Accepting request 254390 from home:leonardocf:branches:Base:System

Replace at-sane-envkeys.diff by at-3.1.15-sane-envkeys.patch, a simpler fix from upstream [bsc#899160] OBS-URL: https://build.opensuse.org/request/show/254390 OBS-URL: https://build.opensuse.org/package/show/Base:System/at?expand=0&rev=93
2014-10-07 08:01:52 +00:00
parent 35c3ee1fda
commit 91d28cec0a
4 changed files with 47 additions and 61 deletions
--- a/at-3.1.15-sane-envkeys.patch
+++ b/at-3.1.15-sane-envkeys.patch
@@ -0,0 +1,39 @@
+commit 482f5962d9584d6110b940f0f51ab5919a6eb8a0
+Author: Ansgar Burchardt <ansgar@debian.org>
+Date:   Sun Sep 28 17:06:12 2014 +0200
+
+    at: only retain variables whose name consists of alphanumerics and underscores
+    
+    Since a recent security update[1] bash might export variables named
+    BASH_FUNC_*() to the environment which the serialization code in at
+    cannot handle properly.
+    
+      [1] <https://www.debian.org/security/2014/dsa-3035>
+
+Index: at-3.1.15/at.c
+===================================================================
+--- at-3.1.15.orig/at.c
+++ at-3.1.15/at.c
+@@ -390,6 +390,22 @@ writefile(time_t runtimer, char queue)
+ 	int export = 1;
+ 	char *eqp;
+ 
+        /* Only accept alphanumerics and underscore in variable names.
+         * Also require the name to not start with a digit.
+         * Some shells don't like other variable names.
+         */
+        {
+            char *p = *atenv;
+            if (isdigit(*p))
+                export = 0;
+            for (; *p != '=' && *p != '\0'; ++p) {
+                if (!isalnum(*p) && *p != '_') {
+                    export = 0;
+                    break;
+                }
+            }
+        }
+
+ 	eqp = strchr(*atenv, '=');
+ 	if (ap == NULL)
+ 	    eqp = *atenv;
--- a/at-sane-envkeys.diff
+++ b/at-sane-envkeys.diff
@@ -1,60 +0,0 @@
-From: Jan Engelhardt <jengelh@inai.de>
-Date: 2014-09-30 15:15:52.645631792 +0200
-X-Status: fixes an upstream issue
-
-Shells generally only allow setting environment variables whose keys
-are of the form /^[A-Z_][A-Z0-9_]/i. Exporting anything else is going
-to end in disaster (sh throwing syntax errors).
-
---
- at.c |   24 ++++++++++++++++++++++--
- 1 file changed, 22 insertions(+), 2 deletions(-)
-
-Index: at-3.1.14/at.c
-===================================================================
--- at-3.1.14.orig/at.c
-+++ at-3.1.14/at.c
-@@ -225,6 +225,23 @@ nextjob()
-     return jobno;
- }
- 
-+/**
-+ * @s:	string in the form of "key=value" and \0-terminated
-+ * @n:	length of key portion
-+ */
-+static bool legit_key(const char *s, size_t n)
-+{
-+	/* First char has extra restrictions: must not be a digit */
-+	if (!isalpha(*s) && *s != '_')
-+		return false;
-+	for (; n-- > 0; ++s) {
-+		if (!isalnum(*s) && *s != '_')
-+			return false;
-+		++s;
-+	}
-+	return true;
-+}
-+
- static void
- writefile(time_t runtimer, char queue)
- {
-@@ -403,7 +420,10 @@ writefile(time_t runtimer, char queue)
- 	    eqp++;
- 	}
- 
-	if (export) {
-+	if (!export || !legit_key(*atenv, eqp - *atenv)) {
-+	    continue;
-+	}
-+
- 	    fwrite(*atenv, sizeof(char), eqp - *atenv, fp);
- 	    for (ap = eqp; *ap != '\0'; ap++) {
- 		if (*ap == '\n')
-@@ -439,7 +459,6 @@ writefile(time_t runtimer, char queue)
- 	    fwrite(*atenv, sizeof(char), eqp - *atenv - 1, fp);
- 	    fputc('\n', fp);
- 
-	}
-     }
-     /* Cd to the directory at the time and write out all the
-      * commands the user supplies from stdin.
--- a/at.changes
+++ b/at.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct  6 20:32:38 UTC 2014 - lchiquitto@suse.com
+
+- Replace at-sane-envkeys.diff by at-3.1.15-sane-envkeys.patch,
+  a simpler fix from upstream [bsc#899160]
+
 -------------------------------------------------------------------
 Fri Oct  3 15:00:43 UTC 2014 - crrodriguez@opensuse.org

--- a/at.spec
+++ b/at.spec
@@ -59,7 +59,8 @@ Patch23:        at-secure_getenv.patch
 Patch24:        at-backport-old-privs.patch
 #PATCH-FEATURE-UPSTREAM introduce -o <timeformat> argument for atq (bnc#879402)
 Patch25:        at-atq-timeformat.patch
-Patch26:        at-sane-envkeys.diff
+#PATCH-FIX-UPSTREAM sanitize environment variables (bnc#899160)
+Patch26:        at-3.1.15-sane-envkeys.patch
 #PATCH-FIX-OPENSUSE use posix timers to avoid the need of suspend/resume hacks.
 Patch27:        at-3.1.14-usePOSIXtimers.patch
 BuildRequires:  autoconf >= 2.69