--- /dev/null
+this patch fixes gentoo bug #243238 (CVE-2008-{4640,4641})
+
+diff -ru jhead-2.84.orig/jhead.c jhead-2.84/jhead.c
+--- jhead-2.84.orig/jhead.c 2008-10-04 18:10:35.000000000 +0200
++++ jhead-2.84/jhead.c 2008-11-28 18:51:52.000000000 +0100
+@@ -295,44 +295,88 @@
+
+
+ //--------------------------------------------------------------------------
++// Escape an argument such that it is interpreted literally by the shell
++// (returns the number of written characters)
++//--------------------------------------------------------------------------
++static int shellescape(char* to, const char* from)
++{
++ int i, j;
++ i = j = 0;
++
++ // Enclosing characters in double quotes preserves the literal value of
++ // all characters within the quotes, with the exception of $, `, and \.
++ to[j++] = '"';
++ while(from[i])
++ {
++#ifdef _WIN32
++ // Under WIN32, there isn't really anything dangerous you can do with
++ // escape characters, plus windows users aren't as sercurity paranoid.
++ // Hence, no need to do fancy escaping.
++ to[j++] = from[i++];
++#else
++ switch(from[i]) {
++ case '"':
++ case '$':
++ case '`':
++ case '\\':
++ to[j++] = '\\';
++ default:
++ to[j++] = from[i++];
++ }
++#endif
++ if (j >= PATH_MAX) ErrFatal("max path exceeded");
++ }
++ to[j++] = '"';
++ return j;
++}
++
++
++//--------------------------------------------------------------------------
+ // Apply the specified command to the JPEG file.
+ //--------------------------------------------------------------------------
+ static void DoCommand(const char * FileName, int ShowIt)
+ {
+ int a,e;
+- char ExecString[PATH_MAX*2];
+- char TempName[PATH_MAX+1];
++ char ExecString[PATH_MAX*3];
++ char TempName[PATH_MAX+10];
+ int TempUsed = FALSE;
+
+ e = 0;
+
+- // Make a temporary file in the destination directory by changing last char.
+- strcpy(TempName, FileName);
+- a = strlen(TempName)-1;
+- TempName[a] = (char)(TempName[a] == 't' ? 'z' : 't');
++ // Generate an unused temporary file name in the destination directory
++ // (a is the number of characters to copy from FileName)
++ a = strlen(FileName)-1;
++ while(a > 0 && FileName[a-1] != '/') a--;
++ memcpy(TempName, FileName, a);
++ strcpy(TempName+a, "XXXXXX");
++ mkstemp(TempName);
++ if(!TempName[0]) {
++ ErrFatal("Cannot find available temporary file name");
++ }
++
++
+
+ // Build the exec string. &i and &o in the exec string get replaced by input and output files.
+ for (a=0;;a++){
+ if (ApplyCommand[a] == '&'){
+ if (ApplyCommand[a+1] == 'i'){
+ // Input file.
+- e += sprintf(ExecString+e, "\"%s\"",FileName);
++ e += shellescape(ExecString+e, FileName);
+ a += 1;
+ continue;
+ }
+ if (ApplyCommand[a+1] == 'o'){
+ // Needs an output file distinct from the input file.
+- e += sprintf(ExecString+e, "\"%s\"",TempName);
++ e += shellescape(ExecString+e, TempName);
+ a += 1;
+ TempUsed = TRUE;
+- unlink(TempName);// Remove any pre-existing temp file
+ continue;
+ }
+ }
+ ExecString[e++] = ApplyCommand[a];
+ if (ApplyCommand[a] == 0) break;
+ }
+-
++ShowIt = 1;
+ if (ShowIt) printf("Cmd:%s\n",ExecString);
+
+ errno = 0;
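Review bot: The return value of `mkstemp(TempName);` is discarded, so a failure is not reliably detected and the descriptor it opens is never closed; the `if(!TempName[0])` test depends on the template being emptied on failure, which POSIX does not guarantee for mkstemp. Keeping the result fixes both: `int fd = mkstemp(TempName); if (fd < 0) ErrFatal("Cannot find available temporary file name"); close(fd);`. In shellescape, `if (j >= PATH_MAX)` limits one argument measured from `to`, not the room left in `ExecString`, and the `ExecString[e++] = ApplyCommand[a];` copy has no bound, so the PATH_MAX*3 buffer is only safe while the command template stays short; passing the remaining size into shellescape would make the limit real. `ShowIt = 1;` just before the printf looks like a debugging leftover that overrides the caller's FALSE and should be removed. DoCommand's body continues past the end of the hunk.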
+@@ -638,7 +682,7 @@
+ ErrFatal("Orientation screwup");
+ }
+
+- sprintf(RotateCommand, "jpegtran -%s -outfile &o &i", Argument);
++ sprintf(RotateCommand, "jpegtran -trim -%s -outfile &o &i", Argument);
+ ApplyCommand = RotateCommand;
+ DoCommand(FileName, FALSE);
+ ApplyCommand = NULL;
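Review bot: The added `-trim` is a behaviour change unrelated to the quoting fix named in the patch header: jpegtran's -trim drops edge blocks that cannot be transformed losslessly, so a rotated image whose dimensions are not a multiple of the block size loses pixels at the edge. The same flag is added to the thumbnail command in the next hunk. If this is intended, record it in the patch description or in a comment above the sprintf, e.g. `// -trim: drop partial edge blocks that cannot be rotated losslessly`; otherwise it belongs in a separate patch from the security fix. The enclosing function starts and ends outside the hunk.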
+@@ -657,7 +701,7 @@
+ strcpy(ThumbTempName_out, FileName);
+ strcat(ThumbTempName_out, ".tho");
+ SaveThumbnail(ThumbTempName_in);
+- sprintf(RotateCommand,"jpegtran -%s -outfile \"%s\" \"%s\"",
++ sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"",
+ Argument, ThumbTempName_out, ThumbTempName_in);
+
+ if (system(RotateCommand) == 0){
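Review bot: The thumbnail command here still formats `ThumbTempName_out` and `ThumbTempName_in` with plain `\"%s\"` and passes the result to `system()`, so the escaping this patch introduces in DoCommand does not cover this call. `ThumbTempName_out` is copied from `FileName` on the first context line, so a file name containing shell-special characters appears to reach the shell unescaped on this path; both names should be written with `shellescape` (or the call routed through DoCommand with `&o`/`&i`). The `.tho` name is also a predictable path built with unbounded `strcpy`/`strcat`, unlike the mkstemp-generated name now used in DoCommand. The enclosing function starts and ends outside the hunk, so the size of `RotateCommand` and any later cleanup cannot be checked from here.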
+++ /dev/null
-# Configure file for MozPlugger 1.10
-# Version: July 15, 2008
-#
-# Commands which are not installed on your system will not be used.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
-
-
-###################
-### m4 macros ###
-###################
-
-changequote([,])
-
-### Helpers
-
-### MPlayer
-
-define(MP_CMD,[mplayer -really-quiet -nojoystick -nofs -zoom -vo xv,x11 -ao esd,alsa,oss,arts,null -osdlevel 0 $1 </dev/null])
-
-define(MP_EMBED,[embed noisy ignore_errors: MP_CMD(-xy $width -wid $window $1)])
-
-define(MP_NOEMBED,[noembed noisy ignore_errors maxaspect swallow(MPlayer): MP_CMD($1)])
-
-# If you want a small controls in top left corner of embedded window when using
-# mplayer then uncomment the first and comment the second below
-
-#define(MP_VIDEO_STREAM,[controls stream MP_EMBED($1 "$file")
-# stream MP_NOEMBED($1 "$file")])
-
-define(MP_VIDEO_STREAM,[stream MP_EMBED($1 "$file")
- stream MP_NOEMBED($1 "$file")])
-
-define(MP_VIDEO_PLAYLIST, [fmatch($1) MP_EMBED(-playlist "$file")
- fmatch($1) MP_NOEMBED(-playlist "$file")])
-# Special case for Quicktime
-define(MP_LINKS,[stream links noisy ignore_errors: MP_CMD($1)])
-
-define(MP_AUDIO,[mplayer -really-quiet -nojoystick $1 </dev/null])
-
-define(MP_AUDIO_STREAM,[controls stream noisy ignore_errors: mplayer -really-quiet -nojoystick $1 "$file" </dev/null])
-
-ifelse(esyscmd([mplayer -afm help 2>&1 | grep vorbis]),[],[
- define(MP_NO_VORBIS)
-],[
- define(MP_VORBIS)
-])
-
-### Totem
-
-define(TM_CMD,[totem $1</dev/null])
-
-define(TM_EMBED,[embed noisy ignore_errors hidden fill swallow(Totem): TM_CMD(--toggle-controls $1)])
-
-define(TM_NOEMBED,[nokill noembed noisy ignore_errors: TM_CMD($1)])
-
-
-define(TM_VIDEO_STREAM,[stream TM_EMBED("$file")
- stream TM_NOEMBED("$file")])
-
-# Special case for Quicktime
-define(TM_LINKS,[stream links nokill noembed noisy ignore_errors: TM_CMD($1)])
-
-define(TM_AUDIO_STREAM,[controls stream noisy ignore_errors: TM_CMD("$file")])
-
-### OpenOffice
-define([OO],[swallow(VCLSalFrame) fill: ooffice2.0 -nologo -norestore -view $1 "$file"
- swallow(VCLSalFrame) fill: ooffice -nologo -norestore -view $1 "$file"
- swallow(VCLSalFrame) fill: soffice -nologo $1 "$file"])
-
-### Acrobat Reader
-define(ACROREAD_OPTS,[-openInNewWindow /a "$fragment"])
-define(ACROREAD_OPTS5,[-geometry +9000+9000 +useFrontEndPanel /a "$fragment"])
-
-define(ACROREAD_FLAGS,[repeat swallow(acroread) fill])
-define(ACROREAD_FLAGS5,[repeat swallow(documentShell) fill])
-
-# Trap only version 5 assume the rest work OK (6 onwards...)
-ifelse(esyscmd([acroread -v | grep "^[^0-9]*5\..*$"]), [], [
- define(ACROREAD, [ACROREAD_FLAGS() : acroread ACROREAD_OPTS() "$file"])
-],[
- define(ACROREAD, [ACROREAD_FLAGS5() : acroread ACROREAD_OPTS5() "$file"])
-])
-
-### GV
-define(GV_OPTS,[--safer --quiet --antialias -geometry +9000+9000])
-define(GV_FLAGS,[repeat noisy swallow(gv) fill])
-define(GV,[GV_FLAGS(): gv GV_OPTS() "$file"])
-
-###################
-### Video ###
-###################
-
-video/mpeg:mpeg,mpg,mpe:MPEG animation
-video/x-mpeg:mpeg,mpg,mpe:MPEG animation
-video/x-mpeg2:mpv2,mp2ve:MPEG2 animation
- MP_VIDEO_STREAM()
- TM_VIDEO_STREAM()
- nokill noisy: xine -pq "$file"
- loop: mtvp -l -W$window "$file"
- : mtvp -W$window "$file"
- loop: xanim +Av100 -Zr +W$window +q +f "$file"
- : xanim +Av100 -Zr +W$window +q +Ze +f "$file"
-
-video/mp4:mp4:MPEG4 animation
- MP_VIDEO_STREAM()
- TM_VIDEO_STREAM()
- nokill noisy: xine -pq "$file"
-
-video/msvideo:avi:AVI animation
-video/x-msvideo:avi:AVI animation
-video/fli:fli,flc:FLI animation
-video/x-fli:fli,flc:FLI animation
- MP_VIDEO_STREAM()
- TM_VIDEO_STREAM()
- nokill noisy: xine -pq "$file"
-
-application/x-mplayer2:*:Windows Media video
-video/x-ms-asf:asf,asx:Windows Media video
-video/x-ms-wm:wm:Windows Media video
-video/x-ms-wmv:wmv:Windows Media video
-video/x-ms-wvx:wvx:Windows Media video
-video/x-ms-asf-plugin:*:Window Media video
- MP_VIDEO_PLAYLIST(%.asx)
- MP_VIDEO_STREAM()
- TM_VIDEO_STREAM()
-
-application/asx:asx:Windows Media video
- MP_VIDEO_STREAM(-playlist)
- TM_VIDEO_STREAM()
-
-application/x-quicktimeplayer:mov:Quicktime animation
-image/x-macpaint:pntg,mov:Quicktime animation
-video/quicktime:mov,qt:Quicktime animation
-video/x-quicktime:mov,qt:Quicktime animation
- MP_VIDEO_STREAM()
- MP_LINKS("$file")
- TM_VIDEO_STREAM()
- TM_LINKS("$file")
- stream links : xine -pq "$file"
- nokill noisy: xine -pq "$file"
-
-video/x-theora:ogg:OGG stream with video
-video/theora:ogg:OGG stream with video
-video/ogg:ogg:OGG stream with video
-video/x-ogg:ogm,ogv:OGG stream with video
-ifdef([MP_VORBIS],[ MP_VIDEO_STREAM()
-]) TM_VIDEO_STREAM()
-
-video/dl:dl:DL animation
-video/x-dl:dl:DL animation
-video/sgi-movie:movie,movi,mv:SGI animation
-video/x-sgi-movie:movie,movi,mv:SGI animation
-video/anim:iff,anim5,anim3,anim7:IFF animation
-video/x-anim:iff,anim5,anim3,anim7:IFF animation
- loop: xanim +Av100 -Zr +W$window +q +f "$file"
- : xanim +Av100 -Zr +W$window +q +Ze +f "$file"
-
-
-##################
-### Audio ###
-##################
-
-audio/mid:midi,mid:MIDI audio file
-audio/x-mid:midi,mid:MIDI audio file
-audio/midi:midi,mid:MIDI audio file
-audio/x-midi:midi,mid:MIDI audio file
- controls noisy stream: timidity -Od "$file"
- controls: playmidi "$file"
-
-audio/mod:mod:Soundracker audio Module
-audio/x-mod:mod:Soundracker audio Module
- controls loop noisy: mikmod -q --interpolate "$file"
- controls noisy: mikmod -q --interpolate "$file"
- controls loop noisy: xmp -l --nocmd "$file"
- controls noisy: xmp --nocmd "$file"
-
-audio/mp3:mp3:MPEG audio
-audio/x-mp3:mp3:MPEG audio
-audio/mpeg2:mp2:MPEG audio
-audio/x-mpeg2:mp2:MPEG audio
-audio/mpeg3:mp3:MPEG audio
-audio/x-mpeg3:mp3:MPEG audio
-audio/mpeg:mpa,abs,mpega:MPEG audio
-audio/x-mpeg:mpa,abs,mpega:MPEG audio
- MP_AUDIO_STREAM()
- TM_AUDIO_STREAM()
- controls: mpg321 -q "$file"
- controls: mpg123 -q "$file"
- controls: splay -t 200 "$file"
- controls: amp -b 200 -q "$file"
- controls: maplay "$file"
- controls: mpeg3play "$file"
- nokill noisy : xmms -e -p "$file"
- repeat noisy swallow(alsaplayer): alsaplayer -q "$file"
-
-audio/mpeg-url:m3u:MPEG music resource locator
-audio/x-mpeg-url:m3u:MPEG music resource locator
-audio/mpegurl:m3u:MPEG music resource locator
-audio/x-mpegurl:m3u:MPEG music resource locator
-audio/x-scpls:pls:Shoutcast Playlists
-# controls: mpg321 -q -@ "$file"
- nokill noisy : xmms -e -p "$file"
-
-audio/x-ogg:ogg:OGG audio
-application/x-ogg:ogg:OGG audio
-application/ogg:ogg:OGG audio
-ifdef([MP_VORBIS],[ MP_AUDIO_STREAM()
-]) TM_AUDIO_STREAM()
- controls stream noisy: ogg123 -q -b 128 "$file"
- nokill noisy : xmms -e -p "$file"
-
-audio/x-flac:flac:FLAC audio
-application/x-flac:flac:FLAC audio
- MP_AUDIO_STREAM()
- nokill noisy : xmms -e -p "$file"
-
-audio/x-sidtune:sid,psid:Commodore 64 Audio
-audio/sidtune:sid,psid:Commodore 64 Audio
-audio/psid:psid,sid:Commodore 64 Audio
-audio/x-psid:psid,sid:Commodore 64 Audio
- controls noisy: sidplay -16 -f44100 -a "$file"
-
-audio/basic:au,snd:Basic audio file
-audio/x-basic:au,snd:Basic audio file
- controls: play "$file"
- controls: sox "$file" -t .au - > /dev/audio
-
-audio/wav:wav:Microsoft wave file
-audio/x-wav:wav:Microsoft wave file
-audio/x-pn-wav:wav:Microsoft wave file
-audio/x-pn-windows-acm:wav:Microsoft wave file
- controls: play "$file"
- controls: wavplay -q "$file"
- controls noisy: bplay "$file"
- controls: splay "$file"
- nokill noisy : xmms -e -p "$file"
- repeat noisy swallow(alsaplayer): alsaplayer -q "$file"
-
-audio/x-pn-realaudio-plugin:rpm:RealPlayer Plugin Metafile
-audio/x-pn-realaudio:ra,rm,ram:Realaudio-plugin resource locator
-audio/x-realaudio:ra,rm,ram:RealAudio file
-application/vnd.rn-realmedia:rm:RealMedia file
-application/smil:smi:RealPlayer
-audio/vnd.rn-realaudio:ra,ram:RealAudio file
-audio/vnd.rn-realvideo:rv:RealVideo file
- nokill stream: hxplay "$file"
- nokill stream: realplay "$file"
-
-audio/x-ms-wax:wax:Windows Media Audio
- MP_AUDIO_STREAM(-playlist-playlist))
- TM_AUDIO_STREAM()
-
-audio/x-ms-wma:wma:Windows Media Audio
- MP_AUDIO_STREAM()
- TM_AUDIO_STREAM()
-
-#######################
-### Documents ###
-#######################
-
-image/sun-raster:rs:SUN raster image
-image/x-sun-raster:rs:SUN raster image
-image/x-rgb:rgb:RGB Image
-image/x-portable-pixmap:ppm:PPM Image
-image/x-portable-graymap:pgm:PGM Image
-image/x-portable-bitmap:pbm:PBM Image
-image/x-portable-anymap:pnm:PBM Image
-image/tiff:tiff,tif:TIFF image
-image/x-tiff:tiff,tif:TIFF image
- exits: display -window $window -backdrop "$file"
- repeat noisy swallow(gqview) fill: gqview -t "$file"
- swallow(:) maxaspect: xv -ima -igeom +9000+9000 -geometry +9000+9000 "$file"
- repeat swallow(display): display "$file"
- repeat swallow(Sdtimage) fill: sdtimage "$file"
- swallow(*qiv:) fill maxaspect: qiv -n "$file"
-
-image/x-xcf:xcf:Gimp Image
-image/xcf:xcf:Gimp Image
-application/x-gimp:xcf:Gimp Image
-application/gimp:xcf:Gimp Image
- exits: display -window $window -backdrop "$file"
- repeat swallow(display) fill: display "$file"
-
-application/photoshop:psd:PhotoShop Image
-application/x-photoshop:psd:PhotoShop Image
- exits: display -window $window -backdrop "$file"
- repeat swallow(display) fill: display "$file"
-
-application/pdf:pdf:PDF file
-application/x-pdf:pdf:PDF file
-text/pdf:pdf:PDF file
-text/x-pdf:pdf:PDF file
- ACROREAD()
- repeat noisy swallow(evince) fill: evince "$file"
- repeat noisy swallow(kpdf) fill: kpdf "$file"
- repeat noisy swallow(Xpdf) fill: xpdf -g +9000+9000 "$file"
- repeat noisy swallow(okular) fill: okular "$file"
- GV()
-
-application/x-dvi:dvi:DVI file
- repeat swallow(kdvi) fill: kdvi "$file"
- repeat swallow(xdvi) fill: xdvi -safer -hush -geometry +9000+9000 "$file"
-
-application/x-postscript:ps:PostScript file
-application/postscript:ps:PostScript file
- GV()
- repeat noisy swallow(evince) fill: evince "$file"
-
-application/x-rtf:rtf:Rich Text Format
-application/rtf:rtf:Rich Text Format
-text/rtf:rtf:Rich Text Format
- OO()
- repeat noisy swallow(AbiWord) fill: abiword --nosplash --geometry +9000+9000 "$file"
- repeat noisy swallow(kword): kword "$file"
- repeat noisy swallow(Ted) fill: Ted "$file"
-
-application/x-msword:doc,dot:Microsoft Word Document
-application/msword:doc,dot:Microsoft Word Document
- OO()
- repeat noisy swallow(kword): kword "$file"
- repeat noisy swallow(AbiWord) fill: abiword --nosplash --geometry +9000+9000 "$file"
-
-application/vnd.ms-excel:xls,xlb:Microsoft Excel Document
- OO()
- repeat swallow(Gnumeric) fill: gnumeric "$file"
-
-# OpenOffice MimeTypes (http://framework.openoffice.org/documentation/mimetypes/mimetypes.html)
-application/vnd.sun.xml.writer:sxw:OpenOffice Writer 6.0 documents
-application/so7_vnd.sun.xml.writer:sxw:OpenOffice Writer 7.0 documents
-application/vnd.sun.xml.writer.template:stw:OpenOffice Writer 6.0 templates
-application/vnd.sun.xml.writer.global:sxg:OpenOffice Writer 6.0 global documents
-application/vnd.stardivision.writer:sdw:StarWriter 5.x documents
-application/vnd.stardivision.writer-global:sgl:StarWriter 5.x global documents
-application/x-starwriter:sdw:StarWriter 4.x documents
- OO()
-
-application/vnd.sun.xml.calc:sxc:OpenOffice Calc 6.0 spreadsheets
-application/so7_vnd.sun.xml.calc:sxc:OpenOffice Calc 7.0 spreadsheets
-application/vnd.sun.xml.calc.template:stc:OpenOffice Calc 6.0 templates
-application/vnd.stardivision.calc:sdc:StarCalc 5.x spreadsheets
-application/x-starcalc:sdc:StarCalc 4.x spreadsheets
-application/vnd.lotus-1-2-3: 123, wk1: Lotus 1-2-3 Document
- OO()
-
-application/vnd.sun.xml.draw:sxd:OpenOffice Draw 6.0 documents
-application/so7_vnd.sun.xml.draw:sxc:StarOffice Draw 7.0 documents
-application/vnd.sun.xml.draw.template:std:OpenOffice Draw 6.0 templates
-application/vnd.stardivision.draw:sda:StarDraw 5.x documents
-application/x-stardraw:sda:StarDraw 4.x documents
- OO()
-
-application/vnd.sun.xml.impress:sxi:OpenOffice Impress 6.0 presentations
-application/so7_vnd.sun.xml.impress:sxi:StarOffice 7.0 Impress presentations
-application/vnd.sun.xml.impress.template:sti:OpenOffice Impress 6.0 templates
-application/vnd.stardivision.impress:sdd:StarImpress 5.x presentations
-application/vnd.stardivision.impress-packed:sdp:StarImpress Packed 5.x files
-application/x-starimpress:sdd:StarImpress 4.x presentations
-application/vnd.ms-powerpoint:ppt:PowerPoint Slideshow
-application/mspowerpoint:ppt,ppz,pps,pot:PowerPoint Slideshow
- OO()
-
-application/vnd.sun.xml.math:sxm:OpenOffice Math 6.0 documents
-application/so7_vnd.sun.xml.math:sxm:StarOffice 7.0 Math documents
-application/vnd.stardivision.math:smf:StarMath 5.x documents
-application/x-starmath:smf:StarMath 4.x documents
- OO()
-
-application/vnd.oasis.opendocument.text:odt,ODT:OASIS OpenDocument Text
- OO()
-
-application/vnd.oasis.opendocument.spreadsheet:ods,ODS:OASIS OpenDocument SpreadSheet
- OO()
-
-application/vnd.oasis.opendocument.presentation:odp,ODP:OASIS OpenDocument Presentation
- OO()
-
-chemical/x-pdb:pdb: Protein Data Bank file
-model/x-pdb:pdb: Protein Data Bank file
- swallow(rasmol) fill: rasmol "$file"
- swallow(molecule) fill: /usr/X11R6/lib/xscreensaver/molecule -delay 20000 -geometry +9000+9000 -no-spin -molecule "$file"
-
-mozplugger/xterm:xterm: xterm
- stream swallow(xterm) fill: xterm -title xterm $VAR_arg