miller: update to 5.9.1.

ChangeLog:

Security update: disallow --prepipe in .mlrrc

As of Miller 5.9.0, you can have a .mlrrc file containing preferred flags. As reported in #363, it would be possible for someone to prepare a repository or some other zipfile/tarfile, for example, containing datasets, and send it to you. They could have a line of the form prepipe do_something_bad; cat in that repository, so when you ran any mlr commands in there, it would run the do_something_bad command (whatever that might be).

The fix is (a) disallow prepipe within .mlrrc files; (b) as a consolation, allow new prepipe-zcat and prepipe-gunzip options which are safe to use.

Fixes CVE-2020-15167.

diff -r1.19 -r1.20 pkgsrc/textproc/miller/Makefile
(fcambus)
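An added example, not part of the commit or of Miller's code: a Python check that walks an unpacked archive for .mlrrc files and reports any prepipe line, the directive the commit message identifies. The accepted line syntax (optional leading dashes, a space or = before the value, # comments) and the names scan_mlrrc_text, scan_tree and demo are assumptions of this example.

```python
import os
import re
import tempfile

# Assumption: a .mlrrc line is "flag", "flag value" or "flag=value", with
# optional leading dashes and '#' comments. Only "prepipe" runs a command;
# prepipe-zcat and prepipe-gunzip are the safe options added in 5.9.1.
LINE_RE = re.compile(r"^-*([A-Za-z0-9_-]+)(?:[\s=]+(.*))?$")

def scan_mlrrc_text(text):
    """Return (line_number, command) for every prepipe directive in text."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match and match.group(1).lower() == "prepipe":
            findings.append((number, (match.group(2) or "").strip()))
    return findings

def scan_tree(root):
    """Walk an unpacked archive and report prepipe lines in any .mlrrc."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".mlrrc" in files:
            path = os.path.join(dirpath, ".mlrrc")
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = scan_mlrrc_text(handle.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

# Constructed sample: the line form quoted in the commit message, next to
# a harmless setting and one of the new safe options.
SAMPLE = "# preferred flags\nicsv\nprepipe do_something_bad; cat\nprepipe-gunzip\n"

def demo():
    """Write SAMPLE into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "datasets"))
        with open(os.path.join(root, "datasets", ".mlrrc"), "w") as handle:
            handle.write(SAMPLE)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        for number, command in hits:
            print(f"{path}:{number}: prepipe would run: {command}")
```

Running it on a freshly unpacked archive before invoking mlr inside it covers installations still on 5.9.0.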
@@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
1 | # $NetBSD: Makefile,v 1.19 2020/08/20 14:01:27 fcambus Exp $ | 1 | # $NetBSD: Makefile,v 1.20 2020/09/03 08:14:13 fcambus Exp $ | |
2 | 2 | |||
3 | DISTNAME= mlr-5.9.0 | 3 | DISTNAME= mlr-5.9.1 | |
4 | PKGNAME= ${DISTNAME:S/mlr/miller/} | 4 | PKGNAME= ${DISTNAME:S/mlr/miller/} | |
5 | CATEGORIES= devel | 5 | CATEGORIES= devel | |
6 | MASTER_SITES= ${MASTER_SITE_GITHUB:=johnkerl/} | 6 | MASTER_SITES= ${MASTER_SITE_GITHUB:=johnkerl/} | |
7 | GITHUB_PROJECT= miller | 7 | GITHUB_PROJECT= miller | |
8 | GITHUB_RELEASE= v${PKGVERSION_NOREV} | 8 | GITHUB_RELEASE= v${PKGVERSION_NOREV} | |
9 | 9 | |||
10 | MAINTAINER= pkgsrc-users@NetBSD.org | 10 | MAINTAINER= pkgsrc-users@NetBSD.org | |
11 | HOMEPAGE= https://github.com/johnkerl/miller/ | 11 | HOMEPAGE= https://github.com/johnkerl/miller/ | |
12 | COMMENT= Command-line CSV processor | 12 | COMMENT= Command-line CSV processor | |
13 | LICENSE= 2-clause-bsd | 13 | LICENSE= 2-clause-bsd | |
14 | 14 | |||
15 | BUILD_DEPENDS+= asciidoc-[0-9]*:../../textproc/asciidoc | 15 | BUILD_DEPENDS+= asciidoc-[0-9]*:../../textproc/asciidoc | |
16 | 16 |
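Review bot: CATEGORIES= devel on line 5 does not match the directory this Makefile lives in, pkgsrc/textproc/miller, and pkgsrc expects the first category to be the package's own directory. Since the file is being touched anyway, consider listing textproc first and keeping devel as a secondary category. The DISTNAME bump from mlr-5.9.0 to mlr-5.9.1 on line 3 is otherwise the only functional change and looks correct.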
@@ -1,6 +1,6 @@ | @@ -1,6 +1,6 @@ | |||
1 | $NetBSD: distinfo,v 1.18 2020/08/20 14:01:27 fcambus Exp $ | 1 | $NetBSD: distinfo,v 1.19 2020/09/03 08:14:13 fcambus Exp $ | |
2 | 2 | |||
3 | SHA1 (mlr-5.9.0.tar.gz) = ed7e896f9d88cc7c9c082d7cc5ed5cd1082ab7be | 3 | SHA1 (mlr-5.9.1.tar.gz) = 5493910bf727141df1aa6c2a2be60ed6e20d3a06 | |
4 | RMD160 (mlr-5.9.0.tar.gz) = a8e5e43023c77831301eff884b5d46c41b21c3f0 | 4 | RMD160 (mlr-5.9.1.tar.gz) = de4c6e1f5f7b1a074d3c30a73be0f5aa5e0b69af | |
5 | SHA512 (mlr-5.9.0.tar.gz) = 45c67b0841417787ed1bd4c96f1d63d695c6b28dc7386eeb167aa5194ae0080c61be2aa69d39f80200bc3787dcfdb74a437005df2474bcd94eda03d510984eae | 5 | SHA512 (mlr-5.9.1.tar.gz) = ea16a917c500be442a8a4bff37c5de92a4924f9adc1c121bb28a5b4aba87f9429bf17127718639544a6e83f0e2519e9fe5860ed961c4f83486105970b2be39be | |
6 | Size (mlr-5.9.0.tar.gz) = 1270452 bytes | 6 | Size (mlr-5.9.1.tar.gz) = 1270739 bytes |
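Review bot: the new SHA1, RMD160 and SHA512 values on lines 3 to 5 are the only thing binding this package to the upstream mlr-5.9.1.tar.gz, and this is a security release, so please confirm they were checked against a copy of the tarball fetched independently from the GitHub release rather than only regenerated from the local distfile. Of the three digests, SHA512 is the one to rely on for that comparison. The size change on line 6 from 1270452 to 1270739 bytes is consistent with a small fix.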