From aa2777931138e124fa6474cce9c8601f82b30fd3 Mon Sep 17 00:00:00 2001 From: Christian Weisgerber Date: Sat, 29 Oct 2005 19:13:43 +0000 Subject: [PATCH] Upstream fix for very insecure temp file creation in example script (CVE-2005-2965). Approved by: perky --- graphics/graphviz/Makefile | 2 +- .../graphviz/files/patch-dotty::dotty.lefty | 21 +++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 graphics/graphviz/files/patch-dotty::dotty.lefty diff --git a/graphics/graphviz/Makefile b/graphics/graphviz/Makefile index c9ce77fcae33..ae7ffbbbb972 100644 --- a/graphics/graphviz/Makefile +++ b/graphics/graphviz/Makefile @@ -7,7 +7,7 @@ PORTNAME= graphviz PORTVERSION= 2.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= graphics tk84 MASTER_SITES= http://www.graphviz.org/pub/graphviz/ARCHIVE/ diff --git a/graphics/graphviz/files/patch-dotty::dotty.lefty b/graphics/graphviz/files/patch-dotty::dotty.lefty new file mode 100644 index 000000000000..7223873e7f2a --- /dev/null +++ b/graphics/graphviz/files/patch-dotty::dotty.lefty @@ -0,0 +1,21 @@ +--- dotty/dotty.lefty.orig ++++ dotty/dotty.lefty +@@ -668,7 +668,10 @@ + if (~(otype = ask ('print to', 'choice', 'file|printer'))) + return; + if (otype == 'printer') { +- name = '/tmp/dottyout.ps'; ++ if (~getenv ('TMPDIR')) ++ name = concat (getenv ('HOME'), '/.dottyout.ps'); ++ else ++ name = concat (getenv ('TMPDIR'), '/.dottyout.ps', random (10000)); + if (getenv ('LEFTYWINSYS') ~= 'mswin' & ~pr) + if (~(pr = ask ('printer command', 'string', 'lpr'))) + return; +@@ -768,5 +771,5 @@ + vt.canvas = canvas; + destroywidget (pscanvas); + if (otype == 'printer' & getenv ('LEFTYWINSYS') ~= 'mswin') +- system (concat (pr, ' /tmp/dottyout.ps; rm /tmp/dottyout.ps')); ++ system (concat (pr, ' ', name, '; rm ',name)); + };