pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2018Q4]: pkgsrc/lang/pear Pullup ticket #5912 - requested by taca



details:   https://anonhg.NetBSD.org/pkgsrc/rev/bcf3b62cb8ae
branches:  pkgsrc-2018Q4
changeset: 408318:bcf3b62cb8ae
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Mon Feb 18 14:17:59 2019 +0000

description:
Pullup ticket #5912 - requested by taca
lang/pear: security fix

Revisions pulled up:
- lang/pear/Makefile                                            1.45-1.46
- lang/pear/distinfo                                            1.32-1.33
- lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php 1.1

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Sun Feb  3 14:06:58 UTC 2019

   Modified Files:
        pkgsrc/lang/pear: Makefile distinfo

   Log Message:
   lang/pear: update Archive_Tar pear package to 1.4.6

   Update Archive_Tar pear package to 1.4.6.

   Bump PKGREVISION.

   1.4.4 (2018-12-20)

   * Fix Bug #21058: Long symlinks are not supported [mrook]

   * Fix Bug #23782: Prevent phar:// files from being extracted [mrook]

   1.4.5 (2019-02-01)

   * Fix Bug #23788: Relative symlinks are broken [mrook]

   1.4.6 (2019-02-01)

   * Improve path traversal detection for forward and backward slashes

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Thu Feb  7 13:40:57 UTC 2019

   Modified Files:
        pkgsrc/lang/pear: Makefile distinfo
   Added Files:
        pkgsrc/lang/pear/patches: patch-.._Archive__Tar-1.4.5_Archive_Tar.php

   Log Message:
   lang/pear: fix broken package with previous commit

   Fix broken package with previous commit.

   * Set Archive_Tar to 1.4.5, for which I have the distfile.
   * Upload Archive_Tar-1.4.5.tgz to MASTER_SITE_LOCAL.
   * Add patch to update Archive/Tar.php to 1.4.6 from GitHub.

   No PKGREVISION bump since it was broken.

diffstat:

 lang/pear/Makefile                                            |   5 +-
 lang/pear/distinfo                                            |  11 +++--
 lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php |  20 +++++++++++
 3 files changed, 29 insertions(+), 7 deletions(-)

diffs (70 lines):

diff -r b6c4ab46b773 -r bcf3b62cb8ae lang/pear/Makefile
--- a/lang/pear/Makefile        Mon Feb 18 14:05:52 2019 +0000
+++ b/lang/pear/Makefile        Mon Feb 18 14:17:59 2019 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.44 2018/12/15 16:48:05 taca Exp $
+# $NetBSD: Makefile,v 1.44.2.1 2019/02/18 14:17:59 bsiegert Exp $
 #
 
 DISTNAME=      PEAR-1.10.7
 PKGNAME=       ${PHP_PKG_PREFIX}-${DISTNAME:S/PEAR/pear/}
+PKGREVISION=   1
 CATEGORIES=    lang
 MASTER_SITES=  http://download.pear.php.net/package/
 EXTRACT_SUFX=  .tgz
@@ -33,7 +34,7 @@
 DISTFILES+=            ${PEAR_SRCS}
 EXTRACT_ONLY+=         ${PEAR_SRCS}
 
-ARCHIVE_SRCS=          Archive_Tar-1.4.3${EXTRACT_SUFX}
+ARCHIVE_SRCS=          Archive_Tar-1.4.5${EXTRACT_SUFX}
 ARCHIVE_WRKSRC=                ${WRKDIR}/${ARCHIVE_SRCS:S/${EXTRACT_SUFX}//}
 DISTFILES+=            ${ARCHIVE_SRCS}
 EXTRACT_ONLY+=         ${ARCHIVE_SRCS}
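
Review bot: the `ARCHIVE_SRCS` line pins the distfile at Archive_Tar-1.4.5, while the security fix named in the log (1.4.6) arrives only through the file added under patches/, and nothing in the Makefile records that. A comment beside `ARCHIVE_SRCS` stating that Archive/Tar.php is patched to the 1.4.6 level, and that the patch must be dropped when the distfile moves to 1.4.6, would keep the next version bump from silently losing or double-applying the fix.
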
diff -r b6c4ab46b773 -r bcf3b62cb8ae lang/pear/distinfo
--- a/lang/pear/distinfo        Mon Feb 18 14:05:52 2019 +0000
+++ b/lang/pear/distinfo        Mon Feb 18 14:17:59 2019 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.31 2018/12/15 16:48:05 taca Exp $
+$NetBSD: distinfo,v 1.31.2.1 2019/02/18 14:17:59 bsiegert Exp $
 
-SHA1 (pear20151210/Archive_Tar-1.4.3.tgz) = 947d43997ca0c0074b2f154b6487b41aec0e4aa7
-RMD160 (pear20151210/Archive_Tar-1.4.3.tgz) = 792fa16c1db820465687a12d79750520e05f4ae5
-SHA512 (pear20151210/Archive_Tar-1.4.3.tgz) = 62e60d59266c5d19b131f769f4d71d4cee6bf8964b0c6610c4f1381500ced582865bff26c608479b2678dda1e7407ba39a7ec84b31fed13e3875f1947ce5bd6c
-Size (pear20151210/Archive_Tar-1.4.3.tgz) = 20682 bytes
+SHA1 (pear20151210/Archive_Tar-1.4.5.tgz) = 1697a5baa9666174b64c48fcdd1b9c4d311100fa
+RMD160 (pear20151210/Archive_Tar-1.4.5.tgz) = c2a81c901a4b38f46d7035f3b169296f9969b592
+SHA512 (pear20151210/Archive_Tar-1.4.5.tgz) = 7a7e16e37b0c7112a77333ed2c4d0a0ae57cc1e971191c79b1858227b46f967aee915757a81bdfef3a9487a53b81a99bfbe84f78a346671fe44ac9f1f203a358
+Size (pear20151210/Archive_Tar-1.4.5.tgz) = 20919 bytes
 SHA1 (pear20151210/Console_Getopt-1.4.1.tgz) = 1db5b48e15547be532a9c836cd7ef448a3758ddc
 RMD160 (pear20151210/Console_Getopt-1.4.1.tgz) = 54d397e321a0168a33a92c98cf39f9f6456d49ea
 SHA512 (pear20151210/Console_Getopt-1.4.1.tgz) = e66a78077593ade78a40c59297a24242b0177d21b0e02b08d4fb5e25d8a57a96353c50a9dcc968f60af7458d40443061e0c1cdb11ad3180c7ffed8f0b314b089
@@ -20,3 +20,4 @@
 RMD160 (pear20151210/XML_Util-1.4.3.tgz) = 55308486e8a32d7bcb775c286d487b1db4a3f00b
 SHA512 (pear20151210/XML_Util-1.4.3.tgz) = c21a7cef90743e124c4bc8e0453b634de8f6a6b0aac060acc1a17f481a2eb8757d322b05c69151280b7651cea927b2c64b7d49b9fd815dcdc606d0472d967310
 Size (pear20151210/XML_Util-1.4.3.tgz) = 18842 bytes
+SHA1 (patch-.._Archive__Tar-1.4.5_Archive_Tar.php) = fa693b0c8d89b550952fc4a43a7319b87053c821
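
Review bot: the added patch entry is recorded with a SHA1 digest only, whereas every distfile in this file carries SHA1, RMD160, SHA512 and Size. Since this patch is what delivers the security fix, it is worth confirming that a single SHA1 line is what the distinfo tooling emits for patches on this branch rather than an omission, and regenerating the entry if a stronger digest is available.
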
diff -r b6c4ab46b773 -r bcf3b62cb8ae lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php     Mon Feb 18 14:17:59 2019 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-.._Archive__Tar-1.4.5_Archive_Tar.php,v 1.1.2.2 2019/02/18 14:18:00 bsiegert Exp $
+
+* Fix from Archive_Tar-1.4.6.
+
+--- ../Archive_Tar-1.4.5/Archive/Tar.php.orig  2019-01-02 21:45:20.000000000 +0000
++++ ../Archive_Tar-1.4.5/Archive/Tar.php
+@@ -1770,11 +1770,8 @@ class Archive_Tar extends PEAR
+         if (strpos($file, 'phar://') === 0) {
+             return true;
+         }
+-        if (strpos($file, DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR) !== false) {
+-            return true;
+-        }
+-        if (strpos($file, '..' . DIRECTORY_SEPARATOR) === 0) {
+-            return true;
++        if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
++                return true;
+         }
+         return false;
+     }
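
Review bot: the new condition `strpos($file, '../') !== false || strpos($file, '..\\') !== false` is a substring test, not a path-component test. It rejects any member whose name merely contains those three characters (a component ending in two dots, such as `name../file`), and it does not match a `..` component that has no separator after it. Splitting `$file` on both `/` and `\` and comparing each component to `..` would cover both cases without false rejections. Two smaller points: the added `return true;` is indented four spaces deeper than the other returns in this function, and the patch comment "Fix from Archive_Tar-1.4.6" would be easier to audit with a reference to the upstream commit it was taken from.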


