Revision: 148304 https://trac.macports.org/changeset/148304
Author: raimue@macports.org
Date: 2016-05-03 07:43:01 -0700 (Tue, 03 May 2016)
Log Message:
-----------
sysutils/tardiff: Add patches for CVE-2015-0857, CVE-2015-0858, and other bugs, closes #51292
Modified Paths:
--------------
trunk/dports/sysutils/tardiff/Portfile
Added Paths:
-----------
trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0857.diff
trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0858.diff
trunk/dports/sysutils/tardiff/files/patch-fix-statistic.diff
trunk/dports/sysutils/tardiff/files/patch-fix-unique-uniquebase.diff
Modified: trunk/dports/sysutils/tardiff/Portfile
===================================================================
--- trunk/dports/sysutils/tardiff/Portfile 2016-05-03 13:23:58 UTC (rev 148303)
+++ trunk/dports/sysutils/tardiff/Portfile 2016-05-03 14:43:01 UTC (rev 148304)
@@ -5,11 +5,12 @@
 name tardiff
 version 0.1
-revision 3
+revision 4
 categories sysutils textproc devel archivers
 license GPL
 platforms darwin
-maintainers ryandesign
+maintainers ryandesign \
+ openmaintainer
 supported_archs noarch
 description compares the contents of two tarballs
@@ -38,7 +39,11 @@
 copy ${distpath}/${name} ${worksrcpath}
 }
-patchfiles patch-tardiff.diff
+patchfiles patch-tardiff.diff \
+ patch-fix-statistic.diff \
+ patch-fix-unique-uniquebase.diff \
+ patch-CVE-2015-0857.diff \
+ patch-CVE-2015-0858.diff
 use_configure no
Added: trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0857.diff
===================================================================
--- trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0857.diff (rev 0)
+++ trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0857.diff 2016-05-03 14:43:01 UTC (rev 148304)
@@ -0,0 +1,44 @@
+Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches...
+Edit: gnutar instead of tar
+
+Description: Fix local code execution when calling diff (CVE-2015-0857)
+ Reported by Rainer Müller <raimue@codingfarm.de>. Implemented using
+ Text::Diff instead of diff and backticks.
+Author: Axel Beckert <abe@debian.org>
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0857
+
+Index: tardiff
+===================================================================
+--- tardiff 2016-04-28 19:19:02.194646937 +0200
++++ tardiff 2016-04-28 19:36:41.253948109 +0200
+@@ -6,6 +6,7 @@
+ # Published under GNU GPL conditions
+
+ use strict;
++use Text::Diff;
+
+ my $VERSION = '0.1';
+
+@@ -73,7 +74,12 @@
+ $flag = "-j";
+ }
+
+- my $list = `gnutar -C $tempdir $flag -xvf $tarball 2>/dev/null`;
++ open(TARLIST, '-|', qw(gnutar -C), $tempdir, $flag, qw(-xvf), $tarball)
++ or die "Can't call tar as expected: $!";
++ local $/ = undef; # slurp mode
++ my $list = <TARLIST> or die "Couldn't read from tar";
++ close(TARLIST) or warn "tar exited with non-zero exit code";
++
+ return $list;
+ }
+
+@@ -116,7 +122,7 @@
+ if(-d $file1 and -d $file2){
+ return 0;
+ }elsif(-f $file1 and -f $file2){
+- my $diff = `diff $file1 $file2`;
++ my $diff = diff $file1, $file2, { STYLE => "OldStyle" };
+ if($diff){
+ if($opt_stats){
+ my $plus = 0;
Added: trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0858.diff
===================================================================
--- trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0858.diff (rev 0)
+++ trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0858.diff 2016-05-03 14:43:01 UTC (rev 148304)
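Review bot: `close(TARLIST) or warn "tar exited with non-zero exit code";` in the second inner hunk downgrades a failed or truncated extraction to a warning while `$list` is still returned, so a corrupt archive is then compared as if it had been unpacked completely, and the caller's `or die` only fires when the listing is empty. Failing closed would be `close(TARLIST) or die "tar exited with non-zero exit code: $?";` (after `close` on a pipe handle, `$?` holds the child's wait status). Relatedly, `my $list = <TARLIST> or die "Couldn't read from tar";` also dies on an archive whose listing is legitimately empty, because `""` is false; if that is intended, a comment saying so would help. A lexical handle, `open(my $tarlist, '-|', ...)`, would avoid the bareword global. The enclosing `untar` sub begins before this inner hunk.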
@@ -0,0 +1,49 @@
+Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches...
+
+Description: Fix race condition when creating temporary files (CVE-2015-0858)
+ Reported by Florian Weimer <fw@deneb.enyo.de>. Implemented using
+ File::Temp instead of just using the process ID inside the directory
+ name as suggested by Florian.
+Author: Axel Beckert <abe@debian.org>
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0858
+
+Index: tardiff
+===================================================================
+--- tardiff 2016-04-28 20:24:06.913565891 +0200
++++ tardiff 2016-04-28 20:24:06.909565907 +0200
+@@ -7,12 +7,13 @@
+
+ use strict;
+ use Text::Diff;
++use File::Temp qw(tempdir);
+
+ my $VERSION = '0.1';
+
+ my ($tarball1, $tarball2);
+ my ($opt_list, $opt_modified, $opt_autoskip, $opt_stats);
+-my $tempdir;
++my $tempdir = tempdir( CLEANUP => 1 );
+
+ $SIG{'__DIE__'} = 'cleanup';
+ $SIG{'TERM'} = 'cleanup';
+@@ -173,9 +174,6 @@
+ sub tardiff{
+ my $error = 0;
+
+- $tempdir = "/tmp/tardiff-$$";
+- mkdir $tempdir;
+-
+ my $filelist1 = untar($tarball1) or die "Error: Could not unpack $tarball1.";
+ my $filelist2 = untar($tarball2) or die "Error: Could not unpack $tarball2.";
+
+@@ -216,10 +214,6 @@
+ sub cleanup{
+ my $handler = shift(@_);
+
+- if($tempdir){
+- system("rm -rf $tempdir");
+- }
+-
+ if($handler eq "INT" or $handler eq "TERM"){
+ exit 1;
+ }
Added: trunk/dports/sysutils/tardiff/files/patch-fix-statistic.diff
===================================================================
--- trunk/dports/sysutils/tardiff/files/patch-fix-statistic.diff (rev 0)
+++ trunk/dports/sysutils/tardiff/files/patch-fix-statistic.diff 2016-05-03 14:43:01 UTC (rev 148304)
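Review bot: `my $tempdir = tempdir( CLEANUP => 1 );` at file scope creates the directory on every invocation before any options are read, whereas the `mkdir` it replaces ran inside `tardiff()`; keeping `my $tempdir;` at file scope and doing `$tempdir = tempdir( CLEANUP => 1 );` where the `mkdir` was would preserve the old lifetime. Removal now depends on File::Temp's END-time cleanup instead of the `cleanup` handler; `exit 1` in the handler does run END blocks, so this appears to hold, but a comment in `cleanup` such as `# $tempdir is removed by File::Temp at exit (CLEANUP => 1)` would spare the next reader from re-deriving it. The bodies of `sub tardiff` and `sub cleanup` continue outside the inner hunks.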
@@ -0,0 +1,31 @@
+Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches...
+
+Description: Fix calculation of statistics (option -s)
+ Using normal instead of unique diff is far easier to parse
+ unambiguously.
+Author: Axel Beckert <abe@debian.org>
+Bug-Debian: https://bugs.debian.org/802098
+
+Index: tardiff
+===================================================================
+--- tardiff 2015-10-17 16:37:09.675959837 +0200
++++ tardiff 2015-10-17 16:40:07.739438492 +0200
+@@ -116,15 +116,15 @@
+ if(-d $file1 and -d $file2){
+ return 0;
+ }elsif(-f $file1 and -f $file2){
+- my $diff = `diff -u $file1 $file2`;
++ my $diff = `diff $file1 $file2`;
+ if($diff){
+ if($opt_stats){
+ my $plus = 0;
+ my $minus = 0;
+ foreach my $line(split(/\n/, $diff)){
+- if($line =~ /^+\ /){
++ if($line =~ /^>/){
+ $plus++;
+- }elsif($line =~ /^-\ /){
++ }elsif($line =~ /^</){
+ $minus++;
+ }
+ }
Added: trunk/dports/sysutils/tardiff/files/patch-fix-unique-uniquebase.diff
===================================================================
--- trunk/dports/sysutils/tardiff/files/patch-fix-unique-uniquebase.diff (rev 0)
+++ trunk/dports/sysutils/tardiff/files/patch-fix-unique-uniquebase.diff 2016-05-03 14:43:01 UTC (rev 148304)
@@ -0,0 +1,58 @@
+Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches...
+
+Patch to allow to compare to tar balls with the same base
+directory. Also fixes an issue with listing a directory as present in
+the wrong tar ball.
+
+Author: Axel Beckert <abe@debian.org>
+
+Index: tardiff
+===================================================================
+--- tardiff 2005-05-17 14:52:27.000000000 +0200
++++ tardiff 2011-12-01 21:56:59.000000000 +0100
+@@ -80,6 +80,7 @@
+ sub analyzetar{
+ my $filelist = shift(@_);
+ my $filehash = shift(@_);
++ my $tarball = shift(@_);
+
+ my %files = %{$filehash};
+
+@@ -92,12 +93,12 @@
+ if(!$uniquebase){
+ $uniquebase = $base;
+ }else{
+- ($base eq $uniquebase) or die "$tarball1 contains different base dirs: $base and $uniquebase";
++ ($base eq $uniquebase) or die "$tarball contains different base dirs: $base and $uniquebase";
+ }
+ if($files{$remainder}){
+ $files{$remainder} = "__both";
+ }else{
+- $files{$remainder} = "$uniquebase";
++ $files{$remainder} = "$tarball";
+ }
+ }
+
+@@ -174,8 +175,8 @@
+
+ my %files;
+
+- my ($base1, %files) = analyzetar($filelist1, \%files);
+- my ($base2, %files) = analyzetar($filelist2, \%files);
++ my ($base1, %files) = analyzetar($filelist1, \%files, $tarball1);
++ my ($base2, %files) = analyzetar($filelist2, \%files, $tarball2);
+
+ foreach my $file(sort(keys(%files))){
+ next if $file eq "";
+@@ -196,9 +197,9 @@
+ if($opt_list and not $modified){
+ print " $file\n";
+ }
+- }elsif($base eq $base1){
++ }elsif($base eq $tarball1){
+ print "- $file\n";
+- }elsif($base eq $base2){
++ }elsif($base eq $tarball2){
+ print "+ $file\n";
+ }else{
+ print "? $file\n";
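Review bot: `$files{$remainder} = "$tarball";` stores the archive path as the ownership marker, so the later `$base eq $tarball1` / `$base eq $tarball2` checks cannot tell the two archives apart when the same path is given twice, and a path spelled exactly `__both` would collide with the sentinel used two lines above; passing a fixed tag per call (for example `1` and `2` as the third argument to `analyzetar` and comparing against those) avoids both cases. From the visible lines `$base1` and `$base2` no longer appear to be read after this change, though the rest of `tardiff()` lies outside the hunk. The `my ($base1, %files) = ...` lines also redeclare `%files` in the scope that already holds `my %files;`, which would trigger a masking warning under `use warnings`; that is pre-existing, but the rewrite of these two lines is a convenient moment to drop the inner `my` on `%files`.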