app-editors/nedit: security patch added

Package-Manager: portage-2.2.26

4 files changed, 130 insertions, 2 deletions

diff --git a/app-editors/nedit/files/nedit-5.5_p20110116-security.patch b/app-editors/nedit/files/nedit-5.5_p20110116-security.patch
new file mode 100644
index 000000000000..b24ef2355a3c
--- /dev/null
+++ b/app-editors/nedit/files/nedit-5.5_p20110116-security.patch
@@ -0,0 +1,63 @@
+Index: nedit-5.5/source/file.c
+===================================================================
+--- nedit-5.5.orig/source/file.c	2004-08-24 11:37:24.000000000 +0200
++++ nedit-5.5/source/file.c	2010-03-27 18:44:01.000000000 +0100
+@@ -1314,7 +1314,7 @@
+ */
+ void PrintString(const char *string, int length, Widget parent, const char *jobName)
+ {
+-    char tmpFileName[L_tmpnam];    /* L_tmpnam defined in stdio.h */
++    char *tmpFileName=strdup("/tmp/neditXXXXXX");
+     FILE *fp;
+     int fd;
+ 
+@@ -1325,14 +1325,10 @@
+ 	    1. Create a filename
+ 	    2. Open the file with the O_CREAT|O_EXCL flags
+ 	So all an attacker can do is a DoS on the print function. */
+-    tmpnam(tmpFileName);
++    fd = mkstemp(tmpFileName);
+ 
+     /* open the temporary file */
+-#ifdef VMS
+-    if ((fp = fopen(tmpFileName, "w", "rfm = stmlf")) == NULL)
+-#else
+-    if ((fd = open(tmpFileName, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR | S_IWUSR)) < 0 || (fp = fdopen(fd, "w")) == NULL)
+-#endif /* VMS */
++    if ((fp = fdopen(fd, "w")) == NULL)
+     {
+         DialogF(DF_WARN, parent, 1, "Error while Printing",
+                 "Unable to write file for printing:\n%s", "OK",
+@@ -1346,7 +1342,7 @@
+     
+     /* write to the file */
+ #ifdef IBM_FWRITE_BUG
+-    write(fileno(fp), string, length);
++    write(fd, string, length);
+ #else
+     fwrite(string, sizeof(char), length, fp);
+ #endif
+@@ -1356,6 +1352,7 @@
+                 "%s not printed:\n%s", "OK", jobName, errorString());
+         fclose(fp); /* should call close(fd) in turn! */
+         remove(tmpFileName);
++	free(tmpFileName);
+         return;
+     }
+     
+@@ -1366,6 +1363,7 @@
+                 "Error closing temp. print file:\n%s", "OK",
+                 errorString());
+         remove(tmpFileName);
++	free(tmpFileName);
+         return;
+     }
+ 
+@@ -1377,6 +1375,7 @@
+     PrintFile(parent, tmpFileName, jobName);
+     remove(tmpFileName);
+ #endif /*VMS*/
++    free(tmpFileName);
+     return;
+ }
+ 
diff --git a/app-editors/nedit/files/nedit-5.6-security.patch b/app-editors/nedit/files/nedit-5.6-security.patch
new file mode 100644
index 000000000000..b24ef2355a3c
--- /dev/null
+++ b/app-editors/nedit/files/nedit-5.6-security.patch
@@ -0,0 +1,63 @@
+Index: nedit-5.5/source/file.c
+===================================================================
+--- nedit-5.5.orig/source/file.c	2004-08-24 11:37:24.000000000 +0200
++++ nedit-5.5/source/file.c	2010-03-27 18:44:01.000000000 +0100
+@@ -1314,7 +1314,7 @@
+ */
