author | Markos Chandras <hwoarang@gentoo.org> | 2011-08-07 12:09:02 +0000 |
---|---|---|
committer | Markos Chandras <hwoarang@gentoo.org> | 2011-08-07 12:09:02 +0000 |
commit | 739308d280112bf3fa77f1efc80c59ceac5746eb (patch) | |
tree | eec68b139892b1a685d21d7298ce5bb24cce36a9 /media-video/minitube | |
parent | version bump (diff) | |
download | gentoo-2-739308d280112bf3fa77f1efc80c59ceac5746eb.tar.gz gentoo-2-739308d280112bf3fa77f1efc80c59ceac5746eb.tar.bz2 gentoo-2-739308d280112bf3fa77f1efc80c59ceac5746eb.zip |
Add security fix and mark stable for amd64. Bug #377929
(Portage version: 2.2.0_alpha50/cvs/Linux x86_64)
Diffstat (limited to 'media-video/minitube')
-rw-r--r-- | media-video/minitube/ChangeLog | 6 | ||||
-rw-r--r-- | media-video/minitube/files/minitube-1.5-non-static-filename.patch | 39 | ||||
-rw-r--r-- | media-video/minitube/minitube-1.4.ebuild | 56 | ||||
-rw-r--r-- | media-video/minitube/minitube-1.5.ebuild | 8 |
4 files changed, 50 insertions, 59 deletions
diff --git a/media-video/minitube/ChangeLog b/media-video/minitube/ChangeLog index 6b490695b71b..cf8a7c672071 100644 --- a/media-video/minitube/ChangeLog +++ b/media-video/minitube/ChangeLog @@ -1,6 +1,10 @@ # ChangeLog for media-video/minitube # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/ChangeLog,v 1.54 2011/08/07 03:23:27 phajdan.jr Exp $ +# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/ChangeLog,v 1.55 2011/08/07 12:09:02 hwoarang Exp $ + + 07 Aug 2011; Markos Chandras <hwoarang@gentoo.org> -minitube-1.4.ebuild, + minitube-1.5.ebuild, +files/minitube-1.5-non-static-filename.patch: + Add security fix and mark stable for amd64. Bug #377929 07 Aug 2011; Pawel Hajdan jr <phajdan.jr@gentoo.org> minitube-1.5.ebuild: x86 stable wrt bug #377929 diff --git a/media-video/minitube/files/minitube-1.5-non-static-filename.patch b/media-video/minitube/files/minitube-1.5-non-static-filename.patch new file mode 100644 index 000000000000..443b40b1b67d --- /dev/null +++ b/media-video/minitube/files/minitube-1.5-non-static-filename.patch 
@@ -0,0 +1,39 @@
+From 70d17805055f8b4dc4e2ea77112f41bbe5a56a9c Mon Sep 17 00:00:00 2001
+From: Markos Chandras <hwoarang@gentoo.org>
+Date: Sun, 7 Aug 2011 13:04:29 +0100
+Subject: [PATCH] Use a non-static filename for temporary created files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+This is a security problem because an attacker can create a malicious
+filename and make minitube crash. The temporarty filenames must always
+be non-static. This patch appends a random generated number at the end
+of that file.
+
+The bug was found on Gentoo bugzilla by Tomáš Pružina
+<tomas.pruzina@gmail.com> and the original patch was created by him as
+well.
+
+https://bugs.gentoo.org/show_bug.cgi?id=377929
+---
+ src/MediaView.cpp | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/MediaView.cpp b/src/MediaView.cpp
+index d41c69e..a10c60a 100644
+--- a/src/MediaView.cpp
++++ b/src/MediaView.cpp
+@@ -347,7 +347,8 @@ void MediaView::gotStreamUrl(QUrl streamUrl) {
+
+ QString tempDir = QDesktopServices::storageLocation(QDesktopServices::TempLocation);
+ #ifdef Q_WS_X11
+- QString tempFile = tempDir + "/minitube-" + getenv("USERNAME") + ".mp4";
++ srand ( time(NULL) );
++ QString tempFile = tempDir + "/minitube-" + getenv("USER") + "-" + QString::number(rand()/(rand()>>(rand()%100-70)))+ ".mp4";
+ #else
+ QString tempFile = tempDir + "/minitube.mp4";
+ #endif
+--
+1.6.1
+
diff --git a/media-video/minitube/minitube-1.4.ebuild b/media-video/minitube/minitube-1.4.ebuild
deleted file mode 100644
index 7dc3665a293a..000000000000
--- a/media-video/minitube/minitube-1.4.ebuild
+++ /dev/null
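Review bot: The new name in the `#ifdef Q_WS_X11` branch is still predictable and the expression that builds it can fault on its own, so the crash described in the patch message is narrowed rather than closed. `srand ( time(NULL) )` seeds from a one-second clock, and in `rand()/(rand()>>(rand()%100-70))` the shift count ranges from -70 to 29: a negative count is undefined behaviour and a shifted value of 0 turns the division into a divide-by-zero. Nothing visible creates the file exclusively, so a file or symlink already present at that path would still be used by the code that consumes `tempFile`, which lies outside the hunk in `gotStreamUrl`. I would let Qt choose and create the name atomically, e.g. `QTemporaryFile tmp(tempDir + "/minitube-XXXXXX");` with the result of `tmp.open()` checked, and apply the same to the `#else` branch, which keeps the fixed `/minitube.mp4`. `getenv("USER")` may return NULL and adds nothing once the name is unique.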
@@ -1,56 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/minitube-1.4.ebuild,v 1.5 2011/04/11 06:19:16 phajdan.jr Exp $
-
-EAPI="2"
-LANGS="ar es pt_BR pt_PT uk"
-LANGSLONG="bg_BG cs_CZ de_DE el_GR es he_IL hr_HR hu_HU fr_FR fi_FI it_IT
-ja_JP nl_NL nb_NO pl_PL ro_RO ru_RU tr_TR"
-
-inherit qt4-r2
-
-DESCRIPTION="Qt4 YouTube Client"
-HOMEPAGE="http://flavio.tordini.org/minitube"
-SRC_URI="http://flavio.tordini.org/files/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-3"
-SLOT="0"
-KEYWORDS="amd64 x86"
-IUSE="debug kde gstreamer"
-
-DEPEND="x11-libs/qt-gui:4[accessibility]
- x11-libs/qt-dbus:4
- kde? ( || ( media-libs/phonon[gstreamer?] x11-libs/qt-phonon:4 ) )
- !kde? ( || ( x11-libs/qt-phonon media-libs/phonon[gstreamer?] ) )
- gstreamer? (
- media-plugins/gst-plugins-soup
- media-plugins/gst-plugins-ffmpeg
- media-plugins/gst-plugins-faac
- media-plugins/gst-plugins-faad
- )
-"
-
-RDEPEND="${DEPEND}"
-
-S="${WORKDIR}/${PN}"
-
-src_install() {
- dobin build/target/minitube || die "dobin failed"
- newicon images/app.png minitube.png || die "doicon failed"
- make_desktop_entry minitube MiniTube minitube "Qt;AudioVideo;Video" \
- || die "make_desktop_entry failed"
- #translations
- insinto "/usr/share/${PN}/locale/"
- for lang in ${LINGUAS}; do
- for x in ${LANGS}; do
- if [[ ${x} == ${lang} ]]; then
- doins "build/target/locale/${x}.qm" || die "doins failed"
- fi
- done
- for x in ${LANGSLONG}; do
- if [[ ${x%_*} == ${lang} ]]; then
- doins "build/target/locale/${x}.qm" || die "doins failed"
- fi
- done
- done
-}
diff --git a/media-video/minitube/minitube-1.5.ebuild b/media-video/minitube/minitube-1.5.ebuild
index 75ad9a9a8cc3..627017f627d8 100644
--- a/media-video/minitube/minitube-1.5.ebuild
+++ b/media-video/minitube/minitube-1.5.ebuild
@@ -1,6 +1,6 @@ # Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/minitube-1.5.ebuild,v 1.2 2011/08/07 03:23:27 phajdan.jr Exp $ +# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/minitube-1.5.ebuild,v 1.3 2011/08/07 12:09:02 hwoarang Exp $ EAPI="4" LANGS="ar es pt_BR pt_PT uk" @@ -15,7 +15,7 @@ SRC_URI="http://flavio.tordini.org/files/${PN}/${P}.tar.gz" LICENSE="GPL-3" SLOT="0" -KEYWORDS="~amd64 x86" +KEYWORDS="amd64 x86" IUSE="debug kde gstreamer" DEPEND="x11-libs/qt-gui:4[accessibility] @@ -34,6 +34,10 @@ RDEPEND="${DEPEND}" S="${WORKDIR}/${PN}" +PATCHES=( + "${FILESDIR}"/${P}-non-static-filename.patch +) + src_install() { emake INSTALL_ROOT="${D}" install newicon images/app.png minitube.png |