
Re: Preparing update of 'mafft' to fix #496366 ("grave" security bug).



Le Mon, Aug 25, 2008 at 10:17:02PM -0700, Steve Langasek a écrit :
> On Tue, Aug 26, 2008 at 01:40:01PM +0900, Charles Plessy wrote:
> 
> > Would you accept this package in Lenny to fix #496366?
> 
> If the diff is in line with this description, yes.

Hi Steve, hi all,

thank you for your patience. I have been in contact with Upstream, who
kindly reviewed and finished the patching work (I did not manage to produce a
working patch for the Ruby file).

Here is the final changelog:

 mafft (6.240-2) unstable; urgency=high
 .
   [ Charles Plessy ]
   * debian/control:
     - Moved the Homepage: field out from the package's description.
     - Enhances: t-coffee.
   * Updated my email address.
   * Securisation of the temporary files of mafft-homologs:
     - debian/control: build-depend on quilt.
     - debian/rules: modified to use quilt.
     - debian/README.source: signals that the package uses quilt.
     - debian/patches: added a patch to use non-guessable temporary files
       (Closes: #496366). Thanks to Dmitry E. Oboukhov for finding the bug,
       Thijs Kinkhorst for preliminary patch and Kazutaka Katoh for the
       final implementation.
     - debian/mafft-homologs.1*, debian/README.Debian: document that the
       program is patched.
 .
   [ David Paleino ]
   * debian/mafft.1, debian/mafft-homologs.1 added - manpages built statically.
   * debian/control:
     - B-D updated (see above)
     - added myself to Uploaders
     - moved XS-Vcs-* fields to Vcs-*
     - Updated to Standards-Version 3.7.3 (no changes needed)
   * debian/rules:
     - reflecting static build of manpages
     - minor changes


Here is the diffstat:

aqwa『build-area』$ diffstat mafft_6.240-1_6.240-2.debdiff
 debian/README.source                              |    8 
 debian/mafft-homologs.1                           |  112 ++++++
 debian/mafft.1                                    |  370 ++++++++++++++++++++++
 debian/patches/Securisation-by-mktemp-usage.patch |  211 ++++++++++++
 debian/patches/series                             |    1 
 mafft-6.240/debian/README.Debian                  |    7 
 mafft-6.240/debian/changelog                      |   31 +
 mafft-6.240/debian/control                        |   20 -
 mafft-6.240/debian/mafft-homologs.1.xml           |    9 
 mafft-6.240/debian/mafft.1.xml                    |    9 
 mafft-6.240/debian/rules                          |   20 -

I added a paragraph about the patch to the manpages, but as the sources are in
XML and the stylesheets evolved, the diff is big. All the changes unrelated to
the bug are documented in the changelog, except the addition of
DM-Upload-Allowed: yes, that is systematic in our packages anyway, and cosmetic
improvements of the description. The patch itself now affects another file in
which a similar security problem was uncovered by Upstream. Here is the full
debdiff.

Have a nice day,

-- Charles Plessy, Debian Med packaging team, Tsurumi, Kanagawa, Japan


diff -u mafft-6.240/debian/mafft.1.xml mafft-6.240/debian/mafft.1.xml
--- mafft-6.240/debian/mafft.1.xml
+++ mafft-6.240/debian/mafft.1.xml
@@ -12,7 +12,7 @@
   <!ENTITY dhemail     "charles-debian-nospam@plessy.org">
   <!ENTITY dhusername  "&dhfirstname; &dhsurname;">
   <!ENTITY dhrelease   "6.240">
-  <!ENTITY dhdate      "2007-06-09">
+  <!ENTITY dhdate      "2008-09-01">
   <!ENTITY dhtitle     "Mafft Manual">
   <!ENTITY dhucpackage "MAFFT">
   <!ENTITY dhpackage   "mafft">
@@ -739,4 +739,11 @@
     </refsect2>
   </refsect1>
+  <refsect1>
+    <title>DIVERGENCE FROM UPSTREAM</title>
+    <para><command>mafft-homologs</command> has been patched to enhance the
+    security of the temporary files it creates. You can consult the patch in
+    the Debian source package. It has been reviewed and amended by Kazutaka
+    Katoh, the upstream author of MAFFT.</para>
+  </refsect1>
 </refentry>
 
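Review bot: the new DIVERGENCE FROM UPSTREAM section in mafft.1.xml names only mafft-homologs, but the patch shipped in this upload also changes src/mafft.tmpl (the mafft wrapper script now creates its temporary directory with `mktemp -dt`), and README.Debian in the same diff says "The programs mafft and mafft-homologs have been patched". Since this is the manpage for mafft itself, say so here, e.g. `<command>mafft</command> and <command>mafft-homologs</command> have been patched ...`, and regenerate debian/mafft.1 from the corrected XML.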
diff -u mafft-6.240/debian/control mafft-6.240/debian/control
--- mafft-6.240/debian/control
+++ mafft-6.240/debian/control
@@ -2,18 +2,22 @@
 Section: science
 Priority: optional
 Maintainer: Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
-Uploaders: Charles Plessy <charles-debian-nospam@plessy.org>
-Build-Depends: debhelper (>= 5), xsltproc, docbook-xsl, docbook-xml
-Standards-Version: 3.7.2
-XS-Vcs-Browser: http://svn.debian.org/wsvn/debian-med/trunk/packages/mafft/trunk/
-XS-Vcs-Svn: svn://svn.debian.org/svn/debian-med/trunk/packages/mafft
+DM-Upload-Allowed: yes
+Uploaders: Charles Plessy <plessy@debian.org>,
+ David Paleino <d.paleino@gmail.com>
+Build-Depends: debhelper (>= 5), quilt
+Standards-Version: 3.7.3
+Vcs-Browser: http://svn.debian.org/wsvn/debian-med/trunk/packages/mafft/trunk/?rev=0&sc=0
+Vcs-Svn: svn://svn.debian.org/svn/debian-med/trunk/packages/mafft/trunk/
+Homepage: http://align.bmr.kyushu-u.ac.jp/mafft/software/
 
 Package: mafft
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Suggests: ruby, lynx, blast2
+Enhances: t-coffee
 Description: Multiple alignment program for amino acid or nucleotide sequences
- MAFFT is a multiple sequence alignment program, which offers three
+ MAFFT is a multiple sequence alignment program which offers three
  accuracy-oriented methods:
   * L-INS-i (probably most accurate; recommended for <200 sequences;
     iterative refinement method incorporating local pairwise alignment
@@ -23,7 +27,7 @@
     pairwise alignment information),
   * E-INS-i (suitable for sequences containing large unalignable regions;
     recommended for <200 sequences),
-    and five speed-oriented methods:
+ and five speed-oriented methods:
   * FFT-NS-i (iterative refinement method; two cycles only),
   * FFT-NS-i (iterative refinement method; max. 1000 iterations),
   * FFT-NS-2 (fast; progressive method),
@@ -34,2 +37,0 @@
- .
-  Homepage: http://align.bmr.kyushu-u.ac.jp/mafft/software/
diff -u mafft-6.240/debian/README.Debian mafft-6.240/debian/README.Debian
--- mafft-6.240/debian/README.Debian
+++ mafft-6.240/debian/README.Debian
@@ -21 +21,6 @@
- -- Charles Plessy <charles-debian-nospam@plessy.org>  Wed,  7 Feb 2007 21:44:40 +0900
+The programs mafft and mafft-homologs have been patched to enhance the security
+of the temporary files they create. You can consult the patch in the Debian
+source package. It has been reviewed and amended by Kazutaka Katoh, the
+upstream author of MAFFT.
+
+ -- Charles Plessy <charles-debian-nospam@plessy.org>  Mon, 25 Aug 2008 23:29:19 +0900
diff -u mafft-6.240/debian/mafft-homologs.1.xml mafft-6.240/debian/mafft-homologs.1.xml
--- mafft-6.240/debian/mafft-homologs.1.xml
+++ mafft-6.240/debian/mafft-homologs.1.xml
@@ -12,7 +12,7 @@
   <!ENTITY dhemail     "charles-debian-nospam@plessy.org">
   <!ENTITY dhusername  "&dhfirstname; &dhsurname;">
   <!ENTITY dhrelease   "2.1">
-  <!ENTITY dhdate      "2007-06-09">
+  <!ENTITY dhdate      "2008-09-01">
   <!ENTITY dhtitle     "Mafft Manual">
   <!ENTITY dhucpackage "MAFFT-HOMOLOGS">
   <!ENTITY dhpackage   "mafft-homologs">
@@ -193,2 +193,9 @@
 	</refsect1>
+  <refsect1>
+    <title>DIVERGENCE FROM UPSTREAM</title>
+    <para><command>mafft-homologs</command> has been patched to enhance the
+    security of the temporary files it creates. You can consult the patch in
+    the Debian source package. It has been reviewed and amended by Kazutaka
+    Katoh, the upstream author of MAFFT.</para>
+  </refsect1>
 </refentry>
diff -u mafft-6.240/debian/rules mafft-6.240/debian/rules
--- mafft-6.240/debian/rules
+++ mafft-6.240/debian/rules
@@ -5,11 +5,14 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+include /usr/share/quilt/quilt.make
+
 XP=xsltproc  \
       -''-nonet \
       -''-param man.charmap.use.subset "0" \
       -''-param make.year.ranges "1" \
-      -''-param make.single.year.ranges "1"
+      -''-param make.single.year.ranges "1" \
+      -o debian/
 
 
 CFLAGS = -Wall -g
@@ -26,11 +29,11 @@
 mafft-homologs.1: debian/mafft-homologs.1.xml
 	$(XP) $<
 
-build-stamp: build
-build: mafft.1 mafft-homologs.1
+build: patch build-stamp
+build-stamp:
 	dh_testdir
 	$(MAKE) -C src PREFIX=/usr/lib/mafft
-	touch build-stamp
+	touch $@
 
 MAFFT = MAFFT_BINARIES=$(CURDIR)/binaries scripts/mafft
 
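Review bot: `build: patch build-stamp` lists patching and compiling as sibling prerequisites, so make is not obliged to run `patch` before `build-stamp` (under `make -j` it may not), and the sources could be compiled unpatched. The idiom from quilt's README.source is to hang the stamp off the patch stamp instead: `build: build-stamp` followed by `build-stamp: $(QUILT_STAMPFN)` (or `build-stamp: patch`). Dropping the old circular `build-stamp: build` / `build: mafft.1 mafft-homologs.1` pair is an improvement on its own.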
@@ -42,11 +45,11 @@
 	-$(MAFFT) --localpair			test/sample | diff test/sample.lins1 -
 	-$(MAFFT) --localpair --maxiterate 100	test/sample | diff test/sample.linsi -
 
-clean:
+clean: unpatch
 	dh_testdir
 	dh_testroot
-	-$(MAKE) -C src clean
-	dh_clean mafft.1 mafft-homologs.1 build-stamp
+	[ ! -f Makefile ] || $(MAKE) -C src clean
+	dh_clean build-stamp
 
 install: build-stamp test
 	dh_testdir
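Review bot: the guard in `[ ! -f Makefile ] || $(MAKE) -C src clean` tests for a Makefile in the top-level directory while the make it guards runs in src/; if the intent is to skip the upstream clean when src/Makefile is absent (fresh unpack, or after unpatch), the test should be `[ ! -f src/Makefile ]`. As written, whether the upstream clean ever runs depends on a file that make -C src does not use. Also, because `clean: unpatch` runs unpatch before the recipe, the upstream clean runs on unpatched sources; harmless here since the patch only touches the two .tmpl scripts, but a one-line comment in rules would save the next uploader from wondering.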
@@ -57,14 +60,13 @@
 	mv debian/mafft/usr/bin/mafft-homologs.rb debian/mafft/usr/bin/mafft-homologs
 
 binary-indep: build install
-
 binary-arch: build install
 	dh_testdir
 	dh_testroot
 	dh_installchangelogs 
 	dh_installdocs
 	dh_install test usr/share/doc/mafft/
-	dh_installman mafft.1 mafft-homologs.1
+	dh_installman debian/mafft.1 debian/mafft-homologs.1
 	dh_link
 	dh_strip
 	dh_compress
diff -u mafft-6.240/debian/changelog mafft-6.240/debian/changelog
--- mafft-6.240/debian/changelog
+++ mafft-6.240/debian/changelog
@@ -1,3 +1,34 @@
+mafft (6.240-2) unstable; urgency=high
+
+  [ Charles Plessy ]
+  * debian/control:
+    - Moved the Homepage: field out from the package's description.
+    - Enhances: t-coffee.
+  * Updated my email address.
+  * Securisation of the temorary files of mafft-homologs:
+    - debian/control: build-depend on quilt.
+    - debian/rules: modified to use quilt.
+    - debian/README.source: signals that the package uses quilt.
+    - debian/patches: added a patch to use non-guessable temporary files
+      (Closes: #496366). Thanks to Dmitry E. Oboukhov for finding the bug,
+      Thijs Kinkhorst for preliminary patch and Kazutaka Katoh for the
+      final implementation.
+    - debian/mafft-homologs.1*, debian/README.Debian: document that the
+      program is patched.
+
+  [ David Paleino ]
+  * debian/mafft.1, debian/mafft-homologs.1 added - manpages built statically.
+  * debian/control:
+    - B-D updated (see above)
+    - added myself to Uploaders
+    - moved XS-Vcs-* fields to Vcs-*
+    - Updated to Standards-Version 3.7.3 (no changes needed)
+  * debian/rules:
+    - reflecting static build of manpages
+    - minor changes
+
+ -- Charles Plessy <plessy@debian.org>  Mon, 25 Aug 2008 23:30:20 +0900
+
 mafft (6.240-1) unstable; urgency=low
 
   * Initial release (Closes: #409640)
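Review bot: the entry "Securisation of the temorary files of mafft-homologs" has a typo ("temorary" should be "temporary") and understates the change: the patch in this upload also modifies src/mafft.tmpl (mafft's own temporary directory is now created with mktemp and the exit trap changed to `rm -rf`), so name both programs here, as README.Debian does. The cover mail says DM-Upload-Allowed: yes was added to debian/control without a changelog line; add one, since someone reading only the changelog cannot see that field changed. The Ruby patch additionally introduces a new "The number of input sequences must be <100" exit that is unrelated to the security fix; a changelog mention would help the release team judge the diff against the freeze policy.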
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/mafft.1
+++ mafft-6.240/debian/mafft.1
@@ -0,0 +1,370 @@
+.\"     Title: MAFFT
+.\"    Author: Kazutaka Katoh <katoh_at_bioreg.kyushu-u.ac.jp.>
+.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
+.\"      Date: 2008-09-01
+.\"    Manual: Mafft Manual
+.\"    Source: mafft 6.240
+.\"
+.TH "MAFFT" "1" "2008\-09\-01" "mafft 6.240" "Mafft Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+mafft \- Multiple alignment program for amino acid or nucleotide sequences
+.SH "SYNOPSIS"
+.HP 6
+\fBmafft\fR [\fBoptions\fR] \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBlinsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBginsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBeinsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 7
+\fBfftnsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBfftns\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 14
+\fBmafft\-profile\fR \fIgroup1\fR \fIgroup2\fR [>\ \fIoutput\fR]
+.SH "DESCRIPTION"
+.PP
+\fBMAFFT\fR
+is a multiple sequence alignment program for unix\-like operating systems\&. It offers a range of multiple alignment methods\&.
+.SS "Accuracy\-oriented methods:"
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'L\-INS\-i (probably most accurate; recommended for <200 sequences; iterative refinement method incorporating local pairwise alignment information):
+.HP 6
+\fBmafft\fR \fB\-\-localpair\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBlinsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'G\-INS\-i (suitable for sequences of similar lengths; recommended for <200 sequences; iterative refinement method incorporating global pairwise alignment information):
+.HP 6
+\fBmafft\fR \fB\-\-globalpair\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBginsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'E\-INS\-i (suitable for sequences containing large unalignable regions; recommended for <200 sequences):
+.HP 6
+\fBmafft\fR \fB\-\-ep\fR\ \fI0\fR \fB\-\-genafpair\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBeinsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.br
+
+For E\-INS\-i, the
+\fB\-\-ep\fR
+\fI0\fR
+option is recommended to allow large gaps\&.
+.RE
+.SS "Speed\-oriented methods:"
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'FFT\-NS\-i (iterative refinement method; two cycles only):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI2\fR \fB\-\-maxiterate\fR\ \fI2\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 7
+\fBfftnsi\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'FFT\-NS\-i (iterative refinement method; max\&. 1000 iterations):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI2\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'FFT\-NS\-2 (fast; progressive method):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI2\fR \fB\-\-maxiterate\fR\ \fI0\fR \fIinput\fR [>\ \fIoutput\fR]
+.HP 6
+\fBfftns\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'FFT\-NS\-1 (very fast; recommended for >2000 sequences; progressive method with a rough guide tree):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI1\fR \fB\-\-maxiterate\fR\ \fI0\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'NW\-NS\-PartTree\-1 (recommended for ?50,000 sequences; progressive method with the PartTree algorithm):
+.HP 6
+\fBmafft\fR \fB\-\-retree\fR\ \fI1\fR \fB\-\-maxiterate\fR\ \fI0\fR \fB\-\-parttree\fR \fIinput\fR [>\ \fIoutput\fR]
+.RE
+.SS "Group\-to\-group alignments"
+.HP 14
+\fBmafft\-profile\fR \fIgroup1\fR \fIgroup2\fR [>\ \fIoutput\fR]
+.PP
+or:
+.HP 6
+\fBmafft\fR \fB\-\-maxiterate\fR\ \fI1000\fR \fB\-\-seed\fR\ \fIgroup1\fR \fB\-\-seed\fR\ \fIgroup2\fR /dev/null [>\ \fIoutput\fR]
+.SH "OPTIONS"
+.PP
+\fB\-\-auto\fR
+.RS 4
+.RE
+.PP
+\fB\-\-clustalout\fR
+.RS 4
+.RE
+.PP
+\fB\-\-reorder\fR
+.RS 4
+.RE
+.PP
+\fB\-\-inputorder\fR
+.RS 4
+.RE
+.PP
+\fB\-\-algq\fR
+.RS 4
+.RE
+.PP
+\fB\-\-groupsize\fR
+.RS 4
+.RE
+.PP
+\fB\-\-partsize\fR
+.RS 4
+.RE
+.PP
+\fB\-\-parttree\fR
+.RS 4
+.RE
+.PP
+\fB\-\-dpparttree\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fastaparttree\fR
+.RS 4
+.RE
+.PP
+\fB\-\-treeout\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fastswpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fastapair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-noscore\fR
+.RS 4
+.RE
+.PP
+\fB\-\-6merpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-blastpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-globalpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-localpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-genafpair\fR
+.RS 4
+.RE
+.PP
+\fB\-\-memsave\fR
+.RS 4
+.RE
+.PP
+\fB\-\-nuc\fR
+.RS 4
+.RE
+.PP
+\fB\-\-amino\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fft\fR
+.RS 4
+.RE
+.PP
+\fB\-\-nofft\fR
+.RS 4
+.RE
+.PP
+\fB\-\-quiet\fR
+.RS 4
+.RE
+.PP
+\fB\-\-coreext\fR
+.RS 4
+.RE
+.PP
+\fB\-\-core\fR
+.RS 4
+.RE
+.PP
+\fB\-\-maxiterate\fR
+.RS 4
+.RE
+.PP
+\fB\-\-retree\fR
+.RS 4
+.RE
+.PP
+\fB\-\-aamatrix\fR
+.RS 4
+.RE
+.PP
+\fB\-\-fmodel\fR
+.RS 4
+.RE
+.PP
+\fB\-\-jtt\fR
+.RS 4
+.RE
+.PP
+\fB\-\-tm\fR
+.RS 4
+.RE
+.PP
+\fB\-\-bl\fR
+.RS 4
+.RE
+.PP
+\fB\-\-weighti\fR
+.RS 4
+.RE
+.PP
+\fB\-\-op\fR
+.RS 4
+.RE
+.PP
+\fB\-\-ep\fR
+.RS 4
+.RE
+.PP
+\fB\-\-lop\fR
+.RS 4
+.RE
+.PP
+\fB\-\-LOP\fR
+.RS 4
+.RE
+.PP
+\fB\-\-lep\fR
+.RS 4
+.RE
+.PP
+\fB\-\-lexp\fR
+.RS 4
+.RE
+.PP
+\fB\-\-LEXP\fR
+.RS 4
+.RE
+.PP
+\fB\-\-corethr\fR
+.RS 4
+.RE
+.PP
+\fB\-\-corewin\fR
+.RS 4
+.RE
+.PP
+\fB\-\-seed\fR
+.RS 4
+.RE
+.SH "FILES"
+.PP
+Mafft stores the input sequences and other files in a temporary directory, which by default is located in
+\fI/tmp\fR\&.
+.SH "ENVIONMENT"
+.PP
+\fBMAFFT_BINARIES\fR
+.RS 4
+Indicates the location of the binary files used by mafft\&. By default, they are searched in
+\fI/usr/local/lib/mafft\fR, but on Debian systems, they are searched in
+\fI/usr/lib/mafft\fR\&.
+.RE
+.PP
+\fBFASTA_4_MAFFT\fR
+.RS 4
+This variable can be set to indicate to mafft the location to the fasta34 program if it is not in the PATH\&.
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBmafft-homologs\fR(1)
+.SH "REFERENCES"
+.SS "In English"
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh and Toh (Bioinformatics 23:372\-374, 2007) PartTree: an algorithm to build an approximate tree from a large number of unaligned sequences (describes the PartTree algorithm)\&.
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh, Kuma, Toh and Miyata (Nucleic Acids Res\&. 33:511\-518, 2005) MAFFT version 5: improvement in accuracy of multiple sequence alignment (describes [ancestral versions of] the G\-INS\-i, L\-INS\-i and E\-INS\-i strategies)
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh, Misawa, Kuma and Miyata (Nucleic Acids Res\&. 30:3059\-3066, 2002) MAFFT: a novel method for rapid multiple sequence alignment based on fast Fourier transform (describes the FFT\-NS\-1, FFT\-NS\-2 and FFT\-NS\-i strategies)
+.RE
+.SS "In Japanese"
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh and Misawa (???? 46:312\-317, 2006) Multiple Sequence Alignments: the Next Generation
+.RE
+.sp
+.RS 4
+\h'-04'\(bu\h'+03'Katoh and Kuma (????? 44:102\-108, 2006) Jissen\-teki Multiple Alignment
+.RE
+.SH "DIVERGENCE FROM UPSTREAM"
+.PP
+\fBmafft\-homologs\fR
+has been patched to enhance the security of the temporary files it creates\&. You can consult the patch in the Debian source package\&. It has been reviewed and amended by Kazutaka Katoh, the upstream author of MAFFT\&.
+.SH "AUTHORS"
+.PP
+\fBKazutaka Katoh\fR <\&katoh_at_bioreg\&.kyushu\-u\&.ac\&.jp\&.\&>
+.sp -1n
+.IP "" 4
+Wrote Mafft\&.
+.PP
+\fBCharles Plessy\fR <\&charles\-debian\-nospam@plessy\&.org\&>
+.sp -1n
+.IP "" 4
+Wrote this manpage in DocBook XML for the Debian distribution, using Mafft\'s homepage as a template\&.
+.SH "COPYRIGHT"
+Copyright \(co 2002, 2003, 2004, 2005, 2006, 2007 Kazutaka Katoh (mafft)
+.br
+Copyright \(co 2007 Charles Plessy (this manpage)
+.br
+.PP
+Mafft and its manpage are offered under the following conditions:
+.PP
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+.sp
+.RS 4
+\h'-04' 1.\h'+02'Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer\&.
+.RE
+.sp
+.RS 4
+\h'-04' 2.\h'+02'Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution\&.
+.RE
+.sp
+.RS 4
+\h'-04' 3.\h'+02'The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission\&.
+.RE
+.PP
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED\&. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE\&.
+.sp
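Review bot: the generated manpage has `.SH "ENVIONMENT"` (should be ENVIRONMENT; fix it in debian/mafft.1.xml and regenerate rather than editing the .1), and several non-ASCII characters from the XML came out as question marks: `recommended for ?50,000 sequences` and the two Japanese journal names in REFERENCES (`???? 46:312-317`, `????? 44:102-108`). Check the output encoding of the xsltproc run (the charmap parameters in the $(XP) definition in rules) so those glyphs survive. The FILES section says the temporary directory "by default is located in /tmp"; with the patched `mktemp -dt $progname.XXXXXXXXXX`, mktemp honours $TMPDIR, so document TMPDIR next to MAFFT_BINARIES. Finally, the DIVERGENCE FROM UPSTREAM text here names only mafft-homologs although mafft itself is patched too; that needs fixing in the XML source.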
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/README.source
+++ mafft-6.240/debian/README.source
@@ -0,0 +1,8 @@
+This package uses quilt to patch the sources. Please refer to
+/usr/share/doc/quilt/README.source for more informations.
+
+This package is maintained by the Debian Med packagign team. Please refer to
+our group policy if you would like to commit to our Subversion repository. All
+Debian developpers have write acces to it.
+
+http://debian-med.alioth.debian.org/docs/policy.html
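Review bot: spelling in the new README.source: "informations" should be "information", "packagign" "packaging", "developpers" "developers", "acces" "access". Since this file is what the next uploader reads first, it should also say that debian/mafft.1 and debian/mafft-homologs.1 are shipped pre-built from the .xml sources and that rules keeps the xsltproc targets (and so needs xsltproc, docbook-xsl and docbook-xml, which this upload drops from Build-Depends) only for regenerating them.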
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/mafft-homologs.1
+++ mafft-6.240/debian/mafft-homologs.1
@@ -0,0 +1,112 @@
+.\"     Title: MAFFT-HOMOLOGS
+.\"    Author: Kazutaka Katoh <katoh_at_bioreg.kyushu-u.ac.jp.>
+.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
+.\"      Date: 2008-09-01
+.\"    Manual: Mafft Manual
+.\"    Source: mafft-homologs 2.1
+.\"
+.TH "MAFFT\-HOMOLOGS" "1" "2008\-09\-01" "mafft-homologs 2.1" "Mafft Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+mafft-homologs \- aligns sequences together with homologues automatically collected from SwissProt via NCBI BLAST
+.SH "SYNOPSIS"
+.HP 15
+\fBmafft\-homologs\fR [\fBoptions\fR] \fIinput\fR [>\ \fIoutput\fR]
+.SH "DESCRIPTION"
+.PP
+The accuracy of an alignment of a few distantly related sequences is considerably improved when being aligned together with their close homologs\&. The reason for the improvement is probably the same as that for PSI\-BLAST\&. That is, the positions of highly conserved residues, those with many gaps and other additional information is brought by close homologs\&. According to Katoh et al\&. (2005), the improvement by adding close homologs is 10% or so, which is comparable to the improvement by incorporating structural information of a pair of sequences\&. Mafft\-homologs in a mafft server works like this:
+.sp
+.RS 4
+\h'-04' 1.\h'+02'Collect a number (50 by default) of close homologs (E=1e\-10 by default) of the input sequences\&.
+.RE
+.sp
+.RS 4
+\h'-04' 2.\h'+02'Align the input sequences and homologs all together using the L\-INS\-i strategy\&.
+.RE
+.sp
+.RS 4
+\h'-04' 3.\h'+02'Remove the homologs\&.
+.RE
+.SH "OPTIONS"
+.PP
+\fB\-a\fR \fI\fIn\fR\fR
+.RS 4
+The number of collected sequences (default: 50)\&.
+.RE
+.PP
+\fB\-e\fR \fI\fIn\fR\fR
+.RS 4
+Threshold value (default: 1e\-10)\&.
+.RE
+.PP
+\fB\-o\fR \fI\fIxxx\fR\fR
+.RS 4
+options for mafft (default: " \-\-op 1\&.53 \-\-ep 0\&.123 \-\-maxiterate 1000")\&.
+.RE
+.PP
+\fB\-l\fR
+.RS 4
+Locally carries out blast searches instead of NCBI blast (requires locally installed blast and a database)\&.
+.RE
+.PP
+\fB\-f\fR
+.RS 4
+Outputs collected homologues also (default: off)\&.
+.RE
+.PP
+\fB\-w\fR
+.RS 4
+entire sequences are subjected to BLAST search (default: well\-aligned region only)
+.RE
+.SH "REQUIREMENTS"
+.PP
+Mafft\-homologs requires a version of mafft higher than 5\&.58\&.
+.SH "REFERENCES"
+.PP
+Katoh, Kuma, Toh and Miyata (Nucleic Acids Res\&. 33:511\-518, 2005) MAFFT version 5: improvement in accuracy of multiple sequence alignment\&.
+.SH "SEE ALSO"
+.PP
+
+\fBmafft\fR(1)
+.SH "DIVERGENCE FROM UPSTREAM"
+.PP
+\fBmafft\-homologs\fR
+has been patched to enhance the security of the temporary files it creates\&. You can consult the patch in the Debian source package\&. It has been reviewed and amended by Kazutaka Katoh, the upstream author of MAFFT\&.
+.SH "AUTHORS"
+.PP
+\fBKazutaka Katoh\fR <\&katoh_at_bioreg\&.kyushu\-u\&.ac\&.jp\&.\&>
+.sp -1n
+.IP "" 4
+Wrote Mafft\&.
+.PP
+\fBCharles Plessy\fR <\&charles\-debian\-nospam@plessy\&.org\&>
+.sp -1n
+.IP "" 4
+Wrote this manpage in DocBook XML for the Debian distribution, using Mafft\'s homepage as a template\&.
+.SH "COPYRIGHT"
+Copyright \(co 2002, 2003, 2004, 2005, 2006, 2007 Kazutaka Katoh (mafft)
+.br
+Copyright \(co 2007 Charles Plessy (this manpage)
+.br
+.PP
+Mafft and its manpage are offered under the following conditions:
+.PP
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+.sp
+.RS 4
+\h'-04' 1.\h'+02'Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer\&.
+.RE
+.sp
+.RS 4
+\h'-04' 2.\h'+02'Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution\&.
+.RE
+.sp
+.RS 4
+\h'-04' 3.\h'+02'The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission\&.
+.RE
+.PP
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED\&. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE\&.
+.sp
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/patches/Securisation-by-mktemp-usage.patch
+++ mafft-6.240/debian/patches/Securisation-by-mktemp-usage.patch
@@ -0,0 +1,211 @@
+Author: Kazutaka Katoh and Charles Plessy, with the kind help of Thijs Kinkhorst.
+Description: Securisation of the temporary files of mafft-homologs.
+ Mafft-homologs uses predictable names for its temporary files. This patch
+ replaces the pid-based file names by names constructed with the `mktemp'
+ program. 
+ .
+ Quoting its manual page:
+ mktemp is a program to allow shell scripts to safely use temporary files.
+ Traditionally, many shell scripts take the name of the program with the PID
+ as a suffix and use that as a temporary filename.  This kind of naming scheme
+ is predictable and  the race condition  it  creates is  easy for an attacker
+ to win.  A safer, though still inferior approach is to make a temporary
+ directory using the same naming scheme.  While this does allow one to
+ guarantee that a temporary file will not  be  subverted, it still allows a
+ simple denial of service attack.  For these reasons it is suggested that
+ mktemp be used instead.
+Forwarded: Kazutaka Katoh <katoh@bioreg.kyushu-u.ac.jp>
+Reviewed: Kazutaka Katoh
+License: same as MAFFT itself.
+
+Index: mafft-6.240/src/mafft-homologs.tmpl
+===================================================================
+--- mafft-6.240.orig/src/mafft-homologs.tmpl
++++ mafft-6.240/src/mafft-homologs.tmpl
+@@ -31,11 +31,22 @@
+ #   -w        entire sequences are subjected to BLAST search 
+ #             (default: well-aligned region only)
+ 
+-
+ require 'getopts'
++require 'tempfile'
++
++# mktemp
++temp_vf = Tempfile.new("_vf").path
++temp_if = Tempfile.new("_if").path
++temp_pf = Tempfile.new("_pf").path
++temp_af = Tempfile.new("_af").path
++temp_qf = Tempfile.new("_qf").path
++temp_bf = Tempfile.new("_bf").path
++temp_rid = Tempfile.new("_rid").path
++temp_res = Tempfile.new("_res").path
+ 
+-system( mafftpath + " --help > /tmp/_vf#{$$} 2>&1" )
+-pfp = File.open( "/tmp/_vf#{$$}", 'r' )
++
++system( mafftpath + " --help > #{temp_vf} 2>&1" )
++pfp = File.open( "#{temp_vf}", 'r' )
+ while pfp.gets
+ 	break if $_ =~ /MAFFT v/
+ end
+@@ -114,35 +125,38 @@
+ 	mafftopt += " " + $OPT_o + " "
+ end
+ 
+-system "cat " + ARGV.to_s + " > /tmp/_if#{$$}"
++system "cat " + ARGV.to_s + " > #{temp_if}"
+ ar = mafftopt.split(" ")
+ nar = ar.length
+ for i in 0..(nar-1)
+ 	if ar[i] == "--seed" then
+-		system "cat #{ar[i+1]} >> /tmp/_if#{$$}"
++		system "cat #{ar[i+1]} >> #{temp_if}"
+ 	end
+ end
+ 
+ nseq = 0
+-ifp = File.open( "/tmp/_if#{$$}", 'r' )
++ifp = File.open( "#{temp_if}", 'r' )
+ 	while ifp.gets
+ 		nseq += 1 if $_ =~ /^>/
+ 	end
+ ifp.close
+ 
+-STDERR.puts "Performing preliminary alignment .. "
+-if nseq == 1 then
+-	system( "cp /tmp/_if#{$$}"  + " /tmp/_pf#{$$}" )
++if nseq >= 100 then
++	STDERR.puts "The number of input sequences must be <100."
++	exit
++elsif nseq == 1 then
++	system( "cp #{temp_if}"  + " #{temp_pf}" )
+ else
++	STDERR.puts "Performing preliminary alignment .. "
+ 	if entiresearch == 1 then
+-#		system( mafftpath + " --maxiterate 1000 --localpair /tmp/_if#{$$} > /tmp/_pf#{$$}" )
+-		system( mafftpath + " --maxiterate 0 --retree 2 /tmp/_if#{$$} > /tmp/_pf#{$$}" )
++#		system( mafftpath + " --maxiterate 1000 --localpair #{temp_if} > #{temp_pf}" )
++		system( mafftpath + " --maxiterate 0 --retree 2 #{temp_if} > #{temp_pf}" )
+ 	else
+-		system( mafftpath + " --maxiterate 1000 --localpair --core --coreext --corethr #{corethr.to_s} --corewin #{corewin.to_s} /tmp/_if#{$$} > /tmp/_pf#{$$}" )
++		system( mafftpath + " --maxiterate 1000 --localpair --core --coreext --corethr #{corethr.to_s} --corewin #{corewin.to_s} #{temp_if} > #{temp_pf}" )
+ 	end
+ end
+ 
+-pfp = File.open( "/tmp/_pf#{$$}", 'r' )
++pfp = File.open( "#{temp_pf}", 'r' )
+ inname = []
+ inseq = []
+ slen = []
+@@ -155,7 +169,7 @@
+ end
+ pfp.close
+ 
+-pfp = File.open( "/tmp/_if#{$$}", 'r' )
++pfp = File.open( "#{temp_if}", 'r' )
+ orname = []
+ orseq = []
+ nin = 0
+@@ -188,7 +202,7 @@
+ #p act
+ 
+ 
+-afp = File.open( "/tmp/_af#{$$}", 'w' )
++afp = File.open( "#{temp_af}", 'w' )
+ 
+ STDERR.puts "Searching .. \n"
+ ids = []
+@@ -209,10 +223,10 @@
+ 	end
+ 
+ 	if local == 0 then
+-		command = "lynx -source 'http://www.ncbi.nlm.nih.gov/blast/Blast.cgi?QUERY="; + inseq[i] + "&DATABASE=swissprot&HITLIST_SIZE=" + nadd.to_s + "&FILTER=L&EXPECT='" + eval.to_s + "'&FORMAT_TYPE=TEXT&PROGRAM=blastp&SERVICE=plain&NCBI_GI=on&PAGE=Proteins&CMD=Put' > /tmp/_rid#{$$}"
++		command = "lynx -source 'http://www.ncbi.nlm.nih.gov/blast/Blast.cgi?QUERY="; + inseq[i] + "&DATABASE=swissprot&HITLIST_SIZE=" + nadd.to_s + "&FILTER=L&EXPECT='" + eval.to_s + "'&FORMAT_TYPE=TEXT&PROGRAM=blastp&SERVICE=plain&NCBI_GI=on&PAGE=Proteins&CMD=Put' > #{temp_rid}"
+ 		system command
+ 	
+-		ridp = File.open( "/tmp/_rid#{$$}", 'r' )
++		ridp = File.open( "#{temp_rid}", 'r' )
+ 		while ridp.gets
+ 			break if $_ =~ / RID = (.*)/
+ 		end
+@@ -224,9 +238,9 @@
+ 		while 1 
+ 			STDERR.printf "."
+ 			sleep 10
+-			command = "lynx -source 'http://www.ncbi.nlm.nih.gov/blast/Blast.cgi?RID="; + rid + "&DESCRIPTIONS=500&ALIGNMENTS=" + nadd.to_s + "&ALIGNMENT_TYPE=Pairwise&OVERVIEW=no&CMD=Get&FORMAT_TYPE=XML' > /tmp/_res#{$$}"
++			command = "lynx -source 'http://www.ncbi.nlm.nih.gov/blast/Blast.cgi?RID="; + rid + "&DESCRIPTIONS=500&ALIGNMENTS=" + nadd.to_s + "&ALIGNMENT_TYPE=Pairwise&OVERVIEW=no&CMD=Get&FORMAT_TYPE=XML' > #{temp_res}"
+ 			system command
+-			resp = File.open( "/tmp/_res#{$$}", 'r' )
++			resp = File.open( "#{temp_res}", 'r' )
+ #			resp.gets
+ #			if $_ =~ /WAITING/ then
+ #				resp.close
+@@ -247,17 +261,17 @@
+ 	else
+ #		puts "Not supported"
+ #		exit
+-		qfp = File.open( "/tmp/_q#{$$}", 'w' )
++		qfp = File.open( "#{temp_qf}", 'w' )
+ 			qfp.puts "> "
+ 			qfp.puts inseq[i]
+ 		qfp.close
+-		command = blastpath + "  -p blastp  -e #{eval} -b 1000 -m 7 -i /tmp/_q#{$$} -d #{localdb} > /tmp/_res#{$$}"
++		command = blastpath + "  -p blastp  -e #{eval} -b 1000 -m 7 -i #{temp_qf} -d #{localdb} > #{temp_res}"
+ 		system command
+-		resp = File.open( "/tmp/_res#{$$}", 'r' )
++		resp = File.open( "#{temp_res}", 'r' )
+ 	end
+ 	STDERR.puts " Done.\n\n"
+ 
+-	resp = File.open( "/tmp/_res#{$$}", 'r' )
++	resp = File.open( "#{temp_res}", 'r' )
+ 	while 1
+ 		while resp.gets
+ 			break if $_ =~ /<Hit_id>(.*)<\/Hit_id>/ || $_ =~ /(<Iteration_stat>)/
+@@ -310,17 +324,15 @@
+ afp.close
+ 
+ STDERR.puts "Performing alignment .. "
+-system( mafftpath + mafftopt + " /tmp/_af#{$$} > /tmp/_bf#{$$}" )
++system( mafftpath + mafftopt + " #{temp_af} > #{temp_bf}" )
+ STDERR.puts "done."
+ 
+-bfp = File.open( "/tmp/_bf#{$$}", 'r' )
++bfp = File.open( "#{temp_bf}", 'r' )
+ outseq = []
+ outnam = []
+ readfasta( bfp, outnam, outseq )
+ bfp.close
+ 
+-
+-
+ outseq2 = []
+ outnam2 = []
+ 
+@@ -357,4 +369,5 @@
+ 	puts outseq2[i].gsub( /.{1,60}/, "\\0\n" )
+ end
+ 
+-system( "rm -rf /tmp/_if#{$$} /tmp/_vf#{$$} /tmp/_af#{$$} /tmp/_bf#{$$} /tmp/_pf#{$$} /tmp/_q#{$$} /tmp/_res#{$$} /tmp/_rid#{$$}" )
++
++#system( "rm -rf #{temp_if} #{temp_vf} #{temp_af} #{temp_bf} #{temp_pf} #{temp_qf} #{temp_res} #{temp_rid}" )
+Index: mafft-6.240/src/mafft.tmpl
+===================================================================
+--- mafft-6.240.orig/src/mafft.tmpl
++++ mafft-6.240/src/mafft.tmpl
+@@ -240,11 +240,11 @@
+ 		shift   
+ 	done;
+ 
+-#	TMPFILE=/tmp/`basename $0`.`whoami`.$$.`date +%y%m%d%H%M%S`
+-	TMPFILE=/tmp/$progname.$$
++#	TMPFILE=/tmp/$progname.$$
++	TMPFILE=`mktemp -dt $progname.XXXXXXXXXX`
+ 	umask 077
+-	mkdir  $TMPFILE  || er=1
+-	trap "rm -r $TMPFILE " 0
++#	mkdir  $TMPFILE  || er=1
++	trap "rm -rf $TMPFILE " 0
+ 	if [ $# -eq 1 ]; then
+ 		if [ -r "$1" -o "$1" = - ]; then
+ 			cat "$1" | tr "\r" "\n" > $TMPFILE/infile 
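Review bot: `temp_vf = Tempfile.new("_vf").path` (and the seven lines like it) discards the Tempfile object immediately; Ruby's Tempfile unlinks its file from a finalizer when the object is garbage-collected, so the path can disappear while the script is still using it, after which the shell redirections (`> #{temp_vf}`, `> #{temp_pf}`, ...) recreate the file by name without O_EXCL and the race this patch exists to remove is back, only with a random name. Keep the objects alive for the life of the script (`tf_vf = Tempfile.new("_vf"); temp_vf = tf_vf.path`), or better, create one private directory with `Dir.mktmpdir` (require 'tmpdir', Ruby 1.8.7 and later) and put all eight files under it; that mirrors the 0700 directory the shell wrapper now gets from `mktemp -d`. Related: the final cleanup is now commented out (`#system( "rm -rf #{temp_if} ...`), so nothing removes the files at all; with the objects kept, call `close!` on each in an `at_exit` block so the new `exit` on `nseq >= 100` also cleans up, and make that branch `exit 1`, since a plain `exit` reports success for an error. The `File.open( "#{temp_vf}", 'r' )` interpolation around a plain string variable is redundant. On the shell side, `TMPFILE=\`mktemp -dt $progname.XXXXXXXXXX\`` has no failure check where the removed `mkdir $TMPFILE || er=1` had one: if mktemp fails, TMPFILE is empty and the later `> $TMPFILE/infile` writes to /infile. Add `|| exit 1` (or `|| er=1` if `er` is still tested further down), and quote the expansion in the trap (`trap "rm -rf '$TMPFILE'" 0`) now that the path can live under a user-chosen $TMPDIR.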
only in patch2:
unchanged:
--- mafft-6.240.orig/debian/patches/series
+++ mafft-6.240/debian/patches/series
@@ -0,0 +1 @@
+Securisation-by-mktemp-usage.patch

