Date: Thu, 1 Sep 2005 20:58:19 +0800 (CST) From: chinsan <chinsan.tw@gmail.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/85568: [MAINTAINER] www/b2evo: fix security issue of xmlrpc Message-ID: <200509011258.j81CwJTW087866@polly.twbbs.org> Resent-Message-ID: <200509011300.j81D0exl024418@freefall.freebsd.org>
>Number: 85568 >Category: ports >Synopsis: [MAINTAINER] www/b2evo: fix security issue of xmlrpc >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Thu Sep 01 13:00:40 GMT 2005 >Closed-Date: >Last-Modified: >Originator: chinsan >Release: FreeBSD 5.4-RELEASE i386 >Organization: FreeBSD Taiwan >Environment: System: FreeBSD polly.twbbs.org 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: - Fix security issue of xmlrpc - Add more infomation about installation Thanks very much. :) >How-To-Repeat: >Fix: --- b2evo.diff begins here --- diff -ruN b2evo.orig/Makefile b2evo/Makefile --- b2evo.orig/Makefile Thu Sep 1 08:33:38 2005 +++ b2evo/Makefile Thu Sep 1 20:52:19 2005 @@ -7,12 +7,12 @@ PORTNAME= b2evolution PORTVERSION= 0.9.0.12 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= evocms -DISTNAME= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE} \ - xmlrpc_fix_111 +DISTNAME= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE}${EXTRACT_SUFX} \ + ${PATCH_VER} EXTRACT_ONLY= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE} # Maintainership available: drop me a line if interested :p @@ -21,8 +21,9 @@ USE_ZIP= YES +PATCH_VER= xmlrpc_fix_112 B2EVO_DATE?= 2005-05-06 -USE_PHP= mysql pcre session xml +USE_PHP= mysql pcre session xml xmlrpc PHP4_PORT?= www/mod_php4 NO_BUILD= YES WANT_PHP_WEB= YES 
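Review bot: In the first Makefile hunk, `DISTNAME` now holds two words plus an embedded `${EXTRACT_SUFX}`, so the set of fetched archives only emerges as a side effect of how the default distfile list is derived from it. Naming the archives explicitly, `DISTFILES= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE}${EXTRACT_SUFX} ${PATCH_VER}${EXTRACT_SUFX}`, would leave `DISTNAME` a single word and make it plain that the xmlrpc fix archive is fetched and checksummed. The unchanged `EXTRACT_ONLY` line still names the main archive without the suffix that distinfo now records. That presumably works only because the extract tool appends `.zip` itself, so it is worth aligning the two.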
@@ -30,28 +31,41 @@ TMPDIR?= ${PORTNAME} WRKSRC= ${WRKDIR}/${TMPDIR} -.if !defined(B2EVO_DIR) +.if !defined(B2EVO_URL) pre-fetch: @${ECHO_MSG} "" - @${ECHO_MSG} "Define B2EVO_DIR to override default of '${B2EVO_DIR}'." + @${ECHO_MSG} "Define B2EVO_URL to override default of ${PREFIX}/${WWWDOCROOT}/'${B2EVO_URL}'." @${ECHO_MSG} "" .endif +# Get HOSTNAME +.if exists(/sbin/sysctl) +HOSTNAME!= /sbin/sysctl -n kern.hostname +.else +HOSTNAME!= /usr/sbin/sysctl -n kern.hostname +.endif + WWWDOCROOT?= www/data B2EVO_URL?= b2evo WWWOWN?= www WWWGRP?= www B2EVO_DIR?= ${WWWDOCROOT}/${B2EVO_URL} +HTACCESS= ${WRKSRC}/blogs/sample.htaccess PLIST= ${WRKDIR}/pkg-plist .include <bsd.port.pre.mk> post-extract: - cd ${WRKSRC}/blogs/b2evocore \ - && ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${DISTDIR}/xmlrpc_fix_111${EXTRACT_SUFX} + @${TR} -d \\r < ${HTACCESS} > ${HTACCESS}.unix + +post-patch: + @cd ${WRKSRC} \ + && ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${DISTDIR}/${PATCH_VER}${EXTRACT_SUFX} + @${MV} -f ${WRKSRC}/${PATCH_VER}/b2evocore/* ${WRKSRC}/blogs/b2evocore + @${RM} -rf ${WRKSRC}/${PATCH_VER} pre-install: - cd ${WRKSRC} && ${FIND} -s . -type f | \ + @cd ${WRKSRC} && ${FIND} -s . -type f | \ ${SED} -e 's|^./||;s|^|${B2EVO_DIR}/|' > ${PLIST} \ && ${FIND} -d * -type d | \ ${SED} -e 's|^|@dirrm ${B2EVO_DIR}/|' >> ${PLIST} \ @@ -59,11 +73,13 @@ do-install: -${MKDIR} ${PREFIX}/${B2EVO_DIR} - @${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${B2EVO_DIR} @${CHMOD} 755 ${PREFIX}/${B2EVO_DIR} @${CP} -R ${WRKSRC}/ ${PREFIX}/${B2EVO_DIR} + @${CHOWN} -R ${WWWOWN}:${WWWGRP} ${PREFIX}/${B2EVO_DIR} + @${CHMOD} 665 ${PREFIX}/${B2EVO_DIR}/blogs/conf/_config.php post-install: - @${SED} -e 's|%%B2EVO_URL%%|${B2EVO_URL}|' ${PKGMESSAGE} + @${SED} -e 's|%%HOSTNAME%%|${HOSTNAME}|; s|%%B2EVO_URL%%|${B2EVO_URL}|' \ + ${PKGMESSAGE} .include <bsd.port.post.mk> diff -ruN b2evo.orig/distinfo b2evo/distinfo --- b2evo.orig/distinfo Thu Sep 1 08:33:38 2005 +++ b2evo/distinfo Thu Sep 1 19:32:14 2005 
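Review bot: In do-install, `@${CHMOD} 665` on `blogs/conf/_config.php` leaves the file readable and executable by every local account while the owner gets no execute bit, which looks like a typo. If this file holds the database settings (not shown here), `@${CHMOD} 660 ${PREFIX}/${B2EVO_DIR}/blogs/conf/_config.php` is the safer mode. The added `@${CHOWN} -R ${WWWOWN}:${WWWGRP}` also gives the web server account ownership of the whole installed tree, so a flaw in the PHP code could be used to modify the application files themselves. Consider leaving the tree owned by root and changing ownership only on paths the installer must write, e.g. `@${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${B2EVO_DIR}/blogs/conf/_config.php`. Which other paths need write access is not visible in this diff.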
@@ -1,4 +1,4 @@
-MD5 (b2evolution-0.9.0.12-2005-05-06) = 7f08250c3d08c2c55e75655fbffa2d98
-SIZE (b2evolution-0.9.0.12-2005-05-06) = 2857939
-MD5 (xmlrpc_fix_111.zip) = b57b76bc30d8cb4857fc66ea53f78344
-SIZE (xmlrpc_fix_111.zip) = 20432
+MD5 (b2evolution-0.9.0.12-2005-05-06.zip) = 7f08250c3d08c2c55e75655fbffa2d98
+SIZE (b2evolution-0.9.0.12-2005-05-06.zip) = 2857939
+MD5 (xmlrpc_fix_112.zip) = 3083b4118e72e1ef87a827c20522bda6
+SIZE (xmlrpc_fix_112.zip) = 22264
diff -ruN b2evo.orig/pkg-message b2evo/pkg-message
--- b2evo.orig/pkg-message Thu Sep 1 08:33:38 2005
+++ b2evo/pkg-message Thu Sep 1 20:47:30 2005
@@ -1,7 +1,29 @@
+==================================================================
+b2evolution is now installed. If you intall it for the first time,
+you may have to follow this steps to make it work correctly.
 
- **** NOTE ****
-For first use of b2evolution, remember to point your browser to
+1. Create the MySQL database:
 
- http://localhost/%%B2EVO_URL%%/blogs/install/
+ # mysqladmin --user=root -p create b2evolution
 
-and follow the instructions.
+2. Create a mysql user/password for b2evolution(database):
+ (change user and/or password if requered)
+
+ # mysql -u root -p
+ mysql> GRANT ALL ON b2evolution.* TO b2evouser@localhost
+ IDENTIFIED BY 'b2evopassword';
+ mysql> FLUSH PRIVILEGES;
+ mysql> QUIT;
+
+3.Open b2evo installation page in your web browser
+ and login with b2evouser/b2evopassword
+
+ http://%%HOSTNAME%%/%%B2EVO_URL%%/blogs/install/
+
+ If you are doing a fresh install...
+ Note that password carefully! It is a random password that is given to you
+ when you install b2evolution.
+ If you lose it, you will have to delete the database tables and reinstall.
+
+ Have fun!
+==================================================================
--- b2evo.diff ends here ---
>Release-Note: >Audit-Trail: >Unformatted:
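Review bot: Step 2 of the new pkg-message prints a fixed credential, `IDENTIFIED BY 'b2evopassword';`, and step 3 tells the reader to log in with `b2evouser/b2evopassword`, so installations that copy the commands verbatim end up sharing one known database password. Writing it as an obvious placeholder, e.g. `IDENTIFIED BY '<choose-a-password>';`, and putting the existing "change user and/or password" hint directly beside it would make that harder to miss. `GRANT ALL ON b2evolution.*` may also be broader than the application needs; whether the installer works with a narrower privilege list is not visible here.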