Security fix: several shell scripts included in the Ghostscript package

allow local users to overwrite files via a symlink attack on temporary
files.

Security: CAN-2004-0967

13 files changed, 225 insertions, 3 deletions

diff --git a/print/ghostscript-afpl/Makefile.inc b/print/ghostscript-afpl/Makefile.inc
index 001c89b64f56..752a6b3309b9 100644
--- a/print/ghostscript-afpl/Makefile.inc
+++ b/print/ghostscript-afpl/Makefile.inc
@@ -1,5 +1,5 @@
 # $FreeBSD$
 
 GS_VERSION=	8.53
-GS_REVISION=	0
+GS_REVISION=	1
 GS_EPOCH=	1
diff --git a/print/ghostscript-afpl/files/patch-lib:ps2epsi.CAN-2004-0967 b/print/ghostscript-afpl/files/patch-lib:ps2epsi.CAN-2004-0967
new file mode 100644
index 000000000000..33636efcaef2
--- /dev/null
+++ b/print/ghostscript-afpl/files/patch-lib:ps2epsi.CAN-2004-0967
@@ -0,0 +1,12 @@
+--- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
++++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
+@@ -1,7 +1,8 @@
+ #!/bin/sh
+ # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
+ 
+-tmpfile=/tmp/ps2epsi$$
++tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
++trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
+ 
+ export outfile
+ 
diff --git a/print/ghostscript-afpl/files/patch-lib:pv.sh.CAN-2004-0967 b/print/ghostscript-afpl/files/patch-lib:pv.sh.CAN-2004-0967
new file mode 100644
index 000000000000..a37fc43aada9
--- /dev/null
+++ b/print/ghostscript-afpl/files/patch-lib:pv.sh.CAN-2004-0967
@@ -0,0 +1,16 @@
+--- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
++++ lib/pv.sh	Mon Nov 28 02:18:59 2005
+@@ -29,9 +29,10 @@
+ PAGE=$1
+ shift
+ FILE=$1
++TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
+ shift
+-trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
++trap "rm -rf $TEMPFILE" 0 1 2 15
+ #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-gs $FILE.$$.pv
++dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
++gs $TEMPFILE
+ exit 0
diff --git a/print/ghostscript-gnu/Makefile.inc b/print/ghostscript-gnu/Makefile.inc
index 347f7094fa83..e1902dd096e4 100644
--- a/print/ghostscript-gnu/Makefile.inc
+++ b/print/ghostscript-gnu/Makefile.inc
@@ -1,5 +1,5 @@
 # $FreeBSD$
 
