head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.34
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.32
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.30
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.28
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2009Q4:1.2.0.26
	pkgsrc-2009Q4-base:1.2
	pkgsrc-2008Q4:1.2.0.24
	pkgsrc-2008Q4-base:1.2
	pkgsrc-2008Q3:1.2.0.22
	pkgsrc-2008Q3-base:1.2
	cube-native-xorg:1.2.0.20
	cube-native-xorg-base:1.2
	pkgsrc-2008Q2:1.2.0.18
	pkgsrc-2008Q2-base:1.2
	pkgsrc-2008Q1:1.2.0.16
	pkgsrc-2008Q1-base:1.2
	pkgsrc-2007Q4:1.2.0.14
	pkgsrc-2007Q4-base:1.2
	pkgsrc-2007Q3:1.2.0.12
	pkgsrc-2007Q3-base:1.2
	pkgsrc-2007Q2:1.2.0.10
	pkgsrc-2007Q2-base:1.2
	pkgsrc-2007Q1:1.2.0.8
	pkgsrc-2007Q1-base:1.2
	pkgsrc-2006Q4:1.2.0.6
	pkgsrc-2006Q4-base:1.2
	pkgsrc-2006Q3:1.2.0.4
	pkgsrc-2006Q3-base:1.2
	pkgsrc-2006Q2:1.2.0.2
	pkgsrc-2006Q2-base:1.2
	pkgsrc-2006Q1:1.1.0.6
	pkgsrc-2006Q1-base:1.1
	pkgsrc-2005Q4:1.1.0.4
	pkgsrc-2005Q4-base:1.1
	pkgsrc-2005Q3:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2006.05.02.19.06.45;	author wiz;	state dead;
branches;
next	1.1;

1.1
date	2005.10.06.14.23.39;	author salo;	state Exp;
branches
	1.1.2.1;
next	;

1.1.2.1
date	2005.10.06.14.23.39;	author snj;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2005.10.08.06.27.21;	author snj;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update to 5.21o:

CHANGES IN VERSION 5.21o (Howard Chu, 12 Oct 2005)

Silence warnings about unused results.

CHANGES IN VERSION 5.21n (Howard Chu, 08 Oct 2005)

Better fix for temporary file creations, previous patch did not fix marc.
Silence all gcc-4.0.0 -Wall warnings.

CHANGES IN VERSION 5.21m (Klaus Reimer, 21 Sep 2005)

Applied patch from Joey Schulze fixing the following problems:

  - Fixed insecure permissions of a temporary file [arcsvc.c, CAN-2005-2945]
  - Fixed insecure temporary file creation [arcsvc.c, CAN-2005-2992]

CHANGES IN VERSION 5.21l (Klaus Reimer, 13 Mar 2005)

Fixed warnings because missing inclusion of string.h and fixed a gcc-4.0
problem with marc.c (Missing declaration of makefnam).

CHANGES IN VERSION 5.21k (Klaus Reimer, 6 Nov 2004)

Ulf Harnhammar found some buffer overflows causing segfaults and provided
a patch which is now applied to arc to close these bugs.

CHANGES IN VERSION 5.21

The following changes have been made in ARC version 5.21, but have not
yet been included in the manual:

o   When adding files to an archive, ARC now shows the stowage factor
    achieved on each file.

o   A bug was found that would keep an archive entry from being
    encrypted if it was stored without compression. This has now been
    fixed.

o   If changes are made to a corrupted archive, the corrupted entries
    are discarded. This makes it possible to lose data accidentally.
    ARC will now only make changes to a corrupted archive if the W
    (suppress Warnings) option has been given.

o   The N (suppress Notes) option now suppresses the "Creating
    archive" note when a new archive is being created.

o   The N (suppress Notes) option formerly did nothing useful when
    used with the L (List files) command. It now causes a terse
    listing of filenames only, suitable for use with pipes and
    redirection.

o   The list of filenames given to ARC may now include indirect
    references. If a filename begins with an "at sign" ("@@"), it is
    taken to be the name of a file which contains a list of file
    names. The list of file names may include further indirection. If
    no extension is given, ".CMD" is assumed. For example, the
    command:

        arc a waste junk.txt @@trash

    would cause ARC to add JUNK.TXT plus all files listed in the file
    TRASH.CMD to an archive named WASTE.ARC. If no file is specified,
    then the list is read from standard input. For example, the
    command:

        arc ln waste | arc a trash @@

    would cause ARC to add files to TRASH.ARC based on the names of
    the files stored in WASTE.ARC. It is probably a good idea to give
    the O (Overwrite) option if you are extracting files this way.

    Version 5.21 of MARC also allows for indirection.
@ text @$NetBSD: patch-ae,v 1.1 2005/10/06 14:23:39 salo Exp $ Security fix for CAN-2005-2945 and CAN-2005-2992, from Debian. --- arcsvc.c.orig 1992-04-15 00:58:40.000000000 +0200 +++ arcsvc.c 2005-10-06 16:07:28.000000000 +0200 @@@@ -17,6 +17,9 @@@@ Computer Innovations Optimizing C86 */ #include +#include +#include +#include #include "arc.h" #if _MTS #include @@@@ -52,7 +55,12 @@@@ } #endif if (chg) { /* if opening for changes */ - if (!(new = fopen(newname, OPEN_W))) + int fd; + + if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR, S_IREAD|S_IWRITE)) == -1) + arcdie("Cannot create archive copy: %s", newname); + + if (!(new = fdopen(fd, OPEN_W))) arcdie("Cannot create archive copy: %s", newname); changing = chg; /* note if open for changes */ @ 1.1 log @Security fix for CAN-2005-2945 and CAN-2005-2992: "arc 5.21j and earlier create temporary files with world-readable permissions, which allows local users to read sensitive information from files created by arc or marc." http://www.zataz.net/adviso/arc-09052005.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2945 Patch from Debian. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ae was added on branch pkgsrc-2005Q3 on 2005-10-06 14:23:39 +0000 @ text @d1 30 @ 1.1.2.2 log @Pullup ticket 810 - requested by Lubomir Sedlacik security fix for arc Revisions pulled up: - pkgsrc/archivers/arc/Makefile 1.24 - pkgsrc/archivers/arc/distinfo 1.9 - pkgsrc/archivers/arc/patches/patch-ae 1.1 Module Name: pkgsrc Committed By: salo Date: Thu Oct 6 14:23:39 UTC 2005 Modified Files: pkgsrc/archivers/arc: Makefile distinfo Added Files: pkgsrc/archivers/arc/patches: patch-ae Log Message: Security fix for CAN-2005-2945 and CAN-2005-2992: "arc 5.21j and earlier create temporary files with world-readable permissions, which allows local users to read sensitive information from files created by arc or marc." http://www.zataz.net/adviso/arc-09052005.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2945 Patch from Debian. 
@ text @a0 30 $NetBSD: patch-ae,v 1.1.2.1 2005/10/08 06:27:21 snj Exp $ Security fix for CAN-2005-2945 and CAN-2005-2992, from Debian. --- arcsvc.c.orig 1992-04-15 00:58:40.000000000 +0200 +++ arcsvc.c 2005-10-06 16:07:28.000000000 +0200 @@@@ -17,6 +17,9 @@@@ Computer Innovations Optimizing C86 */ #include +#include +#include +#include #include "arc.h" #if _MTS #include @@@@ -52,7 +55,12 @@@@ } #endif if (chg) { /* if opening for changes */ - if (!(new = fopen(newname, OPEN_W))) + int fd; + + if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR, S_IREAD|S_IWRITE)) == -1) + arcdie("Cannot create archive copy: %s", newname); + + if (!(new = fdopen(fd, OPEN_W))) arcdie("Cannot create archive copy: %s", newname); changing = chg; /* note if open for changes */ @
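Review bot: In the second arcsvc.c hunk (-52,7 +55,12), the open() failure and the fdopen() failure both call arcdie() with the same "Cannot create archive copy: %s" text and no errno, so a user cannot tell a pre-existing file at newname (the EEXIST case that O_EXCL is there to catch) from a permissions or disk error. Suggest reporting strerror(errno), or a distinct message, on the open() path. The mode is spelled S_IREAD|S_IWRITE, which are legacy names; S_IRUSR|S_IWUSR is the POSIX spelling of the same owner-only intent. The patch touches only arcsvc.c, and the 5.21n changelog entry on this page states that the previous patch did not fix marc, so marc still needs a corresponding change until the update to 5.21n or later.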