Bug #356811:

- Fix CVE-2011-1154
- Fix CVE-2011-1098
- Fix CVE-2011-1155

(Portage version: 2.2.0_alpha29/cvs/Linux x86_64)

3 files changed, 317 insertions, 0 deletions

diff --git a/app-admin/logrotate/files/logrotate-3.7.9-atomic-create.patch b/app-admin/logrotate/files/logrotate-3.7.9-atomic-create.patch
new file mode 100644
index 000000000000..b888dc0231a4
--- /dev/null
+++ b/app-admin/logrotate/files/logrotate-3.7.9-atomic-create.patch
@@ -0,0 +1,70 @@
+diff --git a/logrotate.c b/logrotate.c
+index 3748918..fbe232a 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -194,31 +194,41 @@ static int runScript(char *logfn, char *script)
+ int createOutputFile(char *fileName, int flags, struct stat *sb)
+ {
+     int fd;
++	char template[PATH_MAX + 1];
++	mode_t umask_value;
++	snprintf(template, PATH_MAX, "%s/logrotate_temp.XXXXXX", ourDirName(fileName));
++
++	umask_value = umask(0000);
++	fd = mkstemp(template);
++	umask(umask_value);
++
++	if (fd < 0) {
++		message(MESS_ERROR, "error creating unique temp file: %s\n",
++				strerror(errno));
++		return -1;
++	}
++
++	if (fchown(fd, sb->st_uid, sb->st_gid)) {
++		message(MESS_ERROR, "error setting owner of %s: %s\n",
++				fileName, strerror(errno));
++		close(fd);
++		return -1;
++	}
++
++	if (fchmod(fd, sb->st_mode)) {
++		message(MESS_ERROR, "error setting mode of %s: %s\n",
++				fileName, strerror(errno));
++		close(fd);
++		return -1;
++	}
++
++	if (rename(template, fileName)) {
++		message(MESS_ERROR, "error renaming temp file to %s: %s\n",
++				fileName, strerror(errno));
++		close(fd);
++		return -1;
++	}
+ 
+-    fd = open(fileName, flags, sb->st_mode);
+-    if (fd < 0) {
+-	message(MESS_ERROR, "error creating output file %s: %s\n",
+-		fileName, strerror(errno));
+-	return -1;
+-    }
+-    if (fchmod(fd, (S_IRUSR | S_IWUSR) & sb->st_mode)) {
+-	message(MESS_ERROR, "error setting mode of %s: %s\n",
+-		fileName, strerror(errno));
+-	close(fd);
+-	return -1;
+-    }
+-    if (fchown(fd, sb->st_uid, sb->st_gid)) {
+-	message(MESS_ERROR, "error setting owner of %s: %s\n",
+-		fileName, strerror(errno));
+-	close(fd);
+-	return -1;
+-    }
+-    if (fchmod(fd, sb->st_mode)) {
+-	message(MESS_ERROR, "error setting mode of %s: %s\n",
+-		fileName, strerror(errno));
+-	close(fd);
+-	return -1;
+-    }
+     return fd;
+ }
+ 
diff --git a/app-admin/logrotate/files/logrotate-3.7.9-shred.patch b/app-admin/logrotate/files/logrotate-3.7.9-shred.patch
new file mode 100644
index 000000000000..7df1e96c0d56
--- /dev/null
+++ b/app-admin/logrotate/files/logrotate-3.7.9-shred.patch
@@ -0,0 +1,151 @@
+diff --git a/logrotate.c b/logrotate.c
+index 95bc80b..8dfb3d7 100644
+--- a/logrotate.c
++++ b/logrotate.c
+@@ -56,7 +56,7 @@ int debug = 0;
+ char *mailCommand = DEFAULT_MAIL_COMMAND;
+ time_t nowSecs = 0;
+ 
+-static int shred_file(char *filename, struct logInfo *log);
++static int shred_file(int fd, char *filename, struct logInfo *log);
+ 