 GS_VERSION=	7.07
-GS_REVISION=	13
+GS_REVISION=	14
 GS_EPOCH=	0
diff --git a/print/ghostscript-gnu/files/patch-lib:pj-gs.sh.CAN-2004-0967 b/print/ghostscript-gnu/files/patch-lib:pj-gs.sh.CAN-2004-0967
new file mode 100644
index 000000000000..9d4a0850f191
--- /dev/null
+++ b/print/ghostscript-gnu/files/patch-lib:pj-gs.sh.CAN-2004-0967
@@ -0,0 +1,40 @@
+--- lib/pj-gs.sh.orig	Thu Mar  9 17:40:40 2000
++++ lib/pj-gs.sh	Mon Nov 28 02:22:20 2005
+@@ -241,6 +241,7 @@
+ 			then
+ 				/usr/lib/lprcat $Nofilter $Nolabel $file PCL1 $user $dev
+ 			else
++				TEMPFILE=`mktemp -t pjXXXXXX` || exit 1
+ 				type=`file $file | sed 's/^[^:]*..//'`
+ 				case "$type" in
+ 				postscript*)
+@@ -251,22 +252,22 @@
+ #
+ #					gs -q -sDEVICE=paintjet -r180 -sOutputFile=- -dDISKFONTS -dNOPAUSE - < $file 2>/tmp/sh$$
+ 
+-					gs -q -sDEVICE=paintjet -r180 -sOutputFile=/tmp/pj$$ -dDISKFONTS -dNOPAUSE - < $file 1>2
+-					cat /tmp/pj$$
+-					rm /tmp/pj$$
++					gs -q -sDEVICE=paintjet -r180 -sOutputFile=$TEMPFILE -dDISKFONTS -dNOPAUSE - < $file 1>2
++					cat $TEMPFILE
++					rm $TEMPFILE
+ 					needff=
+ 					;;
+-				*)	cat "$file" 2>/tmp/sh$$
++				*)	cat "$file" 2>$TEMPFILE
+ 					needff=1
+ 					;;
+ 				esac
+ 
+-				if [ -s /tmp/sh$$ ]
++				if [ -s $TEMPFILE ]
+ 				then
+ #				    cat /tmp/sh$$	# output any errors
+-				    cat /tmp/sh$$ 1>2	# output any errors
++				    cat $TEMPFILE 1>2	# output any errors
+ 				fi
+-				rm -f /tmp/sh$$
++				rm -f $TEMPFILE
+ 				if [ $needff ]; then echo "\014\r\c"; fi
+ 			fi
+ 
diff --git a/print/ghostscript-gnu/files/patch-lib:ps2epsi.CAN-2004-0967 b/print/ghostscript-gnu/files/patch-lib:ps2epsi.CAN-2004-0967
new file mode 100644
index 000000000000..33636efcaef2
--- /dev/null
+++ b/print/ghostscript-gnu/files/patch-lib:ps2epsi.CAN-2004-0967
@@ -0,0 +1,12 @@
+--- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
++++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
+@@ -1,7 +1,8 @@
+ #!/bin/sh
+ # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
+ 
+-tmpfile=/tmp/ps2epsi$$
++tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
++trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
+ 
+ export outfile
+ 
diff --git a/print/ghostscript-gnu/files/patch-lib:pv.sh.CAN-2004-0967 b/print/ghostscript-gnu/files/patch-lib:pv.sh.CAN-2004-0967
new file mode 100644
index 000000000000..a37fc43aada9
--- /dev/null
+++ b/print/ghostscript-gnu/files/patch-lib:pv.sh.CAN-2004-0967
@@ -0,0 +1,16 @@
+--- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
++++ lib/pv.sh	Mon Nov 28 02:18:59 2005
+@@ -29,9 +29,10 @@
+ PAGE=$1
+ shift
+ FILE=$1
++TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
+ shift
+-trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
++trap "rm -rf $TEMPFILE" 0 1 2 15
+ #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-gs $FILE.$$.pv
++dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
++gs $TEMPFILE
+ exit 0
diff --git a/print/ghostscript-gnu/files/patch-lib:sysvlp.sh.CAN-2004-0967 b/print/ghostscript-gnu/files/patch-lib:sysvlp.sh.CAN-2004-0967
new file mode 100644
index 000000000000..314d5d0bbe84
--- /dev/null
+++ b/print/ghostscript-gnu/files/patch-lib:sysvlp.sh.CAN-2004-0967
@@ -0,0 +1,29 @@
+--- lib/sysvlp.sh.orig	Thu Mar  9 17:40:40 2000
++++ lib/sysvlp.sh	Mon Nov 28 02:22:42 2005
+@@ -27,20 +27,23 @@
+ # Brother HL-4: switch to HP laserjet II+ emulation
+ # echo "\033\015H\c"
+ 
++TEMPDIR=`mktemp -td sysvlp.XXXXXX` || exit 1
++
+ i=1
+ while [ $i -le $copies ]
+ do
+ 	for file in $files
+ 	do
+ 		$GSHOME/gs \
+-			-sOUTPUTFILE=/tmp/psp$$.%02d \
++			-sOUTPUTFILE=$TEMPDIR/psp$$.%02d \
+ 			-sDEVICE=$DEVICE \
+ 			$EHANDLER $file \
+ 			< /dev/null >> /usr/tmp/ps_log 2>&1
+ 
+-		cat /tmp/psp$$.* 2>> /usr/tmp/ps_log
+-		rm -f /tmp/psp$$.*
++		cat $TEMPDIR/psp$$.* 2>> /usr/tmp/ps_log
++		rm -f $TEMPDIR/psp$$.*
+ 	done
+ 	i=`expr $i + 1`
+ done
++rmdir $TEMPDIR
+ exit 0
diff --git a/print/ghostscript7/Makefile.inc b/print/ghostscript7/Makefile.inc
index 347f7094fa83..e1902dd096e4 100644
--- a/print/ghostscript7/Makefile.inc
+++ b/print/ghostscript7/Makefile.inc
@@ -1,5 +1,5 @@
 # $FreeBSD$
 
