Solar Designer did an audit of temp file handling in groff-1.20.
He found and fixed *lots* of ugliness, but most does not look
exploitable and some was already improved in groff-1.21.
This is my own fix for the only one that, with a huge amount of extra
paranoia, might be worth patching. To mount an exploit, the attacker
would need to trick root into setting an unusable TMPDIR (or similar)
variable in the environment such that mktemp -d fails, then convince
root to run pdfroff (*you* don't run that as root, do you?), then
handle a race condition to find the PID and predict the temp file
name to mount a symlink attack.
"I think we should still go for the fix" jasper@
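The exploit chain above hinges on one pattern: a temporary-directory helper that, when mktemp(1)/mkdtemp(3) fails, falls back to a name an attacker can predict. The C program below is an added illustration written for this page; it is not pdfroff's or groff's own code. The function names, the "pdfroff-" prefix and the PID-based fallback are assumptions made for the example; the point is the contrast between a helper that keeps going with a guessable path and one that refuses.

```c
/* Added illustration, not groff's pdfroff code.  The failure mode the
 * commit describes: a temporary-directory helper that, when mkdtemp(3)
 * fails (for example because TMPDIR points somewhere unusable), falls
 * back to a name derived from the PID.  An attacker who can guess the
 * PID pre-creates that path as a symlink.  Function names, the
 * "pdfroff-" prefix and the fallback scheme are assumptions. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define TMPNAME_MAX 4096

/* Build "<base>/pdfroff-XXXXXX" into out; returns 0 on success. */
static int build_template(const char *base, char *out, size_t len)
{
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(out, len, "%s/pdfroff-XXXXXX", base) >= (int)len)
        return -1;          /* truncated: refuse rather than guess */
    return 0;
}

/* Hypothetical unsafe pattern: on mkdtemp failure, fall back to a
 * predictable name and keep going.  Returns a malloc'd path or NULL. */
char *unsafe_tmpdir(const char *base)
{
    char path[TMPNAME_MAX];
    if (build_template(base, path, sizeof path) != 0)
        return NULL;
    if (mkdtemp(path) == NULL) {
        /* PID-based names are guessable, and the mkdir failure is
         * ignored, so a pre-planted symlink at this path is used. */
        snprintf(path, sizeof path, "%s/pdfroff-%ld",
                 (base && *base) ? base : "/tmp", (long)getpid());
        (void)mkdir(path, 0700);
    }
    return strdup(path);
}

/* Hardened pattern: mkdtemp(3) is the only source of the name.  If it
 * fails, give up instead of inventing a fallback.  Returns NULL on
 * failure so the caller can report the error and exit. */
char *safe_tmpdir(const char *base)
{
    char path[TMPNAME_MAX];
    if (build_template(base, path, sizeof path) != 0)
        return NULL;
    if (mkdtemp(path) == NULL)
        return NULL;
    return strdup(path);
}

int main(void)
{
    /* Simulate an unusable TMPDIR, as in the scenario described. */
    char *d = safe_tmpdir("/nonexistent/dir");
    printf("safe_tmpdir with unusable base: %s\n", d ? d : "(refused)");
    free(d);
    d = unsafe_tmpdir("/nonexistent/dir");
    printf("unsafe_tmpdir falls back to:    %s\n", d ? d : "(null)");
    free(d);
    return 0;
}
```

The hardened version also refuses when the template would be truncated, since a silently shortened path is another way to end up somewhere other than intended.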
LuaExpat XML Processing Denial of Service Vulnerability.
tweaks/ok sthen@ jolan@
ok jasper@
"MAINTAINER was notified a couple days ago about this. Since it is security-related,
you have my ok to commit it now." jolan@
- zap groff too, doesn't need it here
- install examples files
- it is only Artistic license, not both GPL/Artistic as perl
Full Changelog at: http://cpansearch.perl.org/src/DLOWE/Text-Tmpl-0.33/Changes
"looks good" to Alex Feinberg and sthen@
OK jasper@
with tweaks from myself and landry@. ok landry@
If PDF is electronic paper, then pdftk is an electronic staple-remover,
hole-punch, binder, secret-decoder-ring, and X-Ray-glasses. Pdftk is a
simple tool for doing everyday things with PDF documents. Use it to:
* Merge and/or split PDF Documents
* Rotate PDF Documents or Pages
* Decrypt/Encrypt PDF Documents
* Fill PDF Forms with X/FDF Data and/or Flatten Forms
* Apply a Background Watermark or a Foreground Stamp
* Report or update PDF Metrics such as Metadata and Bookmarks
* Attach Files to PDF Pages or the PDF Document
* Unpack PDF Attachments
* Uncompress and Re-Compress Page Streams
* Repair Corrupted PDF (Where Possible)
PLIST and delete everything under the @sample'd directory instead of the
directory itself to prevent a warning from pkg_delete(1) trying to
remove a non-existing directory and to help prevent left-over files
and directories.
- doesn't need groff; mandoc handles those manpages fine
- set RUN_DEPENDS (textproc/p5-Text-CSV_XS)
This is an optional dependency, just to speed up Text::CSV.
Since the new dependency is SHARED_ONLY, add proper conditional treatment
so it doesn't break on NO_SHARED_LIBS archs.
- adjust pkg/DESCR, bump REVISION
ok jasper@, tweaks and ok sthen@
docbook2X is a software package that converts DocBook documents into
the traditional Unix man page format and the GNU Texinfo format.
It is free software under a MIT-style license.
Notable features include table support for man pages, internationalization
support, and easy customization of the output using XSLT. (Easy, because
unlike other converters, the docbook2X stylesheets are written in a modular
way, and the character escaping and whitespace issues with the man-page and
Texinfo formats are encapsulated away from the user.)
developed by users of e-books for users of e-books. It has a cornucopia
of features divided into the following main categories:
* Library Management
* E-book conversion
* Syncing to e-book reader devices
* Downloading news from the web and converting it into e-book form
* Comprehensive e-book viewer
* Content server for online access to your book collection
OK laurent@, jasper@
Enable one of the tests that was disabled in a patch (another test is
still disabled; this relates to non-utf8 locales and fails in the same
way with libutf8 or base). ok kili@
PDF::API2::Simple Simplistic wrapper for the excellent PDF::API2 modules.
from Anibal Ezau Limon Belmares (MAINTAINER), with tweaks by
gleydson soares and myself. ok sthen@
* add missing run dependencies
* set the correct path to ruby in the gonzui-* scripts
* remove the patches and cheat with pre-configure
* add patches to fix an error with more recent ruby-bdb
Docx2txt is a Perl based command-line tool to convert Microsoft docx
documents to (ASCII) text files, preserving some formatting and document
information (which MS text conversion drops) along with appropriate
character conversions. It can also recover text from damaged docx
documents in many cases.
tweaks and ok sthen@
rather than yet-another-xpdf-derivative) to 0.8.15.
various improvements and fixes, notably now supports AESv3 encrypted
PDFs and, very welcome, search now operates over all pages and is thus
actually useful.
Lots of new functionality, lots of bug fixes, and bringing in
significant maintenance efforts from upstream.
To name just one specific example, the number of arguments mdoc(7)
macros can take is no longer limited.
Two of the more tricky patches contributed by naddy@, thanks!
Tested in bulk builds by landry@.
Tested on sparc (GCC 2) by phessler@ and on alpha (GCC 3) by naddy@.
ok naddy@, landry@
Before using this to build ports, make sure you install
the src/usr.sbin/pkg_add/OpenBSD/PackingElement.pm patch
I'm going to commit right afterwards as well, or you will end up
with ports manuals containing ANSI escape sequences.
In parser_get_next_char(), make sure we are on at least the second character
when testing if the current double-quote char is escaped.
Might fix the crash reported in ID: 2994723
This fixes a crash in evolution.
ok sebastia@ (maintainer)
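The fix described above is a bounds check on a backwards look: a scanner that asks "is this double quote escaped?" by reading the previous byte must first make sure there is a previous byte. The following C is an added illustration for this page, not the project's own parser code; the function names and the buffer layout are assumptions. It shows the unchecked predicate beside the fixed one and a small scan built on the fixed version.

```c
/* Added illustration, not the project's own parser code.  A scanner that
 * decides whether a double quote is escaped by looking at the byte before
 * it.  Reading buf[pos - 1] when pos == 0 is an out-of-bounds read, the
 * crash the commit describes; the fixed predicate checks the position
 * first.  Function names and buffer layout are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Before the fix: consults the previous byte unconditionally.
 * Undefined behaviour when pos == 0; do not call it that way. */
int quote_is_escaped_unchecked(const char *buf, size_t pos)
{
    return buf[pos - 1] == '\\';
}

/* After the fix: only consult the previous byte when there is one.
 * Like the check the commit describes, this looks at a single preceding
 * byte; it does not special-case a doubled backslash before the quote. */
int quote_is_escaped(const char *buf, size_t pos)
{
    return pos > 0 && buf[pos - 1] == '\\';
}

/* Count double quotes that are not backslash-escaped, using the fixed
 * predicate.  Safe for buffers whose first byte is a quote. */
size_t count_unescaped_quotes(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '"' && !quote_is_escaped(buf, i))
            n++;
    return n;
}

int main(void)
{
    /* Constructed inputs: a quoted word, and one with a leading escaped quote. */
    const char a[] = "\"abc\"";
    const char b[] = "\\\"abc\"";
    printf("%s -> %zu unescaped quotes\n", a, count_unescaped_quotes(a, strlen(a)));
    printf("%s -> %zu unescaped quotes\n", b, count_unescaped_quotes(b, strlen(b)));
    /* The unchecked predicate is only safe from the second byte on. */
    printf("unchecked at pos 1 of %s: %d\n", b, quote_is_escaped_unchecked(b, 1));
    return 0;
}
```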
upstream will release this fix in xpdf-3.03).
Also apply a patch that kili@ lifted from poppler some time ago.
Both patches fix crashes seen with some PDF documents.
ok sthen, "don't wait for me" kili
Quite a few new features and bugfixes from our previous version, more
details are available at http://codespeak.net/lxml/changes-2.2.8.html
remove MAINTAINER (requested by MAINTAINER)
OK sthen@, previous MAINTAINER Benoit Chesneau
Committing on behalf of sthen@ who did the actual work
happens to be newer than the current p5-XML-LibXML-1.69p3, so
pkg_create now loudly complains. So set EPOCH to 0 to make it happier.
agreed by jasper@ and sthen@
XML::DOM::XPath allows you to use XML::XPath methods to query a DOM.
This is often much easier than relying only on getElementsByTagName.
It lets you use all of the XML::DOM methods.
ok sthen@
Liquid is a template engine which I wrote for very specific
requirements:
* It has to have beautiful and simple markup. Template engines which
don't produce good looking markup are no fun to use.
* It needs to be non evaling and secure. Liquid templates are made so
that users can edit them. You don't want to run code on your server
which your users wrote.
* It has to be stateless. Compile and render steps have to be separate
so that the expensive parsing and compiling can be done once and later
on you can just render it passing in a hash with local variables and
objects.
Fast-stemmer is simply a wrapping around multithreaded Porter stemming
algorithm.
This gem adds a String#stem method, and it conflicts with the stemmer
gem. It's an order of magnitude faster (and uses much less memory) than
the latter.
Classifier is a general module to allow Bayesian and other types of
classifications. It supports both Bayes and LSI (Latent Semantic
Indexing) classifications.
Discount is an implementation of John Gruber's Markdown markup language
in C. It implements all of the language described in the markdown syntax
document and passes the Markdown 1.0 test suite. rdiscount is a ruby C
extension that wraps Discount.
Previously, we were using ruby->=1.8,<=1.9, instead of
ruby->=1.8,<1.9. While this wouldn't cause an issue, since
our ruby-1.9.2 package isn't included in ruby->=1.8,<=1.9,
it's still wrong and should be fixed. This also fixes the
following minor issues:
Switch from using FLAVOR to MODRUBY_FLAVOR for *_DEPENDS.
Currently we don't have a ruby port that uses FLAVORs that
would differ from MODRUBY_FLAVOR, but it's possible we will
in the future.
Switch from BASE_PKGPATH to BUILD_PKGPATH in a few cases in
REGRESS_DEPENDS. This probably is not strictly necessary, but
BUILD_PKGPATH is used in more cases, so it is good for
consistency.
Switch to new style *_DEPENDS, with the version specification
at the end. The remaining cases where this is not done are those where
a specific version is used.
Some FULLPKGNAME added to REGRESS_DEPENDS, to make sure that if
the old version is installed when you run a regress test, it
will install the new version first.
Some conversion of spaces to tabs for consistency.
OK landry@