pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mail Add fix for security issue 2006-06-01 from Squirr...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/33d76e54adc8
branches:  trunk
changeset: 513831:33d76e54adc8
user:      tron <tron%pkgsrc.org@localhost>
date:      Sun Jun 04 12:31:31 2006 +0000

description:
Add fix for security issue 2006-06-01 from SquirrelMail CVS repository.
Bump package revision.

diffstat:

 mail/ja-squirrelmail/Makefile         |   4 +-
 mail/ja-squirrelmail/distinfo         |   3 +-
 mail/ja-squirrelmail/patches/patch-ac |  59 +++++++++++++++++++++++++++++++++++
 mail/squirrelmail/Makefile            |   4 +-
 mail/squirrelmail/distinfo            |   3 +-
 mail/squirrelmail/patches/patch-ac    |  59 +++++++++++++++++++++++++++++++++++
 6 files changed, 126 insertions(+), 6 deletions(-)

diffs (180 lines):

diff -r 0ea7caa3932c -r 33d76e54adc8 mail/ja-squirrelmail/Makefile
--- a/mail/ja-squirrelmail/Makefile     Sun Jun 04 12:21:24 2006 +0000
+++ b/mail/ja-squirrelmail/Makefile     Sun Jun 04 12:31:31 2006 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2006/06/02 18:27:56 joerg Exp $
+# $NetBSD: Makefile,v 1.30 2006/06/04 12:31:31 tron Exp $
 
 DISTNAME=      squirrelmail-1.4.6
 PKGNAME=       ja-${DISTNAME}
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    mail www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
 EXTRACT_SUFX=  .tar.bz2
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/ja-squirrelmail/distinfo
--- a/mail/ja-squirrelmail/distinfo     Sun Jun 04 12:21:24 2006 +0000
+++ b/mail/ja-squirrelmail/distinfo     Sun Jun 04 12:31:31 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2006/05/05 05:32:36 martti Exp $
+$NetBSD: distinfo,v 1.11 2006/06/04 12:31:31 tron Exp $
 
 SHA1 (squirrelmail-1.4.6.tar.bz2) = b813aa9f736b4b6c41d1afd35bcbd01604e85cf7
 RMD160 (squirrelmail-1.4.6.tar.bz2) = 3cee894b392620af3e35ef1d00e35775559dd4f7
@@ -8,3 +8,4 @@
 Size (squirrelmail-1.4.6-ja-20060504-patch) = 29808 bytes
 SHA1 (patch-aa) = c96e85a28464c414bef744f9d1398fc9dd49549a
 SHA1 (patch-ab) = a7648438c9764e432e5d040e8e3aebb0ab48730e
+SHA1 (patch-ac) = 393579f9276169d2c765726fb1249160a270e983
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/ja-squirrelmail/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/ja-squirrelmail/patches/patch-ac     Sun Jun 04 12:31:31 2006 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-ac,v 1.3 2006/06/04 12:31:31 tron Exp $
+
+--- functions/global.php.orig  2006-02-03 22:27:47.000000000 +0000
++++ functions/global.php       2006-06-04 13:22:14.000000000 +0100
+@@ -62,6 +62,47 @@
+     sqstripslashes($_POST);
+ }
+ 
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++    strtolower(ini_get('register_globals'))!='off') {
++    /**
++     * Remove all globals from $_GET, $_POST, and $_COOKIE.
++     */
++    foreach ($_REQUEST as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++    /**
++     * Remove globalized $_FILES variables
++     * Before 4.3.0 $_FILES are included in $_REQUEST.
++     * Unglobalize them in separate call in order to remove dependency
++     * on PHP version.
++     */
++    foreach ($_FILES as $key => $value) {
++        unset($GLOBALS[$key]);
++        // there are three undocumented $_FILES globals.
++        unset($GLOBALS[$key.'_type']);
++        unset($GLOBALS[$key.'_name']);
++        unset($GLOBALS[$key.'_size']);
++    }
++    /**
++     * Remove globalized environment variables.
++     */
++    foreach ($_ENV as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++    /**
++     * Remove globalized server variables.
++     */
++    foreach ($_SERVER as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+    This fixes hand crafted url XXS expoits for any
+    page that uses PHP_SELF as the FORM action */
+@@ -336,4 +377,4 @@
+ }
+ 
+ // vim: et ts=4
+-?>
+\ No newline at end of file
++?>
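Review bot: The four `foreach` loops in the added `functions/global.php` block unset every global whose name matches a key in `$_REQUEST`, `$_FILES`, `$_ENV` or `$_SERVER`, with no exclusion for PHP's reserved names or for the loop's own `$key`/`$value`, which are themselves globals if this file is included at top level (the include site is not visible here). A client-chosen key can therefore remove a variable the application still relies on, so each loop should start by skipping a fixed list, e.g. `if (in_array($key, array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', '_SESSION', 'key', 'value'))) continue;`. The inline comment `Remove all globals from $_GET, $_POST, and $_COOKIE` should also say that the loop iterates `$_REQUEST`, whose contents depend on PHP configuration. The same patch is added verbatim as mail/squirrelmail/patches/patch-ac in the last file section, so the point applies there as well.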
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/squirrelmail/Makefile
--- a/mail/squirrelmail/Makefile        Sun Jun 04 12:21:24 2006 +0000
+++ b/mail/squirrelmail/Makefile        Sun Jun 04 12:31:31 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.72 2006/06/02 18:27:56 joerg Exp $
+# $NetBSD: Makefile,v 1.73 2006/06/04 12:31:31 tron Exp $
 
 DISTNAME=      squirrelmail-1.4.6
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    mail www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
 EXTRACT_SUFX=  .tar.bz2
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/squirrelmail/distinfo
--- a/mail/squirrelmail/distinfo        Sun Jun 04 12:21:24 2006 +0000
+++ b/mail/squirrelmail/distinfo        Sun Jun 04 12:31:31 2006 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.31 2006/04/11 05:24:20 martti Exp $
+$NetBSD: distinfo,v 1.32 2006/06/04 12:31:31 tron Exp $
 
 SHA1 (squirrelmail-1.4.6.tar.bz2) = b813aa9f736b4b6c41d1afd35bcbd01604e85cf7
 RMD160 (squirrelmail-1.4.6.tar.bz2) = 3cee894b392620af3e35ef1d00e35775559dd4f7
 Size (squirrelmail-1.4.6.tar.bz2) = 484099 bytes
 SHA1 (patch-aa) = cafc171ab1de5e2e1e83caff39f3bfb810fe2ab5
 SHA1 (patch-ab) = a7648438c9764e432e5d040e8e3aebb0ab48730e
+SHA1 (patch-ac) = 393579f9276169d2c765726fb1249160a270e983
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/squirrelmail/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/squirrelmail/patches/patch-ac        Sun Jun 04 12:31:31 2006 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-ac,v 1.3 2006/06/04 12:31:31 tron Exp $
+
+--- functions/global.php.orig  2006-02-03 22:27:47.000000000 +0000
++++ functions/global.php       2006-06-04 13:22:14.000000000 +0100
+@@ -62,6 +62,47 @@
+     sqstripslashes($_POST);
+ }
+ 
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++    strtolower(ini_get('register_globals'))!='off') {
++    /**
++     * Remove all globals from $_GET, $_POST, and $_COOKIE.
++     */
++    foreach ($_REQUEST as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++    /**
++     * Remove globalized $_FILES variables
++     * Before 4.3.0 $_FILES are included in $_REQUEST.
++     * Unglobalize them in separate call in order to remove dependency
++     * on PHP version.
++     */
++    foreach ($_FILES as $key => $value) {
++        unset($GLOBALS[$key]);
++        // there are three undocumented $_FILES globals.
++        unset($GLOBALS[$key.'_type']);
++        unset($GLOBALS[$key.'_name']);
++        unset($GLOBALS[$key.'_size']);
++    }
++    /**
++     * Remove globalized environment variables.
++     */
++    foreach ($_ENV as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++    /**
++     * Remove globalized server variables.
++     */
++    foreach ($_SERVER as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+    This fixes hand crafted url XXS expoits for any
+    page that uses PHP_SELF as the FORM action */
+@@ -336,4 +377,4 @@
+ }
+ 
+ // vim: et ts=4
+-?>
+\ No newline at end of file
++?>


