head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.42
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.40
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.38
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.36
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2009Q4:1.2.0.34
	pkgsrc-2009Q4-base:1.2
	pkgsrc-2008Q4:1.2.0.32
	pkgsrc-2008Q4-base:1.2
	pkgsrc-2008Q3:1.2.0.30
	pkgsrc-2008Q3-base:1.2
	cube-native-xorg:1.2.0.28
	cube-native-xorg-base:1.2
	pkgsrc-2008Q2:1.2.0.26
	pkgsrc-2008Q2-base:1.2
	pkgsrc-2008Q1:1.2.0.24
	pkgsrc-2008Q1-base:1.2
	pkgsrc-2007Q4:1.2.0.22
	pkgsrc-2007Q4-base:1.2
	pkgsrc-2007Q3:1.2.0.20
	pkgsrc-2007Q3-base:1.2
	pkgsrc-2007Q2:1.2.0.18
	pkgsrc-2007Q2-base:1.2
	pkgsrc-2007Q1:1.2.0.16
	pkgsrc-2007Q1-base:1.2
	pkgsrc-2006Q4:1.2.0.14
	pkgsrc-2006Q4-base:1.2
	pkgsrc-2006Q3:1.2.0.12
	pkgsrc-2006Q3-base:1.2
	pkgsrc-2006Q2:1.2.0.10
	pkgsrc-2006Q2-base:1.2
	pkgsrc-2006Q1:1.2.0.8
	pkgsrc-2006Q1-base:1.2
	pkgsrc-2005Q4:1.2.0.6
	pkgsrc-2005Q4-base:1.2
	pkgsrc-2005Q3:1.2.0.4
	pkgsrc-2005Q3-base:1.2
	pkgsrc-2005Q2:1.2.0.2
	pkgsrc-2005Q2-base:1.2
	pkgsrc-2005Q1:1.1.0.2
	pkgsrc-2005Q1-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2005.04.22.19.05.28;	author wiz;	state dead;
branches;
next	1.1;

1.1
date	2005.01.20.14.15.04;	author xtraeme;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Removed mysql3-{client,server} -- obsoleted by the mysql-* and mysql4-*
packages, and the original authors have stopped maintaining them.
As a result, they now contain various vulnerabilities.
@
text
@$NetBSD: patch-az,v 1.1 2005/01/20 14:15:04 xtraeme Exp $

mysqlaccess symlink vulnerability

--- scripts/mysqlaccess.sh.orig	2005-01-16 14:28:38 -08:00
+++ scripts/mysqlaccess.sh	2005-01-16 14:28:38 -08:00
@@@@ -2,7 +2,7 @@@@
 # ****************************
 package MySQLaccess;
 #use strict;
-use POSIX qw(tmpnam);
+use File::Temp qw(tempfile tmpnam);
 use Fcntl;
 
 BEGIN {
@@@@ -32,7 +32,6 @@@@
 	$ACCESS_U_BCK = 'user_backup';   
 	$ACCESS_D_BCK = 'db_backup';     
         $DIFF      = '/usr/bin/diff'; 
-        $TMP_PATH  = '/tmp';             #path to writable tmp-directory
         $MYSQLDUMP = '@@bindir@@/mysqldump';
                                          #path to mysqldump executable
 
@@@@ -432,7 +431,7 @@@@
 # no caching on STDOUT
 	$|=1;
 
-	$MYSQL_CNF = POSIX::tmpnam();
+	$MYSQL_CNF = tmpnam();
 	%MYSQL_CNF = (client    => { },
                       mysql     => { },
                       mysqldump => { },
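Review bot: `$MYSQL_CNF = tmpnam();` still obtains only a file name. In scalar context File::Temp's `tmpnam` checks that the name does not exist and returns it without creating the file, so the window between choosing the name and the later open of `$MYSQL_CNF` remains, the same class of symlink race this patch is meant to close. The code that opens the file is outside this hunk, so confirm how it is opened. The safer form is to take the handle at creation time, `($cnf_fh, $MYSQL_CNF) = tempfile();`, and write the config through `$cnf_fh`, after which the `tmpnam` import added in the first hunk is no longer needed.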
@@@@ -577,8 +576,6 @@@@
 push(@@MySQLaccess::Grant::Error,'not_found_mysql')     if !(-x $MYSQL);
 push(@@MySQLaccess::Grant::Error,'not_found_diff')      if !(-x $DIFF);
 push(@@MySQLaccess::Grant::Error,'not_found_mysqldump') if !(-x $MYSQLDUMP);
-push(@@MySQLaccess::Grant::Error,'not_found_tmp')       if !(-d $TMP_PATH);
-push(@@MySQLaccess::Grant::Error,'write_err_tmp')       if !(-w $TMP_PATH);
 if (@@MySQLaccess::Grant::Error) {
    MySQLaccess::Report::Print_Error_Messages() ;
    exit 0;
@@@@ -1777,17 +1774,15 @@@@
    @@before = sort(@@before);
    @@after  = sort(@@after);
 
-   $before = "$MySQLaccess::TMP_PATH/$MySQLaccess::script.before.$$";
-   $after  = "$MySQLaccess::TMP_PATH/$MySQLaccess::script.after.$$";
-   #$after = "/tmp/t0";
-   open(BEFORE,"> $before") ||
-    push(@@MySQLaccess::Report::Errors,"Can't open temporary file $before for writing");
-   open(AFTER,"> $after") ||
-    push(@@MySQLaccess::Report::Errors,"Can't open temporary file $after for writing");
-   print BEFORE join("\n",@@before);
-   print AFTER  join("\n",@@after);
-   close(BEFORE);
-   close(AFTER);
+   ($hb, $before) = tempfile("$MySQLaccess::script.XXXXXX") or
+    push(@@MySQLaccess::Report::Errors,"Can't create temporary file: $!");
+   ($ha, $after)  = tempfile("$MySQLaccess::script.XXXXXX") or
+    push(@@MySQLaccess::Report::Errors,"Can't create temporary file: $!");
+
+   print $hb join("\n",@@before);
+   print $ha join("\n",@@after);
+   close $hb;
+   close $ha;
 
    # ----------------------------------
    # compute difference
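Review bot: The `or push(...)` fallbacks on the two `tempfile` calls can never run, because File::Temp's `tempfile` croaks on failure instead of returning an empty list, so a creation failure ends the script rather than being recorded in the `MySQLaccess::Report::Errors` list. If the report path should be kept, wrap each call in `eval { ... }` and push the message from the failure branch. A template given without `DIR` or `TMPDIR` is also created in the current working directory rather than the system temp directory, so the call can fail when the script is run from a directory that is not writable; `tempfile("$MySQLaccess::script.XXXXXX", TMPDIR => 1)` keeps the files in the temp directory. The enclosing sub starts and ends outside this hunk.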
@@@@ -1800,8 +1795,8 @@@@
 
    # ----------------------------------
    # cleanup temp. files
-   unlink(BEFORE);
-   unlink(AFTER);
+   unlink($before);
+   unlink($after);
 
    return \@@diffs;
 }
@@@@ -2316,14 +2311,6 @@@@
    => "The diff program <$MySQLaccess::DIFF> could not be found.\n"
      ."+ Check your path, or\n"
      ."+ edit the source of this script to point \$DIFF to the diff program.\n"
- ,'not_found_tmp'
-   => "The temporary directory <$MySQLaccess::TMP_PATH> could not be found.\n"
-     ."+ create this directory (writeable!), or\n"
-     ."+ edit the source of this script to point \$TMP_PATH to the right directory.\n"
- ,'write_err_tmp'
-   => "The temporary directory <$MySQLaccess::TMP_PATH> is not writable.\n"
-     ."+ make this directory writeable!, or\n"
-     ."+ edit the source of this script to point \$TMP_PATH to another directory.\n"
  ,'Unrecognized_option'
    => "Sorry,\n"
      ."You are using an old version of the mysql-program,\n"

@


1.1
log
@Apply patches from FreeBSD/ports to fix vulnerabilities in the
mysqlaccess and mysqlhotcopy scripts.

Bump PKGREVISION and BUILDLINK_RECOMMENDED.
@
text
@d1 1
a1 1
$NetBSD: patch-az,v 1.1 2005/01/20 13:37:48 xtraeme Exp $
@

