pkgsrc-Changes archive


CVS commit: [pkgsrc-2017Q1] pkgsrc/devel/mantis



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Mon Apr 17 15:52:46 UTC 2017

Modified Files:
        pkgsrc/devel/mantis [pkgsrc-2017Q1]: Makefile distinfo
Added Files:
        pkgsrc/devel/mantis/patches [pkgsrc-2017Q1]: patch-verify.php

Log Message:
Pullup ticket #5300 - requested by maya
devel/mantis: security fix

Revisions pulled up:
- devel/mantis/Makefile                                         1.49
- devel/mantis/distinfo                                         1.20
- devel/mantis/patches/patch-verify.php                         1.1

---
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Mon Apr 17 09:57:14 UTC 2017

   Modified Files:
           pkgsrc/devel/mantis: Makefile distinfo
   Added Files:
           pkgsrc/devel/mantis/patches: patch-verify.php

   Log Message:
   mantisBT: patch CVE-2017-7615, allowing any user to authenticate as admin
   using upstream provided patch.

   XXX THIS IS THE WRONG FIX, PACKAGE SHOULD BE UPDATED TO LATEST VERSION

   bump PKGREVISION


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.48.6.1 pkgsrc/devel/mantis/Makefile
cvs rdiff -u -r1.19 -r1.19.6.1 pkgsrc/devel/mantis/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/devel/mantis/patches/patch-verify.php

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/mantis/Makefile
diff -u pkgsrc/devel/mantis/Makefile:1.48 pkgsrc/devel/mantis/Makefile:1.48.6.1
--- pkgsrc/devel/mantis/Makefile:1.48   Sun Sep 11 17:03:25 2016
+++ pkgsrc/devel/mantis/Makefile        Mon Apr 17 15:52:46 2017
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.48 2016/09/11 17:03:25 taca Exp $
+# $NetBSD: Makefile,v 1.48.6.1 2017/04/17 15:52:46 bsiegert Exp $
 
 DISTNAME=      mantisbt-1.3.1
-PKGREVISION=   1
+PKGREVISION=   2
 PKGNAME=       ${DISTNAME:S/mantisbt/mantis/}
 CATEGORIES=    devel www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=mantisbt/}
@@ -53,6 +53,10 @@ INSTALLATION_DIRS+=  share/doc/mantis ${E
 post-extract:
        ${CP} ${FILESDIR}/mantis.conf ${WRKSRC}
 
+# Get rid of patch leftovers
+post-patch:
+       ${RM} ${WRKSRC}/*.orig
+
 do-install:
        cd ${WRKSRC}/doc && \
                pax -rwpppm en-US ${DESTDIR}${PREFIX}/share/doc/mantis
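Review bot: In the added post-patch target, "${RM} ${WRKSRC}/*.orig" runs without -f, so when the glob matches nothing (for example once patch-verify.php is dropped on a version update) rm exits non-zero and the build stops at post-patch. Suggest "${RM} -f ${WRKSRC}/*.orig". The glob also covers only the top level of ${WRKSRC}; that is enough for verify.php, but a later patch to a file in a subdirectory would leave its unpatched .orig copy in the tree. The comment could also say why the leftovers matter, rather than only "Get rid of patch leftovers".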

Index: pkgsrc/devel/mantis/distinfo
diff -u pkgsrc/devel/mantis/distinfo:1.19 pkgsrc/devel/mantis/distinfo:1.19.6.1
--- pkgsrc/devel/mantis/distinfo:1.19   Tue Aug 30 12:37:43 2016
+++ pkgsrc/devel/mantis/distinfo        Mon Apr 17 15:52:46 2017
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.19 2016/08/30 12:37:43 ryoon Exp $
+$NetBSD: distinfo,v 1.19.6.1 2017/04/17 15:52:46 bsiegert Exp $
 
 SHA1 (mantisbt-1.3.1.tar.gz) = baa398bd59356ed4142270b38fcdf67c6df54a4c
 RMD160 (mantisbt-1.3.1.tar.gz) = 828fc4f24dc17e77dacd20c12fc7917f1834a8bc
 SHA512 (mantisbt-1.3.1.tar.gz) = bac797f7d744b5f8911d2674779c790f6770fbbe7e28203a108cd51d8360cdd0830d3e68459a4d1892ca20c414f1ed37a8e71102bf804deba7073ea53885a1c1
 Size (mantisbt-1.3.1.tar.gz) = 13444685 bytes
+SHA1 (patch-verify.php) = 7e312200115639ad950009d75dae92b675166eb9

Added files:

Index: pkgsrc/devel/mantis/patches/patch-verify.php
diff -u /dev/null pkgsrc/devel/mantis/patches/patch-verify.php:1.1.2.2
--- /dev/null   Mon Apr 17 15:52:46 2017
+++ pkgsrc/devel/mantis/patches/patch-verify.php        Mon Apr 17 15:52:46 2017
@@ -0,0 +1,16 @@
+$NetBSD: patch-verify.php,v 1.1.2.2 2017/04/17 15:52:46 bsiegert Exp $
+
+Patch CVE-2017-7615
+from http://www.mantisbt.org/blog/?p=518
+
+--- verify.php.orig    2016-08-28 04:50:59.000000000 +0000
++++ verify.php
+@@ -63,7 +63,7 @@ if( auth_is_user_authenticated() ) {
+ 
+ $t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $f_user_id );
+ 
+-if( $f_confirm_hash != $t_token_confirm_hash ) {
++if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
+       trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
+ }
+ 
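Review bot: The patch header above the embedded diff says only "Patch CVE-2017-7615" plus a blog URL; it should state in one line what the changed condition closes, because the change is easy to misread. The old test used the loose "!=" against the value returned by token_get_value(), and the new one both rejects the case where $t_token_confirm_hash is null or empty and switches to the strict "!==". Separately, "!==" on a confirmation hash is not a constant-time comparison; hash_equals() placed after the null check would be the stricter form where the PHP version provides it, though for a pullup that carries the upstream patch, keeping the upstream line unchanged is defensible.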


