pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2017Q1]: pkgsrc/devel/mantis Pullup ticket #5300 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/f19e3f663096
branches:  pkgsrc-2017Q1
changeset: 360268:f19e3f663096
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Mon Apr 17 15:52:46 2017 +0000

description:
Pullup ticket #5300 - requested by maya
devel/mantis: security fix

Revisions pulled up:
- devel/mantis/Makefile                                         1.49
- devel/mantis/distinfo                                         1.20
- devel/mantis/patches/patch-verify.php                         1.1

---
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Mon Apr 17 09:57:14 UTC 2017

   Modified Files:
           pkgsrc/devel/mantis: Makefile distinfo
   Added Files:
           pkgsrc/devel/mantis/patches: patch-verify.php

   Log Message:
   mantisBT: patch CVE-2017-7615, allowing any user to authenticate as admin
   using upstream provided patch.

   XXX THIS IS THE WRONG FIX, PACKAGE SHOULD BE UPDATED TO LATEST VERSION

   bump PKGREVISION

diffstat:

 devel/mantis/Makefile                 |   8 ++++++--
 devel/mantis/distinfo                 |   3 ++-
 devel/mantis/patches/patch-verify.php |  16 ++++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)

diffs (56 lines):

diff -r d252e6650d82 -r f19e3f663096 devel/mantis/Makefile
--- a/devel/mantis/Makefile     Mon Apr 17 14:54:45 2017 +0000
+++ b/devel/mantis/Makefile     Mon Apr 17 15:52:46 2017 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.48 2016/09/11 17:03:25 taca Exp $
+# $NetBSD: Makefile,v 1.48.6.1 2017/04/17 15:52:46 bsiegert Exp $
 
 DISTNAME=      mantisbt-1.3.1
-PKGREVISION=   1
+PKGREVISION=   2
 PKGNAME=       ${DISTNAME:S/mantisbt/mantis/}
 CATEGORIES=    devel www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=mantisbt/}
@@ -53,6 +53,10 @@
 post-extract:
        ${CP} ${FILESDIR}/mantis.conf ${WRKSRC}
 
+# Get rid of patch leftovers
+post-patch:
+       ${RM} ${WRKSRC}/*.orig
+
 do-install:
        cd ${WRKSRC}/doc && \
                pax -rwpppm en-US ${DESTDIR}${PREFIX}/share/doc/mantis
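Review bot: in the new post-patch target, `${RM} ${WRKSRC}/*.orig` has no `-f`, so the target fails if the glob matches nothing, and it deletes every top-level `*.orig` file rather than only the backup this change creates. The distinfo in this changeset lists patch-verify.php as the only patch, so `${RM} -f ${WRKSRC}/verify.php.orig` states the intent exactly and keeps the build working if the patch is later dropped in favour of an update.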
diff -r d252e6650d82 -r f19e3f663096 devel/mantis/distinfo
--- a/devel/mantis/distinfo     Mon Apr 17 14:54:45 2017 +0000
+++ b/devel/mantis/distinfo     Mon Apr 17 15:52:46 2017 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.19 2016/08/30 12:37:43 ryoon Exp $
+$NetBSD: distinfo,v 1.19.6.1 2017/04/17 15:52:46 bsiegert Exp $
 
 SHA1 (mantisbt-1.3.1.tar.gz) = baa398bd59356ed4142270b38fcdf67c6df54a4c
 RMD160 (mantisbt-1.3.1.tar.gz) = 828fc4f24dc17e77dacd20c12fc7917f1834a8bc
 SHA512 (mantisbt-1.3.1.tar.gz) = bac797f7d744b5f8911d2674779c790f6770fbbe7e28203a108cd51d8360cdd0830d3e68459a4d1892ca20c414f1ed37a8e71102bf804deba7073ea53885a1c1
 Size (mantisbt-1.3.1.tar.gz) = 13444685 bytes
+SHA1 (patch-verify.php) = 7e312200115639ad950009d75dae92b675166eb9
diff -r d252e6650d82 -r f19e3f663096 devel/mantis/patches/patch-verify.php
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/mantis/patches/patch-verify.php     Mon Apr 17 15:52:46 2017 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-verify.php,v 1.1.2.2 2017/04/17 15:52:46 bsiegert Exp $
+
+Patch CVE-2017-7615
+from http://www.mantisbt.org/blog/?p=518
+
+--- verify.php.orig    2016-08-28 04:50:59.000000000 +0000
++++ verify.php
+@@ -63,7 +63,7 @@ if( auth_is_user_authenticated() ) {
+ 
+ $t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $f_user_id );
+ 
+-if( $f_confirm_hash != $t_token_confirm_hash ) {
++if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
+       trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
+ }
+ 
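Review bot: on the changed `if` line, the secret confirm hash is still compared with a plain operator (`!==`), which is not constant-time; `hash_equals( $t_token_confirm_hash, $f_confirm_hash )` after the null check would be the safer comparison, provided the PHP version this package depends on has it. The patch header would also be more useful if it said in one line what the change does (reject the request when no activation token is stored for the user, and compare strictly) instead of only naming the CVE and the blog URL, since the commit message marks this as a stopgap that someone will have to re-evaluate when the package is updated.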


