Version bump and apply fixes from upstream for CVE-2009-4029 #295357.

(Portage version: 2.2_rc55/cvs/Linux x86_64)

3 files changed, 185 insertions, 0 deletions

diff --git a/sys-devel/automake/files/automake-1.4-CVE-2009-4029.patch b/sys-devel/automake/files/automake-1.4-CVE-2009-4029.patch
new file mode 100644
index 000000000000..42aef8c8e1bc
--- /dev/null
+++ b/sys-devel/automake/files/automake-1.4-CVE-2009-4029.patch
@@ -0,0 +1,65 @@
+http://bugs.gentoo.org/295357
+
+(Makefile.in mangled a little for 1.4_p6)
+
+From 449d20aa12e13fefd848604225fc83d0c39c61d0 Mon Sep 17 00:00:00 2001
+From: Jim Meyering <meyering@redhat.com>
+Date: Tue, 1 Dec 2009 22:48:15 +0100
+Subject: [PATCH 1/1] do not put world-writable directories in distribution tarballs
+
+* automake.in (handle_dist_worker): Do not make all directories
+group- or world-writable.  Instead, use 755.
+
+Signed-off-by: Ralf Wildenhues <Ralf.Wildenhues@gmx.de>
+---
+ Makefile.in |    4 ++--
+ automake.in |    4 ++--
+ 4 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 93da407..59eb9f4 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -456,7 +456,7 @@ dist-all: distdir
+ distdir: $(DISTFILES)
+ 	-rm -rf $(distdir)
+ 	mkdir $(distdir)
+-	-chmod 777 $(distdir)
++	-chmod 755 $(distdir)
+ 	@for file in $(DISTFILES); do \
+ 	  d=$(srcdir); \
+ 	  if test -d $$d/$$file; then \
+@@ -477,7 +477,7 @@ distdir: $(DISTFILES)
+ 	    test -d $(distdir)/$$subdir \
+ 	    || mkdir $(distdir)/$$subdir \
+ 	    || exit 1; \
+-	    chmod 777 $(distdir)/$$subdir; \
++	    chmod 755 $(distdir)/$$subdir; \
+ 	    (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(distdir) distdir=../$(distdir)/$$subdir distdir) \
+ 	      || exit 1; \
+ 	  fi; \
+diff --git a/automake.in b/automake.in
+index 8eceea7..8f48236 100755
+--- a/automake.in
++++ b/automake.in
+@@ -2336,7 +2336,7 @@ sub handle_dist_worker
+ 	# Create dist directory.
+ 	$output_rules .= ("\t-rm -rf \$(distdir)\n"
+ 			  . "\tmkdir \$(distdir)\n"
+-			  . "\t-chmod 777 \$(distdir)\n");
++			  . "\t-chmod 755 \$(distdir)\n");
+     }
+ 
+     # Only run automake in `dist' target if --include-deps and
+@@ -2468,7 +2468,7 @@ sub handle_dist_worker
+ 	     . "\t" . '    test -d $(distdir)/$$subdir ' . "\\\n"
+ 	     . "\t" . '    || mkdir $(distdir)/$$subdir ' . "\\\n"
+ 	     . "\t" . '    || exit 1; ' . "\\\n"
+-	     . "\t" . '    chmod 777 $(distdir)/$$subdir; ' . "\\\n"
++	     . "\t" . '    chmod 755 $(distdir)/$$subdir; ' . "\\\n"
+ 	     . "\t" . '    (cd $$subdir'
+ 	     . ' && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$('
+ 	     . (($relative_dir eq '.') ? 'distdir' : 'top_distdir')
+-- 
+1.6.5.4
+
diff --git a/sys-devel/automake/files/automake-1.5-CVE-2009-4029.patch b/sys-devel/automake/files/automake-1.5-CVE-2009-4029.patch
new file mode 100644
index 000000000000..d91139b30178
--- /dev/null
+++ b/sys-devel/automake/files/automake-1.5-CVE-2009-4029.patch
@@ -0,0 +1,60 @@
+http://bugs.gentoo.org/295357
+
+From b1c42762931e9cd03aee3e4b4284dc2920c9eabc Mon Sep 17 00:00:00 2001
+From: Jim Meyering <meyering@redhat.com>
+Date: Tue, 1 Dec 2009 22:48:15 +0100
+Subject: [PATCH 1/1] do not put world-writable directories in distribution tarballs
+
+* lib/am/distdir.am (distdir): Do not make all directories
+group- or world-writable.  Instead, use 755.
+
+Signed-off-by: Ralf Wildenhues <Ralf.Wildenhues@gmx.de>
+---
+ Makefile.in       |    3 ++-
+ lib/am/distdir.am |    9 +++------
+ 4 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index ebbfd2f..76991db 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -379,7 +379,8 @@ distdir: $(DISTFILES)
+ 	$(MAKE) $(AM_MAKEFLAGS) \
+ 	  top_distdir="${top_distdir}" distdir="$(distdir)" \
+ 	  dist-info
+-	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
++	-find "$(distdir)" -type d ! -perm -755 \
