The set-user-ID binary zhcon normally reads it's user-specified

configuration file as root.  Drop privileges before opening the file to
prevent a local user from reading arbitrary files.

Reported by:	Erik Sjölund
Obtained from:	Debian

2 files changed, 22 insertions, 1 deletions

diff --git a/chinese/zhcon/Makefile b/chinese/zhcon/Makefile
index b5fe324feaa..c0e6d430600 100644
--- a/chinese/zhcon/Makefile
+++ b/chinese/zhcon/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	zhcon
 PORTVERSION=	0.2.3
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	chinese
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
diff --git a/chinese/zhcon/files/patch-src::configfile.cpp b/chinese/zhcon/files/patch-src::configfile.cpp
new file mode 100644
index 00000000000..15850160280
--- /dev/null
+++ b/chinese/zhcon/files/patch-src::configfile.cpp
@@ -0,0 +1,21 @@
+--- src/configfile.cpp.orig	Tue Jan 25 07:38:59 2005
++++ src/configfile.cpp	Tue Jan 25 07:41:19 2005
+@@ -19,13 +19,18 @@
+ #include <stdexcept>
+ #include <fstream>
+ #include <cstdlib>
++#include <sys/types.h>
++#include <unistd.h>
+ #include "configfile.h"
+ 
+ ConfigFile::ConfigFile(const char *fn) {
++    uid_t euid = geteuid();
++    setuid(getuid());
+     ifstream in(fn);
+     if (!in)
+         throw runtime_error("Could not open config file!");
+     ParseFile(in);
++    setuid(euid);
+ }
+ 
+ ConfigFile::~ConfigFile() {}