From: TAKATSU Tomonari
Date: Sun, 29 Jul 2018 03:40:18 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r475623 - in head/japanese/mailman: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: tota
X-SVN-Commit-Paths: in head/japanese/mailman: . files
X-SVN-Commit-Revision: 475623
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SVN commit messages for the ports tree
X-List-Received-Date: Sun, 29 Jul 2018 03:40:19 -0000

Author: tota
Date: Sun Jul 29 03:40:17 2018
New Revision: 475623
URL: https://svnweb.freebsd.org/changeset/ports/475623

Log:
  - Rename patches
    * extra-patch-Mailman-Cgi-private.py to extra-patch-Mailman_Cgi_private.py
    * patch-CVE-2015-2775 to patch-Mailman_Utils.py
    * patch-CVE-2018-5950 to patch-Mailman_Cgi_options.py
  - Apply CVE-2018-0618 patches [1]

  PR: 229351 [1]
  Submitted by: Yasuhito FUTATSUKI
  MFH: 2018Q3
  Security: CVE-2018-0618

Added:
  head/japanese/mailman/files/extra-patch-Mailman_Cgi_private.py
     - copied unchanged from r475622, head/japanese/mailman/files/extra-patch-Mailman-Cgi-private.py
  head/japanese/mailman/files/patch-Mailman_Cgi_admin.py (contents, props changed)
  head/japanese/mailman/files/patch-Mailman_Cgi_options.py
     - copied unchanged from r475622, head/japanese/mailman/files/patch-CVE-2018-5950
  head/japanese/mailman/files/patch-Mailman_Gui_General.py (contents, props changed)
  head/japanese/mailman/files/patch-Mailman_Utils.py
     - copied, changed from r475622, head/japanese/mailman/files/patch-CVE-2015-2775
Deleted:
  head/japanese/mailman/files/extra-patch-Mailman-Cgi-private.py
  head/japanese/mailman/files/patch-CVE-2015-2775
  head/japanese/mailman/files/patch-CVE-2018-5950
Modified:
  head/japanese/mailman/Makefile

Modified: 
head/japanese/mailman/Makefile ============================================================================== --- head/japanese/mailman/Makefile Sun Jul 29 02:01:15 2018 (r475622) +++ head/japanese/mailman/Makefile Sun Jul 29 03:40:17 2018 (r475623) @@ -3,7 +3,7 @@ PORTNAME= mailman PORTVERSION= 2.1.14.j7 -PORTREVISION= 4 +PORTREVISION= 5 PORTEPOCH= 1 CATEGORIES= japanese mail MASTER_SITES= https://docs.python.jp/contrib/mailman/_static/ \ @@ -105,7 +105,7 @@ MAIL_GID?= courier .if ${PORT_OPTIONS:MNAMAZU2} RUN_DEPENDS+= mknmz:japanese/namazu2 -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Mailman-Cgi-private.py +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Mailman_Cgi_private.py .endif pre-everything:: Copied: head/japanese/mailman/files/extra-patch-Mailman_Cgi_private.py (from r475622, head/japanese/mailman/files/extra-patch-Mailman-Cgi-private.py) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/japanese/mailman/files/extra-patch-Mailman_Cgi_private.py Sun Jul 29 03:40:17 2018 (r475623, copy of r475622, head/japanese/mailman/files/extra-patch-Mailman-Cgi-private.py) 
@@ -0,0 +1,30 @@ +--- Mailman/Cgi/private.py.orig 2010-09-21 03:18:27.000000000 +0900 ++++ Mailman/Cgi/private.py 2011-04-08 22:28:09.000000000 +0900 +@@ -116,6 +116,7 @@ + + i18n.set_language(mlist.preferred_language) + doc.set_language(mlist.preferred_language) ++ is_cgi = 0 + + cgidata = cgi.FieldStorage() + username = cgidata.getvalue('username', '') +@@ -179,6 +180,10 @@ + elif true_filename.endswith('.gz'): + import gzip + f = gzip.open(true_filename, 'r') ++ elif true_filename.endswith('namazu.cgi'): ++ os.putenv('SCRIPT_NAME', 'namazu.cgi') ++ f = os.popen(true_filename, 'r') ++ is_cgi = 1 + else: + f = open(true_filename, 'r') + except IOError: +@@ -188,6 +193,7 @@ + print doc.Format() + syslog('error', 'Private archive file not found: %s', true_filename) + else: +- print 'Content-type: %s\n' % ctype ++ if not is_cgi: ++ print 'Content-type: %s\n' % ctype + sys.stdout.write(f.read()) + f.close() Added: head/japanese/mailman/files/patch-Mailman_Cgi_admin.py ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/japanese/mailman/files/patch-Mailman_Cgi_admin.py Sun Jul 29 03:40:17 2018 (r475623) @@ -0,0 +1,11 @@ +--- Mailman/Cgi/admin.py.orig 2011-12-11 07:56:23 UTC ++++ Mailman/Cgi/admin.py +@@ -266,7 +266,7 @@ def admin_overview(msg=''): + else: + advertised.append((mlist.GetScriptURL('admin'), + mlist.real_name, +- mlist.description)) ++ Utils.websafe(mlist.description))) + # Greeting depends on whether there was an error or not + if msg: + greeting = FontAttr(msg, color="ff5060", size="+1") Copied: head/japanese/mailman/files/patch-Mailman_Cgi_options.py (from r475622, head/japanese/mailman/files/patch-CVE-2018-5950) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/japanese/mailman/files/patch-Mailman_Cgi_options.py Sun Jul 29 03:40:17 2018 (r475623, copy of r475622, head/japanese/mailman/files/patch-CVE-2018-5950) 
@@ -0,0 +1,52 @@ +--- Mailman/Cgi/options.py.orig 2011-12-11 07:56:23 UTC ++++ Mailman/Cgi/options.py +@@ -1,4 +1,4 @@ +-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc. ++# Copyright (C) 1998-2018 by the Free Software Foundation, Inc. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License +@@ -165,20 +165,6 @@ def main(): + doc.set_language(userlang) + i18n.set_language(userlang) + +- # See if this is VARHELP on topics. +- varhelp = None +- if cgidata.has_key('VARHELP'): +- varhelp = cgidata['VARHELP'].value +- elif os.environ.get('QUERY_STRING'): +- # POST methods, even if their actions have a query string, don't get +- # put into FieldStorage's keys :-( +- qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP') +- if qs and type(qs) == types.ListType: +- varhelp = qs[0] +- if varhelp: +- topic_details(mlist, doc, user, cpuser, userlang, varhelp) +- return +- + # Are we processing an unsubscription request from the login screen? + if cgidata.has_key('login-unsub'): + # Because they can't supply a password for unsubscribing, we'll need +@@ -290,6 +276,22 @@ def main(): + print doc.Format() + return + ++ # See if this is VARHELP on topics. ++ varhelp = None ++ if cgidata.has_key('VARHELP'): ++ varhelp = cgidata['VARHELP'].value ++ elif os.environ.get('QUERY_STRING'): ++ # POST methods, even if their actions have a query string, don't get ++ # put into FieldStorage's keys :-( ++ qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP') ++ if qs and type(qs) == types.ListType: ++ varhelp = qs[0] ++ if varhelp: ++ # Sanitize the topic name. 
++ varhelp = re.sub('<.*', '', varhelp) ++ topic_details(mlist, doc, user, cpuser, userlang, varhelp) ++ return ++ + if cgidata.has_key('logout'): + print mlist.ZapCookie(mm_cfg.AuthUser, user) + loginpage(mlist, doc, user, language) Added: head/japanese/mailman/files/patch-Mailman_Gui_General.py ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/japanese/mailman/files/patch-Mailman_Gui_General.py Sun Jul 29 03:40:17 2018 (r475623) @@ -0,0 +1,23 @@ +--- Mailman/Gui/General.py.orig 2011-12-11 07:56:23 UTC ++++ Mailman/Gui/General.py +@@ -1,4 +1,4 @@ +-# Copyright (C) 2001-2011 by the Free Software Foundation, Inc. ++# Copyright (C) 2001-2018 by the Free Software Foundation, Inc. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License +@@ -493,6 +493,14 @@ mlist.info. + or not isinstance(val, IntType)): + doc.addError(_("""admin_member_chunksize attribute not + changed! It must be an integer > 0.""")) ++ elif property == 'host_name': ++ try: ++ Utils.ValidateEmail('user@' + val) ++ except Errors.EmailAddressError: ++ doc.addError(_("""host_name attribute not changed! ++ It must be a valid domain name.""")) ++ else: ++ GUIBase._setValue(self, mlist, property, val, doc) + else: + GUIBase._setValue(self, mlist, property, val, doc) + Copied and modified: head/japanese/mailman/files/patch-Mailman_Utils.py (from r475622, head/japanese/mailman/files/patch-CVE-2015-2775) ============================================================================== --- head/japanese/mailman/files/patch-CVE-2015-2775 Sun Jul 29 02:01:15 2018 (r475622, copy source) +++ head/japanese/mailman/files/patch-Mailman_Utils.py Sun Jul 29 03:40:17 2018 (r475623) 
@@ -1,5 +1,11 @@ --- Mailman/Utils.py.orig 2011-12-11 07:56:23 UTC +++ Mailman/Utils.py +@@ -1,4 +1,4 @@ +-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc. ++# Copyright (C) 1998-2018 by the Free Software Foundation, Inc. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License @@ -93,6 +93,12 @@ def list_exists(listname): # # The former two are for 2.1alpha3 and beyond, while the latter two are @@ -13,3 +19,99 @@ basepath = Site.get_listpath(listname) for ext in ('.pck', '.pck.last', '.db', '.db.last'): dbfile = os.path.join(basepath, 'config' + ext) +@@ -952,6 +958,7 @@ _badwords = [ + '
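
Review bot: In the Mailman/Cgi/private.py patch, the new `elif true_filename.endswith('namazu.cgi'):` branch passes `true_filename` to `os.popen`, which hands the string to the shell, and the suffix test also matches any file whose name merely ends in `namazu.cgi`. Comparing `os.path.basename(true_filename)` to `'namazu.cgi'` exactly and starting the script from an argument list (for example `subprocess.Popen([true_filename], stdout=subprocess.PIPE)`) would keep the path from being parsed by the shell. Because the `is_cgi` path skips the `Content-type` line, a comment saying that the script is expected to emit its own headers would also help.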
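
Review bot: In the Mailman/Cgi/admin.py patch, `Utils.websafe(mlist.description)` escapes the description only at the one `advertised.append(...)` call in `admin_overview`, and no other CGI overview page is touched in this revision. The commit log should say whether the other pages that print `mlist.description` already escape it, so a reader can tell that the CVE-2018-0618 coverage is complete for this port's older 2.1.14 code base.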
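
Review bot: In the Mailman/Cgi/options.py patch, `varhelp = re.sub('<.*', '', varhelp)` removes text only from the first `<` to the end of that line, because `.` does not match a newline without `re.DOTALL`, so anything after an embedded newline is kept. Passing `re.DOTALL`, or escaping the value on output as the admin.py patch does with `Utils.websafe`, would be more robust. None of the visible hunks adds `import re`, so confirm that options.py already imports it.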
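
Review bot: In the Mailman/Gui/General.py patch, the new `elif property == 'host_name':` branch accepts whatever `Utils.ValidateEmail('user@' + val)` accepts, so the effective host name rule lives in the e-mail validator rather than in this check. A short comment stating which input this is meant to reject would make the intent reviewable, and since the branch catches `Errors.EmailAddressError` while no visible hunk adds an import, confirm that `Errors` and `Utils` are already imported in General.py.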