65227f82aad60f21cb7e5e5c4db930c5acc4ced4e30c86aca2cbb1
+MISC ChangeLog 14091 RMD160 484e97531f379f28ac8ca5e0b086be769bd0e669 SHA1 2d6b7772365748158c8d4572e6b9339f21eb2602 SHA256 f3fd70d4eec999d8075c3ea836484c85fac79a835122ce2570d9f9611e355ba7
MISC metadata.xml 488 RMD160 db4e5106fed1b87d107149371ea951856aadad24 SHA1 8b38e5d784b606e272aef35707a5760ba67f76b4 SHA256 2fc599d4ff24c2ea89339d5fc8c0794e5ef0b035bac0a99f1726b10363a9543d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
-iEYEARECAAYFAkivfxYACgkQoeSe8B0zEfxddwCffJQK1Y2InR01KXuso0wHVc4L
-QF8An07wJwFJRohd/WwQfaXYN8bYa+GO
-=8O8w
+iEYEARECAAYFAkjDpN4ACgkQPrHvTlXvhtvWZQCff3NaiBOiQ1fRrDEQF8i5eCWJ
+HEQAnRJP7oajVGwxHZjcTYpN35lGloF1
+=0mJt
-----END PGP SIGNATURE-----
diff --git a/net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch b/net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch
new file mode 100644
index 000000000000..e8f5c7e245f9
--- /dev/null
+++ b/net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch
@@ -0,0 +1,32 @@
+diff -Nru mgetty-1.1.36.orig/fax/faxspool.in mgetty-1.1.36/fax/faxspool.in
+--- mgetty-1.1.36.orig/fax/faxspool.in 2008-08-31 13:06:48.000000000 +0000
++++ mgetty-1.1.36/fax/faxspool.in 2008-09-07 09:44:01.000000000 +0000
+@@ -675,9 +675,7 @@
+ if [ x$file = x- ]
+ then
+ $echo "spooling $file (stdin)..."
+- trap "rm /tmp/faxsp.$$" 0
+- cat - >/tmp/faxsp.$$
+- file=/tmp/faxsp.$$
++ file=$spooldir/faxsp
+ else
+ $echo "spooling $file..."
+ fi
+@@ -924,7 +922,7 @@
+ then
+ $echo "\nnothing to do (no cover page, no data)." >&2
+ cd $FAX_SPOOL_OUT
+- rmdir $spooldir
++ rm -rf $spooldir
+ exit 52
+ fi
+
+@@ -965,7 +963,7 @@
+ # clean up
+ rm $job.q
+ cd ..
+-rmdir $spooldir
++rm -rf $spooldir
+
+ if [ -z "`find $LAST_RUN -ctime -1 -print 2>/dev/null`" ]
+ then
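Review bot: In the first faxspool.in hunk the stdin branch now only sets `file=$spooldir/faxsp`; the `cat -` that copied stdin into the file is removed and nothing visible replaces it. Unless code outside the hunk reads stdin itself, `-` input would be spooled from a file that was never written. Keeping the copy but pointing it into the job directory, `cat - >"$spooldir/faxsp"`, would preserve the old behaviour. The fix is also only as strong as the creation of `$spooldir`, which is not shown here: it has to be created in a single step that fails if the path already exists. In the two cleanup hunks the recursive delete is unquoted; `rm -rf -- "$spooldir"` avoids word splitting and globbing on the path.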
diff --git a/net-dialup/mgetty/mgetty-1.1.36-r2.ebuild b/net-dialup/mgetty/mgetty-1.1.36-r2.ebuild
new file mode 100644
index 000000000000..cb4a5257c436
--- /dev/null
+++ b/net-dialup/mgetty/mgetty-1.1.36-r2.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-dialup/mgetty/mgetty-1.1.36-r2.ebuild,v 1.1 2008/09/07 09:54:28 mrness Exp $
+
+inherit toolchain-funcs flag-o-matic eutils
+
+DESCRIPTION="fax and voice modem programs"
+SRC_URI="ftp://mgetty.greenie.net/pub/mgetty/source/1.1/${PN}${PV}-Jun15.tar.gz"
+HOMEPAGE="http://mgetty.greenie.net/"
+
+DEPEND="doc? ( virtual/latex-base virtual/texi2dvi )
+ >=sys-apps/sed-4
+ sys-apps/gawk
+ sys-apps/groff
+ dev-lang/perl
+ sys-apps/texinfo
+ fax? ( !net-misc/hylafax )"
+RDEPEND="${DEPEND}
+ fax? ( media-libs/netpbm virtual/ghostscript )"
+
+SLOT="0"
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="doc fax fidonet"
+
+pkg_setup() {
+ enewgroup fax
+ enewuser fax -1 -1 /dev/null fax
+}
+
+src_unpack() {
+ unpack ${A}
+
+ cd "${S}"
+ epatch "${FILESDIR}/${P}-gentoo.patch"
+ epatch "${FILESDIR}/${P}-qa-fixes.patch"
+ epatch "${FILESDIR}/${P}-callback.patch" # add callback install to Makefile
+ epatch "${FILESDIR}/Lucent.c.patch" # Lucent modem CallerID patch - bug #80366
+ use fax || epatch "${FILESDIR}/${P}-nofax.patch" # don't install fax related files - bug #195467
+ epatch "${FILESDIR}/${P}-tmpfile.patch" # fix security bug 235806
+
+ sed -e 's:var/log/mgetty:var/log/mgetty/mgetty:' \
+ -e 's:var/log/sendfax:var/log/mgetty/sendfax:' \
+ -e 's:\/\* \(\#define CNDFILE "dialin.config"\) \*\/:\1:' \
+ -e 's:\(\#define FAX_NOTIFY_PROGRAM\).*:\1 "/etc/mgetty+sendfax/new_fax":' \
+ "${S}/policy.h-dist" > "${S}/policy.h"
+
+ sed -i -e 's:/usr/local/lib/mgetty+sendfax:/etc/mgetty+sendfax:' faxrunq.config
+ sed -i -e 's:/usr/local/bin/g3cat:/usr/bin/g3cat:' faxrunq.config fax/faxspool.rules
+
+ sed -e "/^doc-all:/s/mgetty.asc mgetty.info mgetty.dvi mgetty.ps/mgetty.info/" \
+ -i "${S}/doc/Makefile"
+ if use doc; then
+ sed -e "s/^doc-all:/doc-all: mgetty.ps/" \
+ -i "${S}/doc/Makefile"
+ fi
+}
+
+src_compile() {
+ use fidonet && append-flags "-DFIDO"
+ append-flags "-DAUTO_PPP"
+
+ # parallel make fix later - 'sedscript' issue
+ VARTEXFONTS="${T}"/fonts make prefix=/usr \
+ CC="$(tc-getCC)" \
+ CONFDIR=/etc/mgetty+sendfax \
+ CFLAGS="${CFLAGS}" \
+ LDFLAGS="${LDFLAGS}" \
+ all vgetty || die "make failed."
+}
+
+src_install () {
+ dodir /var/spool
+ keepdir /var/log/mgetty
+ dodir /usr/share/info
+
+ make prefix="${D}/usr" \
+ INFODIR="${D}/usr/share/info" \
+ CONFDIR="${D}/etc/mgetty+sendfax" \
+ MAN1DIR="${D}/usr/share/man/man1" \
+ MAN4DIR="${D}/usr/share/man/man4" \
+ MAN5DIR="${D}/usr/share/man/man5" \
+ MAN8DIR="${D}/usr/share/man/man8" \
+ SBINDIR="${D}/usr/sbin" \
+ BINDIR="${D}/usr/bin" \
+ VOICE_DIR="${D}/var/spool/voice" \
+ PHONE_GROUP=fax \
+ PHONE_PERMS=755 \
+ spool="${D}/var/spool" \
+ install vgetty-install install-callback || die "make install failed."
+
+ #Install mgetty into /sbin (#119078)
+ dodir /sbin && \
+ mv "${D}"/usr/sbin/mgetty "${D}"/sbin && \
+ dosym /sbin/mgetty /usr/sbin/mgetty || die "failed to install /sbin/mgetty"
+ #Don't install ct (#106337)
+ rm "${D}"/usr/bin/ct || die "failed to remove useless ct program"
+
+ cd "${S}"
+ dodoc BUGS ChangeLog README.1st Recommend THANKS TODO \
+ doc/*.txt doc/modems.db || die "dodoc failed."
+ doinfo doc/mgetty.info || die "doinfo failed."
+
+ docinto vgetty
+ dodoc voice/{Readme,Announce,ChangeLog,Credits} || die "vgetty voice failed."
+
+ if use doc; then
+ dodoc doc/mgetty.ps || die "mgetty.ps failed"
+ fi
+
+ docinto vgetty/doc
+ dodoc voice/doc/*
+
+ if use fax; then
+ mv samples/new_fax.all samples_new_fax.all || die "move failed."
+ docinto samples
+ dodoc samples/*
+
+ docinto samples/new_fax
+ dodoc samples_new_fax.all/*
+ fi
+
+ if ! use fax; then
+ insinto /usr/share/${PN}/frontends
+ doins -r frontends/{voice,network}
+ else
+ insinto /usr/share/${PN}
+ doins -r frontends
+ fi
+ insinto /usr/share/${PN}
+ doins -r patches
+ insinto /usr/share/${PN}/voice
+ doins -r voice/{contrib,Perl,scripts}
+
+ diropts -m 0750 -o fax -g fax
+ dodir /var/spool/voice
+ keepdir /var/spool/voice/incoming
+ keepdir /var/spool/voice/messages
+ if use fax; then
+ dodir /var/spool/fax
+ dodir /var/spool/fax/outgoing
+ keepdir /var/spool/fax/outgoing/locks
+ keepdir /var/spool/fax/incoming
+ fi
+}
+
+pkg_postinst() {
+ elog "Users who wish to use the fax or voicemail capabilities must be members"
+ elog "of the group fax in order to access files"
+ elog
+ elog "If you want to grab voice messages from a remote location, you must save"
+ elog "the password in /var/spool/voice/.code file"
+ echo
+ ewarn "/var/spool/voice/.code and /var/spool/voice/messages/Index"
+ ewarn "are not longer created by this automatically!"
+}