Apply patches for two security issues:

- Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
- Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386

This was already tested in a bulk build by me as part of a larger diff

from brad
ok aja@ sthen@ espie@
This commit is contained in:
jasper 2012-07-20 12:03:50 +00:00
parent 5752c45e75
commit 79af181004
11 changed files with 158 additions and 18 deletions


@ -0,0 +1,15 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:05:14 2012
+++ lib/am/distdir.am Thu Jul 19 15:06:44 2012
@@ -362,7 +362,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.
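Review bot: The patch header on the second line of this file names only CVE-2012-3386, although the commit message lists two CVEs, and nothing in this file or in the two later patch-lib_am_distdir_am sections that likewise carry only the distcheck hunk explains why the CVE-2009-4029 `find ... -perm` change is absent — presumably because the upstream releases these three ports track already include it, but that is inferred, not visible here. A one-line note in each patch header would stop a later reader from concluding the second issue was missed, e.g. `Only CVE-2012-3386 needs patching here; the CVE-2009-4029 find/chmod fix is already present in this upstream release.`. The `chmod -R a-w $(distdir); chmod u+w $(distdir)` line itself is correct for distcheck, which only needs the top directory writable by the invoking user to create `_build` and `_inst`. The distcheck recipe continues outside the hunk.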


@ -1,10 +1,9 @@
# $OpenBSD: Makefile,v 1.10 2012/06/26 20:31:47 matthieu Exp $ # $OpenBSD: Makefile,v 1.11 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.11 VERSION= 1.11
DISTNAME= automake-${VERSION}.5 DISTNAME= automake-${VERSION}.5
REVISION= 0 REVISION= 1
PKGSPEC= automake->=${VERSION},<1.12 PKGSPEC= automake->=${VERSION},<1.12
REVISION = 0
MODULES= lang/python MODULES= lang/python


@ -0,0 +1,15 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:41:03 2012
+++ lib/am/distdir.am Thu Jul 19 15:41:09 2012
@@ -451,7 +451,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.


@ -1,10 +1,9 @@
# $OpenBSD: Makefile,v 1.3 2012/06/26 20:31:47 matthieu Exp $ # $OpenBSD: Makefile,v 1.4 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.12 VERSION= 1.12
DISTNAME= automake-${VERSION} DISTNAME= automake-${VERSION}
REVISION= 0 REVISION= 1
PKGSPEC= automake->=${VERSION},<1.13 PKGSPEC= automake->=${VERSION},<1.13
REVISION = 0
MODULES= lang/python MODULES= lang/python


@ -0,0 +1,15 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:39:48 2012
+++ lib/am/distdir.am Thu Jul 19 15:39:57 2012
@@ -449,7 +449,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.


@ -1,10 +1,10 @@
# $OpenBSD: Makefile,v 1.11 2012/06/25 15:45:14 espie Exp $ # $OpenBSD: Makefile,v 1.12 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.4 VERSION= 1.4
DISTNAME= automake-${VERSION}-p6 DISTNAME= automake-${VERSION}-p6
PKGNAME= automake-1.4.6 PKGNAME= automake-1.4.6
PKGSPEC = automake->=${VERSION},<1.5 REVISION= 1
REVISION= 0 PKGSPEC= automake->=${VERSION},<1.5
MAINTAINER= Jason Ish <ish@openbsd.org> MAINTAINER= Jason Ish <ish@openbsd.org>


@ -1,6 +1,9 @@
$OpenBSD: patch-automake_in,v 1.1.1.1 2005/01/11 07:11:00 sturm Exp $ $OpenBSD: patch-automake_in,v 1.2 2012/07/20 12:03:50 jasper Exp $
--- automake.in.orig Sun Jul 15 12:47:28 2001
+++ automake.in Fri Aug 17 12:47:25 2001 Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
--- automake.in.orig Sat Jul 27 16:55:58 2002
+++ automake.in Thu Jul 19 16:04:18 2012
@@ -2012,7 +2012,7 @@ sub handle_texinfo @@ -2012,7 +2012,7 @@ sub handle_texinfo
# dependency list. # dependency list.
@texi_deps = (); @texi_deps = ();
@ -10,3 +13,21 @@ $OpenBSD: patch-automake_in,v 1.1.1.1 2005/01/11 07:11:00 sturm Exp $
# Canonicalize name first. # Canonicalize name first.
($canonical = $infobase) =~ tr/A-Za-z0-9_/_/c; ($canonical = $infobase) =~ tr/A-Za-z0-9_/_/c;
@@ -2336,7 +2336,7 @@ sub handle_dist_worker
# Create dist directory.
$output_rules .= ("\t-rm -rf \$(distdir)\n"
. "\tmkdir \$(distdir)\n"
- . "\t-chmod 777 \$(distdir)\n");
+ . "\t-chmod 755 \$(distdir)\n");
}
# Only run automake in `dist' target if --include-deps and
@@ -2468,7 +2468,7 @@ sub handle_dist_worker
. "\t" . ' test -d $(distdir)/$$subdir ' . "\\\n"
. "\t" . ' || mkdir $(distdir)/$$subdir ' . "\\\n"
. "\t" . ' || exit 1; ' . "\\\n"
- . "\t" . ' chmod 777 $(distdir)/$$subdir; ' . "\\\n"
+ . "\t" . ' chmod 755 $(distdir)/$$subdir; ' . "\\\n"
. "\t" . ' (cd $$subdir'
. ' && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$('
. (($relative_dir eq '.') ? 'distdir' : 'top_distdir')
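Review bot: Both added lines, `-chmod 755 \$(distdir)` in the first hunk and `chmod 755 $(distdir)/$$subdir;` in the second, use an absolute octal mode, whereas the 1.8 and 1.9 patches in this commit use the symbolic `u+rwx,go+rx`; on platforms where a numeric chmod clears a directory's setgid bit this also drops a bit inherited from the parent, which a symbolic `u+rwx,go+rx,go-w` would leave alone while still removing the group/world write access that CVE-2009-4029 is about. Either form closes the issue, so this is a consistency point rather than a defect. Note too that the first line keeps its leading `-` and the second is followed by `;`, so a chmod failure is still silently ignored in the generated rule, unchanged from the original. The handle_dist_worker subroutine begins and ends outside both hunks.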


@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.15 2012/06/25 15:45:14 espie Exp $ # $OpenBSD: Makefile,v 1.16 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.8 VERSION= 1.8
DISTNAME= automake-${VERSION}.5 DISTNAME= automake-${VERSION}.5
REVISION= 6 REVISION= 7
PKGSPEC = automake->=${VERSION},<1.9 PKGSPEC= automake->=${VERSION},<1.9
AUTOCONF_VERSION= 2.59 AUTOCONF_VERSION= 2.59


@ -0,0 +1,38 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
- Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
- Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:12:01 2012
+++ lib/am/distdir.am Thu Jul 19 15:37:07 2012
@@ -190,11 +190,7 @@ if %?DIST-TARGETS%
endif %?DIST-TARGETS%
##
## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked. It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
##
## Ignore return result from chmod, because it might give an error
## if we chmod a symlink.
@@ -207,7 +203,7 @@ endif %?DIST-TARGETS%
## the file in place in the source tree.
##
if %?TOPDIR_P%
- -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+ -find $(distdir) -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
@@ -318,7 +314,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.
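Review bot: The new find predicate `! -perm -755` only selects directories that are missing one of the 0755 bits, so a directory that already carries a group or world write bit (for instance one created under a permissive umask by the distdir recipe above, which is outside this hunk) keeps that bit after `chmod u+rwx,go+rx`; the change stops the build from granting write access, as CVE-2009-4029 requires, but does not revoke it, which is stricter in the 1.4 patch's absolute `chmod 755`. If the port wants that stronger guarantee here as well, the selection and mode would both need to change, e.g. `-find $(distdir) -type d \( ! -perm -755 -o -perm -020 -o -perm -002 \) -exec chmod u+rwx,go+rx,go-w {} \; -o \`. Leaving the umask in charge is a defensible choice, in which case a short remark in the retained comment block (the lines ending "in case they're hard-linked.") saying that existing write bits are intentionally not removed would make that explicit. The same hunk appears in the second patch-lib_am_distdir_am section below this one and the same remark applies there; the distcheck hunk in both files is fine as written.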


@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.23 2012/06/25 15:45:14 espie Exp $ # $OpenBSD: Makefile,v 1.24 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.9 VERSION= 1.9
DISTNAME= automake-${VERSION}.6 DISTNAME= automake-${VERSION}.6
REVISION= 9 REVISION= 10
PKGSPEC = automake->=${VERSION},<1.10 PKGSPEC= automake->=${VERSION},<1.10
MODULES= lang/python MODULES= lang/python


@ -0,0 +1,38 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
- Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
- Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:09:52 2012
+++ lib/am/distdir.am Thu Jul 19 15:35:08 2012
@@ -192,11 +192,7 @@ if %?DIST-TARGETS%
endif %?DIST-TARGETS%
##
## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked. It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
##
## Ignore return result from chmod, because it might give an error
## if we chmod a symlink.
@@ -209,7 +205,7 @@ endif %?DIST-TARGETS%
## the file in place in the source tree.
##
if %?TOPDIR_P%
- -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+ -find $(distdir) -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
@@ -326,7 +322,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.