[148304] trunk/dports/sysutils/tardiff

raimue at macports.org raimue at macports.org
Tue May 3 07:43:01 PDT 2016


Revision: 148304
          https://trac.macports.org/changeset/148304
Author:   raimue at macports.org
Date:     2016-05-03 07:43:01 -0700 (Tue, 03 May 2016)
Log Message:
-----------
sysutils/tardiff:
Add patches for CVE-2015-0857, CVE-2015-0858, and other bugs, closes #51292

Modified Paths:
--------------
    trunk/dports/sysutils/tardiff/Portfile

Added Paths:
-----------
    trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0857.diff
    trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0858.diff
    trunk/dports/sysutils/tardiff/files/patch-fix-statistic.diff
    trunk/dports/sysutils/tardiff/files/patch-fix-unique-uniquebase.diff

Modified: trunk/dports/sysutils/tardiff/Portfile
===================================================================
--- trunk/dports/sysutils/tardiff/Portfile	2016-05-03 13:23:58 UTC (rev 148303)
+++ trunk/dports/sysutils/tardiff/Portfile	2016-05-03 14:43:01 UTC (rev 148304)
@@ -5,11 +5,12 @@
 
 name                tardiff
 version             0.1
-revision            3
+revision            4
 categories          sysutils textproc devel archivers
 license             GPL
 platforms           darwin
-maintainers         ryandesign
+maintainers         ryandesign \
+                    openmaintainer
 supported_archs     noarch
 
 description         compares the contents of two tarballs
@@ -38,7 +39,11 @@
     copy ${distpath}/${name} ${worksrcpath}
 }
 
-patchfiles          patch-tardiff.diff
+patchfiles          patch-tardiff.diff \
+                    patch-fix-statistic.diff \
+                    patch-fix-unique-uniquebase.diff \
+                    patch-CVE-2015-0857.diff \
+                    patch-CVE-2015-0858.diff
 
 use_configure       no
 
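Review bot: patch-CVE-2015-0857.diff makes the script `use Text::Diff`, which is not a core Perl module, yet the patchfiles hunk adds no matching runtime dependency; unless the Portfile already declares one outside this hunk (a p5-text-diff port via `depends_lib-append`, exact spelling per the perl5 portgroup), the patched tardiff dies at compile time, while File::Temp from the second CVE patch is core and needs nothing. The order of the new patchfiles is also load-bearing: patch-fix-statistic.diff produces the `diff $file1 $file2` line that patch-CVE-2015-0857.diff expects as context, and patch-CVE-2015-0857.diff produces the `use Text::Diff;` line that patch-CVE-2015-0858.diff expects. A one-line comment above the list, `# order matters: the CVE patches expect context produced by the fix-* patches`, would keep it from being reshuffled later.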

Added: trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0857.diff
===================================================================
--- trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0857.diff	                        (rev 0)
+++ trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0857.diff	2016-05-03 14:43:01 UTC (rev 148304)
@@ -0,0 +1,44 @@
+Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches/CVE-2015-0857.diff
+Edit: gnutar instead of tar
+
+Description: Fix local code execution when calling diff (CVE-2015-0857)
+ Reported by Rainer Müller <raimue at codingfarm.de>. Implemented using
+ Text::Diff instead of diff and backticks.
+Author: Axel Beckert <abe at debian.org>
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0857
+
+Index: tardiff
+===================================================================
+--- tardiff	2016-04-28 19:19:02.194646937 +0200
++++ tardiff	2016-04-28 19:36:41.253948109 +0200
+@@ -6,6 +6,7 @@
+ # Published under GNU GPL conditions
+ 
+ use strict;
++use Text::Diff;
+ 
+ my $VERSION = '0.1';
+ 
+@@ -73,7 +74,12 @@
+ 		$flag = "-j";
+ 	}
+ 
+-	my $list = `gnutar -C $tempdir $flag -xvf $tarball 2>/dev/null`;
++	open(TARLIST, '-|', qw(gnutar -C), $tempdir, $flag, qw(-xvf), $tarball)
++	    or die "Can't call tar as expected: $!";
++	local $/ = undef; # slurp mode
++	my $list = <TARLIST> or die "Couldn't read from tar";
++	close(TARLIST) or warn "tar exited with non-zero exit code";
++
+ 	return $list;
+ }
+ 
+@@ -116,7 +122,7 @@
+ 	if(-d $file1 and -d $file2){
+ 		return 0;
+ 	}elsif(-f $file1 and -f $file2){
+-		my $diff = `diff $file1 $file2`;
++		my $diff = diff $file1, $file2, { STYLE => "OldStyle" };
+ 		if($diff){
+ 			if($opt_stats){
+ 				my $plus = 0;
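Review bot: In the untar hunk, `close(TARLIST) or warn "tar exited with non-zero exit code";` lets a failed extraction (corrupt archive, gnutar killed mid-way) through: untar still returns whatever listing was read, and the caller's `or die` (visible in the CVE-2015-0858 patch) only fires on an empty string, so the comparison then runs on a partially extracted tree. `close(TARLIST) or die "gnutar failed with exit status " . ($? >> 8);` would stop there, and `open(my $tarlist, '-|', qw(gnutar -C), $tempdir, $flag, qw(-xvf), $tarball)` would avoid the package-global bareword handle. Note that `my $list = <TARLIST> or die` treats an archive that lists nothing as an error, which seems intended given that the caller dies on an empty listing as well. The enclosing sub starts before the hunk; the second hunk's `diff $file1, $file2, { STYLE => "OldStyle" }` keeps the `>`/`<` line prefixes that the -s statistics loop below it relies on.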

Added: trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0858.diff
===================================================================
--- trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0858.diff	                        (rev 0)
+++ trunk/dports/sysutils/tardiff/files/patch-CVE-2015-0858.diff	2016-05-03 14:43:01 UTC (rev 148304)
@@ -0,0 +1,49 @@
+Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches/CVE-2015-0858.diff
+
+Description: Fix race condition when creating temporary files (CVE-2015-0858)
+ Reported by Florian Weimer <fw at deneb.enyo.de>. Implemented using
+ File::Temp instead of just using the process ID inside the directory
+ name as suggested by Florian.
+Author: Axel Beckert <abe at debian.org>
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0858
+
+Index: tardiff
+===================================================================
+--- tardiff	2016-04-28 20:24:06.913565891 +0200
++++ tardiff	2016-04-28 20:24:06.909565907 +0200
+@@ -7,12 +7,13 @@
+ 
+ use strict;
+ use Text::Diff;
++use File::Temp qw(tempdir);
+ 
+ my $VERSION = '0.1';
+ 
+ my ($tarball1, $tarball2);
+ my ($opt_list, $opt_modified, $opt_autoskip, $opt_stats);
+-my $tempdir;
++my $tempdir = tempdir( CLEANUP => 1 );
+ 
+ $SIG{'__DIE__'} = 'cleanup';
+ $SIG{'TERM'} = 'cleanup';
+@@ -173,9 +174,6 @@
+ sub tardiff{
+ 	my $error = 0;
+ 
+-	$tempdir = "/tmp/tardiff-$$";
+-	mkdir $tempdir;
+-
+ 	my $filelist1 = untar($tarball1) or die "Error: Could not unpack $tarball1.";
+ 	my $filelist2 = untar($tarball2) or die "Error: Could not unpack $tarball2.";
+ 
+@@ -216,10 +214,6 @@
+ sub cleanup{
+ 	my $handler = shift(@_);
+ 
+-	if($tempdir){
+-		system("rm -rf $tempdir");
+-	}
+-
+ 	if($handler eq "INT" or $handler eq "TERM"){
+ 		exit 1;
+ 	}
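Review bot: After this hunk `cleanup` no longer removes anything itself, and the sub continues outside the hunk, so a reader landing on it will wonder where the directory goes; a comment where the `rm -rf` block stood, `# $tempdir is removed by File::Temp (CLEANUP => 1) at process exit, including the exit 1 below`, would record that. The same comment documents the one behavioural difference worth knowing: removal now happens in File::Temp's END-time cleanup rather than inline, so a process killed by a signal other than INT/TERM leaves the directory behind. The first hunk creates the directory at file scope, so presumably every run, even one that only prints usage, now creates and removes a temp dir — harmless, but inferred from the position of the declaration rather than shown here.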

Added: trunk/dports/sysutils/tardiff/files/patch-fix-statistic.diff
===================================================================
--- trunk/dports/sysutils/tardiff/files/patch-fix-statistic.diff	                        (rev 0)
+++ trunk/dports/sysutils/tardiff/files/patch-fix-statistic.diff	2016-05-03 14:43:01 UTC (rev 148304)
@@ -0,0 +1,31 @@
+Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches/fix-statistic.diff
+
+Description: Fix calculation of statistics (option -s)
+ Using normal instead of unique diff is far easier to parse
+ unambiguously.
+Author: Axel Beckert <abe at debian.org>
+Bug-Debian: https://bugs.debian.org/802098
+
+Index: tardiff
+===================================================================
+--- tardiff	2015-10-17 16:37:09.675959837 +0200
++++ tardiff	2015-10-17 16:40:07.739438492 +0200
+@@ -116,15 +116,15 @@
+ 	if(-d $file1 and -d $file2){
+ 		return 0;
+ 	}elsif(-f $file1 and -f $file2){
+-		my $diff = `diff -u $file1 $file2`;
++		my $diff = `diff $file1 $file2`;
+ 		if($diff){
+ 			if($opt_stats){
+ 				my $plus = 0;
+ 				my $minus = 0;
+ 				foreach my $line(split(/\n/, $diff)){
+-					if($line =~ /^+\ /){
++					if($line =~ /^>/){
+ 						$plus++;
+-					}elsif($line =~ /^-\ /){
++					}elsif($line =~ /^</){
+ 						$minus++;
+ 					}
+ 				}
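Review bot: The `diff $file1 $file2` backtick this patch introduces still interpolates extracted-file paths into a shell command; in this port it is only safe because patch-CVE-2015-0857.diff is listed after it in the Portfile and replaces exactly that line. Nothing in the patch header says so, so a line in the Description, `Must be applied before CVE-2015-0857.diff, which replaces the backtick diff call with Text::Diff.`, would stop someone dropping or reordering it. The `^>`/`^<` counters match OldStyle diff output, which is also what the Text::Diff call in the later patch produces.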

Added: trunk/dports/sysutils/tardiff/files/patch-fix-unique-uniquebase.diff
===================================================================
--- trunk/dports/sysutils/tardiff/files/patch-fix-unique-uniquebase.diff	                        (rev 0)
+++ trunk/dports/sysutils/tardiff/files/patch-fix-unique-uniquebase.diff	2016-05-03 14:43:01 UTC (rev 148304)
@@ -0,0 +1,58 @@
+Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches/fix-unique-uniquebase.diff
+
+Patch to allow to compare to tar balls with the same base
+directory. Also fixes an issue with listing a directory as present in
+the wrong tar ball.
+
+Author: Axel Beckert <abe at debian.org>
+
+Index: tardiff
+===================================================================
+--- tardiff	2005-05-17 14:52:27.000000000 +0200
++++ tardiff	2011-12-01 21:56:59.000000000 +0100
+@@ -80,6 +80,7 @@
+ sub analyzetar{
+ 	my $filelist = shift(@_);
+ 	my $filehash = shift(@_);
++	my $tarball = shift(@_);
+ 
+ 	my %files = %{$filehash};
+ 
+@@ -92,12 +93,12 @@
+ 		if(!$uniquebase){
+ 			$uniquebase = $base;
+ 		}else{
+-			($base eq $uniquebase) or die "$tarball1 contains different base dirs: $base and $uniquebase";
++			($base eq $uniquebase) or die "$tarball contains different base dirs: $base and $uniquebase";
+ 		}
+ 		if($files{$remainder}){
+ 			$files{$remainder} = "__both";
+ 		}else{
+-			$files{$remainder} = "$uniquebase";
++			$files{$remainder} = "$tarball";
+ 		}
+ 	}
+ 
+@@ -174,8 +175,8 @@
+ 
+ 	my %files;
+ 
+-	my ($base1, %files) = analyzetar($filelist1, \%files);
+-	my ($base2, %files) = analyzetar($filelist2, \%files);
++	my ($base1, %files) = analyzetar($filelist1, \%files, $tarball1);
++	my ($base2, %files) = analyzetar($filelist2, \%files, $tarball2);
+ 
+ 	foreach my $file(sort(keys(%files))){
+ 		next if $file eq "";
+@@ -196,9 +197,9 @@
+ 			if($opt_list and not $modified){
+ 				print "  $file\n";
+ 			}
+-		}elsif($base eq $base1){
++		}elsif($base eq $tarball1){
+ 			print "- $file\n";
+-		}elsif($base eq $base2){
++		}elsif($base eq $tarball2){
+ 			print "+ $file\n";
+ 		}else{
+ 			print "? $file\n";
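Review bot: In the tardiff hunk the changed lines still write `my ($base1, %files) = analyzetar(...)` two lines under `my %files;`, so the second `my` masks the first (warnings would report it) and the hash just passed by reference is overwritten by whatever analyzetar returns in list context; that return is outside the hunk, so whether the slurped tail really is the files hash cannot be confirmed here. With the last hunk now comparing against `$tarball1`/`$tarball2`, `$base1` and `$base2` look unused unless code between the hunks reads them. If the return is `($uniquebase, %files)`, dropping the `my` from both assignments, `($base1, %files) = analyzetar($filelist1, \%files, $tarball1);`, with `my ($base1, $base2);` declared next to `my %files;`, keeps a single hash and the original variables.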