From 6bccf9427b586d4267666bb630e7c1d155cc3ca2 Mon Sep 17 00:00:00 2001
From: jasper
Date: Wed, 23 Nov 2011 21:13:27 +0000
Subject: [PATCH] Security fix for SA46955 GNU Gnash Cookie Disclosure Security Issue ok brad (MAINTAINER)
---
 www/gnash/Makefile | 4 ++--
 .../patches/patch-plugin_npapi_plugin_cpp | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 www/gnash/patches/patch-plugin_npapi_plugin_cpp
diff --git a/www/gnash/Makefile b/www/gnash/Makefile
index cec6126a3ac..b021c10fe64 100644
--- a/www/gnash/Makefile
+++ b/www/gnash/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.45 2011/09/16 12:00:06 espie Exp $
+# $OpenBSD: Makefile,v 1.46 2011/11/23 21:13:27 jasper Exp $
 SHARED_ONLY= Yes
@@ -8,7 +8,7 @@ COMMENT= SWF player with Firefox browser plugin
 VER= 0.8.9
 DISTNAME= gnash-${VER}
-REVISION= 2
+REVISION= 3
 EPOCH= 0
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_GNU:=gnash/${VER}/}
diff --git a/www/gnash/patches/patch-plugin_npapi_plugin_cpp b/www/gnash/patches/patch-plugin_npapi_plugin_cpp
new file mode 100644
index 00000000000..0cde2549222
--- /dev/null
+++ b/www/gnash/patches/patch-plugin_npapi_plugin_cpp
@@ -0,0 +1,20 @@
+$OpenBSD: patch-plugin_npapi_plugin_cpp,v 1.5 2011/11/23 21:13:27 jasper Exp $
+
+Security fix for SA46955
+GNU Gnash Cookie Disclosure Security Issue:
+
+From fa481c116e65ccf9137c7ddc8abc3cf05dc12f55 Mon Sep 17 00:00:00 2001
+From: Gabriele Giacone <1o5g4r8o@gmail.com>
+Date: Sun, 20 Nov 2011 17:27:42 +0100
+Subject: [PATCH] Make cookie file not world-readable. Fixes http://bugs.debian.org/649384
+
+--- plugin/npapi/plugin.cpp.orig Wed Nov 23 13:36:08 2011
++++ plugin/npapi/plugin.cpp Wed Nov 23 13:36:21 2011
+@@ -1102,6 +1102,7 @@ nsPluginInstance::setupCookies(const std::string& page
+ ss << "/tmp/gnash-cookies." << getpid();
+
+ cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
++ chmod (ss.str().c_str(), 0600);
+
+ // Firefox provides cookies in the following format:
+ //
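Review bot: The added `chmod (ss.str().c_str(), 0600);` in the embedded plugin.cpp hunk runs only after `cookiefile.open(...)` has already created `/tmp/gnash-cookies.<pid>` with umask-derived permissions, so the file is briefly readable by other local users, and a descriptor opened in that interval stays usable after the mode changes. The name is also predictable and `open` with `std::ios::trunc` will reuse whatever file or symlink already exists at that path, while the unchecked `chmod` fails silently if the file belongs to someone else. Creating the file restrictively from the start would close both gaps, for example `int fd = mkstemp(tmpl);` on a `/tmp/gnash-cookies.XXXXXX` template before opening the stream on the resulting name; at the very least the result should be tested, `if (chmod(ss.str().c_str(), 0600) != 0)`, and no cookies written on failure. `setupCookies` begins and ends outside this hunk, so how the file name is handed on to the player is not visible here and would need to follow any change of name.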