Fix tomboy insecure LD_LIBRARY_PATH (CVE-2010-4005).

Package-Manager: portage-2.1.9.41/cvs/Linux x86_64

4 files changed, 113 insertions, 16 deletions

diff --git a/app-misc/tomboy/ChangeLog b/app-misc/tomboy/ChangeLog
index f6ff602ffcd7..ba2d9a8dbcd4 100644
--- a/app-misc/tomboy/ChangeLog
+++ b/app-misc/tomboy/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for app-misc/tomboy
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-misc/tomboy/ChangeLog,v 1.110 2011/01/29 17:03:44 hwoarang Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-misc/tomboy/ChangeLog,v 1.111 2011/02/26 17:10:21 pacho Exp $
+
+*tomboy-1.4.2-r1 (26 Feb 2011)
+
+  26 Feb 2011; Pacho Ramos <pacho@gentoo.org> +tomboy-1.4.2-r1.ebuild,
+  +files/tomboy-1.4.2-insecure-path.patch:
+  Fix tomboy insecure LD_LIBRARY_PATH (CVE-2010-4005).
 
   29 Jan 2011; Markos Chandras <hwoarang@gentoo.org> tomboy-1.4.2.ebuild:
   Stable on amd64 wrt bug #352808
diff --git a/app-misc/tomboy/Manifest b/app-misc/tomboy/Manifest
index e319356aecd8..55caac4f5510 100644
--- a/app-misc/tomboy/Manifest
+++ b/app-misc/tomboy/Manifest
@@ -1,27 +1,19 @@
 -----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA512
+Hash: SHA1
 
 AUX tomboy-1.2.1-xmllint-validation.patch 3530 RMD160 296355050671f29196539190feadf86d20d2f1e2 SHA1 b56d095596742788cfe0cbdf5c06acc145d2f0ec SHA256 44e13f6be0bb21d14645f3f722484e84cd971dcd9d4326b762620fd2c6c67c33
+AUX tomboy-1.4.2-insecure-path.patch 1236 RMD160 3bb1753e9d50952931b57ae8fb99bf546df6f32f SHA1 bf8cc7c6aa4c20bcc6e41c7ebb6d658e7451235b SHA256 92d43d222009f066f86ecbc7164261f9348360df561a8af31eb8edab487a8837
 DIST tomboy-1.2.1.tar.bz2 6548915 RMD160 ddd17f0c53fd82490e66a2e7e769e5846a2ff0f4 SHA1 cf50b648dc40cf1ea066647ce6a6e818d160de26 SHA256 9cb69d399e25e2a773cce5518c60b65dfdb70a46f487527e38cc013688762f99
 DIST tomboy-1.4.2.tar.bz2 7095365 RMD160 5bd97008b34a9b133a9c9d7b3ae9fe2bd73af157 SHA1 34c9a569bfed659a2bdd7b095c736f7c8ded8fde SHA256 823270473c819d6592074a0dcd41c29fd857b29a0318061aaabfa38fff3cc7e7
 EBUILD tomboy-1.2.1.ebuild 1662 RMD160 8e50384844221588db2f44dfc22de5cded7363d4 SHA1 2a209d99bb49909ac407d42cbd214be3587cbcc3 SHA256 a77bd2f4a68f97caaba8a5a7ac35d437651b1d81ff9bdbd23a852ff3edc87837
+EBUILD tomboy-1.4.2-r1.ebuild 1730 RMD160 64bb263ebbfbfb1ee1be1074f2e925e6c934d780 SHA1 6dc0869d77fb0ffea430c3c221e76a34483f1680 SHA256 7e3be88c59b3a29c8fdc8bb19e138332b8fa4b038bf658741c6606dd14af12a3
 EBUILD tomboy-1.4.2.ebuild 1577 RMD160 4d797460a6010fc6af602470fd3bd0392fff3484 SHA1 032cfda5e4876c865f7f6481e4dae483610d5f80 SHA256 21ed8fbb705321748e735c03ecf3c0ec9783de53d7a88fbae6ea0153d3b71697
-MISC ChangeLog 16707 RMD160 8dcd1498e22a8b97b066b3eb06fb56fdc505c9e2 SHA1 67dd0dbc4a3581666ff0f379c32aebd5caece7dd SHA256 ca244e30886d7720630a1911cb6bfcf623e18e0a6e0506c1ba375a5979527bf8
+MISC ChangeLog 16906 RMD160 d7d14debf4af5bae85a2186bdd240c83cbef447a SHA1 73f94e5350a1db40b04e64c256ea641b44dd140a SHA256 0b376dce676fbdca0ce73106435da5157a907aabed7cbf6a396427d5a2657d60
 MISC metadata.xml 382 RMD160 7995d8c071dc3c111daa117243b916f7a5d8398c SHA1 85b1a41e0cf5c90a8ce9eecdec4abdd6297a4569 SHA256 3f7c4f99441bc78e86be2884a3e50a4d94a289b921a6d7a8d07af0c33270c4f7
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.17 (GNU/Linux)
 
