rpms/groff
5
0
Fork 0
Code Issues Pull Requests Releases Activity

fix: CVE-2009-5044, CVE-2009-5080, CVE-2009-5081

Browse Source 
Resolves: #709415, #720060
This commit is contained in:
Jan Vcelak 2012-05-29 14:47:48 +02:00
parent b2a40aad56
commit 09ec58111a
2 changed files with 202 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
groff-cve-2009-5044_5080_5081.patch Normal file
View File

@ -0,0 +1,191 @@
Based on: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2;content-type=text%2Fplain
Resolves: #709415, #720060
Security: CVE-2009-5044 (#709413), CVE-2009-5080 (#720058), CVE-2009-5081 (#720057)
diff -uNPrp groff-1.21/contrib/eqn2graph/eqn2graph.sh groff-1.21.fix/contrib/eqn2graph/eqn2graph.sh
--- groff-1.21/contrib/eqn2graph/eqn2graph.sh 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21.fix/contrib/eqn2graph/eqn2graph.sh 2012-05-29 12:19:38.594581148 +0200
@@ -69,6 +69,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
tmp=$d/eqn2graph$$-$RANDOM
(umask 077 && mkdir $tmp) 2> /dev/null && break
+
+ tmp=
done;
if test -z "$tmp"; then
echo "$0: cannot create temporary directory" >&2
diff -uNPrp groff-1.21/contrib/gdiffmk/tests/runtests.in groff-1.21.fix/contrib/gdiffmk/tests/runtests.in
--- groff-1.21/contrib/gdiffmk/tests/runtests.in 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21.fix/contrib/gdiffmk/tests/runtests.in 2012-05-29 12:19:38.594581148 +0200
@@ -56,8 +56,9 @@ function TestResult {
fi
}
-tmpfile=/tmp/$$
-trap 'rm -f ${tmpfile}' 0 1 2 3 15
+tmpfile="`mktemp -t gdiffmk-runtests.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$tmpfile"' EXIT
+trap 'trap - EXIT; rm -f -- "$tmpfile"; exit 1' HUP INT QUIT TERM
# Run tests.
diff -uNPrp groff-1.21/contrib/grap2graph/grap2graph.sh groff-1.21.fix/contrib/grap2graph/grap2graph.sh
--- groff-1.21/contrib/grap2graph/grap2graph.sh 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21.fix/contrib/grap2graph/grap2graph.sh 2012-05-29 12:19:38.594581148 +0200
@@ -65,6 +65,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
tmp=$d/grap2graph$$-$RANDOM
(umask 077 && mkdir $tmp) 2> /dev/null && break
+
+ tmp=
done;
if test -z "$tmp"; then
echo "$0: cannot create temporary directory" >&2
diff -uNPrp groff-1.21/contrib/groffer/perl/groffer.pl groff-1.21.fix/contrib/groffer/perl/groffer.pl
--- groff-1.21/contrib/groffer/perl/groffer.pl 2012-05-29 12:19:21.425795787 +0200
+++ groff-1.21.fix/contrib/groffer/perl/groffer.pl 2012-05-29 12:19:38.595581136 +0200
@@ -1379,7 +1379,7 @@ sub _check_prog_on_list {
########################################################################
sub main_temp {
- my $template = 'groffer_' . "$$" . '_XXXX';
+ my $template = 'groffer_' . "$$" . '_XXXXXXXXXX';
foreach ($ENV{'GROFF_TMPDIR'}, $ENV{'TMPDIR'}, $ENV{'TMP'}, $ENV{'TEMP'},
$ENV{'TEMPDIR'}, File::Spec->catfile($ENV{'HOME'}, 'tmp')) {
if ($_ && -d $_ && -w $_) {
@@ -1410,12 +1410,12 @@ sub main_temp {
# further argument: SUFFIX => '.sh'
if ($Debug{'KEEP'}) {
- ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', DIR => $tmpdir);
- ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', DIR => $tmpdir);
+ ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', DIR => $tmpdir);
+ ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', DIR => $tmpdir);
} else {
- ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', UNLINK => 1,
+ ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', UNLINK => 1,
DIR => $tmpdir);
- ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', UNLINK => 1,
+ ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', UNLINK => 1,
DIR => $tmpdir);
}
} # main_temp()
diff -uNPrp groff-1.21/contrib/groffer/perl/roff2.pl groff-1.21.fix/contrib/groffer/perl/roff2.pl
--- groff-1.21/contrib/groffer/perl/roff2.pl 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21.fix/contrib/groffer/perl/roff2.pl 2012-05-29 12:19:38.595581136 +0200
