pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2004Q4]: pkgsrc/mail/mailman Pullup ticket 304 - requested by ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/c5adda460a35
branches: pkgsrc-2004Q4
changeset: 485928:c5adda460a35
user: snj <snj%pkgsrc.org@localhost>
date: Tue Feb 22 22:13:28 2005 +0000
description:
Pullup ticket 304 - requested by Lubomir Sedlacik
security fix for mailman
Revisions pulled up:
- pkgsrc/mail/mailman/Makefile 1.16,1.19
- pkgsrc/mail/mailman/PLIST 1.5
- pkgsrc/mail/mailman/files/DEINSTALL 1.1
- pkgsrc/mail/mailman/files/INSTALL 1.1
- pkgsrc/mail/mailman/distinfo 1.5
- pkgsrc/mail/mailman/patches/patch-ai 1.1
Module Name: pkgsrc
Committed By: kim
Date: Sat Dec 25 16:55:33 UTC 2004
Modified Files:
pkgsrc/mail/mailman: Makefile PLIST
Added Files:
pkgsrc/mail/mailman/files: DEINSTALL INSTALL
Log Message:
Change permissions of installed files to match what is required by
the software to work. Run "check_perms -f" to make sure permissions
are correct (it still fixes a setgid problem with "mail/mailman").
Remove mm_cfg.pyc (compiled copy of mm_cfg.py) always, so the package
can be deinstalled cleanly.
Closes PR pkg/24041.
---
Module Name: pkgsrc
Committed By: tv
Date: Mon Feb 14 16:56:38 UTC 2005
Modified Files:
pkgsrc/mail/mailman: Makefile distinfo
Added Files:
pkgsrc/mail/mailman/patches: patch-ai
Log Message:
Apply patch from Mailman maintainers to fix vulnerability described in:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202
diffstat:
mail/mailman/DEINSTALL | 8 ++++++++
mail/mailman/INSTALL | 8 ++++++++
mail/mailman/Makefile | 13 ++++++++-----
mail/mailman/PLIST | 3 ++-
mail/mailman/distinfo | 3 ++-
mail/mailman/patches/patch-ai | 30 ++++++++++++++++++++++++++++++
6 files changed, 58 insertions(+), 7 deletions(-)
diffs (132 lines):
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/DEINSTALL
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/mailman/DEINSTALL Tue Feb 22 22:13:28 2005 +0000
@@ -0,0 +1,8 @@
+# $NetBSD: DEINSTALL,v 1.1.2.1 2005/02/22 22:13:28 snj Exp $
+
+case ${STAGE} in
+DEINSTALL)
+ # Remove compiled copy of configuration
+ ${RM} -f ${PKG_PREFIX}/lib/mailman/Mailman/mm_cfg.pyc
+ ;;
+esac
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/INSTALL
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/mailman/INSTALL Tue Feb 22 22:13:28 2005 +0000
@@ -0,0 +1,8 @@
+# $NetBSD: INSTALL,v 1.1.2.1 2005/02/22 22:13:28 snj Exp $
+
+case ${STAGE} in
+POST-INSTALL)
+ # Fix file permissions
+ ${PKG_PREFIX}/lib/mailman/bin/check_perms -f
+ ;;
+esac
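Review bot: the POST-INSTALL branch runs `check_perms -f` without checking or reporting its exit status, so a failed or partial permission fix passes silently at install time. Since the log message says the command still has to correct a setgid problem, the package depends on it succeeding. Suggest testing the return value and printing a warning naming the command, so the administrator knows to rerun it by hand.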
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/Makefile
--- a/mail/mailman/Makefile Mon Feb 21 17:43:27 2005 +0000
+++ b/mail/mailman/Makefile Tue Feb 22 22:13:28 2005 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.15 2004/12/19 21:25:42 wiz Exp $
+# $NetBSD: Makefile,v 1.15.2.1 2005/02/22 22:13:28 snj Exp $
DISTNAME= mailman-2.1.4
-PKGREVISION= 1
+PKGREVISION= 3
CATEGORIES= mail www
MASTER_SITES= http://www.list.org/ \
${MASTER_SITE_GNU:=mailman/}
@@ -44,7 +44,7 @@
PKG_GROUPS= ${MAILMAN_GROUP}
PKG_USERS= ${MAILMAN_USER}:${MAILMAN_GROUP}::Mailman\\ user::${SH}
-OWN_DIRS_PERMS+= ${EXECDIR} root ${MAILMAN_GROUP} 755
+OWN_DIRS_PERMS+= ${EXECDIR} root ${MAILMAN_GROUP} 775
OWN_DIRS_PERMS+= ${MAILMAN_DATADIR} ${MAILMAN_USER} ${MAILMAN_GROUP} 755
MAKE_DIRS_PERMS+= ${MAILMAN_DATADIR}/archives ${MAILMAN_USER} ${MAILMAN_GROUP} 775
MAKE_DIRS_PERMS+= ${MAILMAN_DATADIR}/archives/public ${MAILMAN_USER} ${MAILMAN_GROUP} 775
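Review bot: the `OWN_DIRS_PERMS+= ${EXECDIR} root ${MAILMAN_GROUP} 775` line makes a root-owned directory group-writable with no comment saying why. The log message gives the reason (permissions required by the software, as verified by check_perms); a one-line comment above this entry would keep a later cleanup from reverting it to 755 as an apparent hardening.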
@@ -61,7 +61,10 @@
RCD_SCRIPTS= mailman
-PYTHON_VERSIONS_ACCEPTED= 23 23pth 22 22pth 21 21pth
+INSTALL_EXTRA_TMPL+= ${FILESDIR}/INSTALL
+DEINSTALL_EXTRA_TMPL+= ${FILESDIR}/DEINSTALL
+
+PYTHON_VERSIONS_ACCEPTED= 24 24pth 23 23pth 22 22pth 21 21pth
PYTHON_PATCH_SCRIPTS+= Mailman/Archiver/pipermail.py
PYTHON_PATCH_SCRIPTS+= Mailman/Post.py
PYTHON_PATCH_SCRIPTS+= admin/bin/Release.py
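Review bot: the `PYTHON_VERSIONS_ACCEPTED` line adds `24 24pth`, which neither of the two quoted log messages mentions, so a change in supported interpreters is riding along with a security pullup undocumented. Suggest listing it in the pullup description, or confirming it belongs to one of the pulled-up Makefile revisions and saying which.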
@@ -108,7 +111,7 @@
${INSTALL_DATA_DIR} ${EGDIR}
${INSTALL_DATA} ${WRKDIR}/mailman.conf.dist ${EGDIR}/mailman.conf
${CHOWN} -R root:${MAILMAN_GROUP} ${EXECDIR}
- ${CHMOD} -R g-w ${EXECDIR}
+ ${CHMOD} -R g+w ${EXECDIR}
${CHMOD} g+s ${EXECDIR}/cgi-bin/*
.include "../../lang/python/application.mk"
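Review bot: `${CHMOD} -R g+w ${EXECDIR}` applies group write to every file under EXECDIR, not only to directories, and the following `${CHMOD} g+s ${EXECDIR}/cgi-bin/*` then marks the cgi-bin entries setgid. That leaves the setgid wrappers themselves writable by any member of MAILMAN_GROUP. If only the directories need to be group-writable, limit the recursive chmod to directories; if the files need it too, add a comment recording that this is deliberate.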
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/PLIST
--- a/mail/mailman/PLIST Mon Feb 21 17:43:27 2005 +0000
+++ b/mail/mailman/PLIST Tue Feb 22 22:13:28 2005 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2004/01/14 01:46:29 xtraeme Exp $
+@comment $NetBSD: PLIST,v 1.4.8.1 2005/02/22 22:13:28 snj Exp $
lib/mailman/Mailman/Archiver/Archiver.py
lib/mailman/Mailman/Archiver/Archiver.pyc
lib/mailman/Mailman/Archiver/HyperArch.py
@@ -313,6 +313,7 @@
lib/mailman/bin/msgfmt.py
lib/mailman/bin/newlist
lib/mailman/bin/paths.py
+lib/mailman/bin/paths.pyc
lib/mailman/bin/qrunner
lib/mailman/bin/rb-archfix
lib/mailman/bin/remove_members
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/distinfo
--- a/mail/mailman/distinfo Mon Feb 21 17:43:27 2005 +0000
+++ b/mail/mailman/distinfo Tue Feb 22 22:13:28 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2004/09/06 04:12:46 lukem Exp $
+$NetBSD: distinfo,v 1.4.4.1 2005/02/22 22:13:28 snj Exp $
SHA1 (mailman-2.1.4.tgz) = b77d22283d5780b6d8449f19f86c210e4e58a032
Size (mailman-2.1.4.tgz) = 5779983 bytes
@@ -10,3 +10,4 @@
SHA1 (patch-af) = 985a619a055151d998cefd0c1b7280a0d55f889e
SHA1 (patch-ag) = f94f190e69ce892841b88574ec8e9f100b182ed9
SHA1 (patch-ah) = 42296c52e30b1fcc1d42ef0f1b89c83414ca85df
+SHA1 (patch-ai) = 39288f7047063f77d0a94128f74ae4e9fa9e72e9
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/patches/patch-ai
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/mailman/patches/patch-ai Tue Feb 22 22:13:28 2005 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-ai,v 1.1.2.2 2005/02/22 22:13:28 snj Exp $
+
+Index: private.py
+===================================================================
+RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v
+retrieving revision 2.16.2.1
+diff -u -r2.16.2.1 private.py
+--- Mailman/Cgi/private.py 8 Feb 2003 07:13:50 -0000 2.16.2.1
++++ Mailman/Cgi/private.py 10 Feb 2005 03:34:21 -0000
+@@ -35,13 +35,17 @@
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+
++SLASH = '/'
++
+
+
+ def true_path(path):
+ "Ensure that the path is safe by removing .."
+- path = path.replace('../', '')
+- path = path.replace('./', '')
+- return path[1:]
++ parts = path.split(SLASH)
++ safe = [x for x in parts if x not in ('.', '..')]
++ if parts <> safe:
++ syslog('mischief', 'Directory traversal attack thwarted')
++ return SLASH.join(safe)[1:]
+
+
+
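Review bot: the `syslog('mischief', 'Directory traversal attack thwarted')` call in true_path() records no detail, so the log entry cannot be tied to a request: it carries neither the rejected path nor the list or client it came from. Suggest including at least the original `path` value in the message so the entry is usable for detection and follow-up. The hunk also adds no import for `syslog`; please confirm private.py already imports it, otherwise the first filtered request raises a NameError instead of logging. Note too that the function still returns the cleaned path and the request carries on, which is worth stating in the docstring.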