- Security patch to re-enable locking of temp files

Security: CVE-2011-4919

converters/mpack/Makefile

@@ -7,7 +7,7 @@
 
 PORTNAME=	mpack
 PORTVERSION=	1.6
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	converters mail news
 MASTER_SITES=	ftp://ftp.andrew.cmu.edu/pub/mpack/
 

converters/mpack/files/patch-decode.c

@@ -1,5 +1,5 @@
---- decode.c.orig	Mon Jul 21 23:47:54 2003
-+++ decode.c	Sun Mar 26 23:08:44 2006
+--- decode.c.orig	2003-07-21 22:47:54.000000000 +0200
++++ decode.c	2012-01-12 19:22:04.000000000 +0100
 @@ -26,8 +26,10 @@
   * SOFTWARE.  */
  
@@ -11,8 +11,11 @@
  #include "xmalloc.h"
  #include "common.h"
  #include "part.h"
-@@ -37,6 +39,19 @@
+@@ -35,8 +37,22 @@
+ 
+ extern char *os_idtodir(char *id);
  extern FILE *os_newtypedfile(char *fname, char *contentType, int flags, params contentParams);
++extern FILE *os_createfile(char *fname);
  extern FILE *os_createnewfile(char *fname);
  extern char *md5contextTo64(MD5_CTX *context);
 +extern void warn(char *s);
@@ -31,7 +34,7 @@
  
  /* The possible content transfer encodings */
  enum encoding { enc_none, enc_qp, enc_base64 };
-@@ -49,6 +64,17 @@
+@@ -49,6 +65,17 @@
  void from64(struct part *inpart, FILE *outfile, char **digestp, int suppressCR);
  void fromqp(struct part *inpart, FILE *outfile, char **digestp);
  void fromnone(struct part *inpart, FILE *outfile, char **digestp);
@@ -49,7 +52,7 @@
  /*
   * Read and handle an RFC 822 message from the body-part 'inpart'.
   */
-@@ -624,7 +650,7 @@
+@@ -624,7 +651,7 @@
      }
      thispart = atoi(p);
  
@@ -58,7 +61,16 @@
  	nparts = atoi(p);
  	if (nparts <= 0) {
  	    warn("partial message has invalid number of parts");
-@@ -643,7 +669,7 @@
+@@ -632,7 +659,7 @@
+ 	}
+ 	/* Store number of parts in reassembly directory */
+ 	sprintf(buf, "%sCT", dir);
+-	partfile = os_createnewfile(buf);
++	partfile = os_createfile(buf);
+ 	if (!partfile) {
+ 	    os_perror(buf);
+ 	    goto ignore;
+@@ -643,7 +670,7 @@
      else {
  	/* Try to retrieve number of parts from reassembly directory */
  	sprintf(buf, "%sCT", dir);

converters/mpack/files/patch-unixos.c

@@ -1,5 +1,5 @@
---- unixos.c.orig	Mon Jul 21 23:54:05 2003
-+++ unixos.c	Sun Mar 26 23:03:33 2006
+--- unixos.c.orig	2003-07-21 22:54:05.000000000 +0200
++++ unixos.c	2012-01-12 19:22:31.000000000 +0100
 @@ -23,24 +23,30 @@
   * SOFTWARE.
   */
@@ -51,19 +51,28 @@
      }
      strcat(buf, "/m-prts-");
      p = getenv("USER");
-@@ -136,11 +142,7 @@
-     int fd;
-     FILE *ret;
-      
--#ifdef O_EXCL
--    fd=open(fname, O_RDWR|O_CREAT|O_EXCL, 0644);
--#else
-     fd=open(fname, O_RDWR|O_CREAT|O_TRUNC, 0644);
--#endif
+@@ -131,6 +137,20 @@
+     rmdir(dir);
+ }
  
-     if (fd == -1)
-         return NULL;
-@@ -194,7 +196,7 @@
++FILE *os_createfile(char *fname)
++{
++    int fd;
++    FILE *ret;
++    
++    fd=open(fname, O_RDWR|O_CREAT|O_TRUNC, 0600);
++
++    if (fd == -1)
++        return NULL;
++    
++    ret=fdopen(fd, "w");
++    return ret;
++}
++
+ FILE *os_createnewfile(char *fname)
+ {
+     int fd;
+@@ -194,7 +214,7 @@
  	do {
  	    if (outfile) fclose(outfile);
  	    sprintf(buf, "part%d", ++filesuffix);
@@ -72,7 +81,7 @@
  	fname = buf;
      }
      else if (!overwrite_files && (outfile = fopen(fname, "r"))) {
-@@ -202,7 +204,7 @@
+@@ -202,7 +222,7 @@
  	    fclose(outfile);
  	    sprintf(buf, "%s.%d", fname, ++filesuffix);
  	 
@@ -81,7 +90,7 @@
  	fname = buf;
      }
  
-@@ -228,7 +230,7 @@
+@@ -228,7 +248,7 @@
  
      p = strchr(descfname, '/');
      if (!p) p = descfname;

converters/mpack/files/patch-unixpk.c

@@ -1,5 +1,5 @@
---- unixpk.c.orig	Mon Jul 21 23:50:41 2003
-+++ unixpk.c	Sun Mar 26 23:35:56 2006
+--- unixpk.c.orig	2003-07-21 22:50:41.000000000 +0200
++++ unixpk.c	2012-01-12 18:56:56.000000000 +0100
 @@ -23,23 +23,25 @@
   * SOFTWARE.
   */
@@ -41,7 +41,7 @@
  	subject = sbuf;
      }	
  
-@@ -164,10 +166,10 @@
+@@ -164,7 +166,7 @@
  	    strcpy(fnamebuf, getenv("TMPDIR"));
  	}
  	else {
@@ -49,8 +49,4 @@
 +	    strcpy(fnamebuf, "/tmp");
  	}
  	strcat(fnamebuf, "/mpackXXXXXX");
--	mktemp(fnamebuf);
-+	close(mkstemp(fnamebuf));
- 	outfname = strsave(fnamebuf);
-     }
- 
+ 	mktemp(fnamebuf);