- fix bnc#703665 - VUL-1: groff: missing checks for mktemp failures

(CVE-2009-5080)
- fix bnc#703666 - VUL-1: groff: insufficient number of X for mktemp
  (CVE-2009-5081)

OBS-URL: https://build.opensuse.org/package/show/M17N/groff?expand=0&rev=22
This commit is contained in:
Michal Vyskocil 2011-09-22 12:52:01 +00:00 committed by Git OBS Bridge
parent 8a7371eb3f
commit baaabb9ae1
4 changed files with 209 additions and 0 deletions

View File

@ -0,0 +1,40 @@
Index: groff-1.21/contrib/eqn2graph/eqn2graph.sh
===================================================================
--- groff-1.21.orig/contrib/eqn2graph/eqn2graph.sh 2011-09-22 14:15:22.000000000 +0200
+++ groff-1.21/contrib/eqn2graph/eqn2graph.sh 2011-09-22 14:23:55.754494862 +0200
@@ -69,6 +69,8 @@
tmp=$d/eqn2graph$$-$RANDOM
(umask 077 && mkdir $tmp) 2> /dev/null && break
+
+ tmp=
done;
if test -z "$tmp"; then
echo "$0: cannot create temporary directory" >&2
Index: groff-1.21/contrib/grap2graph/grap2graph.sh
===================================================================
--- groff-1.21.orig/contrib/grap2graph/grap2graph.sh 2011-09-22 14:15:22.000000000 +0200
+++ groff-1.21/contrib/grap2graph/grap2graph.sh 2011-09-22 14:23:55.754494862 +0200
@@ -65,6 +65,8 @@
tmp=$d/grap2graph$$-$RANDOM
(umask 077 && mkdir $tmp) 2> /dev/null && break
+
+ tmp=
done;
if test -z "$tmp"; then
echo "$0: cannot create temporary directory" >&2
Index: groff-1.21/contrib/pic2graph/pic2graph.sh
===================================================================
--- groff-1.21.orig/contrib/pic2graph/pic2graph.sh 2011-09-22 14:15:22.000000000 +0200
+++ groff-1.21/contrib/pic2graph/pic2graph.sh 2011-09-22 14:23:55.794496246 +0200
@@ -80,6 +80,8 @@
tmp=$d/pic2graph$$-$RANDOM
(umask 077 && mkdir $tmp) 2> /dev/null \
&& break
+
+ tmp=
done;
if test -z "$tmp"; then
echo "$0: cannot create temporary directory" >&2

