security bump. insecure tmpfile handling bug 68405

5 files changed, 136 insertions, 4 deletions

diff --git a/app-arch/gzip/ChangeLog b/app-arch/gzip/ChangeLog
index e633ca4e48ff..71d2d1b7bb3a 100644
--- a/app-arch/gzip/ChangeLog
+++ b/app-arch/gzip/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for app-arch/gzip
 # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-arch/gzip/ChangeLog,v 1.17 2004/10/13 23:08:36 lv Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-arch/gzip/ChangeLog,v 1.18 2004/10/26 23:17:18 solar Exp $
+
+*gzip-1.3.5-r2 (26 Oct 2004)
+
+  26 Oct 2004; <solar@gentoo.org> +files/gzip-1.3.5-zdiff-tempfile.patch,
+  +gzip-1.3.5-r2.ebuild:
+  security bump. insecure tmpfile handling bug 68405
 
   13 Oct 2004; Travis Tilley <lv@gentoo.org> gzip-1.3.5-r1.ebuild:
   stable on amd64
diff --git a/app-arch/gzip/Manifest b/app-arch/gzip/Manifest
index 2bd0c563e572..8f74aa033725 100644
--- a/app-arch/gzip/Manifest
+++ b/app-arch/gzip/Manifest
@@ -1,7 +1,20 @@
-MD5 bae41c0e5f4b738754302d13d7c09b5d ChangeLog 4708
-MD5 c792b7221f6eba29a5a78f53e40e2a70 gzip-1.3.3-r4.ebuild 1780
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
 MD5 8cf232bd624a2032dadf55c7ca093ffd gzip-1.3.5-r1.ebuild 2029
+MD5 c792b7221f6eba29a5a78f53e40e2a70 gzip-1.3.3-r4.ebuild 1780
+MD5 4aff1f182edc40859bd75fe7caca8bc5 gzip-1.3.5-r2.ebuild 2091
+MD5 1fc686bc980d5171b1a707bbc37b153f ChangeLog 4894
 MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164
+MD5 07e347c680d1ca49a2683aa6cb2b126a files/gzip-1.3.3-security.patch 2521
 MD5 2034712a3fa0de0258ee8a1598965ac5 files/digest-gzip-1.3.3-r4 62
 MD5 a3bbaab6aec4b44161509caf1883e5d8 files/digest-gzip-1.3.5-r1 134
-MD5 07e347c680d1ca49a2683aa6cb2b126a files/gzip-1.3.3-security.patch 2521
+MD5 a3bbaab6aec4b44161509caf1883e5d8 files/digest-gzip-1.3.5-r2 134
+MD5 f4727ba4030d08645aff9e1957453ecf files/gzip-1.3.5-zdiff-tempfile.patch 939
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.2.4 (GNU/Linux)
+
+iD8DBQFBftql94CCfB4KcwwRAsaHAJ4rLQmA1iqBMBq+sLLoNDyG1fb7bwCfWavM
+kLwuXoCVa04XHUb2WkKuX6k=
+=HD1s
+-----END PGP SIGNATURE-----
diff --git a/app-arch/gzip/files/digest-gzip-1.3.5-r2 b/app-arch/gzip/files/digest-gzip-1.3.5-r2
new file mode 100644
index 000000000000..d9e68f978e4f
--- /dev/null
+++ b/app-arch/gzip/files/digest-gzip-1.3.5-r2
@@ -0,0 +1,2 @@
+MD5 3d6c191dfd2bf307014b421c12dc8469 gzip_1.3.5.orig.tar.gz 331550
+MD5 63d6cf343da210a3740aef2ed583f85d gzip-1.3.5-deb.patch.bz2 9136
diff --git a/app-arch/gzip/files/gzip-1.3.5-zdiff-tempfile.patch b/app-arch/gzip/files/gzip-1.3.5-zdiff-tempfile.patch
new file mode 100644
index 000000000000..293560dc8763
--- /dev/null
+++ b/app-arch/gzip/files/gzip-1.3.5-zdiff-tempfile.patch
@@ -0,0 +1,29 @@
+--- zdiff.in	2002-09-26 04:33:24.000000000 -0400
++++ zdiff.in.new	2004-10-26 19:06:08.000000000 -0400
+@@ -35,6 +35,10 @@
+ 	echo "Usage: $prog [${comp}_options] file [file]"
+ 	exit 2
+ fi
++tmp=`tempfile -d /tmp -p gz` || {
