rpms/coreutils/F-12 coreutils-CVE-2009-4135.patch, NONE, 1.1 coreutils.spec, 1.281, 1.282

Ondrej Vasik ovasik at fedoraproject.org
Fri Dec 11 18:38:30 UTC 2009


Author: ovasik

Update of /cvs/extras/rpms/coreutils/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26544

Modified Files:
	coreutils.spec 
Added Files:
	coreutils-CVE-2009-4135.patch 
Log Message:
CVE-2009-4135 : Unsafe temporary directory use in distcheck rule

coreutils-CVE-2009-4135.patch:
 dist-check.mk |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- NEW FILE coreutils-CVE-2009-4135.patch ---
diff -urNp coreutils-7.6-orig/dist-check.mk coreutils-7.6/dist-check.mk
--- coreutils-7.6-orig/dist-check.mk	2009-09-01 13:01:16.000000000 +0200
+++ coreutils-7.6/dist-check.mk	2009-12-11 19:25:01.231452251 +0100
@@ -4,14 +4,14 @@ bin=bin-$$$$
 
 write_loser = printf '\#!%s\necho $$0: bad path 1>&2; exit 1\n' '$(SHELL)'
 
-TMPDIR ?= /tmp
-t=$(TMPDIR)/$(PACKAGE)/test
+tmpdir = $(abs_top_builddir)/tests/torture
+t=$(tmpdir)/$(PACKAGE)/test
 pfx=$(t)/i
 
 # More than once, tainted build and source directory names would
 # have caused at least one "make check" test to apply "chmod 700"
 # to all directories under $HOME.  Make sure it doesn't happen again.
-tp := $(shell echo "$(TMPDIR)/$(PACKAGE)-$$$$")
+tp = $(tmpdir)/taint
 t_prefix = $(tp)/a
 t_taint = '$(t_prefix) b'
 fake_home = $(tp)/home
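Review bot: The new `tmpdir` and `tp` definitions carry no comment saying why the build tree replaces `$(TMPDIR)`, and the per-process suffix the old `$$$$` gave `tp` is gone, so both the motive and the new constraint are invisible to the next reader. I'd put above `tmpdir = ...`: `# Use a directory under the build tree rather than $TMPDIR: a shared, world-writable /tmp lets another local user pre-create or symlink these fixed paths (CVE-2009-4135).` Because `tp` is now the fixed name `$(tmpdir)/taint`, two concurrent taint-distcheck runs in the same build tree would collide; presumably acceptable, but worth stating next to the definition. It may also be worth guarding against an empty `$(abs_top_builddir)`, which would make `tmpdir` expand to `/tests/torture`, e.g. `$(if $(abs_top_builddir),,$(error abs_top_builddir is empty))`.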
@@ -30,10 +30,11 @@ taint-distcheck: $(DIST_ARCHIVES)
 	touch $(fake_home)/f
 	mkdir -p $(fake_home)/d/e
 	ls -lR $(fake_home) $(t_prefix) > $(tp)/.ls-before
+	HOME=$(fake_home); export HOME;			\
 	cd $(t_taint)/$(distdir)			\
 	  && ./configure				\
 	  && $(MAKE)					\
-	  && HOME=$(fake_home) $(MAKE) check		\
+	  && $(MAKE) check				\
 	  && ls -lR $(fake_home) $(t_prefix) > $(tp)/.ls-after \
 	  && diff $(tp)/.ls-before $(tp)/.ls-after	\
 	  && test -d $(t_prefix)
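Review bot: Placing `HOME=$(fake_home); export HOME;` ahead of the `cd` means the fake HOME now applies to `./configure` and the plain `$(MAKE)` as well, whereas the removed form set it only for `$(MAKE) check`; the hunk does not explain that widening. If it is deliberate (catching a stray `chmod` under $HOME during configure or build, not only during the tests), a comment above the line would make that clear, e.g. `# Export the fake HOME for configure and build too, not just for 'make check'.` If it is not deliberate, the per-command form should be kept. The taint-distcheck recipe starts before this hunk.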
@@ -52,6 +53,7 @@ endef
 # Install, then verify that all binaries and man pages are in place.
 # Note that neither the binary, ginstall, nor the ].1 man page is installed.
 define my-instcheck
+  echo running my-instcheck;				\
   $(MAKE) prefix=$(pfx) install				\
     && test ! -f $(pfx)/bin/ginstall			\
     && { fail=0;					\
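Review bot: The added `echo running my-instcheck;` is unrelated to the temporary-directory fix, as are `echo running coreutils-path-check;` in the next hunk and the `--quiet` configure flag in the my-distcheck hunk; a CVE backport that also carries such extras is harder to audit against the advisory. If the intent is to track the upstream commit verbatim, say so in the patch header or the spec changelog; otherwise drop those three lines from this patch. The my-instcheck definition continues past the end of this hunk.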
@@ -70,6 +72,7 @@ endef
 
 define coreutils-path-check
   {							\
+    echo running coreutils-path-check;			\
     if test -f $(srcdir)/src/true.c; then		\
       fail=1;						\
       mkdir $(bin)					\
@@ -117,7 +120,7 @@ my-distcheck: $(DIST_ARCHIVES) $(local-c
 	mkdir -p $(t)
 	GZIP=$(GZIP_ENV) $(AMTAR) -C $(t) -zxf $(distdir).tar.gz
 	cd $(t)/$(distdir)				\
-	  && ./configure --enable-gcc-warnings --disable-nls \
+	  && ./configure --quiet --enable-gcc-warnings --disable-nls \
 	  && $(MAKE) AM_MAKEFLAGS='$(null_AM_MAKEFLAGS)' \
 	  && $(MAKE) dvi				\
 	  && $(install-transform-check)			\
@@ -128,6 +131,7 @@ my-distcheck: $(DIST_ARCHIVES) $(local-c
 	  && $(AMTAR) -zxf - ) < $(distdir).tar.gz
 	diff -ur $(t)/$(distdir).old $(t)/$(distdir)
 	-rm -rf $(t)
+	rmdir $(tmpdir)/$(PACKAGE) $(tmpdir)
 	@echo "========================"; \
 	echo "$(distdir).tar.gz is ready for distribution"; \
 	echo "========================"
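Review bot: The new `rmdir $(tmpdir)/$(PACKAGE) $(tmpdir)` has no `-` prefix, so unlike `-rm -rf $(t)` directly above it a failure here aborts my-distcheck after the tarball has already been verified. That happens whenever either directory is non-empty — for example if the silenced `rm -rf` failed, or if `$(tmpdir)` still holds the `taint` directory from an earlier taint-distcheck run (that cleanup is outside this hunk). Either tolerate it, `-rmdir $(tmpdir)/$(PACKAGE) $(tmpdir) 2>/dev/null`, or make both cleanup lines fail loudly so they are at least consistent. The my-distcheck recipe starts before this hunk.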


Index: coreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/coreutils/F-12/coreutils.spec,v
retrieving revision 1.281
retrieving revision 1.282
diff -u -p -r1.281 -r1.282
--- coreutils.spec	23 Nov 2009 09:56:03 -0000	1.281
+++ coreutils.spec	11 Dec 2009 18:38:30 -0000	1.282
@@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name:    coreutils
 Version: 7.6
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv3+
 Group:   System Environment/Base
 Url:     http://www.gnu.org/software/coreutils/
@@ -25,6 +25,7 @@ Patch4: coreutils-7.6-tail-F-renaming.pa
 Patch5: coreutils-7.6-trueexecve.patch
 Patch6: coreutils-7.6-ls-infloop.patch
 Patch7: coreutils-7.6-ls-derefdanglinginode.patch
+Patch8: coreutils-CVE-2009-4135.patch
 
 # Our patches
 Patch100: coreutils-6.10-configuration.patch
@@ -120,6 +121,7 @@ Libraries for coreutils package.
 %patch4 -p1 -b .renaming
 %patch5 -p1 -b .execve
 %patch6 -p1 -b .infloop
+%patch8 -p1 -b .unsafetmp
 
 # Our patches
 %patch100 -p1 -b .configure
@@ -341,6 +343,9 @@ fi
 %{_libdir}/coreutils
 
 %changelog
+* Fri Dec 11 2009 Ondrej Vasik <ovasik at redhat.com> - 7.6-8
+- CVE-2009-4135 : Unsafe temporary directory use in "distcheck" rule
+
 * Mon Nov 23 2009 Ondrej Vasik <ovasik at redhat.com> - 7.6-7
 - update /etc/DIR_COLORS* files
 - ls -LR exits with status 2, not 0, when it encounters



