diff --git a/coreutils-CVE-2009-4135.patch b/coreutils-CVE-2009-4135.patch
new file mode 100644
index 0000000..4d33e11
--- /dev/null
+++ b/coreutils-CVE-2009-4135.patch
@@ -0,0 +1,67 @@
+diff -urNp coreutils-7.6-orig/dist-check.mk coreutils-7.6/dist-check.mk
+--- coreutils-7.6-orig/dist-check.mk 2009-09-01 13:01:16.000000000 +0200
++++ coreutils-7.6/dist-check.mk 2009-12-11 19:25:01.231452251 +0100
+@@ -4,14 +4,14 @@ bin=bin-$$$$
+ 
+ write_loser = printf '\#!%s\necho $$0: bad path 1>&2; exit 1\n' '$(SHELL)'
+ 
+-TMPDIR ?= /tmp
+-t=$(TMPDIR)/$(PACKAGE)/test
++tmpdir = $(abs_top_builddir)/tests/torture
++t=$(tmpdir)/$(PACKAGE)/test
+ pfx=$(t)/i
+ 
+ # More than once, tainted build and source directory names would
+ # have caused at least one "make check" test to apply "chmod 700"
+ # to all directories under $HOME. Make sure it doesn't happen again.
+-tp := $(shell echo "$(TMPDIR)/$(PACKAGE)-$$$$")
++tp = $(tmpdir)/taint
+ t_prefix = $(tp)/a
+ t_taint = '$(t_prefix) b'
+ fake_home = $(tp)/home
+@@ -30,10 +30,11 @@ taint-distcheck: $(DIST_ARCHIVES)
+ touch $(fake_home)/f
+ mkdir -p $(fake_home)/d/e
+ ls -lR $(fake_home) $(t_prefix) > $(tp)/.ls-before
++ HOME=$(fake_home); export HOME; \
+ cd $(t_taint)/$(distdir) \
+ && ./configure \
+ && $(MAKE) \
+- && HOME=$(fake_home) $(MAKE) check \
++ && $(MAKE) check \
+ && ls -lR $(fake_home) $(t_prefix) > $(tp)/.ls-after \
+ && diff $(tp)/.ls-before $(tp)/.ls-after \
+ && test -d $(t_prefix)
+@@ -52,6 +53,7 @@ endef
+ # Install, then verify that all binaries and man pages are in place.
+ # Note that neither the binary, ginstall, nor the ].1 man page is installed.
+ define my-instcheck
++ echo running my-instcheck; \
+ $(MAKE) prefix=$(pfx) install \
+ && test ! -f $(pfx)/bin/ginstall \
+ && { fail=0; \
+@@ -70,6 +72,7 @@ endef
+ 
+ define coreutils-path-check
+ { \
++ echo running coreutils-path-check; \
+ if test -f $(srcdir)/src/true.c; then \
+ fail=1; \
+ mkdir $(bin) \
+@@ -117,7 +120,7 @@ my-distcheck: $(DIST_ARCHIVES) $(local-c
+ mkdir -p $(t)
+ GZIP=$(GZIP_ENV) $(AMTAR) -C $(t) -zxf $(distdir).tar.gz
+ cd $(t)/$(distdir) \
+- && ./configure --enable-gcc-warnings --disable-nls \
++ && ./configure --quiet --enable-gcc-warnings --disable-nls \
+ && $(MAKE) AM_MAKEFLAGS='$(null_AM_MAKEFLAGS)' \
+ && $(MAKE) dvi \
+ && $(install-transform-check) \
+@@ -128,6 +131,7 @@ my-distcheck: $(DIST_ARCHIVES) $(local-c
+ && $(AMTAR) -zxf - ) < $(distdir).tar.gz
+ diff -ur $(t)/$(distdir).old $(t)/$(distdir)
+ -rm -rf $(t)
++ rmdir $(tmpdir)/$(PACKAGE) $(tmpdir)
+ @echo "========================"; \
+ echo "$(distdir).tar.gz is ready for distribution"; \
+ echo "========================"
diff --git a/coreutils.spec b/coreutils.spec
index b89208d..a96abb4 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name: coreutils
 Version: 7.6
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv3+
 Group: System Environment/Base
 Url: http://www.gnu.org/software/coreutils/
@@ -25,6 +25,7 @@ Patch4: coreutils-7.6-tail-F-renaming.patch
 Patch5: coreutils-7.6-trueexecve.patch
 Patch6: coreutils-7.6-ls-infloop.patch
 Patch7: coreutils-7.6-ls-derefdanglinginode.patch
+Patch8: coreutils-CVE-2009-4135.patch
 
 # Our patches
 Patch100: coreutils-6.10-configuration.patch
@@ -120,6 +121,7 @@ Libraries for coreutils package.
 %patch4 -p1 -b .renaming
 %patch5 -p1 -b .execve
 %patch6 -p1 -b .infloop
+%patch8 -p1 -b .unsafetmp
 
 # Our patches
 %patch100 -p1 -b .configure
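Review bot: In the last inner hunk (`@@ -128,6 +131,7`) the new `rmdir $(tmpdir)/$(PACKAGE) $(tmpdir)` has no `-` prefix, unlike the `-rm -rf $(t)` line just above it, so my-distcheck now fails at its very last step whenever anything else remains under `$(tmpdir)` — for example `$(tmpdir)/taint`, which the first inner hunk makes taint-distcheck create in the same tree. If a leftover directory is meant to be a hard error (a deliberate "nothing left behind" assertion), a comment saying so would make the intent clear, e.g. `# fail if anything was left behind under $(tmpdir)`; otherwise `-rmdir $(tmpdir)/$(PACKAGE) $(tmpdir)` keeps the previous best-effort cleanup behaviour. Note also that the safety of the fix rests on `$(abs_top_builddir)` being set by configure: with an empty value `$(tmpdir)` collapses to `/tests/torture`, so a guard such as `$(if $(strip $(abs_top_builddir)),,$(error abs_top_builddir is empty))` next to the `tmpdir =` assignment would fail early rather than operating outside the build tree. The my-distcheck recipe starts outside this inner hunk.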
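Review bot: `%patch8 -p1 -b .unsafetmp` is applied directly after `%patch6 -p1 -b .infloop`, yet the context shows no `%patch7` line although `Patch7: coreutils-7.6-ls-derefdanglinginode.patch` is declared in the preceding hunk; unless `%patch7` is applied somewhere outside this hunk, that patch is declared but never applied to the unpacked sources. Please confirm, and if it really is missing add a line such as `%patch7 -p1 -b .danglinginode` (suffix constructed, pick one matching the file's style) before the new `%patch8` line so the two are applied in declaration order.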
@@ -341,6 +343,9 @@ fi
 %{_libdir}/coreutils
 
 %changelog
+* Fri Dec 11 2009 Ondrej Vasik - 7.6-8
+- CVE-2009-4135 : Unsafe temporary directory use in "distcheck" rule
+
 * Mon Nov 23 2009 Ondrej Vasik - 7.6-7
 - update /etc/DIR_COLORS* files
 - ls -LR exits with status 2, not 0, when it encounters