authorMarkos Chandras <hwoarang@gentoo.org>2011-08-07 12:09:02 +0000
committerMarkos Chandras <hwoarang@gentoo.org>2011-08-07 12:09:02 +0000
commitfa5535ce49db590c9240043cc4d67ef57bfe9e0b (patch)
tree79577f067aafe813431edd1806c4d196b8c71a4c /media-video/minitube
parentversion bump (diff)
Add security fix and mark stable for amd64. Bug #377929
Package-Manager: portage-2.2.0_alpha50/cvs/Linux x86_64
Diffstat (limited to 'media-video/minitube')
-rw-r--r--media-video/minitube/ChangeLog6
-rw-r--r--media-video/minitube/Manifest25
-rw-r--r--media-video/minitube/files/minitube-1.5-non-static-filename.patch39
-rw-r--r--media-video/minitube/minitube-1.4.ebuild56
-rw-r--r--media-video/minitube/minitube-1.5.ebuild8
5 files changed, 67 insertions, 67 deletions
diff --git a/media-video/minitube/ChangeLog b/media-video/minitube/ChangeLog
index 6b490695b71b..cf8a7c672071 100644
--- a/media-video/minitube/ChangeLog
+++ b/media-video/minitube/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for media-video/minitube
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/ChangeLog,v 1.54 2011/08/07 03:23:27 phajdan.jr Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/ChangeLog,v 1.55 2011/08/07 12:09:02 hwoarang Exp $
+
+ 07 Aug 2011; Markos Chandras <hwoarang@gentoo.org> -minitube-1.4.ebuild,
+ minitube-1.5.ebuild, +files/minitube-1.5-non-static-filename.patch:
+ Add security fix and mark stable for amd64. Bug #377929
07 Aug 2011; Pawel Hajdan jr <phajdan.jr@gentoo.org> minitube-1.5.ebuild:
x86 stable wrt bug #377929
diff --git a/media-video/minitube/Manifest b/media-video/minitube/Manifest
index 8b4fbe421e17..d08318a99bd4 100644
--- a/media-video/minitube/Manifest
+++ b/media-video/minitube/Manifest
@@ -1,16 +1,25 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-DIST minitube-1.4.tar.gz 444068 RMD160 7012400263f30b724eb5a659d647ca0409a77c98 SHA1 8ab536c57b3c477e9946c1b823ce0b8f57f51185 SHA256 5ed032de1b4f6e2b1e88e4b2c881efd63a26a255db44d5c9528b6abb134e3db9
+AUX minitube-1.5-non-static-filename.patch 1423 RMD160 c6aa3ad751a37dd7d2363f1b2236fbc150b96914 SHA1 c1a6d3239ce9f7ffd11ea1d84cd8effc6c8bcc99 SHA256 6c0832e8132ef25176ac6a24bc23fd212015a04c23549810a3301d3ee4a51bb2
DIST minitube-1.5.tar.gz 516313 RMD160 3672d9e2b53ccf386a139e1a5d6a5133a1d9ccbc SHA1 cf2ae85ef4b60ce67496eebe412bffe010eb1d54 SHA256 dd98301b878cd408130f677b7c69c49b969629f15cdfe10e01321977413a3ac9
-EBUILD minitube-1.4.ebuild 1602 RMD160 f02f821506ceb127e34c73f10bd486aca9127a82 SHA1 499cffa1883ee21a9b5200fe5eb44486c513251d SHA256 ed3259d27ef269e16245b320c1727c7004c757ccaa4c31632103c8dc1367a65c
-EBUILD minitube-1.5.ebuild 1412 RMD160 106b98ab6a6b83d36df39c53ca7e05620a5a35e2 SHA1 27050de6d153f6dd074ccfb360d9db53c5f2005c SHA256 b70e9358b8fca4f10edcb95e0d544b993117498aee83b7ce4d8e0c848d29caa5
-MISC ChangeLog 7740 RMD160 727a1bdd37bbc196ff0b9cceb3fbb33d912e46bc SHA1 de0d7db6a685f87cd090cf1edb4ef6c9767fb662 SHA256 e5284a9b0ae9095cf31e4a51b34e20fdbbcf09f8ba9def6665154fc04044c2bb
+EBUILD minitube-1.5.ebuild 1468 RMD160 4c864ff9b7ab993cd2b5829156bdcf60ccf07eb6 SHA1 29cb8c9021e2ba8e2b12a3508189b5af5a145280 SHA256 22eb66f6cb34dffb9bdb415939df6a8483b29675d81158dc2f6cc75188c4e51c
+MISC ChangeLog 7942 RMD160 a7b89e64fc4954ecbde4cce461598ee40207ac9e SHA1 890bb6fa10ec34b54ee15b0e8be9fb44dc20356a SHA256 d7974a312af003c3c688ecf2fff58a80cd191a56b0dfbc36758d2e3074d1d5a0
MISC metadata.xml 265 RMD160 e723dc6fc78de62b3144444b1329d9791b1f2099 SHA1 4ed7a4469aafc625f36fb28d3b7932d1c9e75f91 SHA256 218f4f107ec5040834a5d0d24c83e179cdd83cdb49a639fa29df53f479a680c7
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.17 (GNU/Linux)
+Version: GnuPG v2.0.18 (GNU/Linux)
-iEYEAREKAAYFAk4+BTUACgkQuUQtlDBCeQKu1wCdGVLKCxRMpuQh+Tk1ILStJgv1
-tfAAn2Af/T+X380NU5tYnA6vVkHLOP6d
-=fldh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+=cHGT
-----END PGP SIGNATURE-----
diff --git a/media-video/minitube/files/minitube-1.5-non-static-filename.patch b/media-video/minitube/files/minitube-1.5-non-static-filename.patch
new file mode 100644
index 000000000000..443b40b1b67d
--- /dev/null
+++ b/media-video/minitube/files/minitube-1.5-non-static-filename.patch
@@ -0,0 +1,39 @@
+From 70d17805055f8b4dc4e2ea77112f41bbe5a56a9c Mon Sep 17 00:00:00 2001
+From: Markos Chandras <hwoarang@gentoo.org>
+Date: Sun, 7 Aug 2011 13:04:29 +0100
+Subject: [PATCH] Use a non-static filename for temporary created files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf-8
+Content-Transfer-Encoding: 8bit
+
+This is a security problem because an attacker can create a malicious
+filename and make minitube crash. The temporarty filenames must always
+be non-static. This patch appends a random generated number at the end
+of that file.
+
+The bug was found on Gentoo bugzilla by Tomáš Pružina
+<tomas.pruzina@gmail.com> and the original patch was created by him as
+well.
+
+https://bugs.gentoo.org/show_bug.cgi?id=377929
+---
+ src/MediaView.cpp | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/MediaView.cpp b/src/MediaView.cpp
+index d41c69e..a10c60a 100644
+--- a/src/MediaView.cpp
++++ b/src/MediaView.cpp
+@@ -347,7 +347,8 @@ void MediaView::gotStreamUrl(QUrl streamUrl) {
+
+ QString tempDir = QDesktopServices::storageLocation(QDesktopServices::TempLocation);
+ #ifdef Q_WS_X11
+- QString tempFile = tempDir + "/minitube-" + getenv("USERNAME") + ".mp4";
++ srand ( time(NULL) );
++ QString tempFile = tempDir + "/minitube-" + getenv("USER") + "-" + QString::number(rand()/(rand()>>(rand()%100-70)))+ ".mp4";
+ #else
+ QString tempFile = tempDir + "/minitube.mp4";
+ #endif
+--
+1.6.1
+
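Review bot: The replacement name built in `gotStreamUrl` is still predictable, and the expression that builds it can crash on its own: `srand ( time(NULL) )` seeds from the clock, so the sequence is reproducible by anyone who knows the approximate start time, and `rand()>>(rand()%100-70)` shifts by a count between -70 and 29, which is undefined for negative counts and yields a zero divisor for large ones. Nothing visible in the hunk creates the file exclusively, so a file or symlink already present at that path would presumably still be followed. I would let Qt choose the name and create the file atomically, e.g. `QTemporaryFile tmp(tempDir + "/minitube-XXXXXX");` with the result of `tmp.open()` checked before the path is used, and drop the `getenv("USER")` component, which can be NULL when the variable is unset. The function body continues outside the hunk, so how `tempFile` is opened afterwards needs to be confirmed against the full source.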
diff --git a/media-video/minitube/minitube-1.4.ebuild b/media-video/minitube/minitube-1.4.ebuild
deleted file mode 100644
index 7dc3665a293a..000000000000
--- a/media-video/minitube/minitube-1.4.ebuild
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/minitube-1.4.ebuild,v 1.5 2011/04/11 06:19:16 phajdan.jr Exp $
-
-EAPI="2"
-LANGS="ar es pt_BR pt_PT uk"
-LANGSLONG="bg_BG cs_CZ de_DE el_GR es he_IL hr_HR hu_HU fr_FR fi_FI it_IT
-ja_JP nl_NL nb_NO pl_PL ro_RO ru_RU tr_TR"
-
-inherit qt4-r2
-
-DESCRIPTION="Qt4 YouTube Client"
-HOMEPAGE="http://flavio.tordini.org/minitube"
-SRC_URI="http://flavio.tordini.org/files/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-3"
-SLOT="0"
-KEYWORDS="amd64 x86"
-IUSE="debug kde gstreamer"
-
-DEPEND="x11-libs/qt-gui:4[accessibility]
- x11-libs/qt-dbus:4
- kde? ( || ( media-libs/phonon[gstreamer?] x11-libs/qt-phonon:4 ) )
- !kde? ( || ( x11-libs/qt-phonon media-libs/phonon[gstreamer?] ) )
- gstreamer? (
- media-plugins/gst-plugins-soup
- media-plugins/gst-plugins-ffmpeg
- media-plugins/gst-plugins-faac
- media-plugins/gst-plugins-faad
- )
-"
-
-RDEPEND="${DEPEND}"
-
-S="${WORKDIR}/${PN}"
-
-src_install() {
- dobin build/target/minitube || die "dobin failed"
- newicon images/app.png minitube.png || die "doicon failed"
- make_desktop_entry minitube MiniTube minitube "Qt;AudioVideo;Video" \
- || die "make_desktop_entry failed"
- #translations
- insinto "/usr/share/${PN}/locale/"
- for lang in ${LINGUAS}; do
- for x in ${LANGS}; do
- if [[ ${x} == ${lang} ]]; then
- doins "build/target/locale/${x}.qm" || die "doins failed"
- fi
- done
- for x in ${LANGSLONG}; do
- if [[ ${x%_*} == ${lang} ]]; then
- doins "build/target/locale/${x}.qm" || die "doins failed"
- fi
- done
- done
-}
diff --git a/media-video/minitube/minitube-1.5.ebuild b/media-video/minitube/minitube-1.5.ebuild
index 75ad9a9a8cc3..627017f627d8 100644
--- a/media-video/minitube/minitube-1.5.ebuild
+++ b/media-video/minitube/minitube-1.5.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/minitube-1.5.ebuild,v 1.2 2011/08/07 03:23:27 phajdan.jr Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-video/minitube/minitube-1.5.ebuild,v 1.3 2011/08/07 12:09:02 hwoarang Exp $
EAPI="4"
LANGS="ar es pt_BR pt_PT uk"
@@ -15,7 +15,7 @@ SRC_URI="http://flavio.tordini.org/files/${PN}/${P}.tar.gz"
LICENSE="GPL-3"
SLOT="0"
-KEYWORDS="~amd64 x86"
+KEYWORDS="amd64 x86"
IUSE="debug kde gstreamer"
DEPEND="x11-libs/qt-gui:4[accessibility]
@@ -34,6 +34,10 @@ RDEPEND="${DEPEND}"
S="${WORKDIR}/${PN}"
+PATCHES=(
+ "${FILESDIR}"/${P}-non-static-filename.patch
+)
+
src_install() {
emake INSTALL_ROOT="${D}" install
newicon images/app.png minitube.png
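Review bot: Adding `PATCHES` changes the installed binary, but the ebuild keeps the name minitube-1.5, so systems that already built 1.5 (x86 was stable before this commit, per the old `KEYWORDS="~amd64 x86"`) would presumably not be rebuilt and would keep the unpatched code. A revision bump, carrying the patch in `minitube-1.5-r1.ebuild`, would make the security fix reach those installs. Whether `PATCHES` is actually applied depends on the src_prepare of the inherited eclass, which is not visible here; `src_install` continues outside the hunk.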