Solar Designer did an audit of temp file handling in groff-1.20.
He found and fixed *lots* of ugliness, but most does not look
exploitable and some was already improved in groff-1.21.
This is my own fix for the only one that, with a huge amount of extra
paranoia, might be worth patching. To mount an exploit, the attacker
would need to trick root into setting an unusable TMPDIR (or similar)
variable in the environment such that mktemp -d fails, then convince
root to run pdfroff (*you* don't run that as root, do you?), then
handle a race condition to find the PID and predict the temp file
name to mount a symlink attack.
"I think we should still go for the fix" jasper@
Lots of new functionality, lots of bug fixes, and bringing in
significant maintenance efforts from upstream.
To name just one specific example, the number of arguments mdoc(7)
macros can take is no longer limited.
Two of the more tricky patches contributed by naddy@, thanks!
Tested in bulk builds by landry@.
Tested on sparc (GCC 2) by phessler@ and on alpha (GCC 3) by naddy@.
ok naddy@, landry@
Before using this to build ports, make sure you install
the src/usr.sbin/pkg_add/OpenBSD/PackingElement.pm patch
i'm going to commit right afterwards as well, or you will end up
with ports manuals containing ANSI escape sequences.