-iQIcBAEBCgAGBQJNREgwAAoJEPqDWhW0r/LCdUIQALT4TH4G6h4yEnmvB1B0qwzZ
-RoLpr5T+/dE21bzuChNSm65LoRIU0KIIDuumayQKR0i6z/AaLTfjHHYJ5KYMgIIi
-M+H54hTkPqvhLGe4T6H2IjlgyDT9tdMI+Mj7ofMVjxW0z016CVQJw4yxUMwcL+i1
-Tp4vQazs+40dTQCJHeqSdfOZ5z/mZ2qOFNVaJ16j/03DxCEkA+vkomYyyacQeLVW
-0OQMFePa312wKj5M7/mmH2QT5f9fAEGg4FfURwBHZTJGGbSZtBZLpWN6YYFBQQYo
-8pr5Zl8yQiZdUwbpirJurSfu4MB+cVWavk9kqQcTjcdl8cuuhaduY96lQ1SZi8ws
-RFEy/Oflyn7YvdWCRGV7Sfoimp4PCQL90xvk1LsuXddaWkFOpTHJ1tXmWAY/an7W
-KN4zLLu03LJsN4DfU4uN+nMCzYdB5MupfmM3odDKbkagHu4xtuBH3/ffN5Kn4l9m
-dDnqbmJXPu6NyXrVWfAJCRCVvsVw8u+T72vbC2pUmGNvwv4C7QqTz2pHuYZV+xPs
-ZAFvrtaIvY/o5vj1IOmuW7wsDqqKOVeUNyncSRZksbJDh6n57rRDhEBNxJQ2GnpV
-e9ojseot0NCkge70z2vsLhhxyR+62rWpz2x2XccG+Wo5KsG+W8BP+ObxUH7J3kLt
-plLZrRtLuhzpQmB4EKMP
-=Km+u
+iEYEARECAAYFAk1pNAMACgkQCaWpQKGI+9Q5HQCdEjXL2PIouou+NXbpsbtuUEky
+jZUAoIQ/lsBm4o4qOHZHMkdhATAB3MjW
+=eQL0
 -----END PGP SIGNATURE-----
diff --git a/app-misc/tomboy/files/tomboy-1.4.2-insecure-path.patch b/app-misc/tomboy/files/tomboy-1.4.2-insecure-path.patch
new file mode 100644
index 000000000000..c7a51bd96f05
--- /dev/null
+++ b/app-misc/tomboy/files/tomboy-1.4.2-insecure-path.patch
@@ -0,0 +1,33 @@
+From 3f7cba58132c2d27714a5c9a76768a244758f534 Mon Sep 17 00:00:00 2001
+From: Luis Medinas <lmedinas@gnome.org>
+Date: Fri, 03 Dec 2010 13:46:41 +0000
+Subject: Fix Bug 635614 - tomboy insecure LD_LIBRARY_PATH
+
+Fix CVE-2010-4005. Originally found by Ludwig Nussel <lnussel@novell.com>.
+---
+diff --git a/Tomboy/tomboy-panel.in b/Tomboy/tomboy-panel.in
+index 206a21f..0caeee0 100644
+--- a/Tomboy/tomboy-panel.in
++++ b/Tomboy/tomboy-panel.in
+@@ -1,6 +1,6 @@
+ #!/usr/bin/env bash
+ 
+-export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
++export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+ export MONO_PATH=$MONO_PATH:@pkglibdir@:@pkglibdir@/addins
+ export TOMBOY_WRAPPER_PATH="@bindir@/@wrapper@"
+ TOMBOY_CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/tomboy"
+diff --git a/Tomboy/tomboy.in b/Tomboy/tomboy.in
+index 4512746..a69ddb1 100644
+--- a/Tomboy/tomboy.in
++++ b/Tomboy/tomboy.in
+@@ -1,6 +1,6 @@
+ #!/usr/bin/env bash
+ 
+-export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
++export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+ export MONO_PATH=$MONO_PATH:@pkglibdir@:@pkglibdir@/addins
+ export TOMBOY_WRAPPER_PATH="@bindir@/@wrapper@"
+ 
+--
+cgit v0.8.3.4
diff --git a/app-misc/tomboy/tomboy-1.4.2-r1.ebuild b/app-misc/tomboy/tomboy-1.4.2-r1.ebuild
new file mode 100644
index 000000000000..402e28a63b5b
--- /dev/null
+++ b/app-misc/tomboy/tomboy-1.4.2-r1.ebuild
@@ -0,0 +1,66 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-misc/tomboy/tomboy-1.4.2-r1.ebuild,v 1.1 2011/02/26 17:10:21 pacho Exp $
+
+EAPI="3"
+GCONF_DEBUG="no"
+
+inherit gnome2 mono eutils
+
+DESCRIPTION="Desktop note-taking application"
+HOMEPAGE="http://projects.gnome.org/tomboy/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+IUSE="+applet eds galago"
+
+RDEPEND=">=dev-lang/mono-2
+	>=dev-dotnet/gtk-sharp-2.12.6-r1
+	>=dev-dotnet/gconf-sharp-2.24.0
+	>=dev-dotnet/gnome-sharp-2.24.0
+	>=dev-dotnet/gnome-panel-sharp-2.24.0
+	>=dev-dotnet/gnome-desktop-sharp-2.24.0
+	>=dev-dotnet/dbus-sharp-0.4
+	>=dev-dotnet/dbus-glib-sharp-0.3
+	>=dev-dotnet/mono-addins-0.3[gtk]
+	>=x11-libs/gtk+-2.12.0:2
+	>=dev-libs/atk-1.2.4
+	>=gnome-base/gconf-2
+	>=app-text/gtkspell-2.0.9
+	applet? ( || ( gnome-base/gnome-panel[bonobo] <gnome-base/gnome-panel-2.32 ) )
+	eds? ( dev-libs/gmime:2.4[mono] )
+	galago? ( =dev-dotnet/galago-sharp-0.5* )"
+DEPEND="${RDEPEND}
+	>=app-text/gnome-doc-utils-0.17.3
+	app-text/rarian
+	dev-libs/libxml2[python]
+	sys-devel/gettext
+	dev-util/pkgconfig
+	>=dev-util/intltool-0.35"
+
+pkg_setup() {
+	G2CONF="${G2CONF}
+		$(use_enable applet panel-applet)
+		$(use_enable eds evolution)
+		$(use_enable galago)
+		--disable-update-mimedb"
+	DOCS="AUTHORS ChangeLog NEWS README"
+}
+
+src_prepare() {
+	gnome2_src_prepare
+
+	# Fix tomboy insecure LD_LIBRARY_PATH (CVE-2010-4005)
+	epatch "${FILESDIR}/${P}-insecure-path.patch"
+}
+
+src_compile() {
+	# Not parallel build safe due upstream bug #631546
+	MAKEOPTS="${MAKEOPTS} -j1" gnome2_src_compile
+}
+
+src_install() {
+	gnome2_src_install
+	find "${ED}" -name "*.la" -delete || die "remove of la files failed"
+}