- fix bnc#703665 - VUL-1: groff: missing checks for mktemp failures

(CVE-2009-5080) - fix bnc#703666 - VUL-1: groff: insufficient number of X for mktemp (CVE-2009-5081) OBS-URL: https://build.opensuse.org/package/show/M17N/groff?expand=0&rev=22
2011-09-22 12:52:01 +00:00 · 2011-09-22 12:52:01 +00:00 · baaabb9ae1
commit baaabb9ae1
parent 8a7371eb3f
4 changed files with 209 additions and 0 deletions
--- a/groff-1.21-CVE-2009-5080.patch
+++ b/groff-1.21-CVE-2009-5080.patch
@ -0,0 +1,40 @@
+Index: groff-1.21/contrib/eqn2graph/eqn2graph.sh
+===================================================================
+--- groff-1.21.orig/contrib/eqn2graph/eqn2graph.sh	2011-09-22 14:15:22.000000000 +0200
+++ groff-1.21/contrib/eqn2graph/eqn2graph.sh	2011-09-22 14:23:55.754494862 +0200
+@@ -69,6 +69,8 @@
+ 
+     tmp=$d/eqn2graph$$-$RANDOM
+     (umask 077 && mkdir $tmp) 2> /dev/null && break
+
+    tmp=
+ done;
+ if test -z "$tmp"; then
+     echo "$0: cannot create temporary directory" >&2
+Index: groff-1.21/contrib/grap2graph/grap2graph.sh
+===================================================================
+--- groff-1.21.orig/contrib/grap2graph/grap2graph.sh	2011-09-22 14:15:22.000000000 +0200
+++ groff-1.21/contrib/grap2graph/grap2graph.sh	2011-09-22 14:23:55.754494862 +0200
+@@ -65,6 +65,8 @@
+ 
+     tmp=$d/grap2graph$$-$RANDOM
+     (umask 077 && mkdir $tmp) 2> /dev/null && break
+
+    tmp=
+ done;
+ if test -z "$tmp"; then
+     echo "$0: cannot create temporary directory" >&2
+
+Index: groff-1.21/contrib/pic2graph/pic2graph.sh
+===================================================================
+--- groff-1.21.orig/contrib/pic2graph/pic2graph.sh	2011-09-22 14:15:22.000000000 +0200
+++ groff-1.21/contrib/pic2graph/pic2graph.sh	2011-09-22 14:23:55.794496246 +0200
+@@ -80,6 +80,8 @@
+     tmp=$d/pic2graph$$-$RANDOM
+     (umask 077 && mkdir $tmp) 2> /dev/null \
+     && break
+
+    tmp=
+ done;
+ if test -z "$tmp"; then
+     echo "$0: cannot create temporary directory" >&2
--- a/groff-1.21-CVE-2009-5081.patch
+++ b/groff-1.21-CVE-2009-5081.patch
@ -0,0 +1,155 @@
+Index: groff-1.21/contrib/groffer/perl/groffer.pl
+===================================================================
+--- groff-1.21.orig/contrib/groffer/perl/groffer.pl	2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21/contrib/groffer/perl/groffer.pl	2011-09-22 14:23:55.756494935 +0200
+@@ -1380,7 +1380,7 @@
+ ########################################################################
+ 
+ sub main_temp {
+-  my $template = 'groffer_' . "$$" . '_XXXX';
+  my $template = 'groffer_' . "$$" . '_XXXXXXXXXX';
+   foreach ($ENV{'GROFF_TMPDIR'}, $ENV{'TMPDIR'}, $ENV{'TMP'}, $ENV{'TEMP'},
+ 	   $ENV{'TEMPDIR'}, File::Spec->catfile($ENV{'HOME'}, 'tmp')) {
+     if ($_ && -d $_ && -w $_) {
+@@ -1411,12 +1411,12 @@
+ 
+   # further argument: SUFFIX => '.sh'
+   if ($Debug{'KEEP'}) {
+-    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', DIR => $tmpdir);
+-    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', DIR => $tmpdir);
+    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', DIR => $tmpdir);
+    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', DIR => $tmpdir);
+   } else {
+-    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', UNLINK => 1,
+    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', UNLINK => 1,
+ 				   DIR => $tmpdir);
+-    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', UNLINK => 1,
+    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', UNLINK => 1,
+ 				       DIR => $tmpdir);
+   }
+ }				# main_temp()
+Index: groff-1.21/contrib/groffer/perl/roff2.pl
+===================================================================
+--- groff-1.21.orig/contrib/groffer/perl/roff2.pl	2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21/contrib/groffer/perl/roff2.pl	2011-09-22 14:23:55.783495865 +0200
+@@ -124,7 +124,7 @@
+ 	last;
+       }
+     }
+-    my $template = $Name . '_XXXX';
+    my $template = $Name . '_XXXXXXXXXX';
+     my ($fh, $stdin);
+     if ($tempdir) {
+       ($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||
+Index: groff-1.21/contrib/pdfmark/pdfroff.man
+===================================================================
+--- groff-1.21.orig/contrib/pdfmark/pdfroff.man	2011-09-22 14:15:22.000000000 +0200
+++ groff-1.21/contrib/pdfmark/pdfroff.man	2011-09-22 14:23:55.792496177 +0200
+@@ -529,7 +529,7 @@
+ .B GROFF_TMPDIR
+ Identifies the directory in which
+ .B pdfroff
+-should create temporary files.
+should create a subdirectory for its temporary files.
+ If
+ .B \%GROFF_TMPDIR
+ is
+@@ -541,7 +541,8 @@
+ .B TEMP
+ are considered in turn, as possible temporary file repositories.