 GS_VERSION=	7.07
-GS_REVISION=	13
+GS_REVISION=	14
 GS_EPOCH=	0
diff --git a/print/ghostscript7/files/patch-lib:pj-gs.sh.CAN-2004-0967 b/print/ghostscript7/files/patch-lib:pj-gs.sh.CAN-2004-0967
new file mode 100644
index 000000000000..9d4a0850f191
--- /dev/null
+++ b/print/ghostscript7/files/patch-lib:pj-gs.sh.CAN-2004-0967
@@ -0,0 +1,40 @@
+--- lib/pj-gs.sh.orig	Thu Mar  9 17:40:40 2000
++++ lib/pj-gs.sh	Mon Nov 28 02:22:20 2005
+@@ -241,6 +241,7 @@
+ 			then
+ 				/usr/lib/lprcat $Nofilter $Nolabel $file PCL1 $user $dev
+ 			else
++				TEMPFILE=`mktemp -t pjXXXXXX` || exit 1
+ 				type=`file $file | sed 's/^[^:]*..//'`
+ 				case "$type" in
+ 				postscript*)
+@@ -251,22 +252,22 @@
+ #
+ #					gs -q -sDEVICE=paintjet -r180 -sOutputFile=- -dDISKFONTS -dNOPAUSE - < $file 2>/tmp/sh$$
+ 
+-					gs -q -sDEVICE=paintjet -r180 -sOutputFile=/tmp/pj$$ -dDISKFONTS -dNOPAUSE - < $file 1>2
+-					cat /tmp/pj$$
+-					rm /tmp/pj$$
++					gs -q -sDEVICE=paintjet -r180 -sOutputFile=$TEMPFILE -dDISKFONTS -dNOPAUSE - < $file 1>2
++					cat $TEMPFILE
++					rm $TEMPFILE
+ 					needff=
+ 					;;
+-				*)	cat "$file" 2>/tmp/sh$$
++				*)	cat "$file" 2>$TEMPFILE
+ 					needff=1
+ 					;;
+ 				esac
+ 
+-				if [ -s /tmp/sh$$ ]
++				if [ -s $TEMPFILE ]
+ 				then
+ #				    cat /tmp/sh$$	# output any errors
+-				    cat /tmp/sh$$ 1>2	# output any errors
++				    cat $TEMPFILE 1>2	# output any errors
+ 				fi
+-				rm -f /tmp/sh$$
++				rm -f $TEMPFILE
+ 				if [ $needff ]; then echo "\014\r\c"; fi
+ 			fi
+ 
diff --git a/print/ghostscript7/files/patch-lib:ps2epsi.CAN-2004-0967 b/print/ghostscript7/files/patch-lib:ps2epsi.CAN-2004-0967
new file mode 100644
index 000000000000..33636efcaef2
--- /dev/null
+++ b/print/ghostscript7/files/patch-lib:ps2epsi.CAN-2004-0967
@@ -0,0 +1,12 @@
+--- lib/ps2epsi.orig	Mon Nov 28 02:17:38 2005
++++ lib/ps2epsi	Mon Nov 28 02:17:45 2005
+@@ -1,7 +1,8 @@
+ #!/bin/sh
+ # $Id: ps2epsi,v 1.7.2.1 2002/04/22 20:18:24 giles Exp $
+ 
+-tmpfile=/tmp/ps2epsi$$
++tmpfile=`mktemp -t ps2epsi.XXXXXX || exit 1`
++trap "rm -rf $tmpfile" 0 1 2 3 7 13 15
+ 
+ export outfile
+ 
diff --git a/print/ghostscript7/files/patch-lib:pv.sh.CAN-2004-0967 b/print/ghostscript7/files/patch-lib:pv.sh.CAN-2004-0967
new file mode 100644
index 000000000000..a37fc43aada9
--- /dev/null
+++ b/print/ghostscript7/files/patch-lib:pv.sh.CAN-2004-0967
@@ -0,0 +1,16 @@
+--- lib/pv.sh.orig	Mon Nov 28 02:18:26 2005
++++ lib/pv.sh	Mon Nov 28 02:18:59 2005
+@@ -29,9 +29,10 @@
+ PAGE=$1
+ shift
+ FILE=$1
++TEMPFILE=`mktemp -t ${FILE}XXXXXX` || exit 1
+ shift
+-trap "rm -rf $TEMPDIR/$FILE.$$.pv" 0 1 2 15
++trap "rm -rf $TEMPFILE" 0 1 2 15
+ #dvips -D$RESOLUTION -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
+-gs $FILE.$$.pv
++dvips -p $PAGE -n 1 $FILE $* -o $TEMPFILE
++gs $TEMPFILE
+ exit 0
diff --git a/print/ghostscript7/files/patch-lib:sysvlp.sh.CAN-2004-0967 b/print/ghostscript7/files/patch-lib:sysvlp.sh.CAN-2004-0967
new file mode 100644
index 000000000000..314d5d0bbe84
--- /dev/null
+++ b/print/ghostscript7/files/patch-lib:sysvlp.sh.CAN-2004-0967
@@ -0,0 +1,29 @@
+--- lib/sysvlp.sh.orig	Thu Mar  9 17:40:40 2000
++++ lib/sysvlp.sh	Mon Nov 28 02:22:42 2005
+@@ -27,20 +27,23 @@
+ # Brother HL-4: switch to HP laserjet II+ emulation
+ # echo "\033\015H\c"
+ 
++TEMPDIR=`mktemp -td sysvlp.XXXXXX` || exit 1
++
+ i=1
+ while [ $i -le $copies ]
+ do
+ 	for file in $files
+ 	do
+ 		$GSHOME/gs \
+-			-sOUTPUTFILE=/tmp/psp$$.%02d \
++			-sOUTPUTFILE=$TEMPDIR/psp$$.%02d \
+ 			-sDEVICE=$DEVICE \
+ 			$EHANDLER $file \
+ 			< /dev/null >> /usr/tmp/ps_log 2>&1
+ 
+-		cat /tmp/psp$$.* 2>> /usr/tmp/ps_log
+-		rm -f /tmp/psp$$.*
++		cat $TEMPDIR/psp$$.* 2>> /usr/tmp/ps_log
++		rm -f $TEMPDIR/psp$$.*
+ 	done
+ 	i=`expr $i + 1`
+ done
++rmdir $TEMPDIR
+ exit 0