diff --git a/inkscape-0.46pre1-ocal1.patch b/inkscape-0.46pre1-ocal1.patch
new file mode 100644
index 0000000..e0177cf
--- /dev/null
+++ b/inkscape-0.46pre1-ocal1.patch
@@ -0,0 +1,139 @@
+This solves the insecure temporary file usage for clip art thumbnails,
+however in a totally crappy way -- leaves stale files in /tmp.
+Not much worse than original though, as it was also leaving the files in place.
+
+Lubomir Kundrak
+
+diff -urp inkscape-0.45.1+0.46pre1.orig/src/ui/dialog/ocaldialogs.cpp inkscape-0.45.1+0.46pre1/src/ui/dialog/ocaldialogs.cpp
+--- inkscape-0.45.1+0.46pre1.orig/src/ui/dialog/ocaldialogs.cpp 2008-01-15 00:24:56.000000000 +0100
++++ inkscape-0.45.1+0.46pre1/src/ui/dialog/ocaldialogs.cpp 2008-02-14 15:53:00.000000000 +0100
+@@ -14,6 +14,8 @@
+ # include
+ #endif
+
++#include
++
+ #include "ocaldialogs.h"
+ #include "filedialogimpl-gtkmm.h"
+ #include "interface.h"
+@@ -260,23 +262,35 @@ FileExportToOCALPasswordDialog::change_t
+ void FileListViewText::on_cursor_changed()
+ {
+ // create file path
+- myFilename = Glib::get_tmp_dir();
+- myFilename.append(G_DIR_SEPARATOR_S);
+ std::vector pathlist;
+ pathlist = this->get_selection()->get_selected_rows();
+ std::vector posArray(1);
+ posArray = pathlist[0].get_indices();
+- myFilename.append(get_text(posArray[0], 2));
+
+ #ifdef WITH_GNOME_VFS
+ gnome_vfs_init();
+ GnomeVFSHandle *from_handle = NULL;
+- GnomeVFSHandle *to_handle = NULL;
++ int to_fd = 0;
+ GnomeVFSFileSize bytes_read;
+- GnomeVFSFileSize bytes_written;
++ size_t bytes_written;
+ GnomeVFSResult result;
+ guint8 buffer[8192];
+
++ // create the temp file
++ myFilename = Glib::get_tmp_dir();
++ myFilename.append(G_DIR_SEPARATOR_S);
++ myFilename.append("XXXXXX");
++
++ char tmpfn[strlen (myFilename.c_str ())+1];
++ strcpy (tmpfn, myFilename.c_str ());
++ to_fd = mkstemp (tmpfn);
++ myFilename = tmpfn;
++
++ if (to_fd == -1) {
++ sp_ui_error_dialog(_("Could not create temp file name with unique name."));
++ return;
++ }
++
+ //get file url
+ Glib::ustring fileUrl = get_text(posArray[0], 1); //http url
+
+@@ -290,51 +304,42 @@ void FileListViewText::on_cursor_changed
+ if (!Glib::get_charset()) //If we are not utf8
+ fileUrl = Glib::filename_to_utf8(fileUrl);
+
+- // verifies if the file wasn't previously downloaded
+- if(gnome_vfs_open(&to_handle, myFilename.c_str(), GNOME_VFS_OPEN_READ) == GNOME_VFS_ERROR_NOT_FOUND)
+- {
+- // open the temp file to receive
+- result = gnome_vfs_open (&to_handle, myFilename.c_str(), GNOME_VFS_OPEN_WRITE);
+- if (result == GNOME_VFS_ERROR_NOT_FOUND){
+- result = gnome_vfs_create (&to_handle, myFilename.c_str(), GNOME_VFS_OPEN_WRITE, FALSE, GNOME_VFS_PERM_USER_ALL);
++ result = gnome_vfs_open (&from_handle, fileUrl.c_str(), GNOME_VFS_OPEN_READ);
++ if (result != GNOME_VFS_OK) {
++ sp_ui_error_dialog(_("Could not find the file in Open Clip Art Library."));
++ g_warning("%s", gnome_vfs_result_to_string(result));
++ return;
++ }
++
++ // copy the file
++ while (1) {
++
++ result = gnome_vfs_read (from_handle, buffer, 8192, &bytes_read);
++
++ if ((result == GNOME_VFS_ERROR_EOF) &&(!bytes_read)){
++ result = gnome_vfs_close (from_handle);
++ break;
+ }
++
+ if (result != GNOME_VFS_OK) {
+- g_warning("Error creating temp file: %s", gnome_vfs_result_to_string(result));
++ sp_ui_error_dialog(_("Error while downloading the file."));
++ g_warning("%s", gnome_vfs_result_to_string(result));
+ return;
+ }
+- result = gnome_vfs_open (&from_handle, fileUrl.c_str(), GNOME_VFS_OPEN_READ);
+- if (result != GNOME_VFS_OK) {
+- g_warning("Could not find the file in Open Clip Art Library.");
++
++ bytes_written = write (to_fd, buffer, (size_t)bytes_read);
++
++ if ((size_t)bytes_read != bytes_written){
++ sp_ui_error_dialog(_("Error while downloading the file."));
++ g_warning("Bytes read not equal to bytes written");
+ return;
+ }
+- // copy the file
+- while (1) {
+- result = gnome_vfs_read (from_handle, buffer, 8192, &bytes_read);
+- if ((result == GNOME_VFS_ERROR_EOF) &&(!bytes_read)){
+- result = gnome_vfs_close (from_handle);
+- result = gnome_vfs_close (to_handle);
+- break;
+- }
+- if (result != GNOME_VFS_OK) {
+- g_warning("%s", gnome_vfs_result_to_string(result));
+- return;
+- }
+- result = gnome_vfs_write (to_handle, buffer, bytes_read, &bytes_written);
+- if (result != GNOME_VFS_OK) {
+- g_warning("%s", gnome_vfs_result_to_string(result));
+- return;
+- }
+- if (bytes_read != bytes_written){
+- g_warning("Bytes read not equal to bytes written");
+- return;
+- }
+- }
+- }
+- else
+- {
+- gnome_vfs_close(to_handle);
++
+ }
++
++ close (to_fd);
+ myPreview->showImage(myFilename);
++ //unlink (myFilename.c_str ());
+ myLabel->set_text(get_text(posArray[0], 4));
+ #endif
+ }
diff --git a/inkscape-0.46pre1-ocal2.patch b/inkscape-0.46pre1-ocal2.patch
new file mode 100644
index 0000000..e4ebcca
--- /dev/null
+++ b/inkscape-0.46pre1-ocal2.patch
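Review bot: Every `return` taken after the successful `mkstemp()` in `on_cursor_changed()` (inkscape-0.46pre1-ocal1.patch) leaves `to_fd` open and the new file behind in the temp directory: the failed `gnome_vfs_open`, the read-error branch and the short-write branch all exit without cleanup, and the last two also leave `from_handle` open. Putting `close (to_fd); unlink (myFilename.c_str ());` before those returns, plus `gnome_vfs_close (from_handle);` for the two inside the loop, keeps a failed download from costing a descriptor and a partial file on each cursor move. `write()` returns `ssize_t`, so storing it in `size_t bytes_written` turns -1 into a huge value; the inequality still trips, but declaring it `ssize_t` and testing `< 0` separately would let the warning report `errno`. `char tmpfn[strlen (...)+1]` is a variable-length array, which is a compiler extension in C++; `g_strdup`/`g_free` or a `std::vector<char>` would be portable. Part of the function lies between the two inner hunks and is not visible here.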
@@ -0,0 +1,120 @@
+Avoid use of temporary file for OCAL RSS feed as a fix for insecure temporary file usage.
+Add XML_PARSE_RECOVER, so that we don't fail in case of stupid errors in feed, such as
+undefined XML entities.
+
+Lubomir Kundrak
+
+diff -urp inkscape-0.45.1+0.46pre1.orig/src/ui/dialog/ocaldialogs.cpp inkscape-0.45.1+0.46pre1/src/ui/dialog/ocaldialogs.cpp
+--- inkscape-0.45.1+0.46pre1.orig/src/ui/dialog/ocaldialogs.cpp 2008-01-15 00:24:56.000000000 +0100
++++ inkscape-0.45.1+0.46pre1/src/ui/dialog/ocaldialogs.cpp 2008-02-14 15:54:22.000000000 +0100
+@@ -359,6 +359,27 @@ Glib::ustring FileListViewText::getFilen
+ }
+
+ /**
++ * Read callback for xmlReadIO(), used below
++ */
++static int vfs_read_callback (GnomeVFSHandle *handle, char* buf, int nb)
++{
++ GnomeVFSFileSize ndone;
++ GnomeVFSResult result;
++
++ result = gnome_vfs_read (handle, buf, nb, &ndone);
++
++ if (result == GNOME_VFS_OK) {
++ return (int)ndone;
++ } else {
++ if (result != GNOME_VFS_ERROR_EOF) {
++ sp_ui_error_dialog(_("Error while reading the Open Clip Art RSS feed"));
++ g_warning("%s\n", gnome_vfs_result_to_string(result));
++ }
++ return -1;
++ }
++}
++
++/**
+ * Callback for user input into searchTagEntry
+ */
+ void FileImportFromOCALDialog::searchTagEntryChangedCallback()
+@@ -380,74 +401,30 @@ void FileImportFromOCALDialog::searchTag
+
+ #ifdef WITH_GNOME_VFS
+
+- // get the rss feed
++ // open the rss feed
+ gnome_vfs_init();
+ GnomeVFSHandle *from_handle = NULL;
+- GnomeVFSHandle *to_handle = NULL;
+- GnomeVFSFileSize bytes_read;
+- GnomeVFSFileSize bytes_written;
+ GnomeVFSResult result;
+- guint8 buffer[8192];
+-
+- // create the temp file name
+- Glib::ustring fileName = Glib::get_tmp_dir ();
+- fileName.append(G_DIR_SEPARATOR_S);
+- fileName.append("ocalfeed.xml");
+-
+- // open the temp file to receive
+- result = gnome_vfs_open (&to_handle, fileName.c_str(), GNOME_VFS_OPEN_WRITE);
+- if (result == GNOME_VFS_ERROR_NOT_FOUND){
+- result = gnome_vfs_create (&to_handle, fileName.c_str(), GNOME_VFS_OPEN_WRITE, FALSE, GNOME_VFS_PERM_USER_ALL);
+- }
+- if (result != GNOME_VFS_OK) {
+- g_warning("Error creating temp file: %s", gnome_vfs_result_to_string(result));
+- return;
+- }
+
+- // open the rss feed
+ result = gnome_vfs_open (&from_handle, uri.c_str(), GNOME_VFS_OPEN_READ);
+ if (result != GNOME_VFS_OK) {
+ sp_ui_error_dialog(_("Failed to receive the Open Clip Art Library RSS feed. Verify if the server name is correct in Configuration->Misc (e.g.: openclipart.org)"));
+ return;
+ }
+
+- // copy the file
+- while (1) {
+-
+- result = gnome_vfs_read (from_handle, buffer, 8192, &bytes_read);
+-
+- if ((result == GNOME_VFS_ERROR_EOF) &&(!bytes_read)){
+- result = gnome_vfs_close (from_handle);
+- result = gnome_vfs_close (to_handle);
+- break;
+- }
+-
+- if (result != GNOME_VFS_OK) {
+- g_warning("%s", gnome_vfs_result_to_string(result));
+- return;
+- }
+- result = gnome_vfs_write (to_handle, buffer, bytes_read, &bytes_written);
+- if (result != GNOME_VFS_OK) {
+- g_warning("%s", gnome_vfs_result_to_string(result));
+- return;
+- }
+-
+- if (bytes_read != bytes_written){
+- g_warning("Bytes read not equal to bytes written");
+- return;
+- }
+-
+- }
+-
+ // create the resulting xml document tree
+ // this initialize the library and test mistakes between compiled and shared library used
+ LIBXML_TEST_VERSION
+ xmlDoc *doc = NULL;
+ xmlNode *root_element = NULL;
+- doc = xmlReadFile(fileName.c_str(), NULL, 0);
++
++ doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback,
++ (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL,
++ XML_PARSE_RECOVER);
+ if (doc == NULL) {
+- g_warning("Failed to parse %s\n", fileName.c_str());
+- return;
++ sp_ui_error_dialog(_("Server supplied malformed Clip Art feed"));
++ g_warning("Failed to parse %s\n", uri.c_str());
++ return;
+ }
+
+ // get the root element node
diff --git a/inkscape.spec b/inkscape.spec
index bbe644a..278088c 100644
--- a/inkscape.spec
+++ b/inkscape.spec
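Review bot: `vfs_read_callback` (inkscape-0.46pre1-ocal2.patch) returns -1 when `gnome_vfs_read` reports `GNOME_VFS_ERROR_EOF`, but libxml2's read callback is expected to return the byte count, 0 at end of input, and -1 only on error, so a normal end of feed reaches the parser as an I/O failure. Adding `if (result == GNOME_VFS_ERROR_EOF) return 0;` ahead of the error branch separates the two cases, and it stops `XML_PARSE_RECOVER` from being what papers over the difference. The `(xmlInputReadCallback)` and `(xmlInputCloseCallback)` casts hide that neither `vfs_read_callback` nor `gnome_vfs_close` has the `void *` context signature libxml2 calls through; two thin `static` wrappers taking `void *` would let the compiler check the types and let the close wrapper return an `int`. Since recover mode hands back a tree even for malformed, server-supplied input, the tree-walking code after this hunk (not visible here) should be checked for tolerance of missing or unexpected nodes.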
@@ -1,6 +1,6 @@
 Name: inkscape
 Version: 0.45.1+0.46pre1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Vector-based drawing program using SVG
 Group: Applications/Productivity
@@ -11,6 +11,9 @@ Patch0: inkscape-16571-cxxinclude.patch
 Patch1: inkscape-0.45.1-desktop.patch
 Patch2: inkscape-0.46pre1-gcc43.patch
 Patch3: inkscape-0.46pre1-vectors.patch
+Patch4: inkscape-0.46pre1-ocal1.patch
+Patch5: inkscape-0.46pre1-ocal2.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: atk-devel
@@ -66,6 +69,8 @@ C and C++, using the Gtk+ toolkit and optionally some Gnome libraries.
 %patch1 -p1 -b .desktop
 %patch2 -p1 -b .gcc43
 %patch3 -p1 -b .vectors
+%patch4 -p1 -b .ocal1
+%patch5 -p1 -b .ocal2
 find -type f -regex '.*\.\(cpp\|h\)' -perm +111 -exec chmod -x {} ';'
 find share/extensions/ -type f -regex '.*\.py' -perm +111 -exec chmod -x {} ';'
 dos2unix share/extensions/*.py
@@ -125,6 +130,10 @@ update-desktop-database %{_datadir}/applications > /dev/null 2>&1 || :
 %changelog
+* Thu Feb 14 2008 Lubomir Kundrak - 0.45.1+0.46pre1-4
+- Tolerate recoverable errors in OCAL feeds
+- Fix OCAL insecure temporary file usage (#432807)
+
 * Wed Feb 13 2008 Lubomir Kundrak - 0.45.1+0.46pre1-3
 - Fix crash when adding text objects (#432220)