++		-exec chmod u+rwx,go+rx {} \; -o \
+ 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+ 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+ 	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+diff --git a/lib/am/distdir.am b/lib/am/distdir.am
+index e808966..0a01c4e 100644
+--- a/lib/am/distdir.am
++++ b/lib/am/distdir.am
+@@ -127,11 +127,7 @@ if %?DIST-TARGETS%
+ endif %?DIST-TARGETS%
+ ##
+ ## This complex find command will try to avoid changing the modes of
+-## links into the source tree, in case they're hard-linked.  It will
+-## also make directories writable by everybody, because some
+-## brain-dead tar implementations change ownership and permissions of
+-## a directory before extracting the files, thus becoming unable to
+-## extract them.
++## links into the source tree, in case they're hard-linked.
+ ##
+ ## Ignore return result from chmod, because it might give an error
+ ## if we chmod a symlink.
+@@ -144,7 +140,8 @@ endif %?DIST-TARGETS%
+ ## the file in place in the source tree.
+ ##
+ if %?TOPDIR_P%
+-	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
++	-find "$(distdir)" -type d ! -perm -755 \
++		-exec chmod u+rwx,go+rx {} \; -o \
+ 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+ 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+ 	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+-- 
+1.6.5.4
+
diff --git a/sys-devel/automake/files/automake-1.8.5-CVE-2009-4029.patch b/sys-devel/automake/files/automake-1.8.5-CVE-2009-4029.patch
new file mode 100644
index 000000000000..9e42e52c80bd
--- /dev/null
+++ b/sys-devel/automake/files/automake-1.8.5-CVE-2009-4029.patch
@@ -0,0 +1,60 @@
+http://bugs.gentoo.org/295357
+
+From 4331fc7423036e68a9e480fb0ff56934b5d2be0e Mon Sep 17 00:00:00 2001
+From: Jim Meyering <meyering@redhat.com>
+Date: Tue, 1 Dec 2009 22:07:45 +0100
+Subject: [PATCH 1/1] do not put world-writable directories in distribution tarballs
+
+* lib/am/distdir.am (distdir): Do not make all directories
+group- or world-writable.  Instead, use 755.
+
+Signed-off-by: Ralf Wildenhues <Ralf.Wildenhues@gmx.de>
+---
+ Makefile.in       |    3 ++-
+ lib/am/distdir.am |    9 +++------
+ 4 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index f6971b4..c753eaa 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -389,7 +389,8 @@ distdir: $(DISTFILES)
+ 	      || exit 1; \
+ 	  fi; \
+ 	done
+-	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
++	-find "$(distdir)" -type d ! -perm -755 \
++		-exec chmod u+rwx,go+rx {} \; -o \
+ 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+ 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+ 	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+diff --git a/lib/am/distdir.am b/lib/am/distdir.am
+index 0ed0593..91dbe6b 100644
+--- a/lib/am/distdir.am
++++ b/lib/am/distdir.am
+@@ -190,11 +190,7 @@ if %?DIST-TARGETS%
+ endif %?DIST-TARGETS%
+ ##
+ ## This complex find command will try to avoid changing the modes of
+-## links into the source tree, in case they're hard-linked.  It will
+-## also make directories writable by everybody, because some
+-## brain-dead tar implementations change ownership and permissions of
+-## a directory before extracting the files, thus becoming unable to
+-## extract them.
++## links into the source tree, in case they're hard-linked.
+ ##
+ ## Ignore return result from chmod, because it might give an error
+ ## if we chmod a symlink.
+@@ -207,7 +203,8 @@ endif %?DIST-TARGETS%
+ ## the file in place in the source tree.
+ ##
+ if %?TOPDIR_P%
+-	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
++	-find "$(distdir)" -type d ! -perm -755 \
++		-exec chmod u+rwx,go+rx {} \; -o \
+ 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+ 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+ 	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+-- 
+1.6.5.4
+