diff --git a/groff-1.18.1.1-debian-538330.patch b/groff-1.18.1.1-debian-538330.patch
new file mode 100644
index 0000000..23a08eb
--- /dev/null
+++ b/groff-1.18.1.1-debian-538330.patch
@@ -0,0 +1,125 @@
+Index: groff-1.18.1.1/contrib/eqn2graph/eqn2graph.sh
+===================================================================
+--- groff-1.18.1.1.orig/contrib/eqn2graph/eqn2graph.sh 2009-10-12 13:47:56.000000000 +0200
++++ groff-1.18.1.1/contrib/eqn2graph/eqn2graph.sh 2009-10-12 15:35:07.489407486 +0200
+@@ -58,17 +58,36 @@
+ shift
+ done
+
++# create temporary directory
++tmp=
++for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP" "$TEMP" /tmp; do
++ test -z "$d" && continue
++
++ tmp=`(umask 077 && mktemp -d -q "$d/eqn2graph-XXXXXX") 2> /dev/null` \
++ && test -n "$tmp" && test -d "$tmp" \
++ && break
++
++ tmp=$d/eqn2graph$$-$RANDOM
++ (umask 077 && mkdir $tmp) 2> /dev/null && break
++
++ tmp=
++done;
++if test -z "$tmp"; then
++ echo "$0: cannot create temporary directory" >&2
++ { (exit 1); exit 1; }
++fi
++
++trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0 2 15
++
+ # Here goes:
+ # 1. Add .EQ/.EN.
+ # 2. Process through eqn(1) to emit troff markup.
+ # 3. Process through groff(1) to emit Postscript.
+ # 4. Use convert(1) to crop the Postscript and turn it into a bitmap.
+-tmp=/tmp/eqn2graph-$$
+-trap "rm ${tmp}.*" 0 2 15
+ read equation
+ (echo ".EQ"; echo 'delim $$'; echo ".EN"; echo '$'"${equation}"'$') | \
+- groff -e $groff_opts -Tps >${tmp}.ps \
+- && convert -crop 0x0 $convert_opts ${tmp}.ps ${tmp}.${format} \
+- && cat ${tmp}.${format}
++ groff -e $groff_opts -Tps >${tmp}/eng2graph.ps \
++ && convert -crop 0x0 $convert_opts ${tmp}/eng2graph.ps ${tmp}/eng2graph.${format} \
++ && cat ${tmp}/eng2graph.${format}
+
+ # End
+Index: groff-1.18.1.1/contrib/groffer/groffer.sh
+===================================================================
+--- groff-1.18.1.1.orig/contrib/groffer/groffer.sh 2009-10-12 13:47:57.000000000 +0200
++++ groff-1.18.1.1/contrib/groffer/groffer.sh 2009-10-12 16:11:39.887806243 +0200
+@@ -2910,11 +2910,7 @@
+ tmp_create()
+ {
+ func_check tmp_create '<=' 1 "$@";
+- local _tmp;
+- # the output file does not have `,' as first character
+- _tmp="${_TMP_DIR}/,$1";
+- echo -n >"${_tmp}";
+- echo -n "${_tmp}"; # output file name
++ mktemp "${_TMP_DIR}/,$1.XXXXXX"
+ eval "${return_ok}";
+ }
+
+Index: groff-1.18.1.1/contrib/pic2graph/pic2graph.sh
+===================================================================
+--- groff-1.18.1.1.orig/contrib/pic2graph/pic2graph.sh 2009-10-12 13:47:56.000000000 +0200
++++ groff-1.18.1.1/contrib/pic2graph/pic2graph.sh 2009-10-12 16:24:13.815806026 +0200
+@@ -68,16 +68,35 @@
+ eqndelim="delim $eqndelim"
+ fi
+
++# create temporary directory
++tmp=
++for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP" "$TEMP" /tmp; do
++ test -z "$d" && continue
++
++ tmp=`(umask 077 && mktemp -d -q "$d/pic2graph-XXXXXX") 2> /dev/null` \
++ && test -n "$tmp" && test -d "$tmp" \
++ && break
++
++ tmp=$d/pic2graph$$-$RANDOM
++ (umask 077 && mkdir $tmp) 2> /dev/null && break
++
++ tmp=
++done;
++if test -z "$tmp"; then
++ echo "$0: cannot create temporary directory" >&2
++ { (exit 1); exit 1; }
++fi
++
++trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0 2 15
++
+ # Here goes:
+ # 1. Wrap the input in dummy .PS/PE macros (and add possibly null .EQ/.EN)
+ # 2. Process through eqn and pic to emit troff markup.
+ # 3. Process through groff to emit Postscript.
+ # 4. Use convert(1) to crop the PostScript and turn it into a bitmap.
+-tmp=/tmp/pic2graph-$$
+-trap "rm ${tmp}.*" 0 2 15
+ (echo ".EQ"; echo $eqndelim; echo ".EN"; echo ".PS"; cat; echo ".PE") | \
+- groff -e -p $groffpic_opts -Tps >${tmp}.ps \
+- && convert -crop 0x0 $convert_opts ${tmp}.ps ${tmp}.${format} \
+- && cat ${tmp}.${format}
++ groff -e -p $groffpic_opts -Tps >${tmp}/pic2graph.ps \
++ && convert -crop 0x0 $convert_opts ${tmp}/pic2graph.ps ${tmp}/pic2graph.${format} \
++ && cat ${tmp}/pic2graph.${format}
+
+ # End
+Index: groff-1.18.1.1/doc/groff.texinfo
+===================================================================
+--- groff-1.18.1.1.orig/doc/groff.texinfo 2002-10-02 18:45:19.000000000 +0200
++++ groff-1.18.1.1/doc/groff.texinfo 2009-10-12 16:29:27.300306251 +0200
+@@ -11605,9 +11605,9 @@
+ @pindex perl
+ @Example
+ .sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
+- (localtime(time))[2,1,0]' > /tmp/x\n[$$]
+-.so /tmp/x\n[$$]
+-.sy rm /tmp/x\n[$$]
++ (localtime(time))[2,1,0]' > timefile\n[$$]
++.so timefile\n[$$]
++.sy rm timefile\n[$$]
+ \nH:\nM:\nS
+ @endExample
+
diff --git a/groff.changes b/groff.changes
index 17ae3e3..977b48e 100644
--- a/groff.changes
+++ b/groff.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Oct 14 13:48:20 UTC 2009 - mvyskocil@suse.cz
+
+- fixed bnc#529557 - groff: insecure file handling
+
 -------------------------------------------------------------------
 Mon Sep 21 11:11:05 CEST 2009 - tiwai@suse.de
diff --git a/groff.spec b/groff.spec
index 5877457..5967d7e 100644
--- a/groff.spec
+++ b/groff.spec
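Review bot: The cleanup trap that groff-1.18.1.1-debian-538330.patch adds to eqn2graph.sh and pic2graph.sh runs `rm -rf $tmp` unquoted, and `$tmp` is derived from `$GROFF_TMPDIR`, `$TMPDIR`, `$TMP` or `$TEMP`, so a directory name containing whitespace or glob characters is word-split and the recursive delete is applied to paths the script never created; the fallback `mkdir $tmp` and the `${tmp}/…` redirections are unquoted as well. I would write `trap 'exit_status=$?; rm -rf -- "$tmp"; exit $exit_status' 0 2 15`, which also stops a failed `rm` from swallowing the `exit` on INT/TERM. In groffer.sh the new `tmp_create` ignores the exit status of `mktemp` and still falls through to `eval "${return_ok}"`, so a failure hands the caller an empty file name; check the status and report the error there, and confirm that no caller (outside this hunk) relied on the old fixed name `${_TMP_DIR}/,$1`. The intermediate files are named `eng2graph.*` in eqn2graph.sh, which looks like a typo for `eqn2graph`.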
@@ -29,7 +29,7 @@ Obsoletes: jgroff
 PreReq: %fillup_prereq %install_info_prereq
 AutoReqProv: on
 Version: 1.18.1.1
-Release: 170
+Release: 171
 Summary: GNU troff Document Formatting System
 Url: http://www.gnu.org/software/groff/groff.html
 # cvs -z3 -d:pserver:anonymous@cvs.savannah.gnu.org:/sources/groff co groff
@@ -55,6 +55,7 @@ Patch13: fgets-overflow.patch
 Patch14: groff-1.18.1.1-destbufferoverflow.patch
 Patch446710: bnc446710.patch
 Patch540600: nroff-empty-LANGUAGE-fix.diff
+Patch15: groff-1.18.1.1-debian-538330.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -92,6 +93,7 @@ Authors:
 %patch14
 %patch446710 -p1
 %patch540600 -p1
+%patch15 -p1 -b .debian-538330
 %build
 # remove empty backups
diff --git a/gxdview.spec b/gxdview.spec
index 2ebb245..d662292 100644
--- a/gxdview.spec
+++ b/gxdview.spec
@@ -25,7 +25,7 @@ AutoReqProv: on
 Requires: groff
 Conflicts: jgxdview
 Version: 1.18.1.1
-Release: 211
+Release: 212
 Summary: Ditroff Output Displayer for Groff
 Url: http://www.gnu.org/software/groff/groff.html
 Source0: ftp://ftp.gnu.org/gnu/groff/groff-1.18.1.1.tar.bz2