diff options
| author |   Matthew Thode <prometheanfire@gentoo.org> | 2013-06-21 14:25:07 +0000 |
|---|---|---|
| committer | Matthew Thode <prometheanfire@gentoo.org> | 2013-06-21 14:25:07 +0000 |
| commit | 1eacdb354cd629b0ad312ad6a389d8b40a1ca07f (patch) | |
| tree | bce9a6878684a43a2c761ba1c059c129671df2d1 /app-office/tpp | |
| parent | Initial commit (diff) | |
| download | gentoo-2-1eacdb354cd629b0ad312ad6a389d8b40a1ca07f.tar.gz gentoo-2-1eacdb354cd629b0ad312ad6a389d8b40a1ca07f.tar.bz2 gentoo-2-1eacdb354cd629b0ad312ad6a389d8b40a1ca07f.zip | |
fix for bug 474018 Possibility of arbitrary code execution when processing untrusted TPP template
(Portage version: 2.1.11.62/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'app-office/tpp')
| -rw-r--r-- | app-office/tpp/ChangeLog | 13 | ||||
| -rw-r--r-- | app-office/tpp/files/tpp-1.3.1-optional-exec.patch | 55 | ||||
| -rw-r--r-- | app-office/tpp/tpp-1.3.1-r1.ebuild | 4 | ||||
| -rw-r--r-- | app-office/tpp/tpp-1.3.1-r2.ebuild | 28 |
4 files changed, 95 insertions, 5 deletions
diff --git a/app-office/tpp/ChangeLog b/app-office/tpp/ChangeLog index e43a712b885d..efcafa81aa09 100644 --- a/app-office/tpp/ChangeLog +++ b/app-office/tpp/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-office/tpp -# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/ChangeLog,v 1.20 2011/06/25 06:43:45 graaff Exp $ +# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/ChangeLog,v 1.21 2013/06/21 14:25:06 prometheanfire Exp $ + +*tpp-1.3.1-r2 (21 Jun 2013) + + 21 Jun 2013; Matthew Thode <prometheanfire@gentoo.org> + +files/tpp-1.3.1-optional-exec.patch, +tpp-1.3.1-r2.ebuild, + tpp-1.3.1-r1.ebuild: + fix for bug 474018 Possibility of arbitrary code execution when processing + untrusted TPP template 25 Jun 2011; Hans de Graaff <graaff@gentoo.org> -tpp-1.3.1.ebuild: Remove old version. @@ -76,4 +84,3 @@ +files/tpp-1.1.1-Makefile.patch, +tpp-1.1.1.ebuild: Initial import. Requested by Adrian Fruehwirth <fruehwia@spengergasse.at> in bug #73938 - diff --git a/app-office/tpp/files/tpp-1.3.1-optional-exec.patch b/app-office/tpp/files/tpp-1.3.1-optional-exec.patch new file mode 100644 index 000000000000..1ad08e83c06b --- /dev/null +++ b/app-office/tpp/files/tpp-1.3.1-optional-exec.patch @@ -0,0 +1,55 @@ +--- tpp-1.3.1.orig/tpp.rb 2013-06-12 22:13:55.000000000 +0200 ++++ tpp-1.3.1/tpp.rb 2013-06-12 22:15:08.000000000 +0200 +@@ -725,9 +725,13 @@ + end + + def do_exec(cmdline) +- rc = Kernel.system(cmdline) +- if not rc then +- # @todo: add error message ++ if $execok then ++ rc = Kernel.system(cmdline) ++ if not rc then ++ # @todo: add error message ++ end ++ else ++ @screen.addstr("--exec disabled by default for security reasons. Use option -x to enable it.") + end + end + +@@ -1683,6 +1687,7 @@ + $stderr.puts "\t -t <type>\tset filetype <type> as output format" + $stderr.puts "\t -o <file>\twrite output to file <file>" + $stderr.puts "\t -s <seconds>\twait <seconds> seconds between slides (with -t autoplay)" ++ $stderr.puts "\t -x\t\tallow parsing of --exec in input files" + $stderr.puts "\t --version\tprint the version" + $stderr.puts "\t --help\t\tprint this help" + $stderr.puts "\n\t currently available types: ncurses (default), autoplay, latex, txt" +@@ -1699,6 +1704,7 @@ + output = nil + type = "ncurses" + time = 1 ++$execok = nil + + skip_next = false + +@@ -1720,6 +1726,8 @@ + elsif ARGV[i] == "-s" then + time = ARGV[i+1].to_i + skip_next = true ++ elsif ARGV[i] == "-x" then ++ $execok = 1 + elsif input == nil then + input = ARGV[i] + end +--- tpp-1.3.1.orig/doc/tpp.1 2013-06-12 22:13:55.000000000 +0200 ++++ tpp-1.3.1/doc/tpp.1 2013-06-12 22:13:55.000000000 +0200 +@@ -20,6 +20,8 @@ + .TP + -l output.tex input.tpp converts tpp slides into tex + .TP ++-x allow usage of "--exec" ++.TP + -v/--version display version number + + .SH KEYS diff --git a/app-office/tpp/tpp-1.3.1-r1.ebuild b/app-office/tpp/tpp-1.3.1-r1.ebuild index e913362ade96..6381e8c5b8f8 100644 --- a/app-office/tpp/tpp-1.3.1-r1.ebuild +++ b/app-office/tpp/tpp-1.3.1-r1.ebuild @@ -1,6 +1,6 @@ -# Copyright 1999-2011 Gentoo Foundation +# Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/tpp-1.3.1-r1.ebuild,v 1.3 2011/06/24 21:00:14 ranger Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/tpp-1.3.1-r1.ebuild,v 1.4 2013/06/21 14:25:06 prometheanfire Exp $ EAPI=2 USE_RUBY="ruby18" diff --git a/app-office/tpp/tpp-1.3.1-r2.ebuild b/app-office/tpp/tpp-1.3.1-r2.ebuild new file mode 100644 index 000000000000..02708a9bf206 --- /dev/null +++ b/app-office/tpp/tpp-1.3.1-r2.ebuild @@ -0,0 +1,28 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-office/tpp/tpp-1.3.1-r2.ebuild,v 1.1 2013/06/21 14:25:06 prometheanfire Exp $ + +EAPI=2 +USE_RUBY="ruby18" + +inherit eutils ruby-ng + +DESCRIPTION="An ncurses-based presentation tool." +HOMEPAGE="http://synflood.at/tpp.html" +SRC_URI="http://synflood.at/tpp/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~ppc ~x86" +IUSE="figlet" + +RDEPEND="${RDEPEND} figlet? ( app-misc/figlet )" + +ruby_add_rdepend "dev-ruby/ncurses-ruby" + +RUBY_PATCHES=( "${FILESDIR}/${P}-Makefile.patch" + "${FILESDIR}/${P}-optional-exec.patch" ) + +each_ruby_install() { + make DESTDIR="${D}" install || die "make install failed" +} |