Apply patches for two security issues:

- Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
- Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386

This was already tested in a bulk build by me as part of a larger diff

from brad
ok aja@ sthen@ espie@
This commit is contained in:
jasper 2012-07-20 12:03:50 +00:00
parent 5752c45e75
commit 79af181004
11 changed files with 158 additions and 18 deletions

View File

@ -0,0 +1,15 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:05:14 2012
+++ lib/am/distdir.am Thu Jul 19 15:06:44 2012
@@ -362,7 +362,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.

View File

@ -1,10 +1,9 @@
# $OpenBSD: Makefile,v 1.10 2012/06/26 20:31:47 matthieu Exp $
# $OpenBSD: Makefile,v 1.11 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.11
DISTNAME= automake-${VERSION}.5
REVISION= 0
REVISION= 1
PKGSPEC= automake->=${VERSION},<1.12
REVISION = 0
MODULES= lang/python

View File

@ -0,0 +1,15 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:41:03 2012
+++ lib/am/distdir.am Thu Jul 19 15:41:09 2012
@@ -451,7 +451,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.

View File

@ -1,10 +1,9 @@
# $OpenBSD: Makefile,v 1.3 2012/06/26 20:31:47 matthieu Exp $
# $OpenBSD: Makefile,v 1.4 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.12
DISTNAME= automake-${VERSION}
REVISION= 0
REVISION= 1
PKGSPEC= automake->=${VERSION},<1.13
REVISION = 0
MODULES= lang/python

View File

@ -0,0 +1,15 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:39:48 2012
+++ lib/am/distdir.am Thu Jul 19 15:39:57 2012
@@ -449,7 +449,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.

View File

@ -1,10 +1,10 @@
# $OpenBSD: Makefile,v 1.11 2012/06/25 15:45:14 espie Exp $
# $OpenBSD: Makefile,v 1.12 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.4
DISTNAME= automake-${VERSION}-p6
PKGNAME= automake-1.4.6
REVISION= 1
PKGSPEC= automake->=${VERSION},<1.5
REVISION= 0
MAINTAINER= Jason Ish <ish@openbsd.org>

View File

@ -1,6 +1,9 @@
$OpenBSD: patch-automake_in,v 1.1.1.1 2005/01/11 07:11:00 sturm Exp $
--- automake.in.orig Sun Jul 15 12:47:28 2001
+++ automake.in Fri Aug 17 12:47:25 2001
$OpenBSD: patch-automake_in,v 1.2 2012/07/20 12:03:50 jasper Exp $
Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
--- automake.in.orig Sat Jul 27 16:55:58 2002
+++ automake.in Thu Jul 19 16:04:18 2012
@@ -2012,7 +2012,7 @@ sub handle_texinfo
# dependency list.
@texi_deps = ();
@ -10,3 +13,21 @@ $OpenBSD: patch-automake_in,v 1.1.1.1 2005/01/11 07:11:00 sturm Exp $
# Canonicalize name first.
($canonical = $infobase) =~ tr/A-Za-z0-9_/_/c;
@@ -2336,7 +2336,7 @@ sub handle_dist_worker
# Create dist directory.
$output_rules .= ("\t-rm -rf \$(distdir)\n"
. "\tmkdir \$(distdir)\n"
- . "\t-chmod 777 \$(distdir)\n");
+ . "\t-chmod 755 \$(distdir)\n");
}
# Only run automake in `dist' target if --include-deps and
@@ -2468,7 +2468,7 @@ sub handle_dist_worker
. "\t" . ' test -d $(distdir)/$$subdir ' . "\\\n"
. "\t" . ' || mkdir $(distdir)/$$subdir ' . "\\\n"
. "\t" . ' || exit 1; ' . "\\\n"
- . "\t" . ' chmod 777 $(distdir)/$$subdir; ' . "\\\n"
+ . "\t" . ' chmod 755 $(distdir)/$$subdir; ' . "\\\n"
. "\t" . ' (cd $$subdir'
. ' && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$('
. (($relative_dir eq '.') ? 'distdir' : 'top_distdir')

View File

@ -1,8 +1,8 @@
# $OpenBSD: Makefile,v 1.15 2012/06/25 15:45:14 espie Exp $
# $OpenBSD: Makefile,v 1.16 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.8
DISTNAME= automake-${VERSION}.5
REVISION= 6
REVISION= 7
PKGSPEC= automake->=${VERSION},<1.9
AUTOCONF_VERSION= 2.59

View File

@ -0,0 +1,38 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
- Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
- Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:12:01 2012
+++ lib/am/distdir.am Thu Jul 19 15:37:07 2012
@@ -190,11 +190,7 @@ if %?DIST-TARGETS%
endif %?DIST-TARGETS%
##
## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked. It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
##
## Ignore return result from chmod, because it might give an error
## if we chmod a symlink.
@@ -207,7 +203,7 @@ endif %?DIST-TARGETS%
## the file in place in the source tree.
##
if %?TOPDIR_P%
- -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+ -find $(distdir) -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
@@ -318,7 +314,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.

View File

@ -1,8 +1,8 @@
# $OpenBSD: Makefile,v 1.23 2012/06/25 15:45:14 espie Exp $
# $OpenBSD: Makefile,v 1.24 2012/07/20 12:03:50 jasper Exp $
VERSION= 1.9
DISTNAME= automake-${VERSION}.6
REVISION= 9
REVISION= 10
PKGSPEC= automake->=${VERSION},<1.10
MODULES= lang/python

View File

@ -0,0 +1,38 @@
$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $
- Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
- Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386
--- lib/am/distdir.am.orig Thu Jul 19 15:09:52 2012
+++ lib/am/distdir.am Thu Jul 19 15:35:08 2012
@@ -192,11 +192,7 @@ if %?DIST-TARGETS%
endif %?DIST-TARGETS%
##
## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked. It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
##
## Ignore return result from chmod, because it might give an error
## if we chmod a symlink.
@@ -209,7 +205,7 @@ endif %?DIST-TARGETS%
## the file in place in the source tree.
##
if %?TOPDIR_P%
- -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+ -find $(distdir) -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
@@ -326,7 +322,7 @@ distcheck: dist
## Make the new source tree read-only. Distributions ought to work in
## this case. However, make the top-level directory writable so we
## can make our new subdirs.
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
## Undo the write access.