author | Peter Volkov <pva@gentoo.org> | 2007-12-30 19:17:36 +0000 |
---|---|---|
committer | Peter Volkov <pva@gentoo.org> | 2007-12-30 19:17:36 +0000 |
commit | 41a1253c7021c23bead2fc4494ccc43d4b83be21 (patch) | |
tree | d1ed312cbb8ba3c81da81797367bb6c9474ef0dd /www-apps | |
parent | ppc/ppc64 love (diff) | |
Fixes "Upload File" Script Insertion Vulnerability, bug 203791, reported by Pierre-Yves Rofes <py AT gentoo.org>.
Package-Manager: portage-2.1.4_rc11
Diffstat (limited to 'www-apps')
-rw-r--r-- | www-apps/mantisbt/ChangeLog | 10 | ||||
-rw-r--r-- | www-apps/mantisbt/Manifest | 19 | ||||
-rw-r--r-- | www-apps/mantisbt/files/digest-mantisbt-1.0.8-r1 | 3 | ||||
-rw-r--r-- | www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch | 13 | ||||
-rw-r--r-- | www-apps/mantisbt/mantisbt-1.0.8-r1.ebuild | 61 |
5 files changed, 101 insertions, 5 deletions
diff --git a/www-apps/mantisbt/ChangeLog b/www-apps/mantisbt/ChangeLog index 9199d0efa6a2..1280582c04c0 100644 --- a/www-apps/mantisbt/ChangeLog +++ b/www-apps/mantisbt/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for www-apps/mantisbt # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.48 2007/12/10 16:14:57 pva Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/ChangeLog,v 1.49 2007/12/30 19:17:36 pva Exp $ + +*mantisbt-1.0.8-r1 (30 Dec 2007) + + 30 Dec 2007; <pva@gentoo.org> + +files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch, + +mantisbt-1.0.8-r1.ebuild: + Fixes "Upload File" Script Insertion Vulnerability, bug 203791, reported by + Pierre-Yves Rofes <py AT gentoo.org>. 10 Dec 2007; <pva@gentoo.org> mantisbt-1.0.8.ebuild: Fixed apache2 DEPEND, bug #201822. Thank Nick Devito <nick AT nick125.com> diff --git a/www-apps/mantisbt/Manifest b/www-apps/mantisbt/Manifest index edbdba5d17fe..fed85280907b 100644 --- a/www-apps/mantisbt/Manifest +++ b/www-apps/mantisbt/Manifest 
@@ -2,19 +2,27 @@ AUX mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch 3619 RMD160 48a428e041bc42d MD5 d44b8a9498da3ef05e8ffad82695497d files/mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch 3619 RMD160 48a428e041bc42d3c927401577523948f88f15f4 files/mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch 3619 SHA256 d90525a92c011545a2589bc61eef137e2e7ce7e5b2356ab5eeebf07443b832b7 files/mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch 3619 +AUX mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch 586 RMD160 06ec3c8b966c5453aa5e899d7fc3b9697925e43a SHA1 9796453270af292edf529b2d00eaafe859a6612d SHA256 2e51de9684363a5593d2e9edc38c08c51123aba2fa58ec7abc7e28285fd4a38d +MD5 e480b193825cd39eb269eda446eb52df files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch 586 +RMD160 06ec3c8b966c5453aa5e899d7fc3b9697925e43a files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch 586 +SHA256 2e51de9684363a5593d2e9edc38c08c51123aba2fa58ec7abc7e28285fd4a38d files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch 586 AUX postinstall-en-1.0.0.txt 488 RMD160 cbfd8696f29c0064c98503ba6342947525771f17 SHA1 4e7c8eaca91db2b7e56dd277dfd939e403b2f2b1 SHA256 f4f06fdb8e6b7724e072a3a3bf77b4ee1fddd270cb2f6e5e8f46de795bc9a6f0 MD5 97c947f30d07a6405194bed5981ceceb files/postinstall-en-1.0.0.txt 488 RMD160 cbfd8696f29c0064c98503ba6342947525771f17 files/postinstall-en-1.0.0.txt 488 SHA256 f4f06fdb8e6b7724e072a3a3bf77b4ee1fddd270cb2f6e5e8f46de795bc9a6f0 files/postinstall-en-1.0.0.txt 488 DIST mantis-1.0.8.tar.gz 1549854 RMD160 02e349a05d8d5c190d943ee4dc430a6adaffe1a0 SHA1 979947bc1f39d8471e48b3c914c46a91d6af3c38 SHA256 c22a3ad2f532addc70f8f266c83a360dfea685de79ebf713801b3f4fb556b501 +EBUILD mantisbt-1.0.8-r1.ebuild 1558 RMD160 8d0a35cf713026bf510a5e7fff59e3b45ab88444 SHA1 b9e834e9f7f9ff11a51479275e7e60e75df841ad SHA256 1d12d78940c194dc6e4f3e8b8be61c823cefc6aef5d2f2c7b771c793cd6d0d9a +MD5 7e1cbe7e0d61cc001ea3f3d82b4e6850 mantisbt-1.0.8-r1.ebuild 1558 +RMD160 8d0a35cf713026bf510a5e7fff59e3b45ab88444 mantisbt-1.0.8-r1.ebuild 1558 
+SHA256 1d12d78940c194dc6e4f3e8b8be61c823cefc6aef5d2f2c7b771c793cd6d0d9a mantisbt-1.0.8-r1.ebuild 1558 EBUILD mantisbt-1.0.8.ebuild 1444 RMD160 5fd001c022945cf80d979ecf9c1f2b9e58365afc SHA1 511e36d760624b8048a603e8f22f63137cf7feb6 SHA256 ab210c0ce0b9a4d627dafe1b1c0e1e13b6445a3ac206eeb1082554f6469d485b MD5 3c9ee39ebcf9e05260f7e5e074c62607 mantisbt-1.0.8.ebuild 1444 RMD160 5fd001c022945cf80d979ecf9c1f2b9e58365afc mantisbt-1.0.8.ebuild 1444 SHA256 ab210c0ce0b9a4d627dafe1b1c0e1e13b6445a3ac206eeb1082554f6469d485b mantisbt-1.0.8.ebuild 1444 -MISC ChangeLog 6983 RMD160 c481b91763a7498d4e8abb3265b0c66d10e62094 SHA1 505bfd4dc7bf4ff59f75099a942deb155c7a77c0 SHA256 6f3f6f0a7aa2a86ef37ea7dc8137c50d707e8c968ee58f723d399bdbc0579729 -MD5 2a448ca3b3dd3756ad5709e330374794 ChangeLog 6983 -RMD160 c481b91763a7498d4e8abb3265b0c66d10e62094 ChangeLog 6983 -SHA256 6f3f6f0a7aa2a86ef37ea7dc8137c50d707e8c968ee58f723d399bdbc0579729 ChangeLog 6983 +MISC ChangeLog 7254 RMD160 adab2d74a6d3d4c8ff55a147e24f5f1f32726fcf SHA1 503e52734e4dfde46ca0ee97ed380a7b9d3a2919 SHA256 af54f231ab6043a642b3ede0c9b07c66689c10035306ef51355947f2b7ceeb75 +MD5 eaa97efb4c7a731bcb3f9a78a73b44b7 ChangeLog 7254 +RMD160 adab2d74a6d3d4c8ff55a147e24f5f1f32726fcf ChangeLog 7254 +SHA256 af54f231ab6043a642b3ede0c9b07c66689c10035306ef51355947f2b7ceeb75 ChangeLog 7254 MISC metadata.xml 248 RMD160 ab7babc36756e7653aba440cf96e8aafcbe1c016 SHA1 792d5b97943c78fda8d723180d146a516543cdf5 SHA256 063b8d771f4ba27785d3a58df69e0ae8b29d883a4e2a696a7238bdf1fcfce7ff MD5 5fd748d41ac80abb373fecca33efcf54 metadata.xml 248 RMD160 ab7babc36756e7653aba440cf96e8aafcbe1c016 metadata.xml 248 
@@ -22,3 +30,6 @@ SHA256 063b8d771f4ba27785d3a58df69e0ae8b29d883a4e2a696a7238bdf1fcfce7ff metadata MD5 4a8b25a89315f40d37d72a1b6d4ecc83 files/digest-mantisbt-1.0.8 241 RMD160 692a0420d69c6057e203a7e5838a71647256a0fa files/digest-mantisbt-1.0.8 241 SHA256 4e5cc37ae2b3b481615343a7afd63d67ac51a48c4c6f3b37d9ad6616f9fa9138 files/digest-mantisbt-1.0.8 241 +MD5 4a8b25a89315f40d37d72a1b6d4ecc83 files/digest-mantisbt-1.0.8-r1 241 +RMD160 692a0420d69c6057e203a7e5838a71647256a0fa files/digest-mantisbt-1.0.8-r1 241 +SHA256 4e5cc37ae2b3b481615343a7afd63d67ac51a48c4c6f3b37d9ad6616f9fa9138 files/digest-mantisbt-1.0.8-r1 241
diff --git a/www-apps/mantisbt/files/digest-mantisbt-1.0.8-r1 b/www-apps/mantisbt/files/digest-mantisbt-1.0.8-r1
new file mode 100644
index 000000000000..2fb7b1796f2d
--- /dev/null
+++ b/www-apps/mantisbt/files/digest-mantisbt-1.0.8-r1
@@ -0,0 +1,3 @@
+MD5 fab90748346fe9a8276a71f59c1a245a mantis-1.0.8.tar.gz 1549854
+RMD160 02e349a05d8d5c190d943ee4dc430a6adaffe1a0 mantis-1.0.8.tar.gz 1549854
+SHA256 c22a3ad2f532addc70f8f266c83a360dfea685de79ebf713801b3f4fb556b501 mantis-1.0.8.tar.gz 1549854
diff --git a/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch b/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch
new file mode 100644
index 000000000000..274d9692fc1e
--- /dev/null
+++ b/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch
@@ -0,0 +1,13 @@
+Index: core/file_api.php
+===================================================================
+--- core/file_api.php (リビジョン 4833)
++++ core/file_api.php (作業コピー)
+@@ -163,7 +163,7 @@
+ $row = $t_attachment_rows[$i];
+ extract( $row, EXTR_PREFIX_ALL, 'v' );
+
+- $t_file_display_name = file_get_display_name( $v_filename );
++ $t_file_display_name = string_html_specialchars( file_get_display_name( $v_filename ) );
+ $t_filesize = number_format( $v_filesize );
+ $t_date_added = date( config_get( 'normal_date_format' ), db_unixtimestamp( $v_date_added ) );
+
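Review bot: The escaping is applied once, at the assignment to `$t_file_display_name`, so it covers only later uses of that one variable as HTML text. The raw `$v_filename` and the other `$v_*` values created by `extract( $row, EXTR_PREFIX_ALL, 'v' )` stay unescaped, and whether the function writes any of them into markup further down cannot be seen here, because its body starts and ends outside the hunk. I would record the contract beside the changed line with a comment such as `// HTML-escaped: use as element text only; do not escape again or place in a URL`, and check the remaining uses of `$v_filename` in the same function against bug 203791.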
diff --git a/www-apps/mantisbt/mantisbt-1.0.8-r1.ebuild b/www-apps/mantisbt/mantisbt-1.0.8-r1.ebuild
new file mode 100644
index 000000000000..b0e1e15d48e0
--- /dev/null
+++ b/www-apps/mantisbt/mantisbt-1.0.8-r1.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apps/mantisbt/mantisbt-1.0.8-r1.ebuild,v 1.1 2007/12/30 19:17:36 pva Exp $
+
+inherit eutils webapp
+
+IUSE="bundled-adodb"
+MY_P=mantis-${PV}
+
+DESCRIPTION="PHP/MySQL/Web based bugtracking system"
+HOMEPAGE="http://www.mantisbt.org/"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.gz"
+
+S=${WORKDIR}/${MY_P}
+
+KEYWORDS="~amd64 ~ppc ~x86"
+
+RDEPEND="
+ virtual/httpd-php
+ virtual/httpd-cgi
+ !bundled-adodb? ( dev-php/adodb )
+"
+
+LICENSE="GPL-2"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # http://www.mantisbt.org/bugs/view.php?id=8256
+ epatch "${FILESDIR}"/${P}-avoid-XS-type-in-schema.php.patch
+ # http://www.mantisbt.org/bugs/view.php?id=8679
+ epatch "${FILESDIR}"/${P}-avoid-XSS-in-file_api.php.patch
+
+ if use bundled-adodb ; then
+ sed -ie \
+ "s:require_once( 'adodb/adodb.inc.php' );:require_once( \$t_core_dir . 'adodb/adodb.inc.php' );:" \
+ "${S}"/core/database_api.php
+ else
+ rm -r "${S}"/core/adodb/
+ fi
+
+ # Fix permitions. Should be fixed in 1.0.9
+ find "${S}" -type f -exec chmod 644 \{\} \;
+ find "${S}" -type d -exec chmod 755 \{\} \;
+}
+
+src_install() {
+ webapp_src_preinst
+ rm doc/{LICENSE,INSTALL}
+ dodoc doc/*
+
+ cp -R . "${D}"/${MY_HTDOCSDIR}
+ rm -rf "${D}"/${MY_HTDOCSDIR}/doc
+
+ mv "${D}"/${MY_HTDOCSDIR}/config_inc.php.sample "${D}"/${MY_HTDOCSDIR}/config_inc.php
+
+ webapp_configfile ${MY_HTDOCSDIR}/config_inc.php
+ webapp_postinst_txt en "${FILESDIR}"/postinstall-en-1.0.0.txt
+ webapp_src_install
+} |
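Review bot: In `src_unpack`, `sed -ie \` is parsed by GNU sed as `-i` with the backup suffix `e`, so the edit leaves a copy named `core/database_api.phpe` in `${S}`. `cp -R . "${D}"/${MY_HTDOCSDIR}` in `src_install` then installs that stray file under the web root, where a server would usually not pass it to the PHP interpreter. Writing the options separately avoids the backup file: `sed -i -e \`. The comment `# Fix permitions.` should also read `# Fix permissions.`.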