From 8989e9e33080ed5a6e940bfbca3a4ef28b3264b5 Mon Sep 17 00:00:00 2001
From: Jan Vcelak <jvcelak@redhat.com>
Date: Tue, 1 Jan 2013 15:35:04 +0100
Subject: [PATCH] various security fixes

CVE-2009-5044 (#709413)
CVE-2009-5080 (#720058)
CVE-2009-5081 (#720057)

Based on: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2;content-type=text%2Fplain
Resolves: #709415, #720060
Signed-off-by: Jan Vcelak <jvcelak@redhat.com>
---
 contrib/eqn2graph/eqn2graph.sh    |  2 ++
 contrib/gdiffmk/tests/runtests.in |  5 +++--
 contrib/grap2graph/grap2graph.sh  |  2 ++
 contrib/groffer/perl/groffer.pl   | 10 +++++-----
 contrib/groffer/perl/roff2.pl     |  2 +-
 contrib/pdfmark/pdfroff.man       |  5 +++--
 contrib/pic2graph/pic2graph.sh    |  2 ++
 doc/fixinfo.sh                    |  4 +++-
 doc/groff.info-2                  |  6 +++---
 doc/groff.texinfo                 |  6 +++---
 gendef.sh                         | 10 +++-------
 11 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/contrib/eqn2graph/eqn2graph.sh b/contrib/eqn2graph/eqn2graph.sh
index 2f1fa56..c628423 100644
--- a/contrib/eqn2graph/eqn2graph.sh
+++ b/contrib/eqn2graph/eqn2graph.sh
@@ -69,6 +69,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP" "$TEMP" /tmp; do
 
     tmp=$d/eqn2graph$$-$RANDOM
     (umask 077 && mkdir $tmp) 2> /dev/null && break
+
+    tmp=
 done;
 if test -z "$tmp"; then
     echo "$0: cannot create temporary directory" >&2
diff --git a/contrib/gdiffmk/tests/runtests.in b/contrib/gdiffmk/tests/runtests.in
index 714ce48..40a35c4 100644
--- a/contrib/gdiffmk/tests/runtests.in
+++ b/contrib/gdiffmk/tests/runtests.in
@@ -56,8 +56,9 @@ function TestResult {
 	fi
 }
 
-tmpfile=/tmp/$$
-trap 'rm -f ${tmpfile}' 0 1 2 3 15
+tmpfile="`mktemp -t gdiffmk-runtests.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$tmpfile"' EXIT
+trap 'trap - EXIT; rm -f -- "$tmpfile"; exit 1' HUP INT QUIT TERM
 
 #	Run tests.
 
diff --git a/contrib/grap2graph/grap2graph.sh b/contrib/grap2graph/grap2graph.sh
index 580e340..fe38041 100644
--- a/contrib/grap2graph/grap2graph.sh
+++ b/contrib/grap2graph/grap2graph.sh
@@ -65,6 +65,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP" "$TEMP" /tmp; do
 
     tmp=$d/grap2graph$$-$RANDOM
     (umask 077 && mkdir $tmp) 2> /dev/null && break
+
+    tmp=
 done;
 if test -z "$tmp"; then
     echo "$0: cannot create temporary directory" >&2
diff --git a/contrib/groffer/perl/groffer.pl b/contrib/groffer/perl/groffer.pl
index 65d4cdb..fd11ab1 100755
--- a/contrib/groffer/perl/groffer.pl
+++ b/contrib/groffer/perl/groffer.pl
@@ -1379,7 +1379,7 @@ sub _check_prog_on_list {
 ########################################################################
 
 sub main_temp {
-  my $template = 'groffer_' . "$$" . '_XXXX';
+  my $template = 'groffer_' . "$$" . '_XXXXXXXXXX';
   foreach ($ENV{'GROFF_TMPDIR'}, $ENV{'TMPDIR'}, $ENV{'TMP'}, $ENV{'TEMP'},
 	   $ENV{'TEMPDIR'}, File::Spec->catfile($ENV{'HOME'}, 'tmp')) {
     if ($_ && -d $_ && -w $_) {
@@ -1410,12 +1410,12 @@ sub main_temp {
 
