[groff/f16] fix: CVE-2009-5044, CVE-2009-5080, CVE-2009-5081

jvcelak jvcelak at fedoraproject.org
Tue May 29 13:01:54 UTC 2012


commit 2444228e67a321faa9af03c774c3ef7e3971ba57
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Tue May 29 14:47:48 2012 +0200

    fix: CVE-2009-5044, CVE-2009-5080, CVE-2009-5081
    
    Resolves: #709415, #720060

 groff-cve-2009-5044_5080_5081.patch |  191 +++++++++++++++++++++++++++++++++++
 groff.spec                          |   17 ++-
 2 files changed, 202 insertions(+), 6 deletions(-)
---
diff --git a/groff-cve-2009-5044_5080_5081.patch b/groff-cve-2009-5044_5080_5081.patch
new file mode 100644
index 0000000..0ee1af3
--- /dev/null
+++ b/groff-cve-2009-5044_5080_5081.patch
@@ -0,0 +1,191 @@
+Based on: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2;content-type=text%2Fplain
+Resolves: #709415, #720060
+Security: CVE-2009-5044 (#709413), CVE-2009-5080 (#720058), CVE-2009-5081 (#720057)
+
+diff -uNPrp groff-1.21/contrib/eqn2graph/eqn2graph.sh groff-1.21.fix/contrib/eqn2graph/eqn2graph.sh
+--- groff-1.21/contrib/eqn2graph/eqn2graph.sh	2010-12-31 08:33:09.000000000 +0100
++++ groff-1.21.fix/contrib/eqn2graph/eqn2graph.sh	2012-05-29 12:19:38.594581148 +0200
+@@ -69,6 +69,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
+ 
+     tmp=$d/eqn2graph$$-$RANDOM
+     (umask 077 && mkdir $tmp) 2> /dev/null && break
++
++    tmp=
+ done;
+ if test -z "$tmp"; then
+     echo "$0: cannot create temporary directory" >&2
+diff -uNPrp groff-1.21/contrib/gdiffmk/tests/runtests.in groff-1.21.fix/contrib/gdiffmk/tests/runtests.in
+--- groff-1.21/contrib/gdiffmk/tests/runtests.in	2010-12-31 08:33:09.000000000 +0100
++++ groff-1.21.fix/contrib/gdiffmk/tests/runtests.in	2012-05-29 12:19:38.594581148 +0200
+@@ -56,8 +56,9 @@ function TestResult {
+ 	fi
+ }
+ 
+-tmpfile=/tmp/$$
+-trap 'rm -f ${tmpfile}' 0 1 2 3 15
++tmpfile="`mktemp -t gdiffmk-runtests.XXXXXXXXXX`" || exit
++trap 'rm -f -- "$tmpfile"' EXIT
++trap 'trap - EXIT; rm -f -- "$tmpfile"; exit 1' HUP INT QUIT TERM
+ 
+ #	Run tests.
+ 
+diff -uNPrp groff-1.21/contrib/grap2graph/grap2graph.sh groff-1.21.fix/contrib/grap2graph/grap2graph.sh
+--- groff-1.21/contrib/grap2graph/grap2graph.sh	2010-12-31 08:33:09.000000000 +0100
++++ groff-1.21.fix/contrib/grap2graph/grap2graph.sh	2012-05-29 12:19:38.594581148 +0200
+@@ -65,6 +65,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
+ 
+     tmp=$d/grap2graph$$-$RANDOM
+     (umask 077 && mkdir $tmp) 2> /dev/null && break
++
++    tmp=
+ done;
+ if test -z "$tmp"; then
+     echo "$0: cannot create temporary directory" >&2
+diff -uNPrp groff-1.21/contrib/groffer/perl/groffer.pl groff-1.21.fix/contrib/groffer/perl/groffer.pl
+--- groff-1.21/contrib/groffer/perl/groffer.pl	2012-05-29 12:19:21.425795787 +0200
++++ groff-1.21.fix/contrib/groffer/perl/groffer.pl	2012-05-29 12:19:38.595581136 +0200
+@@ -1379,7 +1379,7 @@ sub _check_prog_on_list {
+ ########################################################################
+ 
+ sub main_temp {
+-  my $template = 'groffer_' . "$$" . '_XXXX';
++  my $template = 'groffer_' . "$$" . '_XXXXXXXXXX';
+   foreach ($ENV{'GROFF_TMPDIR'}, $ENV{'TMPDIR'}, $ENV{'TMP'}, $ENV{'TEMP'},
+ 	   $ENV{'TEMPDIR'}, File::Spec->catfile($ENV{'HOME'}, 'tmp')) {
+     if ($_ && -d $_ && -w $_) {
+@@ -1410,12 +1410,12 @@ sub main_temp {
+ 
+   # further argument: SUFFIX => '.sh'
+   if ($Debug{'KEEP'}) {
+-    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', DIR => $tmpdir);
+-    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', DIR => $tmpdir);
++    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', DIR => $tmpdir);
++    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', DIR => $tmpdir);
+   } else {
+-    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', UNLINK => 1,
++    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', UNLINK => 1,
+ 				   DIR => $tmpdir);
+-    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', UNLINK => 1,
++    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', UNLINK => 1,
+ 				       DIR => $tmpdir);
+   }
+ }				# main_temp()
+diff -uNPrp groff-1.21/contrib/groffer/perl/roff2.pl groff-1.21.fix/contrib/groffer/perl/roff2.pl
+--- groff-1.21/contrib/groffer/perl/roff2.pl	2010-12-31 08:33:09.000000000 +0100
++++ groff-1.21.fix/contrib/groffer/perl/roff2.pl	2012-05-29 12:19:38.595581136 +0200
+@@ -124,7 +124,7 @@ if ($Has_Groffer) {
+ 	last;
+       }
+     }
+-    my $template = $Name . '_XXXX';
++    my $template = $Name . '_XXXXXXXXXX';
+     my ($fh, $stdin);
+     if ($tempdir) {
+       ($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||
+diff -uNPrp groff-1.21/contrib/pdfmark/pdfroff.man groff-1.21.fix/contrib/pdfmark/pdfroff.man
+--- groff-1.21/contrib/pdfmark/pdfroff.man	2010-12-31 08:33:09.000000000 +0100
++++ groff-1.21.fix/contrib/pdfmark/pdfroff.man	2012-05-29 12:19:38.595581136 +0200
+@@ -529,7 +529,7 @@ defaults to
+ .B GROFF_TMPDIR
+ Identifies the directory in which
+ .B pdfroff
+-should create temporary files.
++should create a subdirectory for its temporary files.
+ If
+ .B \%GROFF_TMPDIR
+ is
+@@ -541,7 +541,8 @@ and
+ .B TEMP
+ are considered in turn, as possible temporary file repositories.
+ If none of these are set, then temporary files are created
+-in the current directory.
++in a subdirectory of
++.BR /tmp .
+ .
+ .TP
+ .B GROFF_GHOSTSCRIPT_INTERPRETER
+diff -uNPrp groff-1.21/contrib/pic2graph/pic2graph.sh groff-1.21.fix/contrib/pic2graph/pic2graph.sh
+--- groff-1.21/contrib/pic2graph/pic2graph.sh	2010-12-31 08:33:09.000000000 +0100
++++ groff-1.21.fix/contrib/pic2graph/pic2graph.sh	2012-05-29 12:19:38.596581124 +0200
+@@ -80,6 +80,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP
+     tmp=$d/pic2graph$$-$RANDOM
+     (umask 077 && mkdir $tmp) 2> /dev/null \
+     && break
++
++    tmp=
+ done;
+ if test -z "$tmp"; then
+     echo "$0: cannot create temporary directory" >&2
+diff -uNPrp groff-1.21/doc/fixinfo.sh groff-1.21.fix/doc/fixinfo.sh
+--- groff-1.21/doc/fixinfo.sh	2010-12-31 08:33:09.000000000 +0100
++++ groff-1.21.fix/doc/fixinfo.sh	2012-05-29 12:19:38.596581124 +0200
+@@ -21,7 +21,9 @@
+ # groff.texinfo macro code.  Hopefully, a new texinfo version makes it
+ # unnecessary.
+ 
+-t=${TMPDIR-.}/gro$$.tmp
++t="`mktemp -t groff-fixinfo.XXXXXXXXXX`" || exit
++trap 'rm -f -- "$t"' EXIT
++trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
+ 
+ cat $1 | sed '
+ 1 {
+diff -uNPrp groff-1.21/doc/groff.info-2 groff-1.21.fix/doc/groff.info-2
+--- groff-1.21/doc/groff.info-2	2012-05-29 12:19:21.446795526 +0200
++++ groff-1.21.fix/doc/groff.info-2	2012-05-29 12:19:38.598581100 +0200
+@@ -1918,9 +1918,9 @@ not there, `groff' would not know when t
+ 
+ 
+           .sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
+-                       (localtime(time))[2,1,0]' > /tmp/x\n[$$]
+-          .so /tmp/x\n[$$]
+-          .sy rm /tmp/x\n[$$]
++                       (localtime(time))[2,1,0]' > timefile\n[$$]
++          .so timefile\n[$$]
++          .sy rm timefile\n[$$]
+           \nH:\nM:\nS
+ 
+      Note that this works by having the `perl' script (run by `sy')
+diff -uNPrp groff-1.21/doc/groff.texinfo groff-1.21.fix/doc/groff.texinfo
+--- groff-1.21/doc/groff.texinfo	2010-12-31 08:33:09.000000000 +0100
++++ groff-1.21.fix/doc/groff.texinfo	2012-05-29 12:19:38.602581048 +0200
+@@ -13568,9 +13568,9 @@ into a document:
+ @pindex perl
+ @Example
+ .sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
+-             (localtime(time))[2,1,0]' > /tmp/x\n[$$]
+-.so /tmp/x\n[$$]
+-.sy rm /tmp/x\n[$$]
++             (localtime(time))[2,1,0]' > timefile\n[$$]
++.so timefile\n[$$]
++.sy rm timefile\n[$$]
+ \nH:\nM:\nS
+ @endExample
+ 
+diff -uNPrp groff-1.21/gendef.sh groff-1.21.fix/gendef.sh
+--- groff-1.21/gendef.sh	2010-12-31 08:33:08.000000000 +0100
++++ groff-1.21.fix/gendef.sh	2012-05-29 12:19:38.604581023 +0200
+@@ -34,11 +34,9 @@ do
+ #define $def"
+ done
+ 
+-# Use $TMPDIR if defined.  Default to cwd, for non-Unix systems
+-# which don't have /tmp on each drive (we are going to remove
+-# the file before we exit anyway).  Put the PID in the basename,
+-# since the extension can only hold 3 characters on MS-DOS.
+-t=${TMPDIR-.}/gro$$.tmp
++t="`mktemp -t groff-gendef.XXXXXXXXXX`" || exit
++trap 'rm -f -- "$t"' EXIT
++trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
+ 
+ sed -e 's/=/ /' >$t <<EOF
+ $defs
+@@ -46,8 +44,6 @@ EOF
+ 
+ test -r $file && cmp -s $t $file || cp $t $file
+ 
+-rm -f $t
+-
+ exit 0
+ 
+ # eof
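Review bot: Nothing in this patch changes contrib/pdfmark/pdfroff.sh, yet the pdfroff.man hunk now says that pdfroff creates a subdirectory for its temporary files (under `/tmp` when no variable is set), and the changelog lists CVE-2009-5044 as fixed. All 191 added lines are visible here, so unless the pdfroff script in groff 1.21 already creates that private directory, the man page documents behaviour the script does not have and the predictable temporary-file path remains. Please confirm against the 1.21 script, or carry over the script change from the Openwall diff named in the patch header. Separately, in the roff2.pl hunk the context line `tempfile($template, UNLINK => 1, DIR => $tempdir) ||` calls tempfile() in scalar context, which returns only the handle, so `$stdin` would not receive the file name. That statement continues outside the hunk, so this is inferred, but `or die` in place of `||` would keep the list context.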
diff --git a/groff.spec b/groff.spec
index b3fd060..7fa62d5 100644
--- a/groff.spec
+++ b/groff.spec
@@ -3,7 +3,7 @@
 Summary: A document formatting system
 Name: groff
 Version: 1.21
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+ and GFDL and BSD and MIT
 Group: Applications/Publishing
 URL: http://groff.ffii.org
@@ -15,6 +15,7 @@ Patch2: groff-makefile-typo.patch
 Patch3: groff-manpages-typos.patch
 Patch4: groff-grofferdir-auto.patch
 Patch5: groff-grotty-wc-no-sgr.patch
+Patch6: groff-cve-2009-5044_5080_5081.patch
 
 Requires: mktemp
 Requires: /sbin/install-info
@@ -79,11 +80,9 @@ language and documentation for creating PDF files.
 
 %prep
 %setup -q
-%patch1 -p1 -b .info-missing-x11
-%patch2 -p1 -b .makefile-typo
-%patch3 -p1 -b .manpages-typos
-%patch4 -p1 -b .grofferdir-auto
-%patch5 -p1 -b .grotty-wc-no-sgr
+for patch in %patches ; do
+	%__patch %_default_patch_flags --fuzz=%_default_patch_fuzz -p1 -i $patch
+done
 
 for file in NEWS src/devices/grolbp/grolbp.man doc/{groff.info*,webpage.ms} \
 				contrib/mm/*.man contrib/mom/examples/{README.txt,*.mom} ; do
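Review bot: The switch to a `for patch in %patches` loop is an unrelated packaging change that neither the commit message nor the new changelog entry mentions. It alters how every existing patch is applied, not only Patch6: the per-patch `-b .suffix` backups are gone, and any patch declared in the spec is now applied unconditionally. A separate commit, or at least a changelog line such as `- apply all patches in a loop in %prep`, would make the security fix easier to audit. If the loop stays, quote the variable: `%__patch %_default_patch_flags --fuzz=%_default_patch_fuzz -p1 -i "$patch"`. The %prep section continues outside the hunk.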
@@ -208,6 +207,12 @@ fi
 %doc %{_docdir}/%{name}-%{version}/pdf/
 
 %changelog
+* Tue May 29 2012 Jan Vcelak <jvcelak at redhat.com> 1.21-4
+- older security fixes (#709415, #720060):
+  + CVE-2009-5044: insecure temporary file handling in pdfroff
+  + CVE-2009-5080: improper handling of failed attempts to create temporary directories in eqn2graph/pic2graph/grap2graph
+  + CVE-2009-5081: roff2.pl and groffer.pl use easy-to-guess temporary file names
+
 * Fri Jun 17 2011 Jan Vcelak <jvcelak at redhat.com> 1.21-3
 - fix #678572: groffer libdir is incorrect
 - fix #709474: unowned groff doc dir

