From 36115e102859badb08cb5b2398de6b0ba45421d3 Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Tue, 4 Nov 2014 14:36:47 +0100
Subject: [PATCH] various security fixes CVE-2009-5044 (#709413) CVE-2009-5080 (#720058) CVE-2009-5081 (#720057)
Based on: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff?rev=1.2;content-type=text%2Fplain
Resolves: #709415, #720060
Signed-off-by: Jan Vcelak
---
 contrib/eqn2graph/eqn2graph.sh | 2 ++
 contrib/gdiffmk/tests/runtests.in | 5 +++--
 contrib/grap2graph/grap2graph.sh | 2 ++
 contrib/groffer/main_subs.pl | 10 +++++-----
 contrib/groffer/roff2.pl | 2 +-
 contrib/pdfmark/pdfroff.man | 5 +++--
 contrib/pic2graph/pic2graph.sh | 2 ++
 doc/fixinfo.sh | 5 +++--
 doc/groff.info-2 | 6 +++---
 doc/groff.texinfo | 6 +++---
 gendef.sh | 10 +++-------
 11 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/contrib/eqn2graph/eqn2graph.sh b/contrib/eqn2graph/eqn2graph.sh
index 3e9c374..4e4f11e 100644
--- a/contrib/eqn2graph/eqn2graph.sh
+++ b/contrib/eqn2graph/eqn2graph.sh
@@ -74,6 +74,8 @@ then
 # but is supported by the stripped-down dash shell, for instance.
 tmp="$d/eqn2graph$$-${RANDOM:-$PPID}"
 (umask 077 && mkdir "$tmp") 2> /dev/null
+
+ tmp=
 fi
 if ! test -d "$tmp"
diff --git a/contrib/grap2graph/grap2graph.sh b/contrib/grap2graph/grap2graph.sh
index 29df25b..94c436b 100644
--- a/contrib/grap2graph/grap2graph.sh
+++ b/contrib/grap2graph/grap2graph.sh
@@ -76,6 +76,8 @@ then
 # but is supported by the stripped-down dash shell, for instance.
 tmp="$d/grap2graph$$-${RANDOM:-$PPID}"
 (umask 077 && mkdir "$tmp") 2> /dev/null
+
+ tmp=
 fi
 if ! test -d "$tmp"
diff --git a/contrib/groffer/main_subs.pl b/contrib/groffer/main_subs.pl
index a40e356..c8c4e53 100644
--- a/contrib/groffer/main_subs.pl
+++ b/contrib/groffer/main_subs.pl
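Review bot: In the eqn2graph.sh hunk the added `tmp=` runs unconditionally after the fallback `mkdir "$tmp"`, so as shown here a directory that mkdir just created is neither used nor removed, and the `test -d "$tmp"` error that follows reports an empty path. If the aim is to refuse a directory that already existed under the predictable `$$`-based name, clear the variable only when mkdir fails: `(umask 077 && mkdir "$tmp") 2> /dev/null || tmp=`; if the aim is to drop the fallback altogether, the `mkdir` line should go too. The grap2graph.sh and pic2graph.sh hunks add the same two lines. The enclosing `if … then` block starts outside each hunk and the indentation is not recoverable from this page, so this reading should be confirmed against the original scripts.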
@@ -1244,7 +1244,7 @@ sub main_temp {
 our $fh_stdin;
 our $tmp_cat;
 our $tmp_stdin;
- my $template = 'groffer_' . "$$" . '_XXXX';
+ my $template = 'groffer_' . "$$" . '_XXXXXXXXXX';
 foreach ($ENV{'GROFF_TMPDIR'}, $ENV{'TMPDIR'}, $ENV{'TMP'}, $ENV{'TEMP'}, $ENV{'TEMPDIR'}, File::Spec->catfile($ENV{'HOME'}, 'tmp')) {
 if ($_ && -d $_ && -w $_) {
@@ -1276,12 +1276,12 @@ sub main_temp {
 # further argument: SUFFIX => '.sh'
 if ($Debug{'KEEP'}) {
- ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', DIR => $tmpdir);
- ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', DIR => $tmpdir);
+ ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', DIR => $tmpdir);
+ ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', DIR => $tmpdir);
 } else {
- ($fh_cat, $tmp_cat) = tempfile(',cat_XXXX', UNLINK => 1,
+ ($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', UNLINK => 1,
 DIR => $tmpdir);
- ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXX', UNLINK => 1,
+ ($fh_stdin, $tmp_stdin) = tempfile(',stdin_XXXXXXXXXX', UNLINK => 1,
 DIR => $tmpdir);
 }
 } # main_temp()
diff --git a/contrib/groffer/roff2.pl b/contrib/groffer/roff2.pl
index cf5c583..24af006 100755
--- a/contrib/groffer/roff2.pl
+++ b/contrib/groffer/roff2.pl
@@ -123,7 +123,7 @@ if ($Has_Groffer) {
 last;
 }
 }
- my $template = $Name . '_XXXX';
+ my $template = $Name . '_XXXXXXXXXX';
 my ($fh, $stdin);
 if ($tempdir) {
 ($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||
diff --git a/contrib/pic2graph/pic2graph.sh b/contrib/pic2graph/pic2graph.sh
index b229914..2d6e77c 100644
--- a/contrib/pic2graph/pic2graph.sh
+++ b/contrib/pic2graph/pic2graph.sh
@@ -89,6 +89,8 @@ then
 # but is supported by the stripped-down dash shell, for instance.
 tmp="$d/pic2graph$$-${RANDOM:-$PPID}"
 (umask 077 && mkdir "$tmp") 2> /dev/null
+
+ tmp=
 fi
 if ! test -d "$tmp"
diff --git a/doc/fixinfo.sh b/doc/fixinfo.sh
index 47127f8..ce0f565 100644
--- a/doc/fixinfo.sh
+++ b/doc/fixinfo.sh
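Review bot: In the second main_subs.pl hunk the two branches on `$Debug{'KEEP'}` repeat the same `tempfile()` calls and differ only in `UNLINK => 1`, which is why this change had to edit the template literal in four places. Passing the flag as a value removes the duplicated branch, e.g. `($fh_cat, $tmp_cat) = tempfile(',cat_XXXXXXXXXX', UNLINK => ($Debug{'KEEP'} ? 0 : 1), DIR => $tmpdir);` and likewise for `,stdin_`, so a later template change cannot miss a site. main_temp() starts outside the hunk.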
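Review bot: The context line `($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) ||` in the roff2.pl hunk calls `tempfile()` in scalar context, because `||` binds tighter than the list assignment; in scalar context File::Temp's `tempfile` returns only the filehandle, so `$stdin` would not receive the file name. The right-hand operand lies outside the hunk, so this is inferred from the visible operator alone. If it is an error exit, the low-precedence form keeps the list assignment intact: `($fh, $stdin) = tempfile($template, UNLINK => 1, DIR => $tempdir) or`. The commit lengthens the template but leaves this line as it was.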
@@ -24,7 +24,9 @@
 #
 # 09-2014: no more problem with texinfo 5.0 or higher
 #
-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-fixinfo.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
 cat $1 | sed '
 1 {
diff --git a/gendef.sh b/gendef.sh
index be41dbe..4770bae 100644
--- a/gendef.sh
+++ b/gendef.sh
@@ -33,11 +33,9 @@ do
 #define $def"
 done
-# Use $TMPDIR if defined. Default to cwd, for non-Unix systems
-# which don't have /tmp on each drive (we are going to remove
-# the file before we exit anyway). Put the PID in the basename,
-# since the extension can only hold 3 characters on MS-DOS.
-t=${TMPDIR-.}/gro$$.tmp
+t="`mktemp -t groff-gendef.XXXXXXXXXX`" || exit
+trap 'rm -f -- "$t"' EXIT
+trap 'trap - EXIT; rm -f -- "$t"; exit 1' HUP INT QUIT TERM
 sed -e 's/=/ /' >$t <
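Review bot: `mktemp -t groff-fixinfo.XXXXXXXXXX` in the fixinfo.sh hunk depends on how the build host's mktemp reads `-t`: GNU coreutils treats the argument as a template placed under `$TMPDIR`, while BSD-derived mktemp treats it as a prefix, so the resulting name differs between platforms. Passing the full template avoids the flag: replace `-t groff-fixinfo.XXXXXXXXXX` with `"${TMPDIR:-/tmp}/groff-fixinfo.XXXXXXXXXX"`. Uses of `$t` after the hunk are not visible here and should be quoted, since the path now derives from `$TMPDIR`. The gendef.sh hunk, which runs past the end of this page, adds the same `mktemp -t` line.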