Thu Sep 3 08:14:13 2020 UTC
miller: update to 5.9.1.

ChangeLog:

Security update: disallow --prepipe in .mlrrc

As of Miller 5.9.0, you can have a .mlrrc file containing preferred flags.

As reported in #363, it would be possible for someone to prepare a repository
or some other zipfile/tarfile, for example, containing datasets, and send it
to you. They could have a line of the form prepipe do_something_bad; cat in
that repository, so when you ran any mlr commands in there, it would run the
do_something_bad command (whatever that might be).

The fix is (a) disallow prepipe within .mlrrc files; (b) as a consolation,
allow new prepipe-zcat and prepipe-gunzip options which are safe to use.

Fixes CVE-2020-15167.


(fcambus)
diff -r1.19 -r1.20 pkgsrc/textproc/miller/Makefile
diff -r1.18 -r1.19 pkgsrc/textproc/miller/distinfo
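
An added example, not part of this commit or of Miller's code: a pre-flight audit that reports bare prepipe lines in any .mlrrc file under an unpacked tree, which is the condition the ChangeLog describes, while ignoring the prepipe-zcat and prepipe-gunzip replacements. The accepted line shapes (optional leading dashes, "=" or whitespace before the value), the function names and the sample file contents are assumptions.

```python
import os
import re
import tempfile

# Assumed line shapes (not Miller's own parser): optional leading dashes,
# a flag name, then "=" or whitespace, then the value.
LINE_RE = re.compile(r"^-{0,2}([A-Za-z0-9_-]+)(?:\s*=\s*|\s+)?(.*)$")

def audit_mlrrc_text(text):
    """Return (line_number, value) for every prepipe line in .mlrrc content."""
    hits = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        match = LINE_RE.match(line)
        # prepipe-zcat and prepipe-gunzip parse as different flag names,
        # so only the bare prepipe flag is reported.
        if match and match.group(1).lower() == "prepipe":
            hits.append((number, match.group(2).strip()))
    return hits

def audit_tree(root):
    """Walk root and report prepipe lines in any file named .mlrrc."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".mlrrc" in files:
            path = os.path.join(dirpath, ".mlrrc")
            with open(path, encoding="utf-8", errors="replace") as handle:
                for number, value in audit_mlrrc_text(handle.read()):
                    findings.append((os.path.relpath(path, root), number, value))
    return sorted(findings)

# Constructed sample contents, using the placeholder command from the ChangeLog.
SAMPLE_UNSAFE = "# preferred flags\nicsv\nprepipe do_something_bad; cat\n"
SAMPLE_SAFE = "--icsv\nprepipe-gunzip\nprepipe-zcat\n"

def demo():
    """Build a throwaway tree with both samples and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("data", SAMPLE_UNSAFE), ("clean", SAMPLE_SAFE)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, ".mlrrc"), "w", encoding="utf-8") as f:
                f.write(body)
        return audit_tree(root)

if __name__ == "__main__":
    for path, number, value in demo():
        print(f"{path}:{number}: prepipe -> {value}")
```
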

cvs diff -r1.19 -r1.20 pkgsrc/textproc/miller/Makefile

--- pkgsrc/textproc/miller/Makefile 2020/08/20 14:01:27 1.19
+++ pkgsrc/textproc/miller/Makefile 2020/09/03 08:14:13 1.20
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1# $NetBSD: Makefile,v 1.19 2020/08/20 14:01:27 fcambus Exp $ 1# $NetBSD: Makefile,v 1.20 2020/09/03 08:14:13 fcambus Exp $
2 2
3DISTNAME= mlr-5.9.0 3DISTNAME= mlr-5.9.1
4PKGNAME= ${DISTNAME:S/mlr/miller/} 4PKGNAME= ${DISTNAME:S/mlr/miller/}
5CATEGORIES= devel 5CATEGORIES= devel
6MASTER_SITES= ${MASTER_SITE_GITHUB:=johnkerl/} 6MASTER_SITES= ${MASTER_SITE_GITHUB:=johnkerl/}
7GITHUB_PROJECT= miller 7GITHUB_PROJECT= miller
8GITHUB_RELEASE= v${PKGVERSION_NOREV} 8GITHUB_RELEASE= v${PKGVERSION_NOREV}
9 9
10MAINTAINER= pkgsrc-users@NetBSD.org 10MAINTAINER= pkgsrc-users@NetBSD.org
11HOMEPAGE= https://github.com/johnkerl/miller/ 11HOMEPAGE= https://github.com/johnkerl/miller/
12COMMENT= Command-line CSV processor 12COMMENT= Command-line CSV processor
13LICENSE= 2-clause-bsd 13LICENSE= 2-clause-bsd
14 14
15BUILD_DEPENDS+= asciidoc-[0-9]*:../../textproc/asciidoc 15BUILD_DEPENDS+= asciidoc-[0-9]*:../../textproc/asciidoc
16 16
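
Review bot: CATEGORIES= devel in the unchanged context does not match the package's location under pkgsrc/textproc/miller; the first category is expected to be the directory the package lives in, so a follow-up could change it to CATEGORIES= textproc devel. The DISTNAME change to mlr-5.9.1 is the only edited line besides the RCS id, and no PKGREVISION line is visible in this hunk, so nothing else needs resetting for the version bump.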

cvs diff -r1.18 -r1.19 pkgsrc/textproc/miller/distinfo

--- pkgsrc/textproc/miller/distinfo 2020/08/20 14:01:27 1.18
+++ pkgsrc/textproc/miller/distinfo 2020/09/03 08:14:13 1.19
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
1$NetBSD: distinfo,v 1.18 2020/08/20 14:01:27 fcambus Exp $ 1$NetBSD: distinfo,v 1.19 2020/09/03 08:14:13 fcambus Exp $
2 2
3SHA1 (mlr-5.9.0.tar.gz) = ed7e896f9d88cc7c9c082d7cc5ed5cd1082ab7be 3SHA1 (mlr-5.9.1.tar.gz) = 5493910bf727141df1aa6c2a2be60ed6e20d3a06
4RMD160 (mlr-5.9.0.tar.gz) = a8e5e43023c77831301eff884b5d46c41b21c3f0 4RMD160 (mlr-5.9.1.tar.gz) = de4c6e1f5f7b1a074d3c30a73be0f5aa5e0b69af
5SHA512 (mlr-5.9.0.tar.gz) = 45c67b0841417787ed1bd4c96f1d63d695c6b28dc7386eeb167aa5194ae0080c61be2aa69d39f80200bc3787dcfdb74a437005df2474bcd94eda03d510984eae 5SHA512 (mlr-5.9.1.tar.gz) = ea16a917c500be442a8a4bff37c5de92a4924f9adc1c121bb28a5b4aba87f9429bf17127718639544a6e83f0e2519e9fe5860ed961c4f83486105970b2be39be
6Size (mlr-5.9.0.tar.gz) = 1270452 bytes 6Size (mlr-5.9.1.tar.gz) = 1270739 bytes
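
Review bot: the SHA512 line for mlr-5.9.1.tar.gz becomes the value every later fetch is checked against, and nothing in the commit records how the new digests were validated. For a release that fixes CVE-2020-15167, suggest stating that the tarball was fetched from the GitHub release named by GITHUB_RELEASE in the Makefile and compared with a second download before the checksums were regenerated. The SHA1, RMD160, SHA512 and Size lines all move to the 5.9.1 filename together, and the Size change from 1270452 to 1270739 bytes (287 bytes) is consistent with a small source change.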