@@ -124,7 +124,7 @@ if ($Has_Groffer) {
last;
}
}
- my $template = $Name . '_XXXX';
+ my $template = $Name . '_XXXXXXXXXX';
my ($fh, $stdin);
if ($tempdir) {
($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||
diff -uNPrp groff-1.21/contrib/pdfmark/pdfroff.man groff-1.21.fix/contrib/pdfmark/pdfroff.man
--- groff-1.21/contrib/pdfmark/pdfroff.man 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21.fix/contrib/pdfmark/pdfroff.man 2012-05-29 12:19:38.595581136 +0200
@@ -529,7 +529,7 @@ defaults to
.B GROFF_TMPDIR
Identifies the directory in which
.B pdfroff
-should create temporary files.
+should create a subdirectory for its temporary files.
If
.B \%GROFF_TMPDIR
is
@@ -541,7 +541,8 @@ and
.B TEMP
are considered in turn, as possible temporary file repositories.
If none of these are set, then temporary files are created
-in the current directory.
+in a subdirectory of
+.BR /tmp .
.
.TP
.B GROFF_GHOSTSCRIPT_INTERPRETER
diff -uNPrp groff-1.21/contrib/pic2graph/pic2graph.sh groff-1.21.fix/contrib/pic2graph/pic2graph.sh
--- groff-1.21/contrib/pic2graph/pic2graph.sh 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21.fix/contrib/pic2graph/pic2graph.sh 2012-05-29 12:19:38.596581124 +0200
@@ -80,6 +80,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
tmp=$d/pic2graph$$-$RANDOM
(umask 077 && mkdir $tmp) 2> /dev/null \
&& break
+
+ tmp=
done;
if test -z "$tmp"; then
echo "$0: cannot create temporary directory" >&2
diff -uNPrp groff-1.21/doc/fixinfo.sh groff-1.21.fix/doc/fixinfo.sh
--- groff-1.21/doc/fixinfo.sh 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21.fix/doc/fixinfo.sh 2012-05-29 12:19:38.596581124 +0200
@@ -21,7 +21,9 @@
# groff.texinfo macro code. Hopefully, a new texinfo version makes it
# unnecessary.
-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-fixinfo.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
cat $1 | sed '
1 {
diff -uNPrp groff-1.21/doc/groff.info-2 groff-1.21.fix/doc/groff.info-2
--- groff-1.21/doc/groff.info-2 2012-05-29 12:19:21.446795526 +0200
+++ groff-1.21.fix/doc/groff.info-2 2012-05-29 12:19:38.598581100 +0200
@@ -1918,9 +1918,9 @@ not there, `groff' would not know when t
.sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
- (localtime(time))[2,1,0]' > /tmp/x\n[$$]
- .so /tmp/x\n[$$]
- .sy rm /tmp/x\n[$$]
+ (localtime(time))[2,1,0]' > timefile\n[$$]
+ .so timefile\n[$$]
+ .sy rm timefile\n[$$]
\nH:\nM:\nS
Note that this works by having the `perl' script (run by `sy')
diff -uNPrp groff-1.21/doc/groff.texinfo groff-1.21.fix/doc/groff.texinfo
--- groff-1.21/doc/groff.texinfo 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21.fix/doc/groff.texinfo 2012-05-29 12:19:38.602581048 +0200
@@ -13568,9 +13568,9 @@ into a document:
@pindex perl
@Example
.sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
- (localtime(time))[2,1,0]' > /tmp/x\n[$$]
-.so /tmp/x\n[$$]
-.sy rm /tmp/x\n[$$]
+ (localtime(time))[2,1,0]' > timefile\n[$$]
+.so timefile\n[$$]
+.sy rm timefile\n[$$]
\nH:\nM:\nS
@endExample
diff -uNPrp groff-1.21/gendef.sh groff-1.21.fix/gendef.sh
--- groff-1.21/gendef.sh 2010-12-31 08:33:08.000000000 +0100
+++ groff-1.21.fix/gendef.sh 2012-05-29 12:19:38.604581023 +0200
@@ -34,11 +34,9 @@ do
#define $def"
done
-# Use $TMPDIR if defined. Default to cwd, for non-Unix systems
-# which don't have /tmp on each drive (we are going to remove
-# the file before we exit anyway). Put the PID in the basename,
-# since the extension can only hold 3 characters on MS-DOS.
-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-gendef.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
sed -e 's/=/ /' >$t <<EOF
$defs
@@ -46,8 +44,6 @@ EOF
test -r $file && cmp -s $t $file || cp $t $file
-rm -f $t
-
exit 0
# eof

