7008719 Problem with print/a2ps
authorVladimir Marek <Vladimir.Marek@oracle.com>
Thu, 18 Aug 2011 12:40:34 -0700
changeset 483 039b6fd5ced3
parent 482 be3d0ad01572
child 484 63ed89d661a3
7008719 Problem with print/a2ps
components/a2ps/patches/CVE-2004-1170.patch
components/a2ps/patches/CVE-2004-1377.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/a2ps/patches/CVE-2004-1170.patch	Thu Aug 18 12:40:34 2011 -0700
@@ -0,0 +1,57 @@
+--- ap2s/src/select.c.orig	Thu Dec 16 02:04:56 1999
++++ ap2s/src/select.c	Sat Aug 21 12:05:31 2004
[email protected]@ -131,6 +131,36 @@
+   return 1;
+ }
+ 
++/* escapes the name of a file so that the shell groks it in 'single' q.marks. 
++   The resulting pointer has to be free()ed when not longer used. */
++char *
++shell_escape(const char *fn)
++{
++  size_t len = 0;
++  const char *inp;
++  char *retval, *outp;
++
++  for(inp = fn; *inp; ++inp)
++    switch(*inp)
++    {
++      case '\'': len += 4; break;
++      default:   len += 1; break;
++    }
++
++  outp = retval = malloc(len + 1);
++  if(!outp)
++    return NULL; /* perhaps one should do better error handling here */
++  for(inp = fn; *inp; ++inp)
++    switch(*inp)
++    {
++      case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
++      default:   *outp++ = *inp; break;
++    }
++  *outp = 0;
++
++  return retval;
++}
++
+ /* What says file about the type of a file (result is malloc'd).  NULL
+   if could not be run.  */
+ 
[email protected]@ -144,11 +174,15 @@
+   if (IS_EMPTY (job->file_command))
+     return NULL;
+ 
++  filename = shell_escape(filename);
++  if(filename == NULL)
++    return NULL;
+   /* Call file(1) with the correct option */
+-  command = ALLOCA (char, (2
++  command = ALLOCA (char, (4
+ 			   + strlen (job->file_command)
+ 			   + ustrlen (filename)));
+-  sprintf (command, "%s %s", job->file_command, (const char *) filename);
++  sprintf (command, "%s '%s'", job->file_command, (const char *) filename);
++  free(filename);
+   message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
+   file_out = popen (command, "r");
+ 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/a2ps/patches/CVE-2004-1377.patch	Thu Aug 18 12:40:34 2011 -0700
@@ -0,0 +1,130 @@
+Fix for CVE-2004-1377. This is not taken from a2ps-1.14 but rather created
+based on the CVE description. pdiff.in and pdiff.m4 has the same tmpdir, but it
+does not seem to be used, or the dir created anywhere. So I skipped pdiff.
