authorAlexis Ballier <aballier@gentoo.org>2008-01-26 10:38:19 +0000
committerAlexis Ballier <aballier@gentoo.org>2008-01-26 10:38:19 +0000
commitc84af783f3303af8173feeb697fd930566dbdc6e (patch)
tree24a7ad64f55fd363f4da10368bb128e6541a7ced /media-sound
parentDropped ppc-macos keyword, see you in prefix (diff)
Add a patch for temporary file vulnerability (CVE-2007-6061), bug #199751. It will set the default temporary file location to the user home directory and discard preferences if it is in /tmp.
Package-Manager: portage-2.1.4
Diffstat (limited to 'media-sound')
-rw-r--r--media-sound/audacity/ChangeLog10
-rw-r--r--media-sound/audacity/Manifest25
-rw-r--r--media-sound/audacity/audacity-1.3.4-r1.ebuild97
-rw-r--r--media-sound/audacity/files/CVE-2007-6061.patch22
-rw-r--r--media-sound/audacity/files/digest-audacity-1.3.4-r13
5 files changed, 149 insertions, 8 deletions
diff --git a/media-sound/audacity/ChangeLog b/media-sound/audacity/ChangeLog
index e0c9c5d03799..5acd324cdf1f 100644
--- a/media-sound/audacity/ChangeLog
+++ b/media-sound/audacity/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for media-sound/audacity
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/ChangeLog,v 1.78 2008/01/13 19:34:46 aballier Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/ChangeLog,v 1.79 2008/01/26 10:38:18 aballier Exp $
+
+*audacity-1.3.4-r1 (26 Jan 2008)
+
+ 26 Jan 2008; Alexis Ballier <aballier@gentoo.org>
+ +files/CVE-2007-6061.patch, +audacity-1.3.4-r1.ebuild:
+ Add a patch for temporary file vulnerablilty (CVE-2007-6061), bug #199751.
+ It will set the default temporary file location to the user home directory
+ add discard preferences if it is in /tmp.
13 Jan 2008; Alexis Ballier <aballier@gentoo.org>
audacity-1.3.2-r1.ebuild, audacity-1.3.4.ebuild:
diff --git a/media-sound/audacity/Manifest b/media-sound/audacity/Manifest
index 23441636d29b..be8bd7b2280f 100644
--- a/media-sound/audacity/Manifest
+++ b/media-sound/audacity/Manifest
@@ -1,6 +1,10 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+AUX CVE-2007-6061.patch 990 RMD160 65c960ffbad4ed21b56064fc44672da15a3a9a84 SHA1 4519a1b819feb77d6d49e22db1699dbad14a73f3 SHA256 45ef372a604d900ff9f40e7070525506fe63073cc4dd4edaf0fe7078d37df24d
+MD5 5dedb48cb7b3adef0d76e83aaadceeae files/CVE-2007-6061.patch 990
+RMD160 65c960ffbad4ed21b56064fc44672da15a3a9a84 files/CVE-2007-6061.patch 990
+SHA256 45ef372a604d900ff9f40e7070525506fe63073cc4dd4edaf0fe7078d37df24d files/CVE-2007-6061.patch 990
AUX audacity-1.3.2+flac-1.1.3.patch 4143 RMD160 5e154be7cee78c206716509d71a8ed883066a114 SHA1 1e38825cb8ba0a5ffa74cd4086ca3a04aaa1264c SHA256 efce32ae9bc0085e2c058ddb4a2436547901bb22f5b2c9a4804dc5b088392eac
MD5 9a8818667ff40745e903ead0821b6d68 files/audacity-1.3.2+flac-1.1.3.patch 4143
RMD160 5e154be7cee78c206716509d71a8ed883066a114 files/audacity-1.3.2+flac-1.1.3.patch 4143
@@ -35,14 +39,18 @@ EBUILD audacity-1.3.2-r1.ebuild 2541 RMD160 9ba9e8655292519ca4a57cfeba5a61448561
MD5 f03c06488ac9408662098a15c827c92e audacity-1.3.2-r1.ebuild 2541
RMD160 9ba9e8655292519ca4a57cfeba5a61448561ca44 audacity-1.3.2-r1.ebuild 2541
SHA256 7878a68ecd47f6a7d32960f4af26acfa5a0d1f4ec755fea6e45ff1fb2ac5513f audacity-1.3.2-r1.ebuild 2541
+EBUILD audacity-1.3.4-r1.ebuild 2437 RMD160 9d3b708e95a2ea64948e979913dd8c2e7eb96195 SHA1 31c6a54278561737e0da3e9b1816afa0121c110c SHA256 8782ef37b974bfa85e9008413fb7c5c005474276bdbdc4917e998c05fc434991
+MD5 f4faa2e2694884896fb0d7cdea5a3db0 audacity-1.3.4-r1.ebuild 2437
+RMD160 9d3b708e95a2ea64948e979913dd8c2e7eb96195 audacity-1.3.4-r1.ebuild 2437
+SHA256 8782ef37b974bfa85e9008413fb7c5c005474276bdbdc4917e998c05fc434991 audacity-1.3.4-r1.ebuild 2437
EBUILD audacity-1.3.4.ebuild 2099 RMD160 9dbcfaf76693eaa816dba164b29a524b79fa68c4 SHA1 379d01f6a8ff7521adf6e9e9e2b3c68fc9208668 SHA256 863375c05ae9ab8d837a0d4a2ef44de074cad3fe509abfb7b13db23ffffd496d
MD5 86c852f24b364fa7c77fdd3b1dfbdcfe audacity-1.3.4.ebuild 2099
RMD160 9dbcfaf76693eaa816dba164b29a524b79fa68c4 audacity-1.3.4.ebuild 2099
SHA256 863375c05ae9ab8d837a0d4a2ef44de074cad3fe509abfb7b13db23ffffd496d audacity-1.3.4.ebuild 2099
-MISC ChangeLog 13992 RMD160 3c4ac9dd8e1b0bdefdada7f58921913e2c58e36c SHA1 b22871bf188124dbc51adbff09eb88bdaa6bb69c SHA256 3f94c1914dbb39a87e668d28d356f11258ae651b029e031b47f4404040d6d15b
-MD5 2a86c66a10e5bb3bca3bb60bc6731fce ChangeLog 13992
-RMD160 3c4ac9dd8e1b0bdefdada7f58921913e2c58e36c ChangeLog 13992
-SHA256 3f94c1914dbb39a87e668d28d356f11258ae651b029e031b47f4404040d6d15b ChangeLog 13992
+MISC ChangeLog 14334 RMD160 8e2b323430424a4691dd007d3d58e62556316b4f SHA1 a51bb9085259cccae2885799dde89fc34b0497cb SHA256 b6b62ff4d241dde19493cc556c389c192e2bcf0ac9f988c6e4566284fb0ef594
+MD5 c56c2dfdd357e6e717edb5beb470c09d ChangeLog 14334
+RMD160 8e2b323430424a4691dd007d3d58e62556316b4f ChangeLog 14334
+SHA256 b6b62ff4d241dde19493cc556c389c192e2bcf0ac9f988c6e4566284fb0ef594 ChangeLog 14334
MISC metadata.xml 161 RMD160 2738d17827a71b5ccbadae4c4f909d2b57d147b0 SHA1 90201ddb830142147774cc7b7b5178fbd0a9af0c SHA256 0ba191421eefd954d1efe9f6c3384e8c8d7455d35a7e79457272e1c29211b09e
MD5 f62f5a9cf5fe86389cf2bf4d85244ef5 metadata.xml 161
RMD160 2738d17827a71b5ccbadae4c4f909d2b57d147b0 metadata.xml 161
@@ -53,10 +61,13 @@ SHA256 707a1fdb467f1d843eb4978eac90c42d2a428918549578c186d6c568808aaaa5 files/di
MD5 a17807e49f06d99579c8200aa7693838 files/digest-audacity-1.3.4 262
RMD160 89756e4630786a8e678b6d0a335931f9b7fab652 files/digest-audacity-1.3.4 262
SHA256 907f29bacd1611ceede8e1c1fcb84fe623e30c25e7db82d5bb17636983be429b files/digest-audacity-1.3.4 262
+MD5 a17807e49f06d99579c8200aa7693838 files/digest-audacity-1.3.4-r1 262
+RMD160 89756e4630786a8e678b6d0a335931f9b7fab652 files/digest-audacity-1.3.4-r1 262
+SHA256 907f29bacd1611ceede8e1c1fcb84fe623e30c25e7db82d5bb17636983be429b files/digest-audacity-1.3.4-r1 262
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
-iD4DBQFHimg0vFcC4BYPU0oRAglFAJiGPtw1GHtCfySE1BeJElRlawWNAKC63u0X
-FtCvmpNWA+XPZfLh+2UFyg==
-=i+xx
+iD8DBQFHmw2ivFcC4BYPU0oRAlzcAJ4o6PpZAsq4oD9qHkkTuLsAQFnFGwCgpHaJ
+/6Wlf5HSmOP+go5vBZMs1E0=
+=o/Lc
-----END PGP SIGNATURE-----
diff --git a/media-sound/audacity/audacity-1.3.4-r1.ebuild b/media-sound/audacity/audacity-1.3.4-r1.ebuild
new file mode 100644
index 000000000000..771c1ce77438
--- /dev/null
+++ b/media-sound/audacity/audacity-1.3.4-r1.ebuild
@@ -0,0 +1,97 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-sound/audacity/audacity-1.3.4-r1.ebuild,v 1.1 2008/01/26 10:38:18 aballier Exp $
+
+inherit eutils wxwidgets
+
+IUSE="flac id3tag ladspa libsamplerate mp3 soundtouch twolame unicode vamp vorbis"
+
+MY_P="${PN}-src-${PV}"
+DESCRIPTION="Free crossplatform audio editor"
+HOMEPAGE="http://audacity.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
+RESTRICT="test"
+
+COMMON_DEPEND="=x11-libs/wxGTK-2.6*
+ >=app-arch/zip-2.3
+ dev-libs/expat
+ >=media-libs/libsndfile-1.0.0
+ soundtouch? ( >=media-libs/libsoundtouch-1.3.1 )
+ vorbis? ( >=media-libs/libvorbis-1.0 )
+ mp3? ( >=media-libs/libmad-0.14.2b )
+ id3tag? ( media-libs/libid3tag )
+ flac? ( media-libs/flac )
+ libsamplerate? ( >=media-libs/libsamplerate-0.1.2 )
+ vamp? ( media-libs/vamp-plugin-sdk )
+ twolame? ( media-sound/twolame )"
+RDEPEND="${COMMON_DEPEND}
+ mp3? ( >=media-sound/lame-3.70 )"
+DEPEND="${COMMON_DEPEND}
+ dev-util/pkgconfig"
+
+S="${WORKDIR}/${MY_P}-beta"
+
+pkg_setup() {
+ if use flac && ! built_with_use --missing true media-libs/flac cxx; then
+ eerror "To build ${PN} with flac support you need the C++ bindings for flac."
+ eerror "Please enable the cxx USE flag for media-libs/flac"
+ die "Missing FLAC C++ bindings."
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+
+ cd "${S}"
+
+ epatch "${FILESDIR}/${P}-nolibfailure.patch"
+ epatch "${FILESDIR}/CVE-2007-6061.patch"
+}
+
+src_compile() {
+ WX_GTK_VER="2.6"
+
+ if use unicode; then
+ need-wxwidgets unicode
+ else
+ need-wxwidgets gtk2
+ fi
+
+ econf \
+ --with-libexpat=system \
+ $(use_enable unicode) \
+ $(use_with ladspa) \
+ $(use_with vorbis) \
+ $(use_with mp3 libmad) \
+ $(use_with id3tag) \
+ $(use_with flac libflac) \
+ $(use_enable vamp) \
+ $(use_with twolame libtwolame) \
+ $(use_with soundtouch) \
+ $(use_with libsamplerate) \
+ || die
+
+ emake || die
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die
+
+ # Remove bad doc install
+ rm -rf "${D}"/usr/share/doc
+
+ # Install our docs
+ dodoc README.txt
+}
+
+pkg_postinst() {
+ ewarn "For security reasons, audacity temporary directory"
+ ewarn "has been moved to your home directory."
+ ewarn "This version will not allow you to set it in /tmp"
+ ewarn "and will discard your preferences if it is there."
+ ewarn "See bug #199751 for more information."
+}
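Review bot: The `pkg_postinst` warning says this version "will discard your preferences", which reads as though the whole preferences file is dropped, whereas the bundled CVE-2007-6061.patch only blanks the stored temporary-directory value when it starts with `/tmp`. I would reword the two middle lines to `ewarn "This version will not allow you to set it in /tmp and will ignore"` followed by `ewarn "a stored temporary directory preference that points there."`. The patch shows no cleanup of a directory an earlier version may have left in /tmp, so the message could also tell users to check for one. Separately, `cd "${S}"` in `src_unpack` has no `|| die`, so a failed directory change would only surface when `epatch` fails.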
diff --git a/media-sound/audacity/files/CVE-2007-6061.patch b/media-sound/audacity/files/CVE-2007-6061.patch
new file mode 100644
index 000000000000..d80ae681ffb1
--- /dev/null
+++ b/media-sound/audacity/files/CVE-2007-6061.patch
@@ -0,0 +1,22 @@
+Index: audacity-src-1.3.4-beta/src/AudacityApp.cpp
+===================================================================
+--- audacity-src-1.3.4-beta.orig/src/AudacityApp.cpp
++++ audacity-src-1.3.4-beta/src/AudacityApp.cpp
+@@ -573,7 +573,7 @@ bool AudacityApp::OnInit()
+ // * The user's .audacity-files directory in their home directory
+ // * The "share" and "share/doc" directories in their install path
+ #ifdef __WXGTK__
+- defaultTempDir.Printf(wxT("/tmp/audacity%d.%d-%s"),
++ defaultTempDir.Printf(wxT("%s/.audacity%d.%d-%s"), home.c_str(),
+ AUDACITY_VERSION, AUDACITY_RELEASE, wxGetUserId().c_str());
+
+ wxString pathVar = wxGetenv(wxT("AUDACITY_PATH"));
+@@ -996,7 +996,7 @@ bool AudacityApp::InitTempDir()
+ wxString temp = wxT("");
+
+ #ifdef __WXGTK__
+- if (tempFromPrefs.GetChar(0) != wxT('/'))
++ if (tempFromPrefs.GetChar(0) != wxT('/') || tempFromPrefs.compare(0,4, wxT("/tmp")) == 0)
+ tempFromPrefs = wxT("");
+ #endif
+
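Review bot: The added `/tmp` test in `InitTempDir()` is a raw string-prefix comparison, so it rejects a stored preference only when it literally begins with `/tmp`. Equivalent spellings such as `//tmp/...`, a path that resolves into `/tmp` through `..` or a symlink, and other shared locations such as `/var/tmp` still pass, while an unrelated directory like `/tmpfiles` is rejected. Normalising the preference first (for example with `wxFileName::Normalize()`) and then checking that the resulting directory is owned by the user and not group- or world-writable would address the shared-directory problem itself rather than one spelling of it. At minimum I would add a comment above the check: `// CVE-2007-6061: ignore a temp dir preference under /tmp; prefix match only, does not resolve symlinks or cover /var/tmp`. In the `OnInit()` hunk, `home` is defined outside the lines shown, so whether it can be empty (which would put the default directory at the filesystem root) cannot be confirmed from here; both function bodies continue outside the hunk.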
diff --git a/media-sound/audacity/files/digest-audacity-1.3.4-r1 b/media-sound/audacity/files/digest-audacity-1.3.4-r1
new file mode 100644
index 000000000000..2d4ac9d624db
--- /dev/null
+++ b/media-sound/audacity/files/digest-audacity-1.3.4-r1
@@ -0,0 +1,3 @@
+MD5 6c4ada9085f916b5ae1675eaa4754442 audacity-src-1.3.4.tar.bz2 4349381
+RMD160 754d81fb0e660d697e7c315c41f28584917e0a9e audacity-src-1.3.4.tar.bz2 4349381
+SHA256 102d60e48e1928f3fd995a214ed9ba872929c6365cf5f784f107f351b42499f9 audacity-src-1.3.4.tar.bz2 4349381