Date: Wed, 20 Jul 2005 01:57:05 +0400
From: Vsevolod Stakhov
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/83753: Update port: devel/viewcvs to 0.9.3 (security fix)
List-Id: Ports bug reports

>Number: 83753
>Category: ports
>Synopsis: Update port: devel/viewcvs to 0.9.3 (security fix)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 19 22:00:33 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Vsevolod Stakhov
>Release: FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
>Description:
Update to 0.9.3. Security fixes are included:
* security fix: disallow bad "content-type" input [CAN-2004-1062]
* security fix: disallow bad "sortby" and "cvsroot" input [CAN-2002-0771]
* security fix: omit forbidden/hidden modules from tarballs [CAN-2004-0915]

Removed file(s):
- files/patch-CAN-2004-0915
>How-To-Repeat:
>Fix:
--- viewcvs-0.9.3.patch begins here --- diff -ruN --exclude=CVS viewcvs.orig/Makefile viewcvs/Makefile --- viewcvs.orig/Makefile Wed Jul 20 01:45:45 2005 +++ viewcvs/Makefile Wed Jul 20 01:49:50 2005 @@ -6,8 +6,7 @@ # PORTNAME= viewcvs -PORTVERSION= 0.9.2 -PORTREVISION= 3 +PORTVERSION= 0.9.3 CATEGORIES= devel python MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} 
@@ -22,7 +21,7 @@ PLIST_SUB= INSTDIR=${INSTDIR} do-install: - @ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install + @(cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install) post-install: @ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" ${MASTERDIR}/pkg-message >${PKGMESSAGE} diff -ruN --exclude=CVS viewcvs.orig/distinfo viewcvs/distinfo --- viewcvs.orig/distinfo Wed Jul 20 01:45:45 2005 +++ viewcvs/distinfo Wed Jul 20 01:46:39 2005 @@ -1,2 +1,2 @@ -MD5 (viewcvs-0.9.2.tar.gz) = c7857b1ed05240ad1f691ea40044daf2 -SIZE (viewcvs-0.9.2.tar.gz) = 140063 +MD5 (viewcvs-0.9.3.tar.gz) = 8be527279feaaa6ecf184bcf714e2f22 +SIZE (viewcvs-0.9.3.tar.gz) = 140215 diff -ruN --exclude=CVS viewcvs.orig/files/patch-CAN-2004-0915 viewcvs/files/patch-CAN-2004-0915 --- viewcvs.orig/files/patch-CAN-2004-0915 Wed Jul 20 01:45:45 2005 +++ viewcvs/files/patch-CAN-2004-0915 Thu Jan 1 03:00:00 1970 @@ -1,37 +0,0 @@ ---- lib/viewcvs.py.orig 2004-10-20 15:03:41.000000000 +0200 -+++ lib/viewcvs.py 2004-10-20 16:37:35.000000000 +0200 -@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s - def generate_tarball(out, relative, directory, tag, stack=[]): - subdirs = [ ] - rcs_files = [ ] -+ if relative == 'CVSROOT' and cfg.options.hide_cvsroot: -+ return -+ - for file, pathname, isdir in get_file_data(directory): - if pathname == _UNREADABLE_MARKER: - continue - if isdir: -+ if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot: -+ continue -+ if relative.find('/') == -1 and cfg.is_forbidden(file): -+ continue - subdirs.append(file) - else: - rcs_files.append(file) -@@ -2583,6 +2590,16 @@ def main(): - '\n') - return - -+ if where == 'CVSROOT' and cfg.options.hide_cvsroot: -+ print "Status: 400" -+ http_header() -+ print ('\n' -+ '\n400 Bad Request\n' -+ '\n' -+ '

Bad Request

\n Listing of CVSROOT is disallowed.

\n' -+ '\n') -+ return -+ - ### look for GZIP binary - - # if we have a directory and the request didn't end in "/", then redirect --- viewcvs-0.9.3.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
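Review bot: the do-install change in the second Makefile hunk, which wraps the `cd ${WRKSRC} && ... viewcvs-install` command in a subshell, is not mentioned in the Description; that text lists only the version bump and the removed patch file. Either state why the subshell is needed or submit it separately, so the security update can be reviewed and committed on its own.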
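Review bot: the distinfo hunk replaces the MD5 and SIZE entries for viewcvs-0.9.3.tar.gz, but the PR does not say how the new values were obtained. For an update submitted as a security fix, state that the tarball was fetched from the MASTER_SITE_SOURCEFORGE location given in the Makefile and that `8be527279feaaa6ecf184bcf714e2f22` was compared against a checksum published by upstream, since MD5 plus size is the only integrity check recorded here.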
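Review bot: deleting files/patch-CAN-2004-0915 removes checks in both generate_tarball() and main(), while the Description confirms only that 0.9.3 will "omit forbidden/hidden modules from tarballs". The last hunk of the deleted patch returns "Status: 400" in main() when `where == 'CVSROOT' and cfg.options.hide_cvsroot`, with the message "Listing of CVSROOT is disallowed", and the generate_tarball() hunk also skips top-level directories for which `cfg.is_forbidden(file)` is true. Please confirm in the PR that lib/viewcvs.py in 0.9.3 carries equivalents of all of these before the local patch is dropped; otherwise the update would silently remove a protection the port currently has.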