+
+diff -urN a2ps-4.13/contrib/fixps.in a2ps-4.13-fix/contrib/fixps.in
+--- a2ps-4.13/contrib/fixps.in	2000-02-21 00:16:15.000000000 -0800
++++ a2ps-4.13-fix/contrib/fixps.in	2011-08-18 07:19:10.207791746 -0700
[email protected]@ -38,7 +38,6 @@
+ run_gs=0
+ # What action to perform: fixps, cat, check, and gs
+ task=fixps
+-tmpdir=/tmp/$program.$$
+ verbose=echo
+ 
+ # The version/usage strings
[email protected]@ -183,6 +182,11 @@
+       exit 1;;
+ esac
+ 
++tmpdir=$( mktemp -d -t fixps.XXXXXX )
++if [ -z "$tmpdir" ]; then
++  echo "Can't create temporary directory - quitting"
++  exit 1
++fi
+ if test -n "$debug"; then
+   # Set -x now if debugging
+   set -x
[email protected]@ -191,7 +195,6 @@
+   trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15
+ fi
+ 
+-mkdir $tmpdir
+ fixps_sed=$tmpdir/fixps.sed
+ 
+ # If printing from stdin, save into a tmp file
+diff -urN a2ps-4.13/contrib/fixps.m4 a2ps-4.13-fix/contrib/fixps.m4
+--- a2ps-4.13/contrib/fixps.m4	2000-02-21 00:16:02.000000000 -0800
++++ a2ps-4.13-fix/contrib/fixps.m4	2011-08-18 07:19:19.602142022 -0700
[email protected]@ -24,7 +24,6 @@
+ run_gs=0
+ # What action to perform: fixps, cat, check, and gs
+ task=fixps
+-tmpdir=/tmp/$program.$$
+ verbose=echo
+ 
+ # The version/usage strings
[email protected]@ -101,6 +100,11 @@
+       exit 1;;
+ esac
+ 
++tmpdir=$( mktemp -d -t fixps.XXXXXX )
++if [ -z "$tmpdir" ]; then
++  echo "Can't create temporary directory - quitting"
++  exit 1
++fi
+ if test -n "$debug"; then
+   # Set -x now if debugging
+   set -x
[email protected]@ -109,7 +113,6 @@
+   trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15
+ fi
+ 
+-mkdir $tmpdir
+ fixps_sed=$tmpdir/fixps.sed
+ 
+ # If printing from stdin, save into a tmp file
+diff -urN a2ps-4.13/contrib/psmandup.in a2ps-4.13-fix/contrib/psmandup.in
+--- a2ps-4.13/contrib/psmandup.in	1999-10-24 06:06:42.000000000 -0700
++++ a2ps-4.13-fix/contrib/psmandup.in	2011-08-18 07:19:28.387779180 -0700
[email protected]@ -36,7 +36,6 @@
+ message=
+ psselect=${PSSELECT:-psselect}
+ psset=${PSSET:-psset}
+-tmpdir=/tmp/$program.$$
+ 
+ # These two must be kept in synch.  They are opposed.
+ verbose=echo
[email protected]@ -177,6 +176,11 @@
+       exit 1;;
+ esac
+ 
++tmpdir=$( mktemp -d -t psmandup.XXXXXX )
++if [ -z "$tmpdir" ]; then
++  echo "Can't create temporary directory - quitting"
++  exit 1
++fi
+ if test -n "$debug"; then
+   # Set -x now if debugging
+   set -x
[email protected]@ -185,8 +189,6 @@
+   trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15
+ fi
+ 
+-mkdir $tmpdir
+-
+ # If printing from stdin, save into a tmp file
+ if test $file = '-'; then
+   file=$tmpdir/stdin.ps
+diff -urN a2ps-4.13/contrib/psmandup.m4 a2ps-4.13-fix/contrib/psmandup.m4
+--- a2ps-4.13/contrib/psmandup.m4	1999-10-24 05:46:52.000000000 -0700
++++ a2ps-4.13-fix/contrib/psmandup.m4	2011-08-18 07:20:00.973705908 -0700
[email protected]@ -22,7 +22,6 @@
+ message=
+ psselect=${PSSELECT:-psselect}
+ psset=${PSSET:-psset}
+-tmpdir=/tmp/$program.$$
+ 
+ # These two must be kept in synch.  They are opposed.
+ verbose=echo
[email protected]@ -95,6 +94,11 @@
+       exit 1;;
+ esac
+ 
++tmpdir=$( mktemp -d -t psmandup.XXXXXX )
++if [ -z "$tmpdir" ]; then
++  echo "Can't create temporary directory - quitting"
++  exit 1
++fi
+ if test -n "$debug"; then
+   # Set -x now if debugging
+   set -x
[email protected]@ -103,8 +107,6 @@
+   trap "/bin/rm -rf $tmpdir" 0 1 2 3 13 15
+ fi
+ 
+-mkdir $tmpdir
+-
+ # If printing from stdin, save into a tmp file
+ if test $file = '-'; then
+   file=$tmpdir/stdin.ps