View File

@ -0,0 +1,155 @@
Index: groff-1.21/contrib/groffer/perl/groffer.pl
===================================================================
--- groff-1.21.orig/contrib/groffer/perl/groffer.pl 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21/contrib/groffer/perl/groffer.pl 2011-09-22 14:23:55.756494935 +0200
@@ -1380,7 +1380,7 @@
########################################################################
sub main_temp {
- my $template = 'groffer_' . "$$" . '_XXXX';
+ my $template = 'groffer_' . "$$" . '_XXXXXXXXXX';
foreach ($ENV{'GROFF_TMPDIR'}, $ENV{'TMPDIR'}, $ENV{'TMP'}, $ENV{'TEMP'},
$ENV{'TEMPDIR'}, File::Spec->catfile($ENV{'HOME'}, 'tmp')) {
if ($_ && -d $_ && -w $_) {
@@ -1411,12 +1411,12 @@
# further argument: SUFFIX => '.sh'
if ($Debug{'KEEP'}) {
- ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', DIR => $tmpdir);
- ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', DIR => $tmpdir);
+ ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', DIR => $tmpdir);
+ ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', DIR => $tmpdir);
} else {
- ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', UNLINK => 1,
+ ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', UNLINK => 1,
DIR => $tmpdir);
- ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', UNLINK => 1,
+ ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', UNLINK => 1,
DIR => $tmpdir);
}
} # main_temp()
Index: groff-1.21/contrib/groffer/perl/roff2.pl
===================================================================
--- groff-1.21.orig/contrib/groffer/perl/roff2.pl 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21/contrib/groffer/perl/roff2.pl 2011-09-22 14:23:55.783495865 +0200
@@ -124,7 +124,7 @@
last;
}
}
- my $template = $Name . '_XXXX';
+ my $template = $Name . '_XXXXXXXXXX';
my ($fh, $stdin);
if ($tempdir) {
($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||
Index: groff-1.21/contrib/pdfmark/pdfroff.man
===================================================================
--- groff-1.21.orig/contrib/pdfmark/pdfroff.man 2011-09-22 14:15:22.000000000 +0200
+++ groff-1.21/contrib/pdfmark/pdfroff.man 2011-09-22 14:23:55.792496177 +0200
@@ -529,7 +529,7 @@
.B GROFF_TMPDIR
Identifies the directory in which
.B pdfroff
-should create temporary files.
+should create a subdirectory for its temporary files.
If
.B \%GROFF_TMPDIR
is
@@ -541,7 +541,8 @@
.B TEMP
are considered in turn, as possible temporary file repositories.
If none of these are set, then temporary files are created
-in the current directory.
+in a subdirectory of
+.BR /tmp .
.
.TP
.B GROFF_GHOSTSCRIPT_INTERPRETER
Index: groff-1.21/doc/fixinfo.sh
===================================================================
--- groff-1.21.orig/doc/fixinfo.sh 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21/doc/fixinfo.sh 2011-09-22 14:23:55.795496280 +0200
@@ -21,7 +21,9 @@
# groff.texinfo macro code. Hopefully, a new texinfo version makes it
# unnecessary.
-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-fixinfo.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
cat $1 | sed '
1 {
Index: groff-1.21/doc/groff.info-2
===================================================================
--- groff-1.21.orig/doc/groff.info-2 2010-12-31 08:33:12.000000000 +0100
+++ groff-1.21/doc/groff.info-2 2011-09-22 14:23:55.798496383 +0200
@@ -1918,9 +1918,9 @@
.sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
- (localtime(time))[2,1,0]' > /tmp/x\n[$$]
- .so /tmp/x\n[$$]
- .sy rm /tmp/x\n[$$]
+ (localtime(time))[2,1,0]' > timefile\n[$$]
+ .so timefile\n[$$]
+ .sy rm timefile\n[$$]
\nH:\nM:\nS
Note that this works by having the `perl' script (run by `sy')
Index: groff-1.21/doc/groff.texinfo
===================================================================
--- groff-1.21.orig/doc/groff.texinfo 2010-12-31 08:33:09.000000000 +0100
+++ groff-1.21/doc/groff.texinfo 2011-09-22 14:23:55.803496556 +0200
@@ -13568,9 +13568,9 @@
@pindex perl
@Example
.sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
- (localtime(time))[2,1,0]' > /tmp/x\n[$$]
-.so /tmp/x\n[$$]
-.sy rm /tmp/x\n[$$]
+ (localtime(time))[2,1,0]' > timefile\n[$$]
+.so timefile\n[$$]
+.sy rm timefile\n[$$]
\nH:\nM:\nS
@endExample
Index: groff-1.21/gendef.sh
===================================================================
--- groff-1.21.orig/gendef.sh 2010-12-31 08:33:08.000000000 +0100
+++ groff-1.21/gendef.sh 2011-09-22 14:23:55.804496590 +0200
@@ -34,11 +34,9 @@
#define $def"
done
-# Use $TMPDIR if defined. Default to cwd, for non-Unix systems
-# which don't have /tmp on each drive (we are going to remove
-# the file before we exit anyway). Put the PID in the basename,
-# since the extension can only hold 3 characters on MS-DOS.
-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-gendef.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
sed -e 's/=/ /' >$t <<EOF
$defs
@@ -46,8 +44,6 @@
test -r $file && cmp -s $t $file || cp $t $file
-rm -f $t
-
exit 0
# eof
Index: groff-1.21/src/roff/groff/pipeline.c
===================================================================
--- groff-1.21.orig/src/roff/groff/pipeline.c 2010-12-31 08:33:08.000000000 +0100
+++ groff-1.21/src/roff/groff/pipeline.c 2011-09-22 14:23:55.804496590 +0200
@@ -378,6 +378,7 @@
/* Don't use `tmpnam' here: Microsoft's implementation yields unusable
file names if current directory is on network share with read-only
root. */
+#error AUDIT: This code is only compiled under DOS
tmpfiles[0] = tempnam(tmpdir, NULL);
tmpfiles[1] = tempnam(tmpdir, NULL);

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Sep 22 12:50:27 UTC 2011 - mvyskocil@suse.cz
- fix bnc#703665 - VUL-1: groff: missing checks for mktemp failures
(CVE-2009-5080)
- fix bnc#703666 - VUL-1: groff: insufficient number of X for mktemp
(CVE-2009-5081)
-------------------------------------------------------------------
Mon Jun 27 11:14:25 UTC 2011 - mvyskocil@suse.cz

View File

@ -37,6 +37,10 @@ Patch2: groff-1.20.1-nroff-empty-LANGUAGE.patch
Patch3: groff-1.21-groffer-libexecdir.patch
Patch4: groff-1.20.1-deunicode.patch
Patch5: groff-1.21-CVE-2009-5044.patch
#PATCH-FIX-OPENSUSE: splitted patch6 and patch7 from
#http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2;content-type=text%2Fplain
Patch6: groff-1.21-CVE-2009-5080.patch
Patch7: groff-1.21-CVE-2009-5081.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: gcc-c++
@ -86,6 +90,8 @@ programs store their man pages in either /usr/share/man/ or
%patch3 -p1 -b .groffer-libexecdir
%patch4 -p1 -b .deunicode
%patch5 -p1 -b .CVE-2009-5044
%patch6 -p1 -b .CVE-2009-5080
%patch7 -p1 -b .CVE-2009-5081
%build
PATH=$PWD/src/roff/troff:$PWD/src/preproc/pic:$PWD/src/preproc/eqn:$PWD/src/preproc/tbl:$PWDsrc/preproc/refer:$PWD/src/preproc/soelim:$PATH