15440739 SUNBT6633578 gzcmp/gzdiff + gznew shell scripts use temporary files unsafely
17601897 The gznew script should have /usr/gnu/bin at the front of its PATH
--- a/components/gzip/gzip.p5m Mon Oct 21 23:00:28 2013 -0700
+++ b/components/gzip/gzip.p5m Tue Oct 22 07:03:55 2013 -0700
@@ -24,29 +24,22 @@
<transform file path=usr.*/man/.+ -> default mangler.man.stability committed>
set name=pkg.fmri \
value=pkg:/compress/gzip@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="GNU Zip (gzip)"
set name=pkg.description value="The GNU Zip (gzip) compression utility"
-set name=pkg.summary value="GNU Zip (gzip)"
set name=com.oracle.info.description value="GNU zip"
set name=com.oracle.info.tpno value=7913
set name=info.classification \
value="org.opensolaris.category.2008:Applications/System Utilities"
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid \
- value=PSARC/1999/555
+set name=org.opensolaris.arc-caseid value=PSARC/1999/555
set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
-dir path=usr
-dir path=usr/bin
-dir path=usr/share
-dir path=usr/share/info
-dir path=usr/share/man
-dir path=usr/share/man/man1
file path=usr/bin/gunzip
file path=usr/bin/gzcat
file path=usr/bin/gzcmp
file path=usr/bin/gzdiff
+file path=usr/bin/gzegrep
file path=usr/bin/gzexe
-file path=usr/bin/gzegrep
file path=usr/bin/gzfgrep
file path=usr/bin/gzforce
file path=usr/bin/gzgrep
@@ -68,10 +61,11 @@
file path=usr/share/man/man1/gzless.1
file path=usr/share/man/man1/gzmore.1
file path=usr/share/man/man1/gznew.1
-legacy pkg=SUNWgzip \
- desc="The GNU Zip (gzip) compression utility" \
+legacy pkg=SUNWgzip desc="The GNU Zip (gzip) compression utility" \
name="The GNU Zip (gzip) compression utility"
+license gzip.license license="GPLv3, FDLv1.3"
-license gzip.license license="GPLv3, FDLv1.3"
+# znew needs GNU chmod.
+depend type=require fmri=__TBD pkg.debug.depend.file=usr/gnu/bin/chmod
# zgrep needs a version of grep that has the -f command line option.
-depend fmri=system/xopen/xcu4 type=require
+depend type=require fmri=__TBD pkg.debug.depend.file=usr/xpg4/bin/grep
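Review bot: The new comment `# znew needs GNU chmod.` does not say which feature is required or what happens when it is missing. In the znew.patch added by this same commit, znew runs `chmod --reference="$n.Z" -- "$n$ext" 2>/dev/null`, so a chmod without `--reference` fails silently and the recompressed file keeps whatever mode the umask gave it. I would spell that out, e.g. `# znew copies the .Z file's mode with GNU chmod --reference (errors are discarded); without it the .gz keeps umask-default permissions.` The hunk starts partway through the manifest, so any related comments above it are not visible here.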
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/gzip/patches/znew.patch Tue Oct 22 07:03:55 2013 -0700
@@ -0,0 +1,161 @@
+From b3b5611e046b93fb20aa783d6d11d986f33f91f6 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert <at> cs.ucla.edu>
+Date: Thu, 3 Oct 2013 21:12:09 -0700
+Subject: [PATCH] znew: avoid denial-of-service issue
+
+Reported by Rich Burridge in <http://bugs.gnu.org/15522>.
+* znew.in: Rewrite to avoid the need for a temporary file in /tmp.
+That way, we avoid the need for set -C
+and worrying about denial of service.
+Use touch -r and chmod --reference rather than cpmod.
+Assume cp -p works, as it's now universal.
+Quote 'echo' args better, while we're at it.
+(warn, tmp, cpmod, cpmodarg): Remove.
+(GZIP): Unset, so that we needn't test for gzip extension.
+(ext): Now always '.gz'.
+* znew.1: Document the change of implementation assumptions.
+---
+diff --git a/znew.1 b/znew.1
+index dcdf84f..2a7e5e1 100644
+--- a/znew.1
++++ b/znew.1
+@@ -32,9 +32,16 @@ Keep a .Z file when it is smaller than the .gz file; implies
+ .SH "SEE ALSO"
+ gzip(1), zmore(1), zdiff(1), zgrep(1), zforce(1), gzexe(1), compress(1)
+ .SH BUGS
+-.I Znew
+-does not maintain the time stamp with the -P option if
+-.I cpmod(1)
+-is not available and
+-.I touch(1)
+-does not support the -r option.
++If the
++.B \-P
++option is used,
++.I znew
++does not maintain the time stamp if
++.IR touch (1)
++does not support the
++.B \-r
++option, and does not maintain permissions if
++.IR chmod (1)
++does not support the
++.B \-\-reference
++option.
+diff --git a/znew.in b/znew.in
+index 9bd3ce9..d16311a 100644
+--- a/znew.in
++++ b/znew.in
+@@ -21,7 +21,7 @@
+ case $1 in
+ --__bindir) bindir=${2?}; shift; shift;;
+ esac
+-PATH=$bindir:$PATH; export PATH
++PATH=/usr/gnu/bin:$bindir:$PATH; export PATH
+
+ version="znew (gzip) @VERSION@
+ Copyright (C) 2010-2012 Free Software Foundation, Inc.
+@@ -58,33 +58,9 @@ new=0
+ block=1024
+ # block is the disk block size (best guess, need not be exact)
+
+-warn="(does not preserve modes and timestamp)"
+-tmp=${TMPDIR-/tmp}/zfoo.$$
+-set -C
+-echo hi > $tmp || exit
+-if test -z "`(${CPMOD-cpmod} $tmp $tmp) 2>&1`"; then
+- cpmod=${CPMOD-cpmod}
+- warn=""
+-fi
+-
+-if test -z "$cpmod" && ${TOUCH-touch} -r $tmp $tmp 2>/dev/null; then
+- cpmod="${TOUCH-touch}"
+- cpmodarg="-r"
+- warn="(does not preserve file modes)"
+-fi
+-
+-# check if GZIP env. variable uses -S or --suffix
+-gzip -q $tmp
+-ext=`echo $tmp* | sed "s|$tmp||"`
+-rm -f $tmp*
+-if test -z "$ext"; then
+- echo znew: error determining gzip extension
+- exit 1
+-fi
+-if test "$ext" = ".Z"; then
+- echo znew: cannot use .Z as gzip extension.
+- exit 1
+-fi
++# Beware -s or --suffix in $GZIP.
++unset GZIP
++ext=.gz
+
+ for arg
+ do
+@@ -116,26 +92,27 @@ if test -n "$opt"; then
+ fi
+
+ for i do
+- n=`echo $i | sed 's/.Z$//'`
++ n=`echo "$i" | sed 's/.Z$//'`
+ if test ! -f "$n.Z" ; then
+- echo $n.Z not found
++ echo "$n.Z not found"
+ res=1; continue
+ fi
+ test $keep -eq 1 && old=`wc -c < "$n.Z"`
+ if test $pipe -eq 1; then
+ if gzip -d < "$n.Z" | gzip $opt > "$n$ext"; then
+ # Copy file attributes from old file to new one, if possible.
+- test -n "$cpmod" && $cpmod $cpmodarg "$n.Z" "$n$ext" 2> /dev/null
++ touch -r"$n.Z" -- "$n$ext" 2>/dev/null
++ chmod --reference="$n.Z" -- "$n$ext" 2>/dev/null
+ else
+- echo error while recompressing $n.Z
++ echo "error while recompressing $n.Z"
+ res=1; continue
+ fi
+ else
+ if test $check -eq 1; then
+- if cp -p "$n.Z" "$n.$$" 2> /dev/null || cp "$n.Z" "$n.$$"; then
++ if cp -p "$n.Z" "$n.$$"; then
+ :
+ else
+- echo cannot backup "$n.Z"
++ echo "cannot backup $n.Z"
+ res=1; continue
+ fi
+ fi
+@@ -143,7 +120,7 @@ for i do
+ :
+ else
+ test $check -eq 1 && mv "$n.$$" "$n.Z"
+- echo error while uncompressing $n.Z
++ echo "error while uncompressing $n.Z"
+ res=1; continue
+ fi
+ if gzip $opt "$n"; then
+@@ -151,10 +128,10 @@ for i do
+ else
+ if test $check -eq 1; then
+ mv "$n.$$" "$n.Z" && rm -f "$n"
+- echo error while recompressing $n
++ echo "error while recompressing $n"
+ else
+ # compress $n (might be dangerous if disk full)
+- echo error while recompressing $n, left uncompressed
++ echo "error while recompressing $n, left uncompressed"
+ fi
+ res=1; continue
+ fi
+@@ -175,7 +152,7 @@ for i do
+ else
+ test $pipe -eq 0 && mv "$n.$$" "$n.Z"
+ rm -f "$n$ext"
+- echo error while testing $n$ext, $n.Z unchanged
++ echo "error while testing $n$ext, $n.Z unchanged"
+ res=1; continue
+ fi
+ elif test $pipe -eq 1; then
+--
+1.8.3.1
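Review bot: The backup taken when `$check` is 1 still uses a PID-derived name next to the input, `cp -p "$n.Z" "$n.$$"`, so the predictable-name problem this patch removes from `${TMPDIR-/tmp}` remains for files in a directory other users can write to. A name created atomically in the same directory would close that, for example `bak=$(mktemp "$n.XXXXXX") || { res=1; continue; }` followed by `cp -p "$n.Z" "$bak"`, with the later `mv "$n.$$" "$n.Z"` lines switched to `$bak`; some of those lines sit outside the hunks shown. Separately, the `PATH=/usr/gnu/bin:$bindir:$PATH` hunk is not listed in the upstream change description carried in this patch's header, so it appears to be a local addition. It would be easier to audit against upstream as its own patch file or with a marker comment in the header.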
--- a/components/gzip/resolve.deps Mon Oct 21 23:00:28 2013 -0700
+++ b/components/gzip/resolve.deps Tue Oct 22 07:03:55 2013 -0700
@@ -1,2 +1,4 @@
+file/gnu-coreutils
shell/bash
system/library
+system/xopen/xcu4