pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2004Q4]: pkgsrc/mail/mailman Pullup ticket 304 - requested by ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c5adda460a35
branches:  pkgsrc-2004Q4
changeset: 485928:c5adda460a35
user:      snj <snj%pkgsrc.org@localhost>
date:      Tue Feb 22 22:13:28 2005 +0000

description:
Pullup ticket 304 - requested by Lubomir Sedlacik
security fix for mailman

Revisions pulled up:
- pkgsrc/mail/mailman/Makefile          1.16,1.19
- pkgsrc/mail/mailman/PLIST             1.5
- pkgsrc/mail/mailman/files/DEINSTALL   1.1
- pkgsrc/mail/mailman/files/INSTALL     1.1
- pkgsrc/mail/mailman/distinfo          1.5
- pkgsrc/mail/mailman/patches/patch-ai  1.1


    Module Name:    pkgsrc
    Committed By:   kim
    Date:           Sat Dec 25 16:55:33 UTC 2004

    Modified Files:
            pkgsrc/mail/mailman: Makefile PLIST
    Added Files:
            pkgsrc/mail/mailman/files: DEINSTALL INSTALL

    Log Message:
    Change permissions of installed files to match what is required by
    the software to work.  Run "check_perms -f" to make sure permissions
    are correct (it still fixes a setgid problem with "mail/mailman").

    Remove mm_cfg.pyc (compiled copy of mm_cfg.py) always, so the package
    can be deinstalled cleanly.

    Closes PR pkg/24041.

    ---

    Module Name:    pkgsrc
    Committed By:   tv
    Date:           Mon Feb 14 16:56:38 UTC 2005

    Modified Files:
            pkgsrc/mail/mailman: Makefile distinfo
    Added Files:
            pkgsrc/mail/mailman/patches: patch-ai

    Log Message:
    Apply patch from Mailman maintainers to fix vulnerability described in:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202

diffstat:

 mail/mailman/DEINSTALL        |   8 ++++++++
 mail/mailman/INSTALL          |   8 ++++++++
 mail/mailman/Makefile         |  13 ++++++++-----
 mail/mailman/PLIST            |   3 ++-
 mail/mailman/distinfo         |   3 ++-
 mail/mailman/patches/patch-ai |  30 ++++++++++++++++++++++++++++++
 6 files changed, 58 insertions(+), 7 deletions(-)

diffs (132 lines):

diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/DEINSTALL
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/mailman/DEINSTALL    Tue Feb 22 22:13:28 2005 +0000
@@ -0,0 +1,8 @@
+# $NetBSD: DEINSTALL,v 1.1.2.1 2005/02/22 22:13:28 snj Exp $
+
+case ${STAGE} in
+DEINSTALL)
+    # Remove compiled copy of configuration
+    ${RM} -f ${PKG_PREFIX}/lib/mailman/Mailman/mm_cfg.pyc
+    ;;
+esac
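Review bot: The DEINSTALL case removes only `mm_cfg.pyc`; if Python is ever run with optimization against this tree, an `mm_cfg.pyo` would be left behind and the package would again not deinstall cleanly. Consider removing both in the same `${RM} -f` line.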
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/INSTALL
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/mailman/INSTALL      Tue Feb 22 22:13:28 2005 +0000
@@ -0,0 +1,8 @@
+# $NetBSD: INSTALL,v 1.1.2.1 2005/02/22 22:13:28 snj Exp $
+
+case ${STAGE} in
+POST-INSTALL)
+    # Fix file permissions
+    ${PKG_PREFIX}/lib/mailman/bin/check_perms -f
+    ;;
+esac
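Review bot: The POST-INSTALL case runs `check_perms -f` and nothing in this fragment looks at its exit status or output, so a run that could not repair the permissions passes unnoticed. Because `-f` changes modes across the installed tree, consider surfacing a failure to the administrator at install time, and note in the comment that the permissions this step settles on are the ones the `Makefile` is expected to match.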
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/Makefile
--- a/mail/mailman/Makefile     Mon Feb 21 17:43:27 2005 +0000
+++ b/mail/mailman/Makefile     Tue Feb 22 22:13:28 2005 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.15 2004/12/19 21:25:42 wiz Exp $
+# $NetBSD: Makefile,v 1.15.2.1 2005/02/22 22:13:28 snj Exp $
 
 DISTNAME=      mailman-2.1.4
-PKGREVISION=   1
+PKGREVISION=   3
 CATEGORIES=    mail www
 MASTER_SITES=  http://www.list.org/ \
                ${MASTER_SITE_GNU:=mailman/}
@@ -44,7 +44,7 @@
 PKG_GROUPS=            ${MAILMAN_GROUP}
 PKG_USERS=             ${MAILMAN_USER}:${MAILMAN_GROUP}::Mailman\\ user::${SH}
 
-OWN_DIRS_PERMS+=       ${EXECDIR} root ${MAILMAN_GROUP} 755
+OWN_DIRS_PERMS+=       ${EXECDIR} root ${MAILMAN_GROUP} 775
 OWN_DIRS_PERMS+=       ${MAILMAN_DATADIR} ${MAILMAN_USER} ${MAILMAN_GROUP} 755
 MAKE_DIRS_PERMS+=      ${MAILMAN_DATADIR}/archives ${MAILMAN_USER} ${MAILMAN_GROUP} 775
 MAKE_DIRS_PERMS+=      ${MAILMAN_DATADIR}/archives/public ${MAILMAN_USER} ${MAILMAN_GROUP} 775
@@ -61,7 +61,10 @@
 
 RCD_SCRIPTS=           mailman
 
-PYTHON_VERSIONS_ACCEPTED= 23 23pth 22 22pth 21 21pth
+INSTALL_EXTRA_TMPL+=   ${FILESDIR}/INSTALL
+DEINSTALL_EXTRA_TMPL+= ${FILESDIR}/DEINSTALL
+
+PYTHON_VERSIONS_ACCEPTED= 24 24pth 23 23pth 22 22pth 21 21pth
 PYTHON_PATCH_SCRIPTS+= Mailman/Archiver/pipermail.py
 PYTHON_PATCH_SCRIPTS+= Mailman/Post.py
 PYTHON_PATCH_SCRIPTS+= admin/bin/Release.py
@@ -108,7 +111,7 @@
        ${INSTALL_DATA_DIR} ${EGDIR}
        ${INSTALL_DATA} ${WRKDIR}/mailman.conf.dist ${EGDIR}/mailman.conf
        ${CHOWN} -R root:${MAILMAN_GROUP} ${EXECDIR}
-       ${CHMOD} -R g-w ${EXECDIR}
+       ${CHMOD} -R g+w ${EXECDIR}
        ${CHMOD} g+s ${EXECDIR}/cgi-bin/*
 
 .include "../../lang/python/application.mk"
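Review bot: `${CHMOD} -R g+w ${EXECDIR}` widens write access on the whole tree from root only to everyone in `${MAILMAN_GROUP}`, and that tree includes the `cgi-bin/*` programs the next line marks setgid. If the software needs group write only on particular directories, restrict the `g+w` to those instead of applying it recursively, and add a comment beside this line and the `775` in `OWN_DIRS_PERMS` naming the component that requires it, so a later reader does not take it for an accident and does not widen it further.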
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/PLIST
--- a/mail/mailman/PLIST        Mon Feb 21 17:43:27 2005 +0000
+++ b/mail/mailman/PLIST        Tue Feb 22 22:13:28 2005 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2004/01/14 01:46:29 xtraeme Exp $
+@comment $NetBSD: PLIST,v 1.4.8.1 2005/02/22 22:13:28 snj Exp $
 lib/mailman/Mailman/Archiver/Archiver.py
 lib/mailman/Mailman/Archiver/Archiver.pyc
 lib/mailman/Mailman/Archiver/HyperArch.py
@@ -313,6 +313,7 @@
 lib/mailman/bin/msgfmt.py
 lib/mailman/bin/newlist
 lib/mailman/bin/paths.py
+lib/mailman/bin/paths.pyc
 lib/mailman/bin/qrunner
 lib/mailman/bin/rb-archfix
 lib/mailman/bin/remove_members
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/distinfo
--- a/mail/mailman/distinfo     Mon Feb 21 17:43:27 2005 +0000
+++ b/mail/mailman/distinfo     Tue Feb 22 22:13:28 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2004/09/06 04:12:46 lukem Exp $
+$NetBSD: distinfo,v 1.4.4.1 2005/02/22 22:13:28 snj Exp $
 
 SHA1 (mailman-2.1.4.tgz) = b77d22283d5780b6d8449f19f86c210e4e58a032
 Size (mailman-2.1.4.tgz) = 5779983 bytes
@@ -10,3 +10,4 @@
 SHA1 (patch-af) = 985a619a055151d998cefd0c1b7280a0d55f889e
 SHA1 (patch-ag) = f94f190e69ce892841b88574ec8e9f100b182ed9
 SHA1 (patch-ah) = 42296c52e30b1fcc1d42ef0f1b89c83414ca85df
+SHA1 (patch-ai) = 39288f7047063f77d0a94128f74ae4e9fa9e72e9
diff -r 149be1c6e65c -r c5adda460a35 mail/mailman/patches/patch-ai
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/mailman/patches/patch-ai     Tue Feb 22 22:13:28 2005 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-ai,v 1.1.2.2 2005/02/22 22:13:28 snj Exp $
+
+Index: private.py
+===================================================================
+RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v
+retrieving revision 2.16.2.1
+diff -u -r2.16.2.1 private.py
+--- Mailman/Cgi/private.py     8 Feb 2003 07:13:50 -0000       2.16.2.1
++++ Mailman/Cgi/private.py     10 Feb 2005 03:34:21 -0000
+@@ -35,13 +35,17 @@
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+ 
++SLASH = '/'
++
+ 
+ 
+ def true_path(path):
+     "Ensure that the path is safe by removing .."
+-    path = path.replace('../', '')
+-    path = path.replace('./', '')
+-    return path[1:]
++    parts = path.split(SLASH)
++    safe = [x for x in parts if x not in ('.', '..')]
++    if parts <> safe:
++        syslog('mischief', 'Directory traversal attack thwarted')
++    return SLASH.join(safe)[1:]
+ 
+ 
+ 
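Review bot: In the new `true_path`, the `syslog('mischief', ...)` call writes a fixed string with neither the requested path nor the client, and the function then returns the cleaned path, so the request is still served. Include the original `path` in the log entry so it is usable for detection and triage, and consider having the caller refuse the request when `parts <> safe` rather than continuing with the sanitized value. The hunk also shows no import for `syslog`, so confirm `private.py` already imports it, and the docstring could be updated to say that whole `.` and `..` components are dropped, since the old substring replacement is gone.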