[chm2pdf] Imported srpm. Patch that fixes security bugs 474457 and 474455. Spec file is same as previous commit

Lakshmi Narasimhan T V narasim at fedoraproject.org
Sun Jan 16 09:00:25 UTC 2011


commit a477264d4bf6ef6ec9af3d5d703e82d544e27d09
Author: Lakshmi Narasimhan <lakshminaras2002 at gmail.com>
Date:   Sun Jan 16 14:00:55 2011 +0530

    Imported srpm. Patch that fixes security bugs 474457 and 474455
    Spec file is same as previous commit
    
    	modified:   chm2pdf.spec
    	new file:   chm2pdf_insecure_tempdirs.patch

 chm2pdf.spec                    |    3 +-
 chm2pdf_insecure_tempdirs.patch |   95 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+), 2 deletions(-)
---
diff --git a/chm2pdf.spec b/chm2pdf.spec
index b4e7a43..6eea95a 100644
--- a/chm2pdf.spec
+++ b/chm2pdf.spec
@@ -41,8 +41,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %changelog
 * Sun Jan 9 2011 Lakshmi Narasimhan T V <lakshminaras2002 at gmail.com> - 0.9.1-9
-- Applied patch to fix use of fixed temporary directories. Fixes bugs #474455,#474457
-- CVE-2008-5298 and CVE-2008-5299 are fixed by this patch 
+- Applied patch to fix use of fixed temporary directories. Fixes bugs 474455,474457
 
 * Wed Jul 21 2010 David Malcolm <dmalcolm at redhat.com> - 0.9.1-8
 - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
diff --git a/chm2pdf_insecure_tempdirs.patch b/chm2pdf_insecure_tempdirs.patch
new file mode 100644
index 0000000..890e656
--- /dev/null
+++ b/chm2pdf_insecure_tempdirs.patch
@@ -0,0 +1,95 @@
+*** chm2pdf-0.9.1_orig/chm2pdf	2008-07-09 16:12:26.000000000 +0530
+--- chm2pdf-0.9.1/chm2pdf	2011-01-09 17:54:49.581170068 +0530
+***************
+*** 27,32 ****
+--- 27,34 ----
+  import os, os.path
+  import re, glob
+  import getopt
++ import tempfile
++ import shutil
+  # from BeautifulSoup import BeautifulSoup
+  
+  global version
+***************
+*** 39,46 ****
+  global filename #the input filename
+  
+  version = '0.9.1'
+! CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work' 
+! CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
+  
+  
+  
+--- 41,48 ----
+  global filename #the input filename
+  
+  version = '0.9.1'
+! CHM2PDF_TEMP_WORK_DIR=tempfile.mkdtemp()
+! CHM2PDF_TEMP_ORIG_DIR=tempfile.mkdtemp()
+  
+  
+  
+***************
+*** 299,314 ****
+      # ########################### File extraction and correction: START ############################
+      #
+      if options['dontextract'] == '':
+-     
+-         try:
+-             os.mkdir(CHM2PDF_TEMP_WORK_DIR)
+-         except OSError: # The directory already exists.
+-             pass
+-         
+-         try:
+-             os.mkdir(CHM2PDF_TEMP_ORIG_DIR)
+-         except OSError: # The directory already exists.
+-             pass
+          
+          try:
+              os.mkdir(CHM2PDF_ORIG_DIR)
+--- 301,306 ----
+***************
+*** 620,626 ****
+      print '\t--continuous\n\t\tSpecifies  that  the  HTML  sources are unstructured (plain web pages).\n\t\tNo page breaks are inserted between each file or URL in the output.'
+      print '\t--cookies \'name="value with space"; name=value\'\n\t\t'
+      print '\t--datadir directory\n\t\tSpecifies the  location  of  the  HTMLDOC  data  files,  usually  /usr/share/htmldoc  or  C:\Program Files\HTMLDOC '
+!     print "\t--dontextract \n\t\tIf given, %s will not extract the HTML files from the given CHM file, but will use previously extracted copies from the temporary directory " %name + '(i.e. ' + CHM2PDF_TEMP_ORIG_DIR + ' and ' + CHM2PDF_TEMP_WORK_DIR + '). Usually you will use this option after you have used the \'--extract-only\' option to extract the files in order to correct them manually (in ' + CHM2PDF_TEMP_WORK_DIR + '). After the correction, a call with \'--dontextract\' will not overwrite your changes, but will use the corrected files instead.'
+      print '\t--duplex\n\t\tSpecifies that the output should be formatted for double-sided printing.'
+      print '\t--effectduration {0.1..10.0}\n\t\tSpecifies the duration in seconds of PDF page transition effects.'
+      print '\t--embedfonts\n\t\tSpecifies that fonts should be embedded in PDF output.'
+--- 612,618 ----
+      print '\t--continuous\n\t\tSpecifies  that  the  HTML  sources are unstructured (plain web pages).\n\t\tNo page breaks are inserted between each file or URL in the output.'
+      print '\t--cookies \'name="value with space"; name=value\'\n\t\t'
+      print '\t--datadir directory\n\t\tSpecifies the  location  of  the  HTMLDOC  data  files,  usually  /usr/share/htmldoc  or  C:\Program Files\HTMLDOC '
+! #    print "\t--dontextract \n\t\tIf given, %s will not extract the HTML files from the given CHM file, but will use previously extracted copies from the temporary directory " %name + '(i.e. ' + CHM2PDF_TEMP_ORIG_DIR + ' and ' + CHM2PDF_TEMP_WORK_DIR + '). Usually you will use this option after you have used the \'--extract-only\' option to extract the files in order to correct them manually (in ' + CHM2PDF_TEMP_WORK_DIR + '). After the correction, a call with \'--dontextract\' will not overwrite your changes, but will use the corrected files instead.'
+      print '\t--duplex\n\t\tSpecifies that the output should be formatted for double-sided printing.'
+      print '\t--effectduration {0.1..10.0}\n\t\tSpecifies the duration in seconds of PDF page transition effects.'
+      print '\t--embedfonts\n\t\tSpecifies that fonts should be embedded in PDF output.'
+***************
+*** 1084,1096 ****
+          print 'CHM file "' + filename + '" not found!'
+          return
+      
+-     #remove temporary files
+-     if options['dontextract'] == '':
+-         if options['verbose']=='--verbose' and options['verbositylevel']=='high':
+-             print 'Removing any previous temporary files...'
+-         os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
+-         os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
+-     
+      cfile = chm.CHMFile()
+      cfile.LoadCHM(filename)
+  
+--- 1076,1081 ----
+***************
+*** 1105,1110 ****
+--- 1090,1097 ----
+              os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR + '&> /dev/null')
+      
+      convert_to_pdf(cfile, filename, outputfilename, options)
++     shutil.rmtree(CHM2PDF_TEMP_WORK_DIR)
++     shutil.rmtree(CHM2PDF_TEMP_ORIG_DIR)
+  
+  
+  if __name__ == '__main__':
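Review bot: The two `shutil.rmtree(...)` calls added after `convert_to_pdf(...)` run only when the conversion returns normally, while the `tempfile.mkdtemp()` calls now execute at module load, so an exception in `convert_to_pdf` or the early `return` after the 'CHM file ... not found!' message leaves both freshly created directories behind on every failed run. Wrapping the call as `try:` / `convert_to_pdf(cfile, filename, outputfilename, options)` / `finally:` with both `rmtree` calls under the `finally`, and creating the directories inside the function rather than at import time, would keep creation and cleanup paired; the enclosing function starts outside the hunk, so other exit paths may exist. The help-text hunk only comments out the `--dontextract` description, yet the context line `if options['dontextract'] == '':` still honours the option, which now appears to refer to new, empty directories on each run, so removing or rejecting the option would be clearer than hiding it. Separately, the unchanged context line that builds the `extract_chmLib` command still concatenates `filename` into an `os.system` string without quoting; passing an argument list to `subprocess.call` would avoid shell interpretation of the file name.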

