Bug#499271: please unblock myspell 1:3.0+pre3.1-22 (was: Re: Bug#499271: verified to be caused by myspell-tools)
Hi,
Agustin Martin wrote:
> I have been reviewing original patch and seems I found the problem. tmpfiles
> are created in the midle of a pipe. Original program uses implicit
> continuation lines, and there was the tmpfile creation. Seems that with
> attached patch in myspell tools a russian dict can be created with a non
> void aff file.
>
> See attached patch.
>
> Rene, let me know if you will do the upload or I should NMU.
I don't mind; I just uploaded it though. Thanks for the patch.
release team: can you please unblock myspell 1:3.0+pre3.1-22 which fixes
a regression e.g. in rus-ispell (#499236) caused by the "symlink attack"
patch.
Almost identical ( I just changed the version, me on the uploader and
thanked Agustin) patch like to what I uploaded is this:
> diff -u myspell-3.0+pre3.1/debian/changelog myspell-3.0+pre3.1/debian/changelog
> --- myspell-3.0+pre3.1/debian/changelog
> +++ myspell-3.0+pre3.1/debian/changelog
> @@ -1,3 +1,10 @@
> +myspell (1:3.0+pre3.1-21.1) unstable; urgency=low
> +
> + * 10_fix_insecure_tmp.dpatch: Move utils/i2myspell tmpfile
> + creation out of the pipe it was breaking (Closes: #499271)
> +
> + -- Agustin Martin Domingo <agmartin@debian.org> Thu, 18 Sep 2008 15:01:30 +0200
> +
> myspell (1:3.0+pre3.1-21) unstable; urgency=high
>
> * fix insecure temp file usage, thanks Thijs Kinkhorst (closes: #496392);
> diff -u myspell-3.0+pre3.1/debian/patches/10_fix_insecure_tmp.dpatch myspell-3.0+pre3.1/debian/patches/10_fix_insecure_tmp.dpatch
> --- myspell-3.0+pre3.1/debian/patches/10_fix_insecure_tmp.dpatch
> +++ myspell-3.0+pre3.1/debian/patches/10_fix_insecure_tmp.dpatch
> @@ -5,9 +5,9 @@
> ## DP: fix insecure temp file usage
>
> @DPATCH@
> -diff -Nur myspell-3.0+pre3.1.orig/utils/i2myspell myspell-3.0+pre3.1/utils/i2myspell
> ---- myspell-3.0+pre3.1.orig/utils/i2myspell 2002-03-08 15:15:53.000000000 +0100
> -+++ myspell-3.0+pre3.1/utils/i2myspell 2008-08-26 15:14:45.000000000 +0200
> +diff -urNad myspell-3.0+pre3.1~/utils/i2myspell myspell-3.0+pre3.1/utils/i2myspell
> +--- myspell-3.0+pre3.1~/utils/i2myspell 2002-03-08 15:15:53.000000000 +0100
> ++++ myspell-3.0+pre3.1/utils/i2myspell 2008-09-18 15:00:46.000000000 +0200
> @@ -32,6 +32,7 @@
> -d)
>
> @@ -16,7 +16,7 @@
> sed 's#/# #' $2 | sort -r -k 1 | uniq | grep -v ^$ |
> awk '{
> if (p!=$1) {
> -@@ -41,16 +42,18 @@
> +@@ -41,15 +42,17 @@
> if ($2!="") printf "/%s", $2;
> }
> }' | sed 's#/##g
> @@ -33,12 +33,11 @@
> exit;;
> esac
>
> - ispell -d $1 -D | # dump affix table from the ispell hash
> +TEMPFILE1=`mktemp -t i2my1.XXXXXXXXXX`
> +TEMPFILE2=`mktemp -t i2my2.XXXXXXXXXX`
> + ispell -d $1 -D | # dump affix table from the ispell hash
> sed 's/ //g
> /prefixes/,/suffixes/s/flag[*]\(.\):/PFX \1 Y /
> - /prefixes/,/suffixes/s/flag\(.\):/PFX \1 N /
> @@ -58,7 +61,7 @@
> /suffixes/,//s/flag\(.\):/SFX \1 N /
> s/\([^ ]*\).>.\([^,]*\)$/0 \2 \1/
Grüße/Regards,
René
--
.''`. René Engelhard -- Debian GNU/Linux Developer
: :' : http://www.debian.org | http://people.debian.org/~rene/
`. `' rene@debian.org | GnuPG-Key ID: 248AEB73
`- Fingerprint: 41FA F208 28D4 7CA5 19BB 7AD9 F859 90B0 248A EB73
Reply to: