Date: Mon, 29 Dec 2008 20:31:02 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/130028: [vuxml] [patch] print/pdfjam: fix CVE-2008-5743; occasionally remove bash dependency
Message-ID: <20081229173102.5217AB8019@phoenix.codelabs.ru>
Resent-Message-ID: <200812291740.mBTHe1hl091803@freefall.freebsd.org>
>Number: 130028
>Category: ports
>Synopsis: [vuxml] [patch] print/pdfjam: fix CVE-2008-5743; occasionally remove bash dependency
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 29 17:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
pdfjam is vulnerable to the symlink attack, as described in the entry for CVE-2008-5743 [1]. Note that there is no "."-in-the-PATH issue, [2], in the FreeBSD port, because it provides the full path for pdflatex.
>How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5743
[2] https://bugs.gentoo.org/show_bug.cgi?id=252734
>Fix:
The following patch fixes the issue, adds the static PATH item ${LOCALBASE}/bin to the end of the PATH (to allow the user to override the pdflatex location by setting their own value of PATH) and removes the Bash-specific command "source".

--- fix-CVE-2008-5743-and-remove-Bash-isms.diff begins here --- >From 7b60a9c08ecdf131a006e518b61263e5b5afbe95 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Mon, 29 Dec 2008 20:16:00 +0300 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5743 https://bugs.gentoo.org/show_bug.cgi?id=252734 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- print/pdfjam/Makefile | 7 ++--- print/pdfjam/files/patch-scripts-pdf90 | 44 +++++++++++++++++++++++++++--- print/pdfjam/files/patch-scripts-pdfjoin | 43 ++++++++++++++++++++++++++--- print/pdfjam/files/patch-scripts-pdfnup | 43 ++++++++++++++++++++++++++--- 4 files changed, 121 insertions(+), 16 deletions(-) diff --git a/print/pdfjam/Makefile b/print/pdfjam/Makefile index b6e67c5..4810821 100644 --- a/print/pdfjam/Makefile +++ b/print/pdfjam/Makefile 
@@ -7,7 +7,7 @@ PORTNAME= pdfjam PORTVERSION= 1.20 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= print MASTER_SITES= http://www2.warwick.ac.uk/fac/sci/statistics/staff/academic/firth/software/pdfjam/ \ http://www.it.ca/~paul/src/ @@ -17,8 +17,7 @@ EXTRACT_SUFX= .tgz MAINTAINER= paul+ports@it.ca COMMENT= Shell scripts to manipulate PDF files -RUN_DEPENDS= pdflatex:${PORTSDIR}/print/teTeX-base \ - bash:${PORTSDIR}/shells/bash +RUN_DEPENDS= pdflatex:${PORTSDIR}/print/teTeX-base WRKSRC= ${WRKDIR}/${PORTNAME} @@ -31,7 +30,7 @@ NO_BUILD= yes post-patch: @${LN} -s scripts ${WRKSRC}/bin .for FILE in ${PLIST_FILES} - @${SED} -i '' "1s:^#! /bin/sh:#!${LOCALBASE}/bin/bash:;s:__LOCALBASE__:${LOCALBASE}:" ${WRKSRC}/${FILE} + @${REINPLACE_CMD} -e"s|__LOCALBASE__|${LOCALBASE}|g" ${WRKSRC}/${FILE} .endfor do-install: diff --git a/print/pdfjam/files/patch-scripts-pdf90 b/print/pdfjam/files/patch-scripts-pdf90 index b742159..93bff3c 100644 --- a/print/pdfjam/files/patch-scripts-pdf90 +++ b/print/pdfjam/files/patch-scripts-pdf90 
@@ -1,11 +1,47 @@ ---- scripts/pdf90.orig Tue Jan 25 14:19:21 2005 -+++ scripts/pdf90 Wed Mar 16 09:16:35 2005 -@@ -23,7 +23,7 @@ +--- scripts/pdf90.orig 2005-01-25 22:19:21.000000000 +0300 ++++ scripts/pdf90 2008-12-29 20:00:05.000000000 +0300 +@@ -23,12 +23,18 @@ ## ## First say where your "pdflatex" program lives: ## -pdflatex=pdflatex -+pdflatex=__LOCALBASE__/bin/pdflatex ++pdflatex="__LOCALBASE__"/bin/pdflatex #pdflatex="pdflatex.exe" ## this for Windows computers ## ## Next a permitted location for temporary files on your system: + ## +-tempfileDir="/var/tmp" ## /var/tmp is standard on most unix systems ++## /var/tmp is standard on most unix systems ++tempfileDir=`mktemp -dq /var/tmp/pdf90.XXXXXXXX` ++if [ -z "$tempfileDir" ]; then ++ echo "pdf90: unable to create temporary directory" ++ exit 2 ++fi ++trap "rm -rf -- \"$tempfileDir\"" 0 1 2 3 15 + #tempfileDir="C:/tmp" ## use something like this under Windows + ## + ## Now specify the default settings for pdf90: +@@ -43,12 +49,12 @@ + for d in /etc /usr/share/etc /usr/local/share /usr/local/etc + do if test -f $d/pdfnup.conf; then + echo "Reading site configuration from $d/pdfnup.conf" +- source $d/pdfnup.conf ++ . $d/pdfnup.conf + fi + done + if test -f ~/.pdfnup.conf; then + echo "Reading user defaults from ~/.pdfnup.conf"; +- source ~/.pdfnup.conf; ++ . ~/.pdfnup.conf; + fi + ####################################################################### + ## +@@ -71,7 +77,7 @@ + ## + ## Check that necessary LaTeX packages are installed + ## +-PATH=`dirname "$pdflatex"`:$PATH ++PATH="$PATH":"__LOCALBASE__"/bin + export PATH + case `kpsewhich pdfpages.sty` in + "") echo "pdf90: pdfpages.sty not installed"; exit 1;; diff --git a/print/pdfjam/files/patch-scripts-pdfjoin b/print/pdfjam/files/patch-scripts-pdfjoin index bd590ff..eb50c07 100644 --- a/print/pdfjam/files/patch-scripts-pdfjoin +++ b/print/pdfjam/files/patch-scripts-pdfjoin 
@@ -1,11 +1,46 @@ ---- scripts/pdfjoin.orig Tue Jan 25 14:19:21 2005 -+++ scripts/pdfjoin Wed Mar 16 09:16:42 2005 -@@ -23,7 +23,7 @@ +--- scripts/pdfjoin.orig 2005-01-25 22:19:21.000000000 +0300 ++++ scripts/pdfjoin 2008-12-29 20:00:05.000000000 +0300 +@@ -23,12 +23,17 @@ ## ## First say where your "pdflatex" program lives: ## -pdflatex=pdflatex -+pdflatex=__LOCALBASE__/bin/pdflatex ++pdflatex="__LOCALBASE__"/bin/pdflatex #pdflatex="pdflatex.exe" ## this for Windows computers ## ## Next a permitted location for temporary files on your system: + ## +-tempfileDir="/var/tmp" ## /var/tmp is standard on most unix systems ++## /var/tmp is standard on most unix systems ++tempfileDir=`mktemp -dq /var/tmp/pdfjoin.XXXXXXXX` ++if [ -z "$tempfileDir" ]; then ++ echo "pdfjoin: unable to create temporary directory" ++ exit 2 ++fi + #tempfileDir="C:/tmp" ## use something like this under Windows + ## + ## Now specify the default settings for pdfjoin: +@@ -50,12 +55,12 @@ + for d in /etc /usr/share/etc /usr/local/share /usr/local/etc + do if test -f $d/pdfnup.conf; then + echo "Reading site configuration from $d/pdfnup.conf" +- source $d/pdfnup.conf ++ . $d/pdfnup.conf + fi + done + if test -f ~/.pdfnup.conf; then + echo "Reading user defaults from ~/.pdfnup.conf"; +- source ~/.pdfnup.conf; ++ . ~/.pdfnup.conf; + fi + ####################################################################### + ## +@@ -99,7 +104,7 @@ + ## + ## Check that necessary LaTeX packages are installed + ## +-PATH=`dirname "$pdflatex"`:$PATH ++PATH="$PATH":"__LOCALBASE__"/bin + export PATH + case `kpsewhich pdfpages.sty` in + "") echo "pdfjoin: pdfpages.sty not installed"; exit 1;; diff --git a/print/pdfjam/files/patch-scripts-pdfnup b/print/pdfjam/files/patch-scripts-pdfnup index 227a38a..68606ed 100644 --- a/print/pdfjam/files/patch-scripts-pdfnup +++ b/print/pdfjam/files/patch-scripts-pdfnup 
@@ -1,11 +1,46 @@ ---- scripts/pdfnup.orig Tue Jan 25 14:19:21 2005 -+++ scripts/pdfnup Wed Mar 16 09:17:40 2005 -@@ -23,7 +23,7 @@ +--- scripts/pdfnup.orig 2005-01-25 22:19:21.000000000 +0300 ++++ scripts/pdfnup 2008-12-29 20:00:44.000000000 +0300 +@@ -23,12 +23,17 @@ ## ## First say where your "pdflatex" program lives: ## -pdflatex=pdflatex -+pdflatex=__LOCALBASE__/bin/pdflatex ++pdflatex="__LOCALBASE__"/bin/pdflatex #pdflatex="pdflatex.exe" ## this for Windows computers ## ## Next a permitted location for temporary files on your system: + ## +-tempfileDir="/var/tmp" ## /var/tmp is standard on many unix systems ++## /var/tmp is standard on most unix systems ++tempfileDir=`mktemp -dq /var/tmp/pdfnup.XXXXXXXX` ++if [ -z "$tempfileDir" ]; then ++ echo "pdfnup: unable to create temporary directory" ++ exit 2 ++fi + #tempfileDir="C:/tmp" ## use something like this under Windows + ## + ## Now specify the default settings for pdfnup: +@@ -57,12 +62,12 @@ + for d in /etc /usr/share/etc /usr/local/share /usr/local/etc + do if test -f $d/pdfnup.conf; then + echo "Reading site configuration from $d/pdfnup.conf" +- source $d/pdfnup.conf ++ . $d/pdfnup.conf + fi + done + if test -f ~/.pdfnup.conf; then + echo "Reading user defaults from ~/.pdfnup.conf"; +- source ~/.pdfnup.conf; ++ . ~/.pdfnup.conf; + fi + ####################################################################### + ## +@@ -134,7 +139,7 @@ + ## + ## Check that necessary LaTeX packages are installed + ## +-PATH=`dirname "$pdflatex"`:$PATH ++PATH="$PATH":"__LOCALBASE__"/bin + export PATH + case `kpsewhich pdfpages.sty` in + "") echo "pdfnup: pdfpages.sty not installed"; exit 1;; -- 1.6.0.5 --- fix-CVE-2008-5743-and-remove-Bash-isms.diff ends here --- Had tested this patch for a bunch of PDF files -- it works for me. 
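Review bot: Dropping bash from RUN_DEPENDS and the `#! /bin/sh` rewrite from post-patch in print/pdfjam/Makefile requires the three scripts to be free of every bash-only construct, while the script patches only show `source` replaced by `.`. Please confirm that each patched script was checked under /bin/sh (at minimum `sh -n` on pdf90, pdfjoin and pdfnup) and say so in the commit message, so the reason for removing the dependency is on record.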
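Review bot: The trap added in patch-scripts-pdf90, `trap "rm -rf -- \"$tempfileDir\"" 0 1 2 3 15`, has no exit in its signal branch, so on HUP, INT, QUIT or TERM the directory is removed and the script then resumes running without it. Use one trap on 0 that removes the directory and a second on 1 2 3 15 that calls exit, which fires the exit trap in turn. The "unable to create temporary directory" message should also be sent to stderr with `>&2`.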
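Review bot: patch-scripts-pdfjoin creates the mktemp directory but, unlike patch-scripts-pdf90, installs no trap to remove it, and patch-scripts-pdfnup has the same omission. Unless the scripts delete the directory elsewhere, every run leaves a pdfjoin.XXXXXXXX or pdfnup.XXXXXXXX directory behind in /var/tmp. Add the same cleanup to both so the three scripts behave alike.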
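Review bot: In patch-scripts-pdfnup, as in the other two script patches, tempfileDir is assigned before the loop that reads $d/pdfnup.conf and ~/.pdfnup.conf, so a configuration file that sets tempfileDir would put the script back in a shared directory and bypass the mktemp call. Consider calling mktemp after the configuration has been read, using the configured value only as the base directory. Separately, `PATH="$PATH":"__LOCALBASE__"/bin` produces a leading empty entry, which means the current directory, when PATH is empty on entry; `PATH="${PATH:+$PATH:}__LOCALBASE__/bin"` avoids that.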
The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
<vuln vid="e4aa439e-d5cc-11dd-b0cc-001fc66e7203">
  <topic>pdfjam -- local users can overwrite files via symlink attack</topic>
  <affects>
    <package>
      <name>pdfjam</name>
      <range><lt>1.20_4</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Entry for CVE-2008-5743 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5743">
        <p>pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a predictable name, which allows local users to overwrite arbitrary files via a symlink attack.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-5743</cvename>
    <url>https://bugzilla.novell.com/show_bug.cgi?id=459031</url>
    <url>https://bugs.gentoo.org/show_bug.cgi?id=252734</url>
  </references>
  <dates>
    <discovery>15-12-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
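The failure mode quoted from the CVE entry and the effect of switching to `mktemp -d`, as an added example that is not part of the PR or of the pdfjam scripts. The file name `pdfjam-job.tex`, the function names and the sandbox layout are constructed for illustration, and everything happens inside a throwaway directory.

```shell
#!/bin/sh
# Added example, not code from the pdfjam port. All names are constructed.

# Pre-fix pattern: a fixed, guessable file name inside a directory that
# other local users can write to. The redirection follows symlinks.
write_predictable() {   # $1 = shared dir, $2 = content
    printf '%s\n' "$2" > "$1/pdfjam-job.tex"
}

# Post-fix pattern: mktemp -d atomically creates a new directory with an
# unpredictable name, so nothing can be planted inside it beforehand.
write_private() {       # $1 = shared dir, $2 = content; prints the work dir
    work=$(mktemp -d "$1/pdfjam.XXXXXXXX") || return 2
    printf '%s\n' "$2" > "$work/pdfjam-job.tex" || return 2
    printf '%s\n' "$work"
}

# Self-check in a sandbox. Returns 0 when the old pattern overwrites a file
# through a pre-planted symlink and the new pattern leaves that file intact.
demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXXXX") || return 2
    mkdir "$sandbox/shared"
    echo "precious" > "$sandbox/victim.txt"
    # Link planted at the guessable name before the script runs.
    ln -s "$sandbox/victim.txt" "$sandbox/shared/pdfjam-job.tex"

    write_predictable "$sandbox/shared" "scratch data"
    old=$(cat "$sandbox/victim.txt")           # overwritten via the link

    echo "precious" > "$sandbox/victim.txt"    # reset for the second run
    work=$(write_private "$sandbox/shared" "scratch data") || return 2
    new=$(cat "$sandbox/victim.txt")           # untouched
    mode=$(ls -ld "$work" | cut -c1-10)        # private to the owner

    rm -rf -- "$sandbox"
    [ "$old" = "scratch data" ] && [ "$new" = "precious" ] &&
        [ "$mode" = "drwx------" ]
}

if demo; then
    echo "predictable name: target overwritten; mktemp -d: target intact"
else
    echo "demo did not behave as expected" >&2
fi
```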