authorAlon Bar-Lev <alonbl@gentoo.org>2007-09-08 08:20:52 +0000
committerAlon Bar-Lev <alonbl@gentoo.org>2007-09-08 08:20:52 +0000
commit1e8174ee664f0eba10efba83a3199538a62151d5 (patch)
tree2f54ec467c9b656fedb598e59c31b5508f2fef93 /app-crypt
parentBump for 7.3. (diff)
Fix CVE-2007-4129, bug#191643
Package-Manager: portage-2.1.3.7
Diffstat (limited to 'app-crypt')
-rw-r--r--app-crypt/coolkey/ChangeLog8
-rw-r--r--app-crypt/coolkey/Manifest19
-rw-r--r--app-crypt/coolkey/coolkey-1.1.0-r1.ebuild35
-rw-r--r--app-crypt/coolkey/files/coolkey-1.1.0-cache-move.patch177
-rw-r--r--app-crypt/coolkey/files/digest-coolkey-1.1.0-r13
5 files changed, 237 insertions, 5 deletions
diff --git a/app-crypt/coolkey/ChangeLog b/app-crypt/coolkey/ChangeLog
index 4a7bf396cf0f..540726c45259 100644
--- a/app-crypt/coolkey/ChangeLog
+++ b/app-crypt/coolkey/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for app-crypt/coolkey
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/coolkey/ChangeLog,v 1.3 2007/05/06 15:41:37 dertobi123 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/coolkey/ChangeLog,v 1.4 2007/09/08 08:20:52 alonbl Exp $
+
+*coolkey-1.1.0-r1 (08 Sep 2007)
+
+ 08 Sep 2007; Alon Bar-Lev <alonbl@gentoo.org>
+ +files/coolkey-1.1.0-cache-move.patch, +coolkey-1.1.0-r1.ebuild:
+ Fix CVE-2007-4129, bug#191643
06 May 2007; Tobias Scherbaum <dertobi123@gentoo.org>
coolkey-1.1.0.ebuild:
diff --git a/app-crypt/coolkey/Manifest b/app-crypt/coolkey/Manifest
index eeca0ca43353..07b5b24685b9 100644
--- a/app-crypt/coolkey/Manifest
+++ b/app-crypt/coolkey/Manifest
@@ -1,12 +1,20 @@
+AUX coolkey-1.1.0-cache-move.patch 4176 RMD160 d93eb2865ca9351b83c5dff99cfbd25999d82102 SHA1 484584f25644eb7f8698979201b68151d014fc2f SHA256 18312c4097c0915fc89cc922127b4371c771ca22831cc8ed8681b529cd3b06a1
+MD5 49dd4c0c7f1f3ff444bd7a0a83290b8c files/coolkey-1.1.0-cache-move.patch 4176
+RMD160 d93eb2865ca9351b83c5dff99cfbd25999d82102 files/coolkey-1.1.0-cache-move.patch 4176
+SHA256 18312c4097c0915fc89cc922127b4371c771ca22831cc8ed8681b529cd3b06a1 files/coolkey-1.1.0-cache-move.patch 4176
DIST coolkey-1.1.0.tar.gz 432808 RMD160 1873e85aecb30c5311444c76fd85ba79633dce23 SHA1 54136decf9dfd091c8b231cb77dac97db95e1866 SHA256 8448e3abb81bffc593c96b577dcfbc05b40e8684188456c31be15fae73d730f7
+EBUILD coolkey-1.1.0-r1.ebuild 882 RMD160 843bfa0fb060f810addcbcd8e45a2c431ada7b8e SHA1 92f200b45a244bf4757000c28f1f121351b34be2 SHA256 bdf21d603e89c94609a5b79debcf376a978aa78dbc5b896150426e482662a236
+MD5 c13e2c2a8b3521b1e2d1681d875e5c24 coolkey-1.1.0-r1.ebuild 882
+RMD160 843bfa0fb060f810addcbcd8e45a2c431ada7b8e coolkey-1.1.0-r1.ebuild 882
+SHA256 bdf21d603e89c94609a5b79debcf376a978aa78dbc5b896150426e482662a236 coolkey-1.1.0-r1.ebuild 882
EBUILD coolkey-1.1.0.ebuild 736 RMD160 e399b4d55ca57eb6ef878471dc826932eeec12ec SHA1 63d423402e5e1a89080b418ad10a061dc58122b0 SHA256 233f2b40243435f21e15c6ea0ffabe46a50f16e965a6c72e00577d9f2a6b4c26
MD5 b7ae600ce3d5d0fc17d45cfadb8d88d2 coolkey-1.1.0.ebuild 736
RMD160 e399b4d55ca57eb6ef878471dc826932eeec12ec coolkey-1.1.0.ebuild 736
SHA256 233f2b40243435f21e15c6ea0ffabe46a50f16e965a6c72e00577d9f2a6b4c26 coolkey-1.1.0.ebuild 736
-MISC ChangeLog 591 RMD160 0b399bf710b7c26e83bfbbc8b78c0d4aeb224873 SHA1 f25d3c8a46724a8f9feb1b50d133b7b14a7952ac SHA256 89a8b0f86f7083bd9d8cad82b41d34e5a992b02f5dc3bcfa5e2bfdfbd07c0b05
-MD5 cb4fe6a0f76196599dec0d80dba21947 ChangeLog 591
-RMD160 0b399bf710b7c26e83bfbbc8b78c0d4aeb224873 ChangeLog 591
-SHA256 89a8b0f86f7083bd9d8cad82b41d34e5a992b02f5dc3bcfa5e2bfdfbd07c0b05 ChangeLog 591
+MISC ChangeLog 768 RMD160 c689a092dd4635f5084a81cf366f913192997a34 SHA1 d6e2a722dcdedcd64a4ffe7273eb3345ebd23e72 SHA256 307237631feaea9758b28b5e2af117c6602bbc9ac9b5edf2373f0ccbdd8836a9
+MD5 9a60eb6216cab5207ed0e58fec13127b ChangeLog 768
+RMD160 c689a092dd4635f5084a81cf366f913192997a34 ChangeLog 768
+SHA256 307237631feaea9758b28b5e2af117c6602bbc9ac9b5edf2373f0ccbdd8836a9 ChangeLog 768
MISC metadata.xml 224 RMD160 74db96ad8aa1d285d83ae93a9f4a767335f55c15 SHA1 d86a171d981b45e7ed0c0b3b5059d2a63c811001 SHA256 9e9ce661a9fdb45a535ad875a247b700a70745359b27533ec29a6a46fa708e86
MD5 566cf4f89e44670d0aba4a745913d748 metadata.xml 224
RMD160 74db96ad8aa1d285d83ae93a9f4a767335f55c15 metadata.xml 224
@@ -14,3 +22,6 @@ SHA256 9e9ce661a9fdb45a535ad875a247b700a70745359b27533ec29a6a46fa708e86 metadata
MD5 e5642ba817e6a4696c1c9ec9f2b301df files/digest-coolkey-1.1.0 241
RMD160 e06282bce4cf3f80c5a4fa9050a80141a101ee1d files/digest-coolkey-1.1.0 241
SHA256 4ca64118d409ee2afe5efec4fe637d538dd41ef12dc454c86af9d3e82fd0dd75 files/digest-coolkey-1.1.0 241
+MD5 e5642ba817e6a4696c1c9ec9f2b301df files/digest-coolkey-1.1.0-r1 241
+RMD160 e06282bce4cf3f80c5a4fa9050a80141a101ee1d files/digest-coolkey-1.1.0-r1 241
+SHA256 4ca64118d409ee2afe5efec4fe637d538dd41ef12dc454c86af9d3e82fd0dd75 files/digest-coolkey-1.1.0-r1 241
diff --git a/app-crypt/coolkey/coolkey-1.1.0-r1.ebuild b/app-crypt/coolkey/coolkey-1.1.0-r1.ebuild
new file mode 100644
index 000000000000..3213f99e094a
--- /dev/null
+++ b/app-crypt/coolkey/coolkey-1.1.0-r1.ebuild
@@ -0,0 +1,35 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/coolkey/coolkey-1.1.0-r1.ebuild,v 1.1 2007/09/08 08:20:52 alonbl Exp $
+
+inherit eutils
+
+DESCRIPTION="Linux Driver support for the CoolKey and CAC products"
+HOMEPAGE="http://directory.fedora.redhat.com/wiki/CoolKey"
+SRC_URI="http://directory.fedora.redhat.com/download/coolkey/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~ppc ~ppc64 ~x86"
+IUSE="debug"
+RDEPEND="sys-apps/pcsc-lite
+ sys-libs/zlib"
+DEPEND="${RDEPEND}
+ dev-util/pkgconfig"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}/${P}-cache-move.patch"
+}
+
+src_compile() {
+ econf $(use_enable debug) || die "configure failed"
+ emake || die "make failed"
+}
+
+src_install() {
+ emake install DESTDIR="${D}" || die
+ diropts -m 1777
+ keepdir /var/cache/coolkey
+}
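Review bot: The `diropts -m 1777` / `keepdir /var/cache/coolkey` pair in src_install creates a world-writable sticky directory with no comment saying why, which is the kind of line a later cleanup tends to "tighten" or drop. I would add a comment above it such as `# shared cache dir for the patched library (BASEPATH "/var/cache" + "/coolkey"): sticky + world-writable so each uid can create its own 0600 cache file`. The path has to stay in step with MEMSEGPATH in files/coolkey-1.1.0-cache-move.patch; if upstream is ever built with FULL_CLEANUP the library uses `/var/cache/coolkey-lock` instead, which this ebuild does not create. Separately, `emake install DESTDIR="${D}" || die` could carry a message like the two `die` calls in src_compile.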
diff --git a/app-crypt/coolkey/files/coolkey-1.1.0-cache-move.patch b/app-crypt/coolkey/files/coolkey-1.1.0-cache-move.patch
new file mode 100644
index 000000000000..7dbd0ec3070b
--- /dev/null
+++ b/app-crypt/coolkey/files/coolkey-1.1.0-cache-move.patch
@@ -0,0 +1,177 @@
+Index: src/coolkey/machdep.cpp
+===================================================================
+RCS file: /cvs/dirsec/coolkey/src/coolkey/machdep.cpp,v
+retrieving revision 1.4
+diff -u -r1.4 machdep.cpp
+--- src/coolkey/machdep.cpp 14 Feb 2007 00:46:28 -0000 1.4
++++ src/coolkey/machdep.cpp 15 Aug 2007 01:41:11 -0000
+@@ -185,12 +185,20 @@
+ #define MAP_INHERIT 0
+ #endif
+
++#ifndef BASEPATH
++#ifdef MAC
++#define BASEPATH "/var"
++#else
++#define BASEPATH "/var/cache"
++#endif
++#endif
++
+ #ifdef FULL_CLEANUP
+ #define RESERVED_OFFSET 256
+-#define MEMSEGPATH "/tmp/.pk11ipc"
++#define MEMSEGPATH BASEPATH"/coolkey-lock"
+ #else
+ #define RESERVED_OFFSET 0
+-#define MEMSEGPATH "/tmp/.pk11ipc1"
++#define MEMSEGPATH BASEPATH"/coolkey"
+ #endif
+
+ struct SHMemData {
+@@ -208,11 +216,6 @@
+ #ifdef FULL_CLEANUP
+ flock(fd,LOCK_EX);
+ unsigned long ref = --(*(unsigned long *)addr);
+-#ifdef notdef
+- if (ref == 0) {
+- unlink(path);
+- }
+-#endif
+ flock(fd, LOCK_UN);
+ #endif
+ munmap(addr,size+RESERVED_OFFSET);
+@@ -225,6 +228,73 @@
+ }
+ }
+
++/*
++ * The cache directory is shared and accessible by anyone, make
++ * sure the cache file we are opening is really a valid cache file.
++ */
++int safe_open(char *path, int flags, int mode, int size)
++{
++ struct stat buf;
++ int fd, ret;
++
++ fd = open (path, flags|O_NOFOLLOW, mode);
++
++ if (fd < 0) {
++ return fd;
++ }
++
++ ret = fstat(fd, &buf);
++ if (ret < 0) {
++ close (fd);
++ return ret;
++ }
++
++ /* our cache files are pretty specific, make sure we are looking
++ * at the correct one */
++
++ /* first, we should own the file ourselves, don't open a file
++ * that someone else wanted us to see. */
++ if (buf.st_uid != getuid()) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* next, there should only be one link in this file. Don't
++ * use this code to trash another file */
++ if (buf.st_nlink != 1) {
++ close(fd);
++ errno = EMLINK;
++ return -1;
++ }
++
++ /* next, This better be a regular file */
++ if (!S_ISREG(buf.st_mode)) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* if the permissions don't match, something is wrong */
++ if ((buf.st_mode & 03777) != mode) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* finally the file should be the correct size. This
++ * check isn't so much to protect from an attack, as it is to
++ * detect a corrupted cache file */
++ if (buf.st_size != size) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* OK, the file checked out, ok to continue */
++ return fd;
++}
++
+ SHMem::SHMem(): shmemData(0) {}
+
+ SHMem *
+@@ -248,7 +318,7 @@
+ return NULL;
+ }
+ int mask = umask(0);
+- int ret = mkdir (MEMSEGPATH, 0777);
++ int ret = mkdir (MEMSEGPATH, 1777);
+ umask(mask);
+ if ((ret == -1) && (errno != EEXIST)) {
+ delete shmemData;
+@@ -264,21 +334,16 @@
+ shmemData->path[sizeof(MEMSEGPATH)-1] = '/';
+ strcpy(&shmemData->path[sizeof(MEMSEGPATH)],name);
+
+- int mode = 0777;
+- if (strcmp(name,"token_names") != 0) {
+- /* each user gets his own uid array */
+- sprintf(uid_str, "-%u",getuid());
+- strcat(shmemData->path,uid_str);
+- mode = 0700;
+- }
++ sprintf(uid_str, "-%u",getuid());
++ strcat(shmemData->path,uid_str);
++ int mode = 0600;
++
+ shmemData->fd = open(shmemData->path,
+ O_CREAT|O_RDWR|O_EXCL|O_APPEND|O_EXLOCK, mode);
+- if (shmemData->fd < 0) {
+- needInit = false;
+- shmemData->fd = open(shmemData->path,O_RDWR|O_EXLOCK, mode);
+- } else {
++ if (shmemData->fd >= 0) {
+ char *buf;
+ int len = size+RESERVED_OFFSET;
++ int ret;
+
+ buf = (char *)calloc(1,len);
+ if (!buf) {
+@@ -289,8 +354,22 @@
+ delete shmemData;
+ return NULL;
+ }
+- write(shmemData->fd,buf,len);
++ ret = write(shmemData->fd,buf,len);
++ if (ret != len) {
++ unlink(shmemData->path);
++#ifdef FULL_CLEANUP
++ flock(shmemData->fd, LOCK_UN);
++#endif
++ delete shmemData;
++ return NULL;
++ }
++
+ free(buf);
++ } else if (errno == EEXIST) {
++ needInit = false;
++
++ shmemData->fd = safe_open(shmemData->path,O_RDWR|O_EXLOCK, mode,
++ size+RESERVED_OFFSET);
+ }
+ if (shmemData->fd < 0) {
+ delete shmemData;
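Review bot: The new `mkdir (MEMSEGPATH, 1777)` passes a decimal literal, so the requested mode is octal 03361 rather than the sticky world-writable 01777 the surrounding change intends; it should read `int ret = mkdir (MEMSEGPATH, 01777);`. On Gentoo the ebuild pre-creates the directory, so this call normally returns EEXIST, but whenever the directory is missing it would be created with permissions that stop other users from creating their cache files. In the added write-failure branch (`if (ret != len)`), the function returns without `free(buf)`, so the calloc'd buffer leaks; add `free(buf);` before `delete shmemData;`, and confirm the descriptor is closed there too, since no `close` is visible in that branch. The `sprintf`/`strcat` of `uid_str` into `shmemData->path` is now unconditional, so it is worth checking that the path allocation (outside these hunks) reserves room for the suffix on every name. The enclosing function begins and ends outside the embedded hunks, so the allocation and destructor behaviour are inferred rather than seen.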
diff --git a/app-crypt/coolkey/files/digest-coolkey-1.1.0-r1 b/app-crypt/coolkey/files/digest-coolkey-1.1.0-r1
new file mode 100644
index 000000000000..dd78e72a41cb
--- /dev/null
+++ b/app-crypt/coolkey/files/digest-coolkey-1.1.0-r1
@@ -0,0 +1,3 @@
+MD5 815a1811a46bf9b8782107c073149cbe coolkey-1.1.0.tar.gz 432808
+RMD160 1873e85aecb30c5311444c76fd85ba79633dce23 coolkey-1.1.0.tar.gz 432808
+SHA256 8448e3abb81bffc593c96b577dcfbc05b40e8684188456c31be15fae73d730f7 coolkey-1.1.0.tar.gz 432808