Fixed bug #193121. the patch is from debian.

(Portage version: 2.1.3.9)

2 files changed, 87 insertions, 0 deletions

diff --git a/app-i18n/skktools/files/digest-skktools-1.2-r1 b/app-i18n/skktools/files/digest-skktools-1.2-r1
new file mode 100644
index 000000000000..8a3d31a1ecc1
--- /dev/null
+++ b/app-i18n/skktools/files/digest-skktools-1.2-r1
@@ -0,0 +1,3 @@
+MD5 eec35c1ce3fedf9b5d3939d4e625cf4d skktools-1.2.tar.gz 206799
+RMD160 cb157d231bf3132b6a9476fcafbeb30ec019811d skktools-1.2.tar.gz 206799
+SHA256 e68b6b2b3f6a62bc37e35aca42bbff69ab5bcd4d7e7061354f1a6f3419f14e80 skktools-1.2.tar.gz 206799
diff --git a/app-i18n/skktools/files/skktools-1.2-CVE-2007-3916.patch b/app-i18n/skktools/files/skktools-1.2-CVE-2007-3916.patch
new file mode 100644
index 000000000000..afbac64bb1d8
--- /dev/null
+++ b/app-i18n/skktools/files/skktools-1.2-CVE-2007-3916.patch
@@ -0,0 +1,84 @@
+--- skktools-1.2+0.20061004.orig/skkdic-expr.c
++++ skktools-1.2+0.20061004/skkdic-expr.c
+@@ -92,6 +92,7 @@
+ char file_name[256];
+ char okuri_tail_name[256];
+ char okuri_head_name[256];
++char tmpsubdir[256];
+ 
+ /* 作業用データベース */
+ DBM *db;
+@@ -127,28 +128,28 @@
+     char dir_name[256];
+ 
+     db_remove_file(file_name);
+-    sprintf(pag_name, "%s.pag", file_name);
++    snprintf(pag_name, sizeof(pag_name), "%s.pag", file_name);
+     db_remove_file(pag_name);
+-    sprintf(dir_name, "%s.dir", file_name);
++    snprintf(dir_name, sizeof(dir_name), "%s.dir", file_name);
+     db_remove_file(dir_name);
+-    sprintf(dir_name, "%s.db", file_name);
++    snprintf(dir_name, sizeof(dir_name), "%s.db", file_name);
+     db_remove_file(dir_name);
+ 
+     if (okurigana_flag) {
+ 	db_remove_file(okuri_head_name);
+-	sprintf(pag_name, "%s.pag", okuri_head_name);
++	snprintf(pag_name, sizeof(pag_name), "%s.pag", okuri_head_name);
+ 	db_remove_file(pag_name);
+-	sprintf(dir_name, "%s.dir", okuri_head_name);
++	snprintf(dir_name, sizeof(dir_name), "%s.dir", okuri_head_name);
+ 	db_remove_file(dir_name);
+-	sprintf(dir_name, "%s.db", okuri_head_name);
++	snprintf(dir_name, sizeof(dir_name), "%s.db", okuri_head_name);
+ 	db_remove_file(dir_name);
+ 
+ 	db_remove_file(okuri_tail_name);
+-	sprintf(pag_name, "%s.pag", okuri_tail_name);
++	snprintf(pag_name, sizeof(pag_name), "%s.pag", okuri_tail_name);
+ 	db_remove_file(pag_name);
+-	sprintf(dir_name, "%s.dir", okuri_tail_name);
++	snprintf(dir_name, sizeof(dir_name), "%s.dir", okuri_tail_name);
+ 	db_remove_file(dir_name);
+-	sprintf(dir_name, "%s.db", okuri_tail_name);
++	snprintf(dir_name, sizeof(dir_name), "%s.db", okuri_tail_name);
+ 	db_remove_file(dir_name);
+     }
+ }
+@@ -235,6 +236,7 @@
+      int signo;
+ {
+     db_remove_files();
++    rmdir(tmpsubdir);
+     signal(signo, SIG_DFL);
+     kill(getpid(), signo);
+ }
+@@ -816,10 +818,16 @@
+ 	exit(1);
+     }
+ 
+-    sprintf(file_name, "%s/skkdic%d", tmpdir, getpid());
++    snprintf(tmpsubdir, sizeof(tmpsubdir), "%s/skkdic%d", tmpdir, getpid());
++    if (mkdir(tmpsubdir, 0700)) {
++	perror(tmpsubdir);
++	exit(1);
++    }
++    tmpdir = tmpsubdir;
++    snprintf(file_name, sizeof(file_name), "%s/skkdic%d", tmpdir, getpid());
+     if (okurigana_flag) {
+-	sprintf(okuri_head_name, "%s/skkhead%d", tmpdir, getpid());
+-	sprintf(okuri_tail_name, "%s/skktail%d", tmpdir, getpid());
++	snprintf(okuri_head_name, sizeof(okuri_head_name), "%s/skkhead%d", tmpdir, getpid());
++	snprintf(okuri_tail_name, sizeof(okuri_tail_name), "%s/skktail%d", tmpdir, getpid());
+     }
+     set_signal_handler();
+     db_make_files();
+@@ -845,6 +853,7 @@
+     }
+     type_out(output);
+     db_remove_files();
++    rmdir(tmpsubdir);
+     return 0;
+ }
+