+ void PrintString(const char *string, int length, Widget parent, const char *jobName)
+ {
+-    char tmpFileName[L_tmpnam];    /* L_tmpnam defined in stdio.h */
++    char *tmpFileName=strdup("/tmp/neditXXXXXX");
+     FILE *fp;
+     int fd;
+ 
+@@ -1325,14 +1325,10 @@
+ 	    1. Create a filename
+ 	    2. Open the file with the O_CREAT|O_EXCL flags
+ 	So all an attacker can do is a DoS on the print function. */
+-    tmpnam(tmpFileName);
++    fd = mkstemp(tmpFileName);
+ 
+     /* open the temporary file */
+-#ifdef VMS
+-    if ((fp = fopen(tmpFileName, "w", "rfm = stmlf")) == NULL)
+-#else
+-    if ((fd = open(tmpFileName, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR | S_IWUSR)) < 0 || (fp = fdopen(fd, "w")) == NULL)
+-#endif /* VMS */
++    if ((fp = fdopen(fd, "w")) == NULL)
+     {
+         DialogF(DF_WARN, parent, 1, "Error while Printing",
+                 "Unable to write file for printing:\n%s", "OK",
+@@ -1346,7 +1342,7 @@
+     
+     /* write to the file */
+ #ifdef IBM_FWRITE_BUG
+-    write(fileno(fp), string, length);
++    write(fd, string, length);
+ #else
+     fwrite(string, sizeof(char), length, fp);
+ #endif
+@@ -1356,6 +1352,7 @@
+                 "%s not printed:\n%s", "OK", jobName, errorString());
+         fclose(fp); /* should call close(fd) in turn! */
+         remove(tmpFileName);
++	free(tmpFileName);
+         return;
+     }
+     
+@@ -1366,6 +1363,7 @@
+                 "Error closing temp. print file:\n%s", "OK",
+                 errorString());
+         remove(tmpFileName);
++	free(tmpFileName);
+         return;
+     }
+ 
+@@ -1377,6 +1375,7 @@
+     PrintFile(parent, tmpFileName, jobName);
+     remove(tmpFileName);
+ #endif /*VMS*/
++    free(tmpFileName);
+     return;
+ }
+ 
diff --git a/app-editors/nedit/nedit-5.5_p20110116-r3.ebuild b/app-editors/nedit/nedit-5.5_p20110116-r3.ebuild
index 0acd3788fd2f..86ab91648186 100644
--- a/app-editors/nedit/nedit-5.5_p20110116-r3.ebuild
+++ b/app-editors/nedit/nedit-5.5_p20110116-r3.ebuild
@@ -29,7 +29,8 @@ src_prepare() {
 	#respecting LDFLAGS, bug #208189
 	epatch \
 		"${FILESDIR}"/nedit-5.5_p20090914-ldflags.patch \
-		"${FILESDIR}"/${P}-40_Pointer_to_Integer.patch
+		"${FILESDIR}"/${P}-40_Pointer_to_Integer.patch \
+		"${FILESDIR}"/${P}-security.patch
 
 	sed \
 		-e "s:bin/:${EPREFIX}/bin/:g" \
diff --git a/app-editors/nedit/nedit-5.6-r1.ebuild b/app-editors/nedit/nedit-5.6-r1.ebuild
index c8b0da39a43f..68ebc4b934a4 100644
--- a/app-editors/nedit/nedit-5.6-r1.ebuild
+++ b/app-editors/nedit/nedit-5.6-r1.ebuild
@@ -30,7 +30,8 @@ src_prepare() {
 	epatch \
 		"${FILESDIR}"/${P}-format.patch \
 		"${FILESDIR}"/${P}-ldflags.patch \
-		"${FILESDIR}"/${P}-40_Pointer_to_Integer.patch
+		"${FILESDIR}"/${P}-40_Pointer_to_Integer.patch \
+		"${FILESDIR}"/${P}-security.patch
 	sed \
 		-e "s:bin/:${EPREFIX}/bin/:g" \
 		-i Makefile source/preferences.c source/help_data.h source/nedit.c Xlt/Makefile || die