+ If none of these are set, then temporary files are created
+-in the current directory.
+in a subdirectory of
+.BR /tmp .
+ .
+ .TP
+ .B GROFF_GHOSTSCRIPT_INTERPRETER
+Index: groff-1.21/doc/fixinfo.sh
+===================================================================
+--- groff-1.21.orig/doc/fixinfo.sh	2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21/doc/fixinfo.sh	2011-09-22 14:23:55.795496280 +0200
+@@ -21,7 +21,9 @@
+ # groff.texinfo macro code.  Hopefully, a new texinfo version makes it
+ # unnecessary.
+ 
+-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-fixinfo.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
+ 
+ cat $1 | sed '
+ 1 {
+Index: groff-1.21/doc/groff.info-2
+===================================================================
+--- groff-1.21.orig/doc/groff.info-2	2010-12-31 08:33:12.000000000 +0100
+++ groff-1.21/doc/groff.info-2	2011-09-22 14:23:55.798496383 +0200
+@@ -1918,9 +1918,9 @@
+ 
+ 
+           .sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
+-                       (localtime(time))[2,1,0]' > /tmp/x\n[$$]
+-          .so /tmp/x\n[$$]
+-          .sy rm /tmp/x\n[$$]
+                       (localtime(time))[2,1,0]' > timefile\n[$$]
+          .so timefile\n[$$]
+          .sy rm timefile\n[$$]
+           \nH:\nM:\nS
+ 
+      Note that this works by having the `perl' script (run by `sy')
+Index: groff-1.21/doc/groff.texinfo
+===================================================================
+--- groff-1.21.orig/doc/groff.texinfo	2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21/doc/groff.texinfo	2011-09-22 14:23:55.803496556 +0200
+@@ -13568,9 +13568,9 @@
+ @pindex perl
+ @Example
+ .sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
+-             (localtime(time))[2,1,0]' > /tmp/x\n[$$]
+-.so /tmp/x\n[$$]
+-.sy rm /tmp/x\n[$$]
+             (localtime(time))[2,1,0]' > timefile\n[$$]
+.so timefile\n[$$]
+.sy rm timefile\n[$$]
+ \nH:\nM:\nS
+ @endExample
+ 
+Index: groff-1.21/gendef.sh
+===================================================================
+--- groff-1.21.orig/gendef.sh	2010-12-31 08:33:08.000000000 +0100
+++ groff-1.21/gendef.sh	2011-09-22 14:23:55.804496590 +0200
+@@ -34,11 +34,9 @@
+ #define $def"
+ done
+ 
+-# Use $TMPDIR if defined.  Default to cwd, for non-Unix systems
+-# which don't have /tmp on each drive (we are going to remove
+-# the file before we exit anyway).  Put the PID in the basename,
+-# since the extension can only hold 3 characters on MS-DOS.
+-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-gendef.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
+ 
+ sed -e 's/=/ /' >$t <<EOF
+ $defs
+@@ -46,8 +44,6 @@
+ 
+ test -r $file && cmp -s $t $file || cp $t $file
+ 
+-rm -f $t
+-
+ exit 0
+ 
+ # eof
+Index: groff-1.21/src/roff/groff/pipeline.c
+===================================================================
+--- groff-1.21.orig/src/roff/groff/pipeline.c	2010-12-31 08:33:08.000000000 +0100
+++ groff-1.21/src/roff/groff/pipeline.c	2011-09-22 14:23:55.804496590 +0200
+@@ -378,6 +378,7 @@
+   /* Don't use `tmpnam' here: Microsoft's implementation yields unusable
+      file names if current directory is on network share with read-only
+      root. */
+#error AUDIT: This code is only compiled under DOS
+   tmpfiles[0] = tempnam(tmpdir, NULL);
+   tmpfiles[1] = tempnam(tmpdir, NULL);
+ 
--- a/groff.changes
+++ b/groff.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep 22 12:50:27 UTC 2011 - mvyskocil@suse.cz
+
+- fix bnc#703665 - VUL-1: groff: missing checks for mktemp failures
+  (CVE-2009-5080)
+- fix bnc#703666 - VUL-1: groff: insufficient number of X for mktemp
+  (CVE-2009-5081)
+
 -------------------------------------------------------------------
 Mon Jun 27 11:14:25 UTC 2011 - mvyskocil@suse.cz

--- a/groff.spec
+++ b/groff.spec
@ -37,6 +37,10 @@ Patch2:         groff-1.20.1-nroff-empty-LANGUAGE.patch
 Patch3:         groff-1.21-groffer-libexecdir.patch
 Patch4:         groff-1.20.1-deunicode.patch
 Patch5:         groff-1.21-CVE-2009-5044.patch
+#PATCH-FIX-OPENSUSE: splitted patch6 and patch7 from
+#http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2;content-type=text%2Fplain
+Patch6:         groff-1.21-CVE-2009-5080.patch
+Patch7:         groff-1.21-CVE-2009-5081.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gcc-c++
@ -86,6 +90,8 @@ programs store their man pages in either /usr/share/man/ or
 %patch3 -p1 -b .groffer-libexecdir
 %patch4 -p1 -b .deunicode
 %patch5 -p1 -b .CVE-2009-5044
+%patch6 -p1 -b .CVE-2009-5080
+%patch7 -p1 -b .CVE-2009-5081

 %build
 PATH=$PWD/src/roff/troff:$PWD/src/preproc/pic:$PWD/src/preproc/eqn:$PWD/src/preproc/tbl:$PWDsrc/preproc/refer:$PWD/src/preproc/soelim:$PATH