+ static int globerr(const char *pathname, int theerr)
+ {
+@@ -216,59 +216,79 @@ int createOutputFile(char *fileName, int flags, struct stat *sb)
+     return fd;
+ }
+ 
+-#define SHRED_CALL "shred -u "
+-#define SHRED_COUNT_FLAG "-n "
+ #define DIGITS 10
++
+ /* unlink, but try to call shred from GNU fileutils */
+-static int shred_file(char *filename, struct logInfo *log)
++static int shred_file(int fd, char *filename, struct logInfo *log)
+ {
+-	int len, ret;
+-	char *cmd;
+ 	char count[DIGITS];    /*  that's a lot of shredding :)  */
++	const char **fullCommand;
++	int id = 0;
++	int status;
+ 
+ 	if (!(log->flags & LOG_FLAG_SHRED)) {
+ 		return unlink(filename);
+ 	}
+ 
+-	len = strlen(filename) + strlen(SHRED_CALL);
+-	len += strlen(SHRED_COUNT_FLAG) + DIGITS;
+-	cmd = malloc(len);
++	message(MESS_DEBUG, "Using shred to remove the file %s\n", filename);
+ 
+-	if (!cmd) {
+-		message(MESS_ERROR, "malloc error while shredding");
+-		return unlink(filename);
++	if (log->shred_cycles != 0) {
++		fullCommand = alloca(sizeof(*fullCommand) * 6);
++	}
++	else {
++		fullCommand = alloca(sizeof(*fullCommand) * 4);
+ 	}
+-	strcpy(cmd, SHRED_CALL);
++	fullCommand[id++] = "shred";
++	fullCommand[id++] = "-u";
++
+ 	if (log->shred_cycles != 0) {
+-		strcat(cmd, SHRED_COUNT_FLAG);
++		fullCommand[id++] = "-n";
+ 		snprintf(count, DIGITS - 1, "%d", log->shred_cycles);
+-		strcat(count, " ");
+-		strcat(cmd, count);
++		fullCommand[id++] = count;
++	}
++	fullCommand[id++] = "-";
++	fullCommand[id++] = NULL;
++
++	if (!fork()) {
++		dup2(fd, 1);
++		close(fd);
++
++		execvp(fullCommand[0], (void *) fullCommand);
++		exit(1);
+ 	}
+-	strcat(cmd, filename);
+-	ret = system(cmd);
+-	free(cmd);
+-	if (ret != 0) {
++	
++	wait(&status);
++
++	if (!WIFEXITED(status) || WEXITSTATUS(status)) {
+ 		message(MESS_ERROR, "Failed to shred %s\n, trying unlink", filename);
+-		if (ret != -1) {
+-			message(MESS_NORMAL, "Shred returned %d\n", ret);
+-		}
+ 		return unlink(filename);
+-	} else {
+-		return ret;
+ 	}
++
++	/* We have to unlink it after shred anyway,
++	 * because it doesn't remove the file itself */
++	return unlink(filename);
+ }
+ 
+ static int removeLogFile(char *name, struct logInfo *log)
+ {
+-    message(MESS_DEBUG, "removing old log %s\n", name);
++	int fd;
++	message(MESS_DEBUG, "removing old log %s\n", name);
+ 
+-    if (!debug && shred_file(name, log)) {
+-	message(MESS_ERROR, "Failed to remove old log %s: %s\n",
+-		name, strerror(errno));
+-	return 1;
+-    }
+-    return 0;
++	if ((fd = open(name, O_RDWR)) < 0) {
++		message(MESS_ERROR, "error opening %s: %s\n",
++			name, strerror(errno));
++		return 1;
++	}
++
++	if (!debug && shred_file(fd, name, log)) {
++		message(MESS_ERROR, "Failed to remove old log %s: %s\n",
++			name, strerror(errno));
++		close(fd);
++		return 1;
++	}
++
++	close(fd);
++	return 0;
+ }
+ 
+ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
+@@ -294,7 +314,7 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
