ports/130028: [vuxml] [patch] print/pdfjam: fix CVE-2008-5743; occasionally remove bash dependency

Eygene Ryabinkin rea-fbsd at codelabs.ru
Mon Dec 29 17:40:03 UTC 2008


>Number:         130028
>Category:       ports
>Synopsis:       [vuxml] [patch] print/pdfjam: fix CVE-2008-5743; occasionally remove bash dependency
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 29 17:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

pdfjam is vulnerable to the symlink attack, as described in the entry for
CVE-2008-5743 [1].  Note that there is no "."-in-the-PATH issue [2]
in the FreeBSD port, because it provides the full path to pdflatex.

>How-To-Repeat:

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5743
[2] https://bugs.gentoo.org/show_bug.cgi?id=252734

>Fix:

The following patch fixes the issue, adds the static PATH item
${LOCALBASE}/bin to the end of the PATH (to allow the user to override
the pdflatex location by setting their own value of the PATH) and removes
the Bash-specific command "source".

--- fix-CVE-2008-5743-and-remove-Bash-isms.diff begins here ---
>From 7b60a9c08ecdf131a006e518b61263e5b5afbe95 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Mon, 29 Dec 2008 20:16:00 +0300

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5743
https://bugs.gentoo.org/show_bug.cgi?id=252734

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 print/pdfjam/Makefile                    |    7 ++---
 print/pdfjam/files/patch-scripts-pdf90   |   44 +++++++++++++++++++++++++++---
 print/pdfjam/files/patch-scripts-pdfjoin |   43 ++++++++++++++++++++++++++---
 print/pdfjam/files/patch-scripts-pdfnup  |   43 ++++++++++++++++++++++++++---
 4 files changed, 121 insertions(+), 16 deletions(-)

diff --git a/print/pdfjam/Makefile b/print/pdfjam/Makefile
index b6e67c5..4810821 100644
--- a/print/pdfjam/Makefile
+++ b/print/pdfjam/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	pdfjam
 PORTVERSION=	1.20
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	print
 MASTER_SITES=	http://www2.warwick.ac.uk/fac/sci/statistics/staff/academic/firth/software/pdfjam/ \
 		http://www.it.ca/~paul/src/
@@ -17,8 +17,7 @@ EXTRACT_SUFX=	.tgz
 MAINTAINER=	paul+ports at it.ca
 COMMENT=	Shell scripts to manipulate PDF files
 
-RUN_DEPENDS=	pdflatex:${PORTSDIR}/print/teTeX-base \
-		bash:${PORTSDIR}/shells/bash
+RUN_DEPENDS=	pdflatex:${PORTSDIR}/print/teTeX-base
 
 WRKSRC=		${WRKDIR}/${PORTNAME}
 
@@ -31,7 +30,7 @@ NO_BUILD=	yes
 post-patch:
 	@${LN} -s scripts ${WRKSRC}/bin
 .for FILE in ${PLIST_FILES}
-	@${SED} -i '' "1s:^#! /bin/sh:#!${LOCALBASE}/bin/bash:;s:__LOCALBASE__:${LOCALBASE}:" ${WRKSRC}/${FILE}
+	@${REINPLACE_CMD} -e"s|__LOCALBASE__|${LOCALBASE}|g" ${WRKSRC}/${FILE}
 .endfor
 
 do-install:
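Review bot: nothing in this patch shows that the three scripts are free of Bash-only constructs other than `source`, yet the post-patch line no longer rewrites `#! /bin/sh` to bash and the previous hunk drops shells/bash from RUN_DEPENDS, so the scripts will now run under /bin/sh. Please confirm each script passes `sh -n` and a real run under /bin/sh, and say so in the PR. Minor style point: `-e"s|__LOCALBASE__|${LOCALBASE}|g"` reads better with a space after `-e`.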
diff --git a/print/pdfjam/files/patch-scripts-pdf90 b/print/pdfjam/files/patch-scripts-pdf90
index b742159..93bff3c 100644
--- a/print/pdfjam/files/patch-scripts-pdf90
+++ b/print/pdfjam/files/patch-scripts-pdf90
@@ -1,11 +1,47 @@
---- scripts/pdf90.orig	Tue Jan 25 14:19:21 2005
-+++ scripts/pdf90	Wed Mar 16 09:16:35 2005
-@@ -23,7 +23,7 @@
+--- scripts/pdf90.orig        2005-01-25 22:19:21.000000000 +0300
++++ scripts/pdf90     2008-12-29 20:00:05.000000000 +0300
+@@ -23,12 +23,18 @@
  ##  
  ##  First say where your "pdflatex" program lives:
  ##
 -pdflatex=pdflatex
-+pdflatex=__LOCALBASE__/bin/pdflatex
++pdflatex="__LOCALBASE__"/bin/pdflatex
  #pdflatex="pdflatex.exe"    ## this for Windows computers
  ##
  ##  Next a permitted location for temporary files on your system:
+ ##
+-tempfileDir="/var/tmp" ## /var/tmp is standard on most unix systems
++## /var/tmp is standard on most unix systems
++tempfileDir=`mktemp -dq /var/tmp/pdf90.XXXXXXXX`
++if [ -z "$tempfileDir" ]; then
++	echo "pdf90: unable to create temporary directory"
++	exit 2
++fi
++trap "rm -rf -- \"$tempfileDir\"" 0 1 2 3 15
+ #tempfileDir="C:/tmp"  ## use something like this under Windows
+ ##
+ ##  Now specify the default settings for pdf90:
+@@ -43,12 +49,12 @@
+ for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
+ do if test -f $d/pdfnup.conf; then
+    echo "Reading site configuration from $d/pdfnup.conf"
+-   source $d/pdfnup.conf
++   . $d/pdfnup.conf
+    fi 
+ done
+ if test -f ~/.pdfnup.conf; then 
+    echo "Reading user defaults from ~/.pdfnup.conf";
+-   source ~/.pdfnup.conf; 
++   . ~/.pdfnup.conf; 
+ fi
+ #######################################################################
+ ##
+@@ -71,7 +77,7 @@
+ ##
+ ##  Check that necessary LaTeX packages are installed
+ ##
+-PATH=`dirname "$pdflatex"`:$PATH
++PATH="$PATH":"__LOCALBASE__"/bin
+ export PATH
+ case `kpsewhich pdfpages.sty` in
+ 	"") echo "pdf90: pdfpages.sty not installed"; exit 1;;
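Review bot: tempfileDir is set from mktemp near line 23 of pdf90, before the `. $d/pdfnup.conf` and `. ~/.pdfnup.conf` lines further down, so any configuration file that assigns tempfileDir replaces the private directory with whatever it names and the script is back to working in a shared location. Create the directory after the configuration files have been read, treating a configured tempfileDir as the parent for the mktemp template, and install the trap at that point. The failure message should also go to stderr: `echo "pdf90: unable to create temporary directory" >&2`.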
diff --git a/print/pdfjam/files/patch-scripts-pdfjoin b/print/pdfjam/files/patch-scripts-pdfjoin
index bd590ff..eb50c07 100644
--- a/print/pdfjam/files/patch-scripts-pdfjoin
+++ b/print/pdfjam/files/patch-scripts-pdfjoin
@@ -1,11 +1,46 @@
---- scripts/pdfjoin.orig	Tue Jan 25 14:19:21 2005
-+++ scripts/pdfjoin	Wed Mar 16 09:16:42 2005
-@@ -23,7 +23,7 @@
+--- scripts/pdfjoin.orig	2005-01-25 22:19:21.000000000 +0300
++++ scripts/pdfjoin	2008-12-29 20:00:05.000000000 +0300
+@@ -23,12 +23,17 @@
  ##  
  ##  First say where your "pdflatex" program lives:
  ##
 -pdflatex=pdflatex
-+pdflatex=__LOCALBASE__/bin/pdflatex
++pdflatex="__LOCALBASE__"/bin/pdflatex
  #pdflatex="pdflatex.exe"    ## this for Windows computers
  ##
  ##  Next a permitted location for temporary files on your system:
+ ##
+-tempfileDir="/var/tmp" ## /var/tmp is standard on most unix systems
++## /var/tmp is standard on most unix systems
++tempfileDir=`mktemp -dq /var/tmp/pdfjoin.XXXXXXXX`
++if [ -z "$tempfileDir" ]; then
++	echo "pdfjoin: unable to create temporary directory"
++	exit 2
++fi
+ #tempfileDir="C:/tmp"  ## use something like this under Windows
+ ##
+ ##  Now specify the default settings for pdfjoin:
+@@ -50,12 +55,12 @@
+ for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
+ do if test -f $d/pdfnup.conf; then
+    echo "Reading site configuration from $d/pdfnup.conf"
+-   source $d/pdfnup.conf
++   . $d/pdfnup.conf
+    fi 
+ done
+ if test -f ~/.pdfnup.conf; then 
+    echo "Reading user defaults from ~/.pdfnup.conf";
+-   source ~/.pdfnup.conf; 
++   . ~/.pdfnup.conf; 
+ fi
+ #######################################################################
+ ##
+@@ -99,7 +104,7 @@
+ ##
+ ##  Check that necessary LaTeX packages are installed
+ ##
+-PATH=`dirname "$pdflatex"`:$PATH
++PATH="$PATH":"__LOCALBASE__"/bin
+ export PATH
+ case `kpsewhich pdfpages.sty` in
+ 	"") echo "pdfjoin: pdfpages.sty not installed"; exit 1;;
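Review bot: there is no cleanup trap after the mktemp check here, unlike patch-scripts-pdf90, which adds `trap "rm -rf -- \"$tempfileDir\"" 0 1 2 3 15`; unless pdfjoin removes the directory elsewhere, every run leaves a pdfjoin.XXXXXXXX directory behind in /var/tmp. Add the same trap line after the `fi`. patch-scripts-pdfnup has the same omission.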
diff --git a/print/pdfjam/files/patch-scripts-pdfnup b/print/pdfjam/files/patch-scripts-pdfnup
index 227a38a..68606ed 100644
--- a/print/pdfjam/files/patch-scripts-pdfnup
+++ b/print/pdfjam/files/patch-scripts-pdfnup
@@ -1,11 +1,46 @@
---- scripts/pdfnup.orig	Tue Jan 25 14:19:21 2005
-+++ scripts/pdfnup	Wed Mar 16 09:17:40 2005
-@@ -23,7 +23,7 @@
+--- scripts/pdfnup.orig	2005-01-25 22:19:21.000000000 +0300
++++ scripts/pdfnup	2008-12-29 20:00:44.000000000 +0300
+@@ -23,12 +23,17 @@
  ##  
  ##  First say where your "pdflatex" program lives:
  ##
 -pdflatex=pdflatex
-+pdflatex=__LOCALBASE__/bin/pdflatex
++pdflatex="__LOCALBASE__"/bin/pdflatex
  #pdflatex="pdflatex.exe"    ## this for Windows computers
  ##
  ##  Next a permitted location for temporary files on your system:
+ ##
+-tempfileDir="/var/tmp" ## /var/tmp is standard on many unix systems
++## /var/tmp is standard on most unix systems
++tempfileDir=`mktemp -dq /var/tmp/pdfnup.XXXXXXXX`
++if [ -z "$tempfileDir" ]; then
++	echo "pdfnup: unable to create temporary directory"
++	exit 2
++fi
+ #tempfileDir="C:/tmp"  ## use something like this under Windows
+ ##
+ ##  Now specify the default settings for pdfnup:
+@@ -57,12 +62,12 @@
+ for d in /etc /usr/share/etc /usr/local/share /usr/local/etc
+ do if test -f $d/pdfnup.conf; then
+      echo "Reading site configuration from $d/pdfnup.conf"
+-     source $d/pdfnup.conf
++     . $d/pdfnup.conf
+    fi 
+ done
+ if test -f ~/.pdfnup.conf; then 
+    echo "Reading user defaults from ~/.pdfnup.conf";
+-   source ~/.pdfnup.conf; 
++   . ~/.pdfnup.conf; 
+ fi
+ #######################################################################
+ ##
+@@ -134,7 +139,7 @@
+ ##
+ ##  Check that necessary LaTeX packages are installed
+ ##
+-PATH=`dirname "$pdflatex"`:$PATH
++PATH="$PATH":"__LOCALBASE__"/bin
+ export PATH
+ case `kpsewhich pdfpages.sty` in
+ 	"") echo "pdfnup: pdfpages.sty not installed"; exit 1;;
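Review bot: appending `"__LOCALBASE__"/bin` to PATH does not give the pdflatex override that the PR text describes, because `pdflatex="__LOCALBASE__"/bin/pdflatex` earlier in this patch is still a fixed full path; if the script runs "$pdflatex", only PATH lookups such as `kpsewhich` follow the user's PATH. Either reword the description or document that only the kpsewhich lookup is affected. The same applies to the pdf90 and pdfjoin patches.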
-- 
1.6.0.5
--- fix-CVE-2008-5743-and-remove-Bash-isms.diff ends here ---
I have tested this patch on a bunch of PDF files -- it works for me.

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="e4aa439e-d5cc-11dd-b0cc-001fc66e7203">
    <topic>pdfjam -- local users can overwrite files via symlink attack</topic>
    <affects>
      <package>
        <name>pdfjam</name>
        <range><lt>1.20_4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Entry for CVE-2008-5743 says:</p>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5743">
          <p>pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup
          files with a predictable name, which allows local users to
          overwrite arbitrary files via a symlink attack.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5743</cvename>
      <url>https://bugzilla.novell.com/show_bug.cgi?id=459031</url>
      <url>https://bugs.gentoo.org/show_bug.cgi?id=252734</url>
    </references>
    <dates>
      <discovery>15-12-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


