Date: Mon, 29 Dec 2008 20:31:02 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/130028: [vuxml] [patch] print/pdfjam: fix CVE-2008-5743; occasionally remove bash dependency

>Number: 130028
>Category: ports
>Synopsis: [vuxml] [patch] print/pdfjam: fix CVE-2008-5743; occasionally remove bash dependency
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 29 17:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
pdfjam is vulnerable to the symlink attack, as described in the entry for CVE-2008-5743 [1]. Note that there is no "."-in-the-PATH issue [2] in the FreeBSD port, because it provides the full path for pdflatex.
>How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5743
[2] https://bugs.gentoo.org/show_bug.cgi?id=252734
>Fix:
The following patch fixes the issue, adds the static PATH item ${LOCALBASE}/bin to the end of the PATH (to allow the user to override the pdflatex location by setting their own value of the PATH) and removes the Bash-specific command "source".

--- fix-CVE-2008-5743-and-remove-Bash-isms.diff begins here ---
>From 7b60a9c08ecdf131a006e518b61263e5b5afbe95 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Mon, 29 Dec 2008 20:16:00 +0300

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5743
https://bugs.gentoo.org/show_bug.cgi?id=252734
Signed-off-by: Eygene Ryabinkin --- print/pdfjam/Makefile | 7 ++--- print/pdfjam/files/patch-scripts-pdf90 | 44 +++++++++++++++++++++++++++--- print/pdfjam/files/patch-scripts-pdfjoin | 43 ++++++++++++++++++++++++++--- print/pdfjam/files/patch-scripts-pdfnup | 43 ++++++++++++++++++++++++++--- 4 files changed, 121 insertions(+), 16 deletions(-) diff --git a/print/pdfjam/Makefile b/print/pdfjam/Makefile index b6e67c5..4810821 100644 --- a/print/pdfjam/Makefile +++ b/print/pdfjam/Makefile @@ -7,7 +7,7 @@ PORTNAME= pdfjam PORTVERSION= 1.20 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= print MASTER_SITES= http://www2.warwick.ac.uk/fac/sci/statistics/staff/academic/firth/software/pdfjam/ \ http://www.it.ca/~paul/src/ @@ -17,8 +17,7 @@ EXTRACT_SUFX= .tgz MAINTAINER= paul+ports@it.ca COMMENT= Shell scripts to manipulate PDF files -RUN_DEPENDS= pdflatex:${PORTSDIR}/print/teTeX-base \ - bash:${PORTSDIR}/shells/bash +RUN_DEPENDS= pdflatex:${PORTSDIR}/print/teTeX-base WRKSRC= ${WRKDIR}/${PORTNAME} @@ -31,7 +30,7 @@ NO_BUILD= yes post-patch: @${LN} -s scripts ${WRKSRC}/bin .for FILE in ${PLIST_FILES} - @${SED} -i '' "1s:^#! /bin/sh:#!${LOCALBASE}/bin/bash:;s:__LOCALBASE__:${LOCALBASE}:" ${WRKSRC}/${FILE} + @${REINPLACE_CMD} -e"s|__LOCALBASE__|${LOCALBASE}|g" ${WRKSRC}/${FILE} .endfor do-install: diff --git a/print/pdfjam/files/patch-scripts-pdf90 b/print/pdfjam/files/patch-scripts-pdf90 index b742159..93bff3c 100644 --- a/print/pdfjam/files/patch-scripts-pdf90 +++ b/print/pdfjam/files/patch-scripts-pdf90 
@@ -1,11 +1,47 @@ ---- scripts/pdf90.orig Tue Jan 25 14:19:21 2005 -+++ scripts/pdf90 Wed Mar 16 09:16:35 2005 -@@ -23,7 +23,7 @@ +--- scripts/pdf90.orig 2005-01-25 22:19:21.000000000 +0300 ++++ scripts/pdf90 2008-12-29 20:00:05.000000000 +0300 +@@ -23,12 +23,18 @@ ## ## First say where your "pdflatex" program lives: ## -pdflatex=pdflatex -+pdflatex=__LOCALBASE__/bin/pdflatex ++pdflatex="__LOCALBASE__"/bin/pdflatex #pdflatex="pdflatex.exe" ## this for Windows computers ## ## Next a permitted location for temporary files on your system: + ## +-tempfileDir="/var/tmp" ## /var/tmp is standard on most unix systems ++## /var/tmp is standard on most unix systems ++tempfileDir=`mktemp -dq /var/tmp/pdf90.XXXXXXXX` ++if [ -z "$tempfileDir" ]; then ++ echo "pdf90: unable to create temporary directory" ++ exit 2 ++fi ++trap "rm -rf -- \"$tempfileDir\"" 0 1 2 3 15 + #tempfileDir="C:/tmp" ## use something like this under Windows + ## + ## Now specify the default settings for pdf90: +@@ -43,12 +49,12 @@ + for d in /etc /usr/share/etc /usr/local/share /usr/local/etc + do if test -f $d/pdfnup.conf; then + echo "Reading site configuration from $d/pdfnup.conf" +- source $d/pdfnup.conf ++ . $d/pdfnup.conf + fi + done + if test -f ~/.pdfnup.conf; then + echo "Reading user defaults from ~/.pdfnup.conf"; +- source ~/.pdfnup.conf; ++ . ~/.pdfnup.conf; + fi + ####################################################################### + ## +@@ -71,7 +77,7 @@ + ## + ## Check that necessary LaTeX packages are installed + ## +-PATH=`dirname "$pdflatex"`:$PATH ++PATH="$PATH":"__LOCALBASE__"/bin + export PATH + case `kpsewhich pdfpages.sty` in + "") echo "pdf90: pdfpages.sty not installed"; exit 1;; diff --git a/print/pdfjam/files/patch-scripts-pdfjoin b/print/pdfjam/files/patch-scripts-pdfjoin index bd590ff..eb50c07 100644 --- a/print/pdfjam/files/patch-scripts-pdfjoin +++ b/print/pdfjam/files/patch-scripts-pdfjoin 
@@ -1,11 +1,46 @@ ---- scripts/pdfjoin.orig Tue Jan 25 14:19:21 2005 -+++ scripts/pdfjoin Wed Mar 16 09:16:42 2005 -@@ -23,7 +23,7 @@ +--- scripts/pdfjoin.orig 2005-01-25 22:19:21.000000000 +0300 ++++ scripts/pdfjoin 2008-12-29 20:00:05.000000000 +0300 +@@ -23,12 +23,17 @@ ## ## First say where your "pdflatex" program lives: ## -pdflatex=pdflatex -+pdflatex=__LOCALBASE__/bin/pdflatex ++pdflatex="__LOCALBASE__"/bin/pdflatex #pdflatex="pdflatex.exe" ## this for Windows computers ## ## Next a permitted location for temporary files on your system: + ## +-tempfileDir="/var/tmp" ## /var/tmp is standard on most unix systems ++## /var/tmp is standard on most unix systems ++tempfileDir=`mktemp -dq /var/tmp/pdfjoin.XXXXXXXX` ++if [ -z "$tempfileDir" ]; then ++ echo "pdfjoin: unable to create temporary directory" ++ exit 2 ++fi + #tempfileDir="C:/tmp" ## use something like this under Windows + ## + ## Now specify the default settings for pdfjoin: +@@ -50,12 +55,12 @@ + for d in /etc /usr/share/etc /usr/local/share /usr/local/etc + do if test -f $d/pdfnup.conf; then + echo "Reading site configuration from $d/pdfnup.conf" +- source $d/pdfnup.conf ++ . $d/pdfnup.conf + fi + done + if test -f ~/.pdfnup.conf; then + echo "Reading user defaults from ~/.pdfnup.conf"; +- source ~/.pdfnup.conf; ++ . ~/.pdfnup.conf; + fi + ####################################################################### + ## +@@ -99,7 +104,7 @@ + ## + ## Check that necessary LaTeX packages are installed + ## +-PATH=`dirname "$pdflatex"`:$PATH ++PATH="$PATH":"__LOCALBASE__"/bin + export PATH + case `kpsewhich pdfpages.sty` in + "") echo "pdfjoin: pdfpages.sty not installed"; exit 1;; diff --git a/print/pdfjam/files/patch-scripts-pdfnup b/print/pdfjam/files/patch-scripts-pdfnup index 227a38a..68606ed 100644 --- a/print/pdfjam/files/patch-scripts-pdfnup +++ b/print/pdfjam/files/patch-scripts-pdfnup 
@@ -1,11 +1,46 @@ ---- scripts/pdfnup.orig Tue Jan 25 14:19:21 2005 -+++ scripts/pdfnup Wed Mar 16 09:17:40 2005 -@@ -23,7 +23,7 @@ +--- scripts/pdfnup.orig 2005-01-25 22:19:21.000000000 +0300 ++++ scripts/pdfnup 2008-12-29 20:00:44.000000000 +0300 +@@ -23,12 +23,17 @@ ## ## First say where your "pdflatex" program lives: ## -pdflatex=pdflatex -+pdflatex=__LOCALBASE__/bin/pdflatex ++pdflatex="__LOCALBASE__"/bin/pdflatex #pdflatex="pdflatex.exe" ## this for Windows computers ## ## Next a permitted location for temporary files on your system: + ## +-tempfileDir="/var/tmp" ## /var/tmp is standard on many unix systems ++## /var/tmp is standard on most unix systems ++tempfileDir=`mktemp -dq /var/tmp/pdfnup.XXXXXXXX` ++if [ -z "$tempfileDir" ]; then ++ echo "pdfnup: unable to create temporary directory" ++ exit 2 ++fi + #tempfileDir="C:/tmp" ## use something like this under Windows + ## + ## Now specify the default settings for pdfnup: +@@ -57,12 +62,12 @@ + for d in /etc /usr/share/etc /usr/local/share /usr/local/etc + do if test -f $d/pdfnup.conf; then + echo "Reading site configuration from $d/pdfnup.conf" +- source $d/pdfnup.conf ++ . $d/pdfnup.conf + fi + done + if test -f ~/.pdfnup.conf; then + echo "Reading user defaults from ~/.pdfnup.conf"; +- source ~/.pdfnup.conf; ++ . ~/.pdfnup.conf; + fi + ####################################################################### + ## +@@ -134,7 +139,7 @@ + ## + ## Check that necessary LaTeX packages are installed + ## +-PATH=`dirname "$pdflatex"`:$PATH ++PATH="$PATH":"__LOCALBASE__"/bin + export PATH + case `kpsewhich pdfpages.sty` in + "") echo "pdfnup: pdfpages.sty not installed"; exit 1;; -- 1.6.0.5 --- fix-CVE-2008-5743-and-remove-Bash-isms.diff ends here --- Had tested this patch for a bunch of PDF files -- it works for me. The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- pdfjam -- local users can overwrite files via symlink attack pdfjam 1.20_4

Entry for CVE-2008-5743 says:

pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a predictable name, which allows local users to overwrite arbitrary files via a symlink attack.

CVE-2008-5743
https://bugzilla.novell.com/show_bug.cgi?id=459031
https://bugs.gentoo.org/show_bug.cgi?id=252734
15-12-2008
TODAY
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
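
Review bot: in the pdf90 hunk at +23, `trap "rm -rf -- \"$tempfileDir\"" 0 1 2 3 15` installs the same handler for signals 1, 2, 3 and 15 as for exit, and that handler does not exit. After one of those signals the shell removes the directory and then resumes the script, which goes on working against a temporary directory that no longer exists. Suggest keeping the `rm -rf` on `0` only and adding `trap 'exit 1' 1 2 3 15`, so a signal ends the script and the exit trap does the cleanup. The "unable to create temporary directory" message would also be better sent to stderr with `>&2`.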
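
Review bot: the pdfjoin and pdfnup hunks at +23 create the directory with `mktemp -dq` but, unlike the pdf90 hunk, add no `trap` to remove it (the hunk headers show 17 resulting lines against 18 for pdf90). Nothing in the visible hunks deletes `$tempfileDir`, so each run would leave a `pdfjoin.XXXXXXXX` or `pdfnup.XXXXXXXX` directory behind in /var/tmp unless the unshown remainder of the scripts removes it. Suggest adding the same cleanup to all three scripts so they behave identically.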
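
Review bot: the last hunk of each script patch sets `PATH="$PATH":"__LOCALBASE__"/bin`, but the first hunk pins `pdflatex="__LOCALBASE__"/bin/pdflatex` to an absolute path, so if the script runs "$pdflatex" the caller's PATH does not change which pdflatex is used, contrary to the intent stated in the >Fix: text. What the PATH order does affect in the visible lines is `kpsewhich pdfpages.sty`, which is now taken from the caller's PATH ahead of ${LOCALBASE}/bin and may belong to a different TeX installation than the pinned pdflatex, making the package check unreliable. Suggest either resolving pdflatex through PATH as well, or calling kpsewhich by its full path next to the pinned pdflatex.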