Upgrade to gftp 2.0.8 and mark FORBIDDEN. gftp 2.0.8 was a security update

to fix a remotely exploitable format string vulnerability, but in the course of trying to make the new version actually build I discovered that it also has local tempfile vulnerabilities, among other problems.
svn path=/head/; revision=42067
2025-01-28 10:08:24 +00:00 · 2001-04-30 07:33:39 +00:00 · 2001-04-30 07:33:39 +00:00 · 687e227b48 · 2021-03-31 03:12:20 +00:00
commit 687e227b48
parent 1df8e52584
6 changed files with 57 additions and 2 deletions
--- a/ftp/gftp/Makefile
+++ b/ftp/gftp/Makefile
@ -6,7 +6,7 @@
 #

 PORTNAME=	gftp
-PORTVERSION=	2.0.7b
+PORTVERSION=	2.0.8
 CATEGORIES=	ftp
 MASTER_SITES=	http://gftp.seul.org/ \
 		ftp://gftp.seul.org/pub/gftp/
@ -20,6 +20,8 @@ GNU_CONFIGURE=	yes
 CONFIGURE_ENV=	CPPFLAGS="-I${LOCALBASE}/include" \
 		LIBS="-L${LOCALBASE}/lib"

+FORBIDDEN=	"Insecure temporary files up the wazoo"
+
 MAN1=		gftp.1

 .include <bsd.port.pre.mk>
--- a/ftp/gftp/distinfo
+++ b/ftp/gftp/distinfo
@ -1 +1 @@
-MD5 (gftp-2.0.7b.tar.gz) = 235162253d09281182ad6b9212141078
+MD5 (gftp-2.0.8.tar.gz) = a53217845e217162c11254fc936c1714
--- a/ftp/gftp/files/patch-ac
+++ b/ftp/gftp/files/patch-ac
@ -0,0 +1,11 @@
+--- src/text/Makefile.in.orig	Mon Apr 30 00:11:48 2001
+++ src/text/Makefile.in	Mon Apr 30 00:13:22 2001
+@@ -99,7 +99,7 @@
+ bin_PROGRAMS = gftp-text
+ gftp_text_SOURCES = gftp-text.c 
+ INCLUDES = @GLIB_CFLAGS@ -DSHARE_DIR=\"$(datadir)/gftp\" -DLOCALE_DIR=\"$(localedir)\"
+-LDADD = @INTLLIBS@ @GLIB_LIBS@ @EXTRA_LIBS@ ../../lib/libgftp.a
+LDADD = -lintl @INTLLIBS@ @GLIB_LIBS@ @EXTRA_LIBS@ ../../lib/libgftp.a
+ noinst_HEADERS = gftp-text.h
+ localedir = $(prefix)/share/locale
+ mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
--- a/ftp/gftp/files/patch-ad
+++ b/ftp/gftp/files/patch-ad
@ -0,0 +1,20 @@
+--- lib/cache.c.orig	Sat Mar  3 17:42:43 2001
+++ lib/cache.c	Mon Apr 30 00:16:57 2001
+@@ -42,7 +42,7 @@
+     }
+   g_free (tempstr);
+ 
+-  srand (time (NULL));
+  srandomdev();
+   tempstr = NULL;
+   cachefile = NULL;
+   do
+@@ -54,7 +54,7 @@
+         g_free (cachefile);
+ 
+       cachefile = g_strdup_printf ("cache%ld",
+-                                   1 + (long) (99999999.0 * rand () /
+                                   1 + (long) (99999999.0 * random () /
+ 				   (RAND_MAX + 1.0)));
+       tempstr = g_strdup_printf ("%s/%s", cachedir, cachefile);
+     }
--- a/ftp/gftp/files/patch-ae
+++ b/ftp/gftp/files/patch-ae
@ -0,0 +1,11 @@
+--- src/gtk/gftp-gtk.h.orig	Tue Mar 20 17:46:01 2001
+++ src/gtk/gftp-gtk.h	Mon Apr 30 00:18:12 2001
+@@ -197,7 +197,7 @@
+ void ftp_log					( gftp_logging_level level,
+ 						  void *ptr,
+ 						  const char *string,
+-						  ... );
+						  ... ) __attribute__((format(printf, 3, 4)));
+ 
+ void refresh 					( gftp_window_data * wdata );
+ 
--- a/ftp/gftp/files/patch-af
+++ b/ftp/gftp/files/patch-af
@ -0,0 +1,11 @@
+--- ./src/text/gftp-text.h.orig	Fri Feb 23 10:59:57 2001
+++ ./src/text/gftp-text.h	Mon Apr 30 00:19:21 2001
+@@ -43,7 +43,7 @@
+ /* gftp-text.h */
+ void gftp_text_log				( gftp_logging_level level, 
+ 						  void *ptr, 
+-						  const char *string, ... );
+						  const char *string, ... ) __attribute__((format(printf, 3, 4)));
+ int gftp_text_open				( gftp_request * request, 
+ 						  char *command, 
+ 						  gpointer *data );