   # further argument: SUFFIX => '.sh'
   if ($Debug{'KEEP'}) {
-    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', DIR => $tmpdir);
-    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', DIR => $tmpdir);
+    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', DIR => $tmpdir);
+    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', DIR => $tmpdir);
   } else {
-    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', UNLINK => 1,
+    ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', UNLINK => 1,
 				   DIR => $tmpdir);
-    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', UNLINK => 1,
+    ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', UNLINK => 1,
 				       DIR => $tmpdir);
   }
 }				# main_temp()
diff --git a/contrib/groffer/perl/roff2.pl b/contrib/groffer/perl/roff2.pl
index 0e1f17a..b9eb67e 100755
--- a/contrib/groffer/perl/roff2.pl
+++ b/contrib/groffer/perl/roff2.pl
@@ -124,7 +124,7 @@ if ($Has_Groffer) {
 	last;
       }
     }
-    my $template = $Name . '_XXXX';
+    my $template = $Name . '_XXXXXXXXXX';
     my ($fh, $stdin);
     if ($tempdir) {
       ($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||
diff --git a/contrib/pdfmark/pdfroff.man b/contrib/pdfmark/pdfroff.man
index 3a1d705..73650a8 100644
--- a/contrib/pdfmark/pdfroff.man
+++ b/contrib/pdfmark/pdfroff.man
@@ -529,7 +529,7 @@ defaults to
 .B GROFF_TMPDIR
 Identifies the directory in which
 .B pdfroff
-should create temporary files.
+should create a subdirectory for its temporary files.
 If
 .B \%GROFF_TMPDIR
 is
@@ -541,7 +541,8 @@ and
 .B TEMP
 are considered in turn, as possible temporary file repositories.
 If none of these are set, then temporary files are created
-in the current directory.
+in a subdirectory of
+.BR /tmp .
 .
 .TP
 .B GROFF_GHOSTSCRIPT_INTERPRETER
diff --git a/contrib/pic2graph/pic2graph.sh b/contrib/pic2graph/pic2graph.sh
index 0c45610..874aad0 100644
--- a/contrib/pic2graph/pic2graph.sh
+++ b/contrib/pic2graph/pic2graph.sh
@@ -80,6 +80,8 @@ for d in "$GROFF_TMPDIR" "$TMPDIR" "$TMP" "$TEMP" /tmp; do
     tmp=$d/pic2graph$$-$RANDOM
     (umask 077 && mkdir $tmp) 2> /dev/null \
     && break
+
+    tmp=
 done;
 if test -z "$tmp"; then
     echo "$0: cannot create temporary directory" >&2
diff --git a/doc/fixinfo.sh b/doc/fixinfo.sh
index 2c853f8..a0e8295 100644
--- a/doc/fixinfo.sh
+++ b/doc/fixinfo.sh
@@ -22,7 +22,9 @@
 # groff.texinfo macro code.  Hopefully, a new texinfo version makes it
 # unnecessary.
 
-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-fixinfo.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
 
 cat $1 | sed '
 1 {
diff --git a/doc/groff.info-2 b/doc/groff.info-2
index 3e169ec..e964dd6 100644
--- a/doc/groff.info-2
+++ b/doc/groff.info-2
@@ -1957,9 +1957,9 @@ not there, `groff' would not know when to stop.
 
 
           .sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
-                       (localtime(time))[2,1,0]' > /tmp/x\n[$$]
-          .so /tmp/x\n[$$]
-          .sy rm /tmp/x\n[$$]
+                       (localtime(time))[2,1,0]' > timefile\n[$$]
+          .so timefile\n[$$]
+          .sy rm timefile\n[$$]
           \nH:\nM:\nS
 
      Note that this works by having the `perl' script (run by `sy')
diff --git a/doc/groff.texinfo b/doc/groff.texinfo
index bf77e95..914ba8b 100644
--- a/doc/groff.texinfo
+++ b/doc/groff.texinfo
@@ -13660,9 +13660,9 @@ into a document:
 @pindex perl
 @Example
 .sy perl -e 'printf ".nr H %d\\n.nr M %d\\n.nr S %d\\n",\
-             (localtime(time))[2,1,0]' > /tmp/x\n[$$]
-.so /tmp/x\n[$$]
-.sy rm /tmp/x\n[$$]
+             (localtime(time))[2,1,0]' > timefile\n[$$]
+.so timefile\n[$$]
+.sy rm timefile\n[$$]
 \nH:\nM:\nS
 @endExample
 
diff --git a/gendef.sh b/gendef.sh
index ad4ccb2..c25e2d4 100644
--- a/gendef.sh
+++ b/gendef.sh
@@ -34,11 +34,9 @@ do
 #define $def"
 done
 
-# Use $TMPDIR if defined.  Default to cwd, for non-Unix systems
-# which don't have /tmp on each drive (we are going to remove
-# the file before we exit anyway).  Put the PID in the basename,
-# since the extension can only hold 3 characters on MS-DOS.
-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-gendef.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
 
 sed -e 's/=/ /' >$t <<EOF
 $defs
@@ -46,8 +44,6 @@ EOF
 
 test -r $file && cmp -s $t $file || cp $t $file
 
-rm -f $t
-
 exit 0
 
 # eof
-- 
1.8.0.2