author | naddy <naddy@FreeBSD.org> | 2005-02-12 05:35:40 +0800 |
---|---|---|
committer | naddy <naddy@FreeBSD.org> | 2005-02-12 05:35:40 +0800 |
commit | 83faa820c73477d0fbac1f5b1f5f40be237945bc (patch) | |
tree | a6b581aff2deeb66466e2197702bdeb518a3f10c | |
parent | 5ed72b7d049506721b9cba4acae12f699aee05d8 (diff) | |
Security fixes:
Erik Sjolund discovered several issues in enscript: it suffers from
several buffer overflows (CAN-2004-1186), quotes and shell escape
characters are insufficiently sanitized in filenames (CAN-2004-1185),
and it supported taking input from an arbitrary command pipe, with
unwanted side effects (CAN-2004-1184).
Obtained from: Gentoo
-rw-r--r-- | print/enscript-letter/Makefile | 3 | ||||
-rw-r--r-- | print/enscript-letter/files/patch-src_gsint.h | 15 | ||||
-rw-r--r-- | print/enscript-letter/files/patch-src_main.c | 48 | ||||
-rw-r--r-- | print/enscript-letter/files/patch-src_psgen.c | 37 | ||||
-rw-r--r-- | print/enscript-letter/files/patch-src_util.c | 82 |
5 files changed, 184 insertions, 1 deletions
diff --git a/print/enscript-letter/Makefile b/print/enscript-letter/Makefile index b6610cb4292f..301b3650de58 100644 --- a/print/enscript-letter/Makefile +++ b/print/enscript-letter/Makefile @@ -7,12 +7,13 @@ PORTNAME= enscript-${PAPERSIZE} PORTVERSION= 1.6.4 +PORTREVISION= 1 CATEGORIES+= print MASTER_SITES= http://people.ssh.com/mtr/genscript/ DISTNAME= enscript-${PORTVERSION} MAINTAINER?= ports@FreeBSD.org -COMMENT= ASCII-to-PostScript filter +COMMENT= ASCII to PostScript filter # Work around configure issue CC= diff --git a/print/enscript-letter/files/patch-src_gsint.h b/print/enscript-letter/files/patch-src_gsint.h new file mode 100644 index 000000000000..29a18a1298bd --- /dev/null +++ b/print/enscript-letter/files/patch-src_gsint.h @@ -0,0 +1,15 @@ + +$FreeBSD$ + +--- src/gsint.h.orig ++++ src/gsint.h +@@ -701,4 +701,9 @@ + */ + void printer_close ___P ((void *context)); + ++/* ++ * Escape filenames for shell usage ++ */ ++char *shell_escape ___P ((const char *fn)); ++ + #endif /* not GSINT_H */ diff --git a/print/enscript-letter/files/patch-src_main.c b/print/enscript-letter/files/patch-src_main.c new file mode 100644 index 000000000000..a321b2834de6 --- /dev/null +++ b/print/enscript-letter/files/patch-src_main.c 
@@ -0,0 +1,48 @@
+
+$FreeBSD$
+
+--- src/main.c.orig
++++ src/main.c
+@@ -1546,9 +1546,13 @@
+ buffer_append (&cmd, intbuf);
+ buffer_append (&cmd, " ");
+
+- buffer_append (&cmd, "-Ddocument_title=\"");
+- buffer_append (&cmd, title);
+- buffer_append (&cmd, "\" ");
++ buffer_append (&cmd, "-Ddocument_title=\'");
++ if ((cp = shell_escape (title)) != NULL)
++ {
++ buffer_append (&cmd, cp);
++ free (cp);
++ }
++ buffer_append (&cmd, "\' ");
+
+ buffer_append (&cmd, "-Dtoc=");
+ buffer_append (&cmd, toc ? "1" : "0");
+@@ -1565,8 +1569,14 @@
+ /* Append input files. */
+ for (i = optind; i < argc; i++)
+ {
+- buffer_append (&cmd, " ");
+- buffer_append (&cmd, argv[i]);
++ char *cp;
++ if ((cp = shell_escape (argv[i])) != NULL)
++ {
++ buffer_append (&cmd, " \'");
++ buffer_append (&cmd, cp);
++ buffer_append (&cmd, "\'");
++ free (cp);
++ }
+ }
+
+ /* And do the job. */
+@@ -1627,7 +1637,7 @@
+ buffer_ptr (opts), buffer_len (opts));
+ }
+
+- buffer_append (&buffer, " \"%s\"");
++ buffer_append (&buffer, " \'%s\'");
+
+ input_filter = buffer_copy (&buffer);
+ input_filter_stdin = "-";
diff --git a/print/enscript-letter/files/patch-src_psgen.c b/print/enscript-letter/files/patch-src_psgen.c
new file mode 100644
index 000000000000..b1a419bd1de7
--- /dev/null
+++ b/print/enscript-letter/files/patch-src_psgen.c
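Review bot: When shell_escape() returns NULL, both new call sites in patch-src_main.c simply skip the append: the `-Ddocument_title=` hunk emits an empty `''` title, and the input-file loop leaves the file operand out entirely, so the spawned command runs on a different set of files with no diagnostic. An allocation failure here should stop the run instead of changing the command line, for example an `else` branch that reports the failure and exits. The same silent skip is in the `case 's':` expansion of patch-src_util.c. The `-1546` hunk also uses `cp` without a visible declaration (the loop hunk declares its own `char *cp;`), so it presumably relies on a variable declared outside the shown context; the enclosing functions start and end outside these hunks.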
@@ -0,0 +1,37 @@
+
+$FreeBSD$
+
+--- src/psgen.c.orig
++++ src/psgen.c
+@@ -2034,8 +2034,9 @@
+ else
+ {
+ ftail++;
+- strncpy (buf, fname, ftail - fname);
+- buf[ftail - fname] = '\0';
++ i = ftail - fname >= sizeof (buf)-1 ? sizeof (buf)-1 : ftail - fname;
++ strncpy (buf, fname, i);
++ buf[i] = '\0';
+ }
+
+ if (nup > 1)
+@@ -2385,9 +2386,10 @@
+ MESSAGE (2, (stderr, "^@epsf=\"%s\"\n", token->u.epsf.filename));
+
+ i = strlen (token->u.epsf.filename);
++ /*
+ if (i > 0 && token->u.epsf.filename[i - 1] == '|')
+ {
+- /* Read EPS data from pipe. */
++ / * Read EPS data from pipe. * /
+ token->u.epsf.pipe = 1;
+ token->u.epsf.filename[i - 1] = '\0';
+ token->u.epsf.fp = popen (token->u.epsf.filename, "r");
+@@ -2400,6 +2402,7 @@
+ }
+ }
+ else
++ */
+ {
+ char *filename;
+
diff --git a/print/enscript-letter/files/patch-src_util.c b/print/enscript-letter/files/patch-src_util.c
new file mode 100644
index 000000000000..b2412235c480
--- /dev/null
+++ b/print/enscript-letter/files/patch-src_util.c
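Review bot: The pipe-input branch is disabled by a `/* ... */` comment that opens in the `-2385` hunk and closes in the `-2400` hunk, which forced the inner comment to be mangled into `/ * Read EPS data from pipe. * /` and puts the lines between the two hunks, not visible here, inside the comment as well. Any `*/` in those unseen lines would end the comment early; `#if 0` ... `#endif` around the branch, or deleting it, does not have that weakness and leaves the original text intact. A one-line reason at the top would help the next maintainer, e.g. `/* EPS input from a command pipe is disabled: CAN-2004-1184 */`. With the branch gone `token->u.epsf.pipe` is presumably never set, so any later pipe-close handling becomes dead code that could go in the same change.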
@@ -0,0 +1,82 @@
+
+$FreeBSD$
+
+--- src/util.c.orig
++++ src/util.c
+@@ -1239,6 +1239,8 @@
+
+ /* Create result. */
+ cp = xmalloc (len + 1);
++ if (cp == NULL)
++ return NULL;
+ for (i = 0, j = 0; string[i]; i++)
+ switch (string[i])
+ {
+@@ -1879,6 +1881,7 @@
+ char *cmd = NULL;
+ int cmdlen;
+ int i, pos;
++ char *cp;
+
+ is->is_pipe = 1;
+
+@@ -1902,12 +1905,16 @@
+ {
+ case 's':
+ /* Expand cmd-buffer. */
+- cmdlen += strlen (fname);
+- cmd = xrealloc (cmd, cmdlen);
++ if ((cp = shell_escape (fname)) != NULL)
++ {
++ cmdlen += strlen (cp);
++ cmd = xrealloc (cmd, cmdlen);
+
+- /* Paste filename. */
+- strcpy (cmd + pos, fname);
+- pos += strlen (fname);
++ /* Paste filename. */
++ strcpy (cmd + pos, cp);
++ pos += strlen (cp);
++ free (cp);
++ }
+
+ i++;
+ break;
+@@ -2115,4 +2122,37 @@
+ buffer_len (Buffer *buffer)
+ {
+ return buffer->len;
++}
++
++/*
++ * Escapes the name of a file so that the shell groks it in 'single'
++ * quotation marks. The resulting pointer has to be free()ed when not
++ * longer used.
++*/
++char *
++shell_escape(const char *fn)
++{
++ size_t len = 0;
++ const char *inp;
++ char *retval, *outp;
++
++ for(inp = fn; *inp; ++inp)
++ switch(*inp)
++ {
++ case '\'': len += 4; break;
++ default: len += 1; break;
++ }
++
++ outp = retval = malloc(len + 1);
++ if(!outp)
++ return NULL; /* perhaps one should do better error handling here */
++ for(inp = fn; *inp; ++inp)
++ switch(*inp)
++ {
++ case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
++ default: *outp++ = *inp; break;
++ }
++ *outp = 0;
++
++ return retval;
+ } |
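Review bot: shell_escape() rewrites only `'`, so its output is safe only where the surrounding command template places it inside single quotes, yet the `case 's':` expansion in the `-1902` hunk pastes the escaped name into whatever template it was handed. The template built in patch-src_main.c was switched to `'%s'`, but a template from another source that writes `%s` bare or inside double quotes would still expose the other shell metacharacters in the filename; this is inferred, since the template sources are outside the hunks. Either let the expansion emit the enclosing quotes itself or state the requirement next to it, e.g. `/* %s is escaped for '...' only; the template must single-quote it */`. In shell_escape() itself, `*outp++ = '\'', *outp++ = '\'';` uses a comma where the neighbouring statements use `;`, and if `xmalloc` (already used in this file) aborts on failure as its name suggests, calling it instead of `malloc` would remove the NULL return every caller now has to handle.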