author | Matt Thode <prometheanfire@gentoo.org> | 2013-06-21 14:25:15 +0000 |
---|---|---|
committer | Matt Thode <prometheanfire@gentoo.org> | 2013-06-21 14:25:15 +0000 |
commit | 56100ddf8ada2f91766d23f978b3465a68823164 (patch) | |
tree | 000b685a247fcd12303748857b55cd7c503fd599 /app-office/tpp | |
parent | Initial commit (diff) | |
fix for bug 474018 Possibility of arbitrary code execution when processing untrusted TPP template
Package-Manager: portage-2.1.11.62/cvs/Linux x86_64
Manifest-Sign-Key: 0x2471EB3E40AC5AC3
Diffstat (limited to 'app-office/tpp')
-rw-r--r-- | app-office/tpp/ChangeLog | 13 | ||||
-rw-r--r-- | app-office/tpp/Manifest | 26 | ||||
-rw-r--r-- | app-office/tpp/files/tpp-1.3.1-optional-exec.patch | 55 | ||||
-rw-r--r-- | app-office/tpp/tpp-1.3.1-r1.ebuild | 4 | ||||
-rw-r--r-- | app-office/tpp/tpp-1.3.1-r2.ebuild | 28 |
5 files changed, 119 insertions, 7 deletions
diff --git a/app-office/tpp/ChangeLog b/app-office/tpp/ChangeLog index e43a712b885d..efcafa81aa09 100644 --- a/app-office/tpp/ChangeLog +++ b/app-office/tpp/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-office/tpp -# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/ChangeLog,v 1.20 2011/06/25 06:43:45 graaff Exp $ +# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/ChangeLog,v 1.21 2013/06/21 14:25:06 prometheanfire Exp $ + +*tpp-1.3.1-r2 (21 Jun 2013) + + 21 Jun 2013; Matthew Thode <prometheanfire@gentoo.org> + +files/tpp-1.3.1-optional-exec.patch, +tpp-1.3.1-r2.ebuild, + tpp-1.3.1-r1.ebuild: + fix for bug 474018 Possibility of arbitrary code execution when processing + untrusted TPP template 25 Jun 2011; Hans de Graaff <graaff@gentoo.org> -tpp-1.3.1.ebuild: Remove old version. @@ -76,4 +84,3 @@ +files/tpp-1.1.1-Makefile.patch, +tpp-1.1.1.ebuild: Initial import. Requested by Adrian Fruehwirth <fruehwia@spengergasse.at> in bug #73938 - diff --git a/app-office/tpp/Manifest b/app-office/tpp/Manifest index 646d1728f11f..a6f37bebc668 100644 --- a/app-office/tpp/Manifest +++ b/app-office/tpp/Manifest 
@@ -1,5 +1,27 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + AUX tpp-1.3.1-Makefile.patch 854 SHA256 79d91a80826df1109303f93f99a8e4aabb3c2968d16300b37f6e471dfe601654 SHA512 5212d5342a1df4d786646eedd3e44362bc21b59d5746209c61a6b7e82e138e6ee0fea4b80c6e1fdbfa30bef1f08455d0d48d2382d46e14f10ea0f495330b300c WHIRLPOOL 28d7a294b88cc9bfe960d2abac026218c4bdba681b77f073af338b00ef67139cbe3b4bce6ea82a128f30b7ec6f5d7a1a55bcf6f42ed0abde902538cb5dc90b37 +AUX tpp-1.3.1-optional-exec.patch 1622 SHA256 de2720e58d69a506c6d91d7d4b475688814ce0c6668f17057c9085b4100a820f SHA512 568283bea1c58ab6194d7e88eacca6e84fdb03ec0f0ac5f3aee4ac2356305fdeef9a27942fb987df22fb3ca67230a109cbd2ebb56c28fd0c5d71de8f906301c9 WHIRLPOOL 8eefbe67eff95d897ea1f9e8df40dcac262634df1bc02a3c1c4786a59ae43b0a00fcf29fae9fdef9427ac3404654216285193cbdc9d64a65b1c2af75bbc45ce1 DIST tpp-1.3.1.tar.gz 42095 SHA256 68e3de94fbfb62bd91a6d635581bcf8671a306fffe615d00294d388ad91e1b5f SHA512 f3e0282c01fb5e524a0aac15ce6070c72a1cc98fd2b1614660f8850e4cc1f1af2ba21fba753e854d8797354f76192ee0d29df41d5c6cc4a623a4ae917e55b455 WHIRLPOOL 2d69f5a407d51a1b3808ea53f1200915507d65c7f9855a6a3580f3e0d6fe7f5b5c52e101b2556b4c6d1fe59b1cf534f9906c2b229fe3cef5c2e61538df262764 -EBUILD tpp-1.3.1-r1.ebuild 694 SHA256 24dfd623ac402612d522f9e34b8602ae1228afdde1155434825dfdcd02eeb258 SHA512 98aeaac38f3b0db020316366e697497c1c818902373cc35d7875ef8323ee0ec2028c0f0bd3f9ec012b34c4a482c42df76ed40dee8b4034da727719185e39320e WHIRLPOOL 6954b0b444fd0c80759c64dd1b8d819cd9a27c26a70d236b49757026a9aca7a0b8fe89c9240e4d2b4bbf41a50635fb4203a267fc39a3c2e293d4d2ad3e7e8a10 -MISC ChangeLog 2650 SHA256 605ec025fe54d2fa15e31e71ef2b18332672beca38442f4bd29e43d812246c6c SHA512 c680ac31fe210ab66b2c64e922465e38b49ecddb770d74cd3bfc613f3e1176b636bd7b2a70062ba3f72e96bc08c26c9af69c6367a971988bc53feb96a5089ef8 WHIRLPOOL 462b6a2c585a70b31535082ffb343b1d6cf484ba624b613f1c335bca6b9fde17fc29483af37667e3b972a521384b3cd2a5e72e0f0cf4817ca755ca716cb78f6a +EBUILD tpp-1.3.1-r1.ebuild 702 SHA256 
dc8b9e52b4abcfa93b32ab8483e9228f3f9ea09e4b7df01cad239e3723aa0a6f SHA512 4d2b4ab779e3bd8f2b22ea9292a3567ec7b9bb548d12b43bb5856b388ecd8cc1e790f873894abfe06fc898297079938909d70532ce6cf66b2629eadb30933395 WHIRLPOOL fbc93fbbe96faaf18df44ee6a889856f92d48bb6b596c8ea4a2f8b665d481d791f29129f49917744a03314d2634fed59f5f27dc90f2ea7c3f3a294495db9e41f +EBUILD tpp-1.3.1-r2.ebuild 747 SHA256 13118ad6ca3d1324ed4eb36ee32f95bac9b14529582b9337ebc2571a47090373 SHA512 f6e8247398054789a052ea7f96cb9c7fb62df938ec913fb36cc09dc66a5e2243380f8aff1e60eac5ef141f96e2beb496d64c1811be6b6f45e57c37099b23c933 WHIRLPOOL 2b08c744ebd52935f8956d7bbc46dce779e3727d90041a25c11f7822e2d565aa8f0a954722621fedc1c68081b68d8d2e05b31914c313c921a48dd285e02381fc +MISC ChangeLog 2931 SHA256 a1d3d3b5bb6b4cc367386c804fb52d489d0d3287b91bfe8ea4c59e4ecb253641 SHA512 6d8b528ee87db78257468b3afced8405899f402dc37ce330e2f60efee40e3a0e7ad8a1dd485e31fa2181ae3f87968b9f83dfabf2d32ec6623c9ee4b858dad916 WHIRLPOOL a311b826c77c6da7377e5f7879338ecdf6c359ae0525d0688857ef6ee953b1e5a6c2aa5a9fd70ec7e18b7516d883f0640b7cc3a846bac1a2778557a99b5e1551 MISC metadata.xml 268 SHA256 794d90f4001c8722c1a7dc8320ee92973c2eb5dabf4722b35d85cca28b74a380 SHA512 7ac816eede6729cd2f678b4a9239a4b8a622d735fe65d68d273f4bd027e94d2fcceb39da8f75ee5a5b0945e9116f52956e79e4c433df4ce96291215e04e02d4f WHIRLPOOL 1e9eb7c5e4de12bec7e913e38d56af2eeacd46cfe22c9db50049168b9c9deb65a803e36c258e0bc9750d412456b3df12e79b4aefa5f6a74eef7b4462fca6fcfa +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.19 (GNU/Linux) + +iQIcBAEBCAAGBQJRxGJRAAoJECRx6z5ArFrD3aYP/jaV6lGwIky+jjzp3JpSpXML +W1dCdh7pqGMijcmgqFl2qIkic6Ep+bNCx+eLQnswnNXKdZe3ODAY+eOPTrrZDe1U +8o0rX/UZq3ax2zZ1lCeGqBqZR6tqC/L2roVxPpdaShH3i/np7i/wXCdWe04ukuW9 +2D8I7Srw5I/mn7pkhzjxbX+uRBREeliNDo8iiOjkxtENawmmwcn0iHeM1duXHi6B +Sd5XvrxAIr/mjbn/bpVMN5sqN9EGaAT8iL7M15bjR5IBmme7r3GcPR7PvWRWbGoy +VBc3AhC4d8U0fAp2o/529yQMyIv9kKwXGxjd+KZb7v+a7n097n48RU7b2SNAMj42 +9AsTHEfilSTJf9+9317g5ZgpKQAEXx4kIxexcYz4YueWkQnYr7B0VqulVhYUwA1X 
+gf8iMNwqTPYwNXHgSXm4+4DU75fUslczXlxO4ZP1ewkqUAe7okficLLYnhoKuY+Y +AthKmcQkgXRRRNAHG+++QCHhuDZR0mLm74IoxIMBFxVaGQC+kO203IP+Ntj+fbFu +ApgsjnW61elszE8bcADlfAdQW9jvjqW8gl2GuH8JKOGZcNGBWCENFiDeH1nGwFI4 +fBvYIbE3MIH5dxX9/Mb1hfy2h2sOM9TVPBCI9yLme/SS3/WbZymXCKq2p+zQrTPe +9Ex59gBm3TtE5MJMe9Ub +=Qxpt +-----END PGP SIGNATURE----- diff --git a/app-office/tpp/files/tpp-1.3.1-optional-exec.patch b/app-office/tpp/files/tpp-1.3.1-optional-exec.patch new file mode 100644 index 000000000000..1ad08e83c06b --- /dev/null +++ b/app-office/tpp/files/tpp-1.3.1-optional-exec.patch 
@@ -0,0 +1,55 @@
+--- tpp-1.3.1.orig/tpp.rb 2013-06-12 22:13:55.000000000 +0200
++++ tpp-1.3.1/tpp.rb 2013-06-12 22:15:08.000000000 +0200
+@@ -725,9 +725,13 @@
+ end
+
+ def do_exec(cmdline)
+- rc = Kernel.system(cmdline)
+- if not rc then
+- # @todo: add error message
++ if $execok then
++ rc = Kernel.system(cmdline)
++ if not rc then
++ # @todo: add error message
++ end
++ else
++ @screen.addstr("--exec disabled by default for security reasons. Use option -x to enable it.")
+ end
+ end
+
+@@ -1683,6 +1687,7 @@
+ $stderr.puts "\t -t <type>\tset filetype <type> as output format"
+ $stderr.puts "\t -o <file>\twrite output to file <file>"
+ $stderr.puts "\t -s <seconds>\twait <seconds> seconds between slides (with -t autoplay)"
++ $stderr.puts "\t -x\t\tallow parsing of --exec in input files"
+ $stderr.puts "\t --version\tprint the version"
+ $stderr.puts "\t --help\t\tprint this help"
+ $stderr.puts "\n\t currently available types: ncurses (default), autoplay, latex, txt"
+@@ -1699,6 +1704,7 @@
+ output = nil
+ type = "ncurses"
+ time = 1
++$execok = nil
+
+ skip_next = false
+
+@@ -1720,6 +1726,8 @@
+ elsif ARGV[i] == "-s" then
+ time = ARGV[i+1].to_i
+ skip_next = true
++ elsif ARGV[i] == "-x" then
++ $execok = 1
+ elsif input == nil then
+ input = ARGV[i]
+ end
+--- tpp-1.3.1.orig/doc/tpp.1 2013-06-12 22:13:55.000000000 +0200
++++ tpp-1.3.1/doc/tpp.1 2013-06-12 22:13:55.000000000 +0200
+@@ -20,6 +20,8 @@
+ .TP
+ -l output.tex input.tpp converts tpp slides into tex
+ .TP
++-x allow usage of "--exec"
++.TP
+ -v/--version display version number
+
+ .SH KEYS
diff --git a/app-office/tpp/tpp-1.3.1-r1.ebuild b/app-office/tpp/tpp-1.3.1-r1.ebuild
index e913362ade96..6381e8c5b8f8 100644
--- a/app-office/tpp/tpp-1.3.1-r1.ebuild
+++ b/app-office/tpp/tpp-1.3.1-r1.ebuild
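Review bot: In the `do_exec` hunk of the embedded tpp.rb patch, the disabled branch prints a fixed notice and drops `cmdline`, so the user learns that `-x` exists but not which command the presentation asked to run; once `-x` is given, every `--exec` line is again handed to `Kernel.system` as a single shell string with no confirmation. Consider showing the skipped command, e.g. `@screen.addstr("--exec disabled (use -x to enable): " + cmdline)`, and extending the `doc/tpp.1` entry to say that `-x` should only be used with presentations from a trusted source, since the commands run with the invoking user's privileges. The gate is added to this one `do_exec` only; if other visualizer classes in tpp.rb define their own `do_exec`, they need the same check, which the hunk does not show. As a style point, `$execok = false` with `$execok = true` reads more clearly than `nil` and `1`.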
@@ -1,6 +1,6 @@ -# Copyright 1999-2011 Gentoo Foundation +# Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/tpp-1.3.1-r1.ebuild,v 1.3 2011/06/24 21:00:14 ranger Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/tpp-1.3.1-r1.ebuild,v 1.4 2013/06/21 14:25:06 prometheanfire Exp $ EAPI=2 USE_RUBY="ruby18" diff --git a/app-office/tpp/tpp-1.3.1-r2.ebuild b/app-office/tpp/tpp-1.3.1-r2.ebuild new file mode 100644 index 000000000000..02708a9bf206 --- /dev/null +++ b/app-office/tpp/tpp-1.3.1-r2.ebuild @@ -0,0 +1,28 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/tpp-1.3.1-r2.ebuild,v 1.1 2013/06/21 14:25:06 prometheanfire Exp $ + +EAPI=2 +USE_RUBY="ruby18" + +inherit eutils ruby-ng + +DESCRIPTION="An ncurses-based presentation tool." +HOMEPAGE="http://synflood.at/tpp.html" +SRC_URI="http://synflood.at/tpp/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~ppc ~x86" +IUSE="figlet" + +RDEPEND="${RDEPEND} figlet? ( app-misc/figlet )" + +ruby_add_rdepend "dev-ruby/ncurses-ruby" + +RUBY_PATCHES=( "${FILESDIR}/${P}-Makefile.patch" + "${FILESDIR}/${P}-optional-exec.patch" ) + +each_ruby_install() { + make DESTDIR="${D}" install || die "make install failed" +} |
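Review bot: The new tpp-1.3.1-r2.ebuild changes runtime behaviour (with optional-exec.patch applied, `--exec` directives are ignored unless tpp is started with `-x`) but tells the user nothing at install time. A `pkg_postinst` containing `elog "tpp now ignores --exec in presentations unless started with -x; only use -x with trusted files"` would document the change where users will see it. tpp-1.3.1-r1.ebuild is kept with only a header bump, so the revision without the patch stays installable; presumably it is to be removed once -r2 is stabilised, which this diff does not show.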