+     compressedName = alloca(strlen(name) + strlen(log->compress_ext) + 2);
+     sprintf(compressedName, "%s%s", name, log->compress_ext);
+ 
+-    if ((inFile = open(name, O_RDONLY)) < 0) {
++    if ((inFile = open(name, O_RDWR)) < 0) {
+ 	message(MESS_ERROR, "unable to open %s for compression\n", name);
+ 	return 1;
+     }
+@@ -316,7 +336,6 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
+ 	exit(1);
+     }
+ 
+-    close(inFile);
+     close(outFile);
+ 
+     wait(&status);
+@@ -326,7 +345,8 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
+ 	return 1;
+     }
+ 
+-    shred_file(name, log);
++    shred_file(inFile, name, log);
++	close(inFile);
+ 
+     return 0;
+ }
diff --git a/app-admin/logrotate/files/logrotate-3.7.9-statefile.patch b/app-admin/logrotate/files/logrotate-3.7.9-statefile.patch
new file mode 100644
index 000000000000..daa02402fad7
--- /dev/null
+++ b/app-admin/logrotate/files/logrotate-3.7.9-statefile.patch
@@ -0,0 +1,96 @@
+Index: logrotate.c
+===================================================================
+--- logrotate.c	(revision 314)
++++ logrotate.c	(working copy)
+@@ -45,6 +45,12 @@
+ #define GLOB_ABORTED GLOB_ABEND
+ #endif
+ 
++#ifdef PATH_MAX
++#define STATEFILE_BUFFER_SIZE 2 * PATH_MAX + 16
++#else
++#define STATEFILE_BUFFER_SIZE 4096
++#endif
++
+ struct logState {
+     char *fn;
+     struct tm lastRotated;	/* only tm.mon, tm_mday, tm_year are good! */
+@@ -82,6 +88,34 @@
+     return 1;
+ }
+ 
++static void unescape(char *arg)
++{
++	char *p = arg;
++	char *next;
++	char escaped;
++	while ((next = strchr(p, '\\')) != NULL) {
++
++		p = next;
++
++		switch (p[1]) {
++		case 'n':
++			escaped = '\n';
++			break;
++		case '\\':
++			escaped = '\\';
++			break;
++		default:
++			++p;
++			continue;
++		}
++
++		/* Overwrite the backslash with the intended character,
++		 * and shift everything down one */
++		*p++ = escaped;
++		memmove(p, p+1, 1 + strlen(p+1));
++	}
++}
++
+ #define HASH_SIZE_MIN 64
+ static int allocateHash(void)
+ {
+@@ -1546,7 +1580,13 @@
+ 			for (chptr = p->fn; *chptr; chptr++) {
+ 				switch (*chptr) {
+ 				case '"':
++				case '\\':
+ 					fputc('\\', f);
++					break;
++				case '\n':
++					fputc('\\', f);
++					fputc('n', f);
++					continue;
+ 				}
+ 
+ 				fputc(*chptr, f);
+@@ -1567,7 +1607,8 @@
+ static int readState(char *stateFilename)
+ {
+     FILE *f;
+-    char buf[1024];
++    char buf[STATEFILE_BUFFER_SIZE];
++	char *filename;
+     const char **argv;
+     int argc;
+     int year, month, day;
+@@ -1678,7 +1719,10 @@
+ 
+ 	year -= 1900, month -= 1;
+ 
+-	if ((st = findState(argv[0])) == NULL)
++	filename = strdup(argv[0]);
++	unescape(filename);
++	
++	if ((st = findState(filename)) == NULL)
+ 		return 1;
+ 
+ 	st->lastRotated.tm_mon = month;
+@@ -1690,6 +1734,7 @@
+ 	st->lastRotated = *localtime(&lr_time);
+ 
+ 	free(argv);
++	free(filename);
+     }
+ 
+     fclose(f);