print/a2ps: use safer patches and comment CVEs

2024-10-18 19:49:40 +00:00 · 2022-03-14 11:06:07 +01:00 · 2022-03-14 11:06:07 +01:00 · 4b378d2f8e
commit 4b378d2f8e
parent 3d0b738e14
3 changed files with 71 additions and 1 deletions
--- a/print/a2ps/Makefile
+++ b/print/a2ps/Makefile
@ -2,7 +2,7 @@

 PORTNAME=	a2ps
 PORTVERSION=	4.13b
-PORTREVISION=	15
+PORTREVISION=	16
 CATEGORIES=	print
 MASTER_SITES=	GNU LOCAL/hrs/a2ps/:i18n

@ -23,6 +23,11 @@ INFO=		a2ps ogonkify regex
 WRKSRC=		${WRKDIR}/${PORTNAME}-4.13
 I18N_PACKAGE=	i18n-fonts-0.1
 CPE_VENDOR=	gnu
+# CVE-2015-8107 fixed in files/patch-output.c
+# CVE-2014-0466 fixed in files/patch-fixps.in
+# CVE-2004-1377 fixed in files/patch-fixps.in files/patch-contrib-tmpdircreation
+# CVE-2004-1170 fixed in files/patch-select.c
+# CVE-2001-1593 fixed in files/patch-routines.[hc]

 CONFIGURE_ARGS=	--with-medium=libpaper --sharedstatedir=${PREFIX}/share \
 	--sysconfdir=${PREFIX}/etc --datadir=${PREFIX}/share \
--- a/print/a2ps/files/patch-routines.c
+++ b/print/a2ps/files/patch-routines.c
@ -0,0 +1,53 @@
+--- lib/routines.c.orig	1999-10-16 04:46:37 UTC
+++ lib/routines.c
+@@ -242,3 +242,50 @@ unlink2 (PARAM_UNUSED void * dummy, const char * filen
+   /* Don't complain if you can't unlink.  Who cares of a tmp file? */
+   unlink (filename);
+ }
+
+/*
+ * Securely generate a temp file, and make sure it gets
+ * deleted upon exit.
+ */
+static char **	tempfiles;
+static unsigned	ntempfiles;
+
+static void
+cleanup_tempfiles()
+{
+	while (ntempfiles--)
+		unlink(tempfiles[ntempfiles]);
+}
+
+char *
+safe_tempnam(const char *pfx)
+{
+	char	*dirname, *filename;
+	int	fd;
+
+	if (!(dirname = getenv("TMPDIR")))
+		dirname = "/tmp";
+
+	tempfiles = (char **) realloc(tempfiles,
+			(ntempfiles+1) * sizeof(char *));
+	if (tempfiles == NULL)
+		return NULL;
+
+	filename = malloc(strlen(dirname) + strlen(pfx) + sizeof("/XXXXXX"));
+	if (!filename)
+		return NULL;
+
+	sprintf(filename, "%s/%sXXXXXX", dirname, pfx);
+
+	if ((fd = mkstemp(filename)) < 0) {
+		free(filename);
+		return NULL;
+	}
+	close(fd);
+
+	if (ntempfiles == 0)
+		atexit(cleanup_tempfiles);
+	tempfiles[ntempfiles++] = filename;
+
+	return filename;
+}
--- a/print/a2ps/files/patch-routines.h
+++ b/print/a2ps/files/patch-routines.h
@ -0,0 +1,12 @@
+--- lib/routines.h.orig	1999-10-18 20:24:41 UTC
+++ lib/routines.h
+@@ -255,7 +255,8 @@ FILE * xwpopen PARAMS ((const char * command));
+ /* If _STR_ is not defined, give it a tempname in _TMPDIR_ */
+ #define tempname_ensure(Str)				\
+ do {							\
+-  (Str) = (Str) ? (Str) : tempnam (NULL, "a2_");	\
+  (Str) = (Str) ? (Str) : safe_tempnam("a2_");	\
+ } while (0)
+char * safe_tempnam(const char *);
+ 
+ #endif