From 3fcc99d8cb9f297f3670fadbf07002bb8a4331b4 Mon Sep 17 00:00:00 2001 From: Vijay Marcel Date: Sat, 21 Jan 2023 16:54:48 +0000 Subject: multimedia/winff: Updated for version 20220903_8e4491b. Signed-off-by: bedlam Signed-off-by: Willy Sudiarto Raharjo --- multimedia/winff/changelog | 30 ++++++++++++++++++++++++++++++ multimedia/winff/winff.SlackBuild | 27 +++++++++++++-------------- 2 files changed, 43 insertions(+), 14 deletions(-) (limited to 'multimedia') diff --git a/multimedia/winff/changelog b/multimedia/winff/changelog index 6da305c6fb..87fd59ce0f 100644 --- a/multimedia/winff/changelog +++ b/multimedia/winff/changelog @@ -70,3 +70,33 @@ in slackware. This build removes all other localization files except english since it contains outdated links and may pose security risk. Bumped the build no. + +20/01/2023: + +Fixed $ARCH issue for 32-bit systems. freepascal supports i386 +only. The SlackBuild is modified to reflect that.Bumped the +build no. + +Users of WinFF must be aware of these two security issues that are +still unresolved upstream. + +a. The first one is due to the way filenames are inserted in the +temporary shell scripts generated to convert the media. Due to the +lack of character escaping, it is possible to insert system command using +specially crafted filename such as 'aaa";xcalc;".avi' or "aaa$(xcalc).mp4' +Thus leading to an arbitrary command execution. + +b. The second issue is related to the permission of this temporary shell +script. every users can access to them and modify them. Even if those files +are only temporary and launched right after generation, it leads to a +race-condition case where another user may try to replace the script content +before its execution in order to execute its own command with the winff +user permission. + +you can read about this issue here: +https://github.com/WinFF/winff/issues/242 + +As for first issue check the filename before converting otherwise it +will compromise your system and don't download from untrusted sources. +For the second I have no clue and this is beyond my abilities.If you have +a patch for these issue feel free to send it to me. diff --git a/multimedia/winff/winff.SlackBuild b/multimedia/winff/winff.SlackBuild index 8f7b6ace10..f97fc8396b 100644 --- a/multimedia/winff/winff.SlackBuild +++ b/multimedia/winff/winff.SlackBuild @@ -28,7 +28,7 @@ cd $(dirname $0) ; CWD=$(pwd) PRGNAM=winff VERSION=${VERSION:-20220903_8e4491b} LONGNAM=${LONGNAM:-8e4491be149031916053378d859ce156cf9b43d3} -BUILD=${BUILD:-2} +BUILD=${BUILD:-3} TAG=${TAG:-_SBo} PKGTYPE=${PKGTYPE:-tgz} @@ -43,6 +43,7 @@ fi # If the variable PRINT_PACKAGE_NAME is set, then this script will report what # the name of the created package would be, and then exit. This information # could be useful to other scripts. + if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE" exit 0 @@ -52,19 +53,17 @@ TMP=${TMP:-/tmp/SBo} PKG=$TMP/package-$PRGNAM OUTPUT=${OUTPUT:-/tmp} -if [ "$ARCH" = "i586" ]; then - SLKCFLAGS="-O2 -march=i586 -mtune=i686" - LIBDIRSUFFIX="" -elif [ "$ARCH" = "i686" ]; then - SLKCFLAGS="-O2 -march=i686 -mtune=i686" - LIBDIRSUFFIX="" -elif [ "$ARCH" = "x86_64" ]; then - SLKCFLAGS="-O2 -fPIC" - LIBDIRSUFFIX="64" -else - SLKCFLAGS="-O2" - LIBDIRSUFFIX="" -fi +case "$ARCH" in + i?86) ARCH="i386" + LIBDIRSUFFIX="" + ;; + x86_64) ARCH="x86_64" + LIBDIRSUFFIX="64" + ;; + *) printf "$ARCH is not supported...\n" + exit 1 + ;; +esac set -e trap 'echo "$0 FAILED at line $LINENO!" | tee -a $OUTPUT/error-${PRGNAM}.log' ERR -- cgit v1.2.3