18
groff.spec
View File

@ -3,7 +3,7 @@
Summary: A document formatting system Summary: A document formatting system
Name: groff Name: groff
Version: 1.21 Version: 1.21
Release: 8%{?dist} Release: 9%{?dist}
License: GPLv3+ and GFDL and BSD and MIT License: GPLv3+ and GFDL and BSD and MIT
Group: Applications/Publishing Group: Applications/Publishing
URL: http://groff.ffii.org URL: http://groff.ffii.org
@ -16,6 +16,7 @@ Patch3: groff-manpages-typos.patch
Patch4: groff-grofferdir-auto.patch Patch4: groff-grofferdir-auto.patch
Patch5: groff-grotty-wc-no-sgr.patch Patch5: groff-grotty-wc-no-sgr.patch
Patch6: groff-config-etc.patch Patch6: groff-config-etc.patch
Patch7: groff-cve-2009-5044_5080_5081.patch
Requires: coreutils Requires: coreutils
Requires: /sbin/install-info Requires: /sbin/install-info
@ -93,12 +94,9 @@ language and documentation for creating PDF files.
%prep %prep
%setup -q %setup -q
%patch1 -p1 -b .info-missing-x11 for patch in %patches ; do
%patch2 -p1 -b .makefile-typo %__patch %_default_patch_flags --fuzz=%_default_patch_fuzz -p1 -i $patch
%patch3 -p1 -b .manpages-typos done
%patch4 -p1 -b .grofferdir-auto
%patch5 -p1 -b .grotty-wc-no-sgr
%patch6 -p1 -b .config-etc
for file in NEWS src/devices/grolbp/grolbp.man doc/{groff.info*,webpage.ms} \ for file in NEWS src/devices/grolbp/grolbp.man doc/{groff.info*,webpage.ms} \
contrib/mm/*.man contrib/mom/examples/{README.txt,*.mom} ; do contrib/mm/*.man contrib/mom/examples/{README.txt,*.mom} ; do
@ -415,6 +413,12 @@ fi
%doc %{_docdir}/%{name}-%{version}/pdf/ %doc %{_docdir}/%{name}-%{version}/pdf/
%changelog %changelog
* Tue May 29 2012 Jan Vcelak <jvcelak@redhat.com> 1.21-9
- older security fixes (#709415, #720060):
+ CVE-2009-5044: insecure temporary file handling in pdfroff
+ CVE-2009-5080: improper handling of failed attempts to create temporary directories in eqn2graph/pic2graph/grap2graph
+ CVE-2009-5081: roff2.pl and groffer.pl use easy-to-guess temporary file names
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.21-8 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.21-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild