Date: Wed, 20 Jul 2005 01:57:05 +0400 From: Vsevolod Stakhov <vsevolod@highsecure.ru> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/83753: Update port: devel/viewcvs to 0.9.3 (security fix) Message-ID: <E1Dv05J-0000Fx-Gt@spray.anyhost.ru> Resent-Message-ID: <200507192200.j6JM0Yp8080660@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 83753
>Category: ports
>Synopsis: Update port: devel/viewcvs to 0.9.3 (security fix)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 19 22:00:33 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Vsevolod Stakhov
>Release: FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
>Description:
Update to 0.9.3.
Security fixes are included:
* security fix: disallow bad "content-type" input [CAN-2004-1062]
* security fix: disallow bad "sortby" and "cvsroot" input [CAN-2002-0771]
* security fix: omit forbidden/hidden modules from tarballs [CAN-2004-0915]
Removed file(s):
- files/patch-CAN-2004-0915
>How-To-Repeat:
>Fix:
--- viewcvs-0.9.3.patch begins here ---
diff -ruN --exclude=CVS viewcvs.orig/Makefile viewcvs/Makefile
--- viewcvs.orig/Makefile Wed Jul 20 01:45:45 2005
+++ viewcvs/Makefile Wed Jul 20 01:49:50 2005
@@ -6,8 +6,7 @@
#
PORTNAME= viewcvs
-PORTVERSION= 0.9.2
-PORTREVISION= 3
+PORTVERSION= 0.9.3
CATEGORIES= devel python
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
@@ -22,7 +21,7 @@
PLIST_SUB= INSTDIR=${INSTDIR}
do-install:
- @ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install
+ @(cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install)
post-install:
@ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" ${MASTERDIR}/pkg-message >${PKGMESSAGE}
diff -ruN --exclude=CVS viewcvs.orig/distinfo viewcvs/distinfo
--- viewcvs.orig/distinfo Wed Jul 20 01:45:45 2005
+++ viewcvs/distinfo Wed Jul 20 01:46:39 2005
@@ -1,2 +1,2 @@
-MD5 (viewcvs-0.9.2.tar.gz) = c7857b1ed05240ad1f691ea40044daf2
-SIZE (viewcvs-0.9.2.tar.gz) = 140063
+MD5 (viewcvs-0.9.3.tar.gz) = 8be527279feaaa6ecf184bcf714e2f22
+SIZE (viewcvs-0.9.3.tar.gz) = 140215
diff -ruN --exclude=CVS viewcvs.orig/files/patch-CAN-2004-0915 viewcvs/files/patch-CAN-2004-0915
--- viewcvs.orig/files/patch-CAN-2004-0915 Wed Jul 20 01:45:45 2005
+++ viewcvs/files/patch-CAN-2004-0915 Thu Jan 1 03:00:00 1970
@@ -1,37 +0,0 @@
---- lib/viewcvs.py.orig 2004-10-20 15:03:41.000000000 +0200
-+++ lib/viewcvs.py 2004-10-20 16:37:35.000000000 +0200
-@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
- def generate_tarball(out, relative, directory, tag, stack=[]):
- subdirs = [ ]
- rcs_files = [ ]
-+ if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
-+ return
-+
- for file, pathname, isdir in get_file_data(directory):
- if pathname == _UNREADABLE_MARKER:
- continue
- if isdir:
-+ if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
-+ continue
-+ if relative.find('/') == -1 and cfg.is_forbidden(file):
-+ continue
- subdirs.append(file)
- else:
- rcs_files.append(file)
-@@ -2583,6 +2590,16 @@ def main():
- '</body></html>\n')
- return
-
-+ if where == 'CVSROOT' and cfg.options.hide_cvsroot:
-+ print "Status: 400"
-+ http_header()
-+ print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
-+ '<html><head>\n<title>400 Bad Request</title>\n'
-+ '</head><body>\n'
-+ '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n'
-+ '</body></html>\n')
-+ return
-+
- ### look for GZIP binary
-
- # if we have a directory and the request didn't end in "/", then redirect
--- viewcvs-0.9.3.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1Dv05J-0000Fx-Gt>