Date: Sat, 19 Sep 2009 15:37:31 -0600 (MDT) From: hideo <hideo@lastamericanempire.com> To: FreeBSD-gnats-submit@FreeBSD.org Cc: daniel@otherware.org Subject: ports/138976: [patch] Restrict news/sabnzbd to python <= v2.5 Message-ID: <20090919213731.16D1C1CD75@darwin.lastamericanempire.com> Resent-Message-ID: <200909192140.n8JLe1w8093974@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 138976 >Category: ports >Synopsis: [patch] Restrict news/sabnzbd to python <= v2.5 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sat Sep 19 21:40:00 UTC 2009 >Closed-Date: >Last-Modified: >Originator: hideo >Release: FreeBSD 7.2-STABLE i386 >Organization: >Environment: System: FreeBSD darwin.lastamericanempire.com 7.2-STABLE FreeBSD 7.2-STABLE #0: Thu Sep 17 13:01:02 MDT 2009 hideo@darwin.lastamericanempire.com:/usr/obj/usr/src/sys/darwin i386 >Description: SABnzbd only works with python2.5 and lower. Also, due to the version of devel/py-cheetah in ports, it won't work unless the api key feature introduced in v0.4.9 is disabled in the user's ini file. This *may* expose a user to the vulnerability described here: http://sabnzbd.wikidot.com/cross-site-vulnerability/ Changes: * Restrict to python2.5 and lower * Bump PORTREVISION as python2.6 installs are broken * Change dependency on devel/py-celementtree for python2.4 only * Add pkg-message about api error and vulnerability >How-To-Repeat: >Fix: --- sabnzbdplus-0.4.11_1 begins here --- diff -ruN /usr/ports/news/sabnzbdplus/Makefile sabnzbdplus/Makefile --- /usr/ports/news/sabnzbdplus/Makefile 2009-08-22 03:46:07.000000000 -0600 +++ sabnzbdplus/Makefile 2009-09-19 13:20:36.000000000 -0600 @@ -7,6 +7,7 @@ PORTNAME= sabnzbdplus PORTVERSION= 0.4.11 +PORTREVISION= 1 CATEGORIES= news MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/sabnzbd-${PORTVERSION} DISTNAME= SABnzbd-${PORTVERSION}-src @@ -16,11 +17,13 @@ RUN_DEPENDS= cheetah:${PORTSDIR}/devel/py-cheetah \ ${PYTHON_SITELIBDIR}/cherrypy/__init__.py:${PORTSDIR}/www/py-cherrypy-old \ - ${PYTHON_SITELIBDIR}/pythonutils/configobj.py:${PORTSDIR}/devel/py-utils \ - ${PYTHON_SITELIBDIR}/cElementTree.so:${PORTSDIR}/devel/py-celementtree + ${PYTHON_SITELIBDIR}/pythonutils/configobj.py:${PORTSDIR}/devel/py-utils BUILD_DEPENDS= ${RUN_DEPENDS} -USE_PYTHON= 2.4+ +USE_PYTHON= -2.5 + +PYVERSION= ${PYTHON_VERSION:S/^python//} + NO_BUILD= yes WRKSRC= ${WRKDIR}/SABnzbd-${PORTVERSION} PLIST_SUB= PORTNAME=${PORTNAME} @@ -34,6 +37,10 @@ .include <bsd.port.pre.mk> +.if defined(PYTHON_VERSION) && ${PYVERSION:S/.//} < 25 +RUN_DEPENDS+= ${PYTHON_SITELIBDIR}/cElementTree.so:${PORTSDIR}/devel/py-celementtree +.endif + .if !defined(WITHOUT_PAR2CMDLINE) RUN_DEPENDS+= par2repair:${PORTSDIR}/archivers/par2cmdline .endif @@ -72,5 +79,5 @@ ${CP} ${WRKSRC}/$i ${DOCSDIR} .endfor .endif - + @${CAT} pkg-message .include <bsd.port.post.mk> diff -ruN /usr/ports/news/sabnzbdplus/pkg-message sabnzbdplus/pkg-message --- /usr/ports/news/sabnzbdplus/pkg-message 1969-12-31 17:00:00.000000000 -0700 +++ sabnzbdplus/pkg-message 2009-09-19 12:54:29.000000000 -0600 @@ -0,0 +1,16 @@ + + +* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + +Due to the version of devel/py-cheetah in ports api keys do +not work. To get around the error modify the following line +in your sabnzbd.ini file: + + disable_api_key = 1 + +Note however that by disabling the api key feature you may +be at risk of the Cross-site Request Vulnerability described +here: http://sabnzbd.wikidot.com/cross-site-vulnerability/ + +* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + --- sabnzbdplus-0.4.11_1 ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090919213731.16D1C1CD75>