++	echo 'cannot create a temporary file' >&2
++	exit 1
++}
+ set $FILES
+ if test $# -eq 1; then
+ 	FILE=`echo "$1" | sed 's/[-.][zZtga]*$//'`
+@@ -47,11 +51,11 @@
+ 	        *[-.]gz* | *[-.][zZ] | *.t[ga]z)
+ 			F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
+ 			set -C
+-			trap 'rm -f /tmp/"$F".$$; exit 2' HUP INT PIPE TERM 0
+-			gzip -cdfq "$2" > /tmp/"$F".$$ || exit
+-                        gzip -cdfq "$1" | $comp $OPTIONS - /tmp/"$F".$$
++			trap 'rm -f $tmp; exit 2' HUP INT PIPE TERM 0
++			gzip -cdfq "$2" > $tmp || exit
++			gzip -cdfq "$1" | $comp $OPTIONS - $tmp
+                         STAT="$?"
+-			/bin/rm -f /tmp/"$F".$$ || STAT=2
++			/bin/rm -f $tmp || STAT=2
+ 			trap - HUP INT PIPE TERM 0
+ 			exit $STAT;;
+ 
diff --git a/app-arch/gzip/gzip-1.3.5-r2.ebuild b/app-arch/gzip/gzip-1.3.5-r2.ebuild
new file mode 100644
index 000000000000..2bccd31d0517
--- /dev/null
+++ b/app-arch/gzip/gzip-1.3.5-r2.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/gzip/gzip-1.3.5-r2.ebuild,v 1.1 2004/10/26 23:17:18 solar Exp $
+
+inherit eutils flag-o-matic
+
+DESCRIPTION="Standard GNU compressor"
+HOMEPAGE="http://www.gnu.org/software/gzip/gzip.html"
+# This is also available from alpha.gnu.org, but that site has very limited
+# bandwidth and often isn't accessible
+SRC_URI="mirror://debian/pool/main/g/gzip/gzip_${PV}.orig.tar.gz
+	mirror://gentoo/${P}-deb.patch.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390"
+IUSE="nls build static pic"
+
+RDEPEND="virtual/libc"
+DEPEND="${RDEPEND}
+	nls? ( sys-devel/gettext )"
+PROVIDE="virtual/gzip"
+
+src_unpack() {
+	unpack gzip_${PV}.orig.tar.gz
+	cd ${S}
+	epatch ${DISTDIR}/${P}-deb.patch.bz2
+	epatch ${FILESDIR}/gzip-1.3.5-zdiff-tempfile.patch
+}
+
+src_compile() {
+	use static && append-flags -static
+	# avoid text relocation in gzip
+	use pic && export DEFS="NO_ASM"
+	econf --exec-prefix=/ $(use_enable nls) || die
+	emake || die
+}
+
+src_install() {
+	dodir /usr/bin /usr/share/man/man1
+	make prefix=${D}/usr \
+		exec_prefix=${D}/ \
+		mandir=${D}/usr/share/man \
+		infodir=${D}/usr/share/info \
+		install || die
+
+	cd ${D}/bin
+
+	for i in gzexe zforce zgrep zmore znew zcmp
+	do
+		sed -i -e "s:${D}::" ${i} || die
+		chmod 755 ${i}
+	done
+
+	# No need to waste space -- these guys should be links
+	# gzcat is equivilant to zcat, but historically zcat
+	# was a link to compress.
+	rm -f gunzip zcat zcmp zegrep zfgrep
+	dosym gzip /bin/gunzip
+	dosym gzip /bin/gzcat
+	dosym gzip /bin/zcat
+	dosym zdiff /bin/zcmp
+	dosym zgrep /bin/zegrep
+	dosym zgrep /bin/zfgrep
+
+	if ! use build
+	then
+		cd ${D}/usr/share/man/man1
+		rm -f gunzip.* zcmp.* zcat.*
+		ln -s gzip.1.gz gunzip.1.gz
+		ln -s zdiff.1.gz zcmp.1.gz
+		ln -s gzip.1.gz zcat.1.gz
+		ln -s gzip.1.gz gzcat.1.gz
+		cd ${S}
+		rm -rf ${D}/usr/man ${D}/usr/lib
+		dodoc ChangeLog NEWS README THANKS TODO
+		docinto txt
+		dodoc algorithm.doc gzip.doc
+	else
+		rm -rf ${D}/usr
+	fi
+}