pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2017Q1]: pkgsrc/devel/mantis Pullup ticket #5300 - requested b...
details: https://anonhg.NetBSD.org/pkgsrc/rev/f19e3f663096
branches: pkgsrc-2017Q1
changeset: 360268:f19e3f663096
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Mon Apr 17 15:52:46 2017 +0000
description:
Pullup ticket #5300 - requested by maya
devel/mantis: security fix
Revisions pulled up:
- devel/mantis/Makefile 1.49
- devel/mantis/distinfo 1.20
- devel/mantis/patches/patch-verify.php 1.1
---
Module Name: pkgsrc
Committed By: maya
Date: Mon Apr 17 09:57:14 UTC 2017
Modified Files:
pkgsrc/devel/mantis: Makefile distinfo
Added Files:
pkgsrc/devel/mantis/patches: patch-verify.php
Log Message:
mantisBT: patch CVE-2017-7615, allowing any user to authenticate as admin
using upstream provided patch.
XXX THIS IS THE WRONG FIX, PACKAGE SHOULD BE UPDATED TO LATEST VERSION
bump PKGREVISION
diffstat:
devel/mantis/Makefile | 8 ++++++--
devel/mantis/distinfo | 3 ++-
devel/mantis/patches/patch-verify.php | 16 ++++++++++++++++
3 files changed, 24 insertions(+), 3 deletions(-)
diffs (56 lines):
diff -r d252e6650d82 -r f19e3f663096 devel/mantis/Makefile
--- a/devel/mantis/Makefile Mon Apr 17 14:54:45 2017 +0000
+++ b/devel/mantis/Makefile Mon Apr 17 15:52:46 2017 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.48 2016/09/11 17:03:25 taca Exp $
+# $NetBSD: Makefile,v 1.48.6.1 2017/04/17 15:52:46 bsiegert Exp $
DISTNAME= mantisbt-1.3.1
-PKGREVISION= 1
+PKGREVISION= 2
PKGNAME= ${DISTNAME:S/mantisbt/mantis/}
CATEGORIES= devel www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mantisbt/}
@@ -53,6 +53,10 @@
post-extract:
${CP} ${FILESDIR}/mantis.conf ${WRKSRC}
+# Get rid of patch leftovers
+post-patch:
+ ${RM} ${WRKSRC}/*.orig
+
do-install:
cd ${WRKSRC}/doc && \
pax -rwpppm en-US ${DESTDIR}${PREFIX}/share/doc/mantis
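Review bot: The new `post-patch` target runs `${RM} ${WRKSRC}/*.orig` without `-f`, so if the glob matches nothing the literal pattern is passed to rm and the target fails; `${RM} -f ${WRKSRC}/*.orig` avoids that. The glob only covers the top level of `${WRKSRC}`, which is enough for the single verify.php patch in this change but would miss backups left by any later patch to a file in a subdirectory. The comment could also say why the leftovers matter: a stray verify.php.orig is a copy of the unpatched file.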
diff -r d252e6650d82 -r f19e3f663096 devel/mantis/distinfo
--- a/devel/mantis/distinfo Mon Apr 17 14:54:45 2017 +0000
+++ b/devel/mantis/distinfo Mon Apr 17 15:52:46 2017 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.19 2016/08/30 12:37:43 ryoon Exp $
+$NetBSD: distinfo,v 1.19.6.1 2017/04/17 15:52:46 bsiegert Exp $
SHA1 (mantisbt-1.3.1.tar.gz) = baa398bd59356ed4142270b38fcdf67c6df54a4c
RMD160 (mantisbt-1.3.1.tar.gz) = 828fc4f24dc17e77dacd20c12fc7917f1834a8bc
SHA512 (mantisbt-1.3.1.tar.gz) = bac797f7d744b5f8911d2674779c790f6770fbbe7e28203a108cd51d8360cdd0830d3e68459a4d1892ca20c414f1ed37a8e71102bf804deba7073ea53885a1c1
Size (mantisbt-1.3.1.tar.gz) = 13444685 bytes
+SHA1 (patch-verify.php) = 7e312200115639ad950009d75dae92b675166eb9
diff -r d252e6650d82 -r f19e3f663096 devel/mantis/patches/patch-verify.php
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/mantis/patches/patch-verify.php Mon Apr 17 15:52:46 2017 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-verify.php,v 1.1.2.2 2017/04/17 15:52:46 bsiegert Exp $
+
+Patch CVE-2017-7615
+from http://www.mantisbt.org/blog/?p=518
+
+--- verify.php.orig 2016-08-28 04:50:59.000000000 +0000
++++ verify.php
+@@ -63,7 +63,7 @@ if( auth_is_user_authenticated() ) {
+
+ $t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $f_user_id );
+
+-if( $f_confirm_hash != $t_token_confirm_hash ) {
++if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
+ trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
+ }
+
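Review bot: In the replaced condition, `$f_confirm_hash !== $t_token_confirm_hash` is an ordinary string comparison on a secret token; once the null check has passed and both values are known to be strings, `hash_equals( $t_token_confirm_hash, $f_confirm_hash )` would make the check timing-safe as well. The `== null` test is loose, so it also rejects an empty-string stored token, which is the safe direction, but a short comment saying that is intended would help the next reader. The patch header cites the upstream post over plain http, and the log message already says the package should move to the latest version, so this patch file should be dropped at that update.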