[chm2pdf/f14/master] Patch to fix security bugs #474457 and #474455 modified: chm2pdf.spec new file: chm2pdf_insec

Lakshmi Narasimhan T V narasim at fedoraproject.org
Sun Jan 16 08:52:02 UTC 2011


commit a39dc2cdcf6af44faddcb0a900b76d93c28fb688
Author: Lakshmi Narasimhan <lakshminaras2002 at gmail.com>
Date:   Sun Jan 16 14:02:53 2011 +0530

    Patch  to fix security bugs #474457 and #474455
    	modified:   chm2pdf.spec
    	new file:   chm2pdf_insecure_tempdirs.patch

 chm2pdf.spec                    |   32 +++++++------
 chm2pdf_insecure_tempdirs.patch |   95 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 113 insertions(+), 14 deletions(-)
---
diff --git a/chm2pdf.spec b/chm2pdf.spec
index 8ac0297..6eea95a 100644
--- a/chm2pdf.spec
+++ b/chm2pdf.spec
@@ -1,25 +1,26 @@
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
 
-Name:		chm2pdf
-Version: 	0.9.1
-Release:	8%{?dist}
-Summary:	A tool to convert CHM files to PDF files
-Group:		Applications/Publishing
-License:	GPLv2+
-URL:		http://code.google.com/p/chm2pdf/
-Source: 	http://chm2pdf.googlecode.com/files/chm2pdf-%{version}.tar.gz
-
-BuildArch: 	noarch
-BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires:	python-devel
-Requires:	python >= 2.5, python-chm, htmldoc
+Name:       chm2pdf
+Version:    0.9.1
+Release:    9%{?dist}
+Summary:    A tool to convert CHM files to PDF files
+Group:      Applications/Publishing
+License:    GPLv2+
+URL:        http://code.google.com/p/chm2pdf/
+Source:     http://chm2pdf.googlecode.com/files/chm2pdf-%{version}.tar.gz
+
+BuildArch:  noarch
+BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires:  python-devel
+Requires:   python >= 2.5, python-chm, htmldoc
+Patch1:     chm2pdf_insecure_tempdirs.patch
 
 %description
 A simple Python script that converts CHM files into PDF files.
 
 %prep
 %setup -q
-
+%patch1 -p1 -b .orig
 
 %build
 CFLAGS="$RPM_OPT_FLAGS" %{__python} setup.py build
@@ -39,6 +40,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Sun Jan 9 2011 Lakshmi Narasimhan T V <lakshminaras2002 at gmail.com> - 0.9.1-9
+- Applied patch to fix use of fixed temporary directories. Fixes bugs 474455,474457
+
 * Wed Jul 21 2010 David Malcolm <dmalcolm at redhat.com> - 0.9.1-8
 - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
 
diff --git a/chm2pdf_insecure_tempdirs.patch b/chm2pdf_insecure_tempdirs.patch
new file mode 100644
index 0000000..890e656
--- /dev/null
+++ b/chm2pdf_insecure_tempdirs.patch
@@ -0,0 +1,95 @@
+*** chm2pdf-0.9.1_orig/chm2pdf	2008-07-09 16:12:26.000000000 +0530
+--- chm2pdf-0.9.1/chm2pdf	2011-01-09 17:54:49.581170068 +0530
+***************
+*** 27,32 ****
+--- 27,34 ----
+  import os, os.path
+  import re, glob
+  import getopt
++ import tempfile
++ import shutil
+  # from BeautifulSoup import BeautifulSoup
+  
+  global version
+***************
+*** 39,46 ****
+  global filename #the input filename
+  
+  version = '0.9.1'
+! CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work' 
+! CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
+  
+  
+  
+--- 41,48 ----
+  global filename #the input filename
+  
+  version = '0.9.1'
+! CHM2PDF_TEMP_WORK_DIR=tempfile.mkdtemp()
+! CHM2PDF_TEMP_ORIG_DIR=tempfile.mkdtemp()
+  
+  
+  
+***************
+*** 299,314 ****
+      # ########################### File extraction and correction: START ############################
+      #
+      if options['dontextract'] == '':
+-     
+-         try:
+-             os.mkdir(CHM2PDF_TEMP_WORK_DIR)
+-         except OSError: # The directory already exists.
+-             pass
+-         
+-         try:
+-             os.mkdir(CHM2PDF_TEMP_ORIG_DIR)
+-         except OSError: # The directory already exists.
+-             pass
+          
+          try:
+              os.mkdir(CHM2PDF_ORIG_DIR)
+--- 301,306 ----
+***************
+*** 620,626 ****
+      print '\t--continuous\n\t\tSpecifies  that  the  HTML  sources are unstructured (plain web pages).\n\t\tNo page breaks are inserted between each file or URL in the output.'
+      print '\t--cookies \'name="value with space"; name=value\'\n\t\t'
+      print '\t--datadir directory\n\t\tSpecifies the  location  of  the  HTMLDOC  data  files,  usually  /usr/share/htmldoc  or  C:\Program Files\HTMLDOC '
+!     print "\t--dontextract \n\t\tIf given, %s will not extract the HTML files from the given CHM file, but will use previously extracted copies from the temporary directory " %name + '(i.e. ' + CHM2PDF_TEMP_ORIG_DIR + ' and ' + CHM2PDF_TEMP_WORK_DIR + '). Usually you will use this option after you have used the \'--extract-only\' option to extract the files in order to correct them manually (in ' + CHM2PDF_TEMP_WORK_DIR + '). After the correction, a call with \'--dontextract\' will not overwrite your changes, but will use the corrected files instead.'
+      print '\t--duplex\n\t\tSpecifies that the output should be formatted for double-sided printing.'
+      print '\t--effectduration {0.1..10.0}\n\t\tSpecifies the duration in seconds of PDF page transition effects.'
+      print '\t--embedfonts\n\t\tSpecifies that fonts should be embedded in PDF output.'
+--- 612,618 ----
+      print '\t--continuous\n\t\tSpecifies  that  the  HTML  sources are unstructured (plain web pages).\n\t\tNo page breaks are inserted between each file or URL in the output.'
+      print '\t--cookies \'name="value with space"; name=value\'\n\t\t'
+      print '\t--datadir directory\n\t\tSpecifies the  location  of  the  HTMLDOC  data  files,  usually  /usr/share/htmldoc  or  C:\Program Files\HTMLDOC '
+! #    print "\t--dontextract \n\t\tIf given, %s will not extract the HTML files from the given CHM file, but will use previously extracted copies from the temporary directory " %name + '(i.e. ' + CHM2PDF_TEMP_ORIG_DIR + ' and ' + CHM2PDF_TEMP_WORK_DIR + '). Usually you will use this option after you have used the \'--extract-only\' option to extract the files in order to correct them manually (in ' + CHM2PDF_TEMP_WORK_DIR + '). After the correction, a call with \'--dontextract\' will not overwrite your changes, but will use the corrected files instead.'
+      print '\t--duplex\n\t\tSpecifies that the output should be formatted for double-sided printing.'
+      print '\t--effectduration {0.1..10.0}\n\t\tSpecifies the duration in seconds of PDF page transition effects.'
+      print '\t--embedfonts\n\t\tSpecifies that fonts should be embedded in PDF output.'
+***************
+*** 1084,1096 ****
+          print 'CHM file "' + filename + '" not found!'
+          return
+      
+-     #remove temporary files
+-     if options['dontextract'] == '':
+-         if options['verbose']=='--verbose' and options['verbositylevel']=='high':
+-             print 'Removing any previous temporary files...'
+-         os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
+-         os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
+-     
+      cfile = chm.CHMFile()
+      cfile.LoadCHM(filename)
+  
+--- 1076,1081 ----
+***************
+*** 1105,1110 ****
+--- 1090,1097 ----
+              os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR + '&> /dev/null')
+      
+      convert_to_pdf(cfile, filename, outputfilename, options)
++     shutil.rmtree(CHM2PDF_TEMP_WORK_DIR)
++     shutil.rmtree(CHM2PDF_TEMP_ORIG_DIR)
+  
+  
+  if __name__ == '__main__':
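Review bot: The two `shutil.rmtree` calls added after `convert_to_pdf(...)` run only on the normal path, so the `return` in the 'CHM file ... not found!' branch (context at original line 1084) and any exception leave both `mkdtemp()` directories behind. Because the directories are created at module level, registering the cleanup there is more robust: `atexit.register(shutil.rmtree, CHM2PDF_TEMP_WORK_DIR, True)` and the same for `CHM2PDF_TEMP_ORIG_DIR`, with `import atexit` added. The patch comments out only the `--dontextract` help line while the `options['dontextract'] == ''` check stays in the context, so the option appears to remain accepted even though a fresh random directory can never hold previously extracted files; it should be removed or given an explicit user-supplied directory. Separately, the unchanged context line `os.system('extract_chmLib ' + filename + ...)` still passes the input filename through a shell, and is worth replacing with an argument-list `subprocess` call in a follow-up. The enclosing functions start and end outside the visible hunks.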

