author | bsiegert <bsiegert@pkgsrc.org> | 2019-02-18 14:17:59 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2019-02-18 14:17:59 +0000 |
commit | ced9b0173ff97c43b947e1541cbce55096309613 (patch) | |
tree | 1edfc71676d6d1195839e2077d9b9f537627dfe6 | |
parent | 9e4dffda20fcf6ceb1aff168ac1e35063f0630f3 (diff) | |
download | pkgsrc-ced9b0173ff97c43b947e1541cbce55096309613.tar.gz |
Pullup ticket #5912 - requested by taca
lang/pear: security fix
Revisions pulled up:
- lang/pear/Makefile 1.45-1.46
- lang/pear/distinfo 1.32-1.33
- lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Feb 3 14:06:58 UTC 2019
Modified Files:
pkgsrc/lang/pear: Makefile distinfo
Log Message:
lang/pear: update Archive_Tar pear package to 1.4.6
Update Archive_Tar pear package to 1.4.6.
Bump PKGREVISION.
1.4.4 (2018-12-20)
* Fix Bug #21058: Long symlinks are not supported [mrook]
* Fix Bug #23782: Prevent phar:// files from being extracted [mrook]
1.4.5 (2019-02-01)
* Fix Bug #23788: Relative symlinks are broken [mrook]
1.4.6 (2019-02-01)
* Improve path traversal detection for forward and backward slashes
---
Module Name: pkgsrc
Committed By: taca
Date: Thu Feb 7 13:40:57 UTC 2019
Modified Files:
pkgsrc/lang/pear: Makefile distinfo
Added Files:
pkgsrc/lang/pear/patches: patch-.._Archive__Tar-1.4.5_Archive_Tar.php
Log Message:
lang/pear: fix broken package with previous commit
Fix broken package with previous commit.
* Set Archive_Tar to 1.4.5, for which I have the distfile.
* Upload Archive_Tar-1.4.5.tgz to MASTER_SITE_LOCAL.
* Add patch to update Archive/Tar.php to 1.4.6 from GitHub.
No PKGREVISION bump since it was broken.
-rw-r--r-- | lang/pear/Makefile | 5 | ||||
-rw-r--r-- | lang/pear/distinfo | 11 | ||||
-rw-r--r-- | lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php | 20 |
3 files changed, 29 insertions, 7 deletions
diff --git a/lang/pear/Makefile b/lang/pear/Makefile index 9d614d5dc82..581abcf5a2d 100644 --- a/lang/pear/Makefile +++ b/lang/pear/Makefile @@ -1,8 +1,9 @@ -# $NetBSD: Makefile,v 1.44 2018/12/15 16:48:05 taca Exp $ +# $NetBSD: Makefile,v 1.44.2.1 2019/02/18 14:17:59 bsiegert Exp $ # DISTNAME= PEAR-1.10.7 PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME:S/PEAR/pear/} +PKGREVISION= 1 CATEGORIES= lang MASTER_SITES= http://download.pear.php.net/package/ EXTRACT_SUFX= .tgz @@ -33,7 +34,7 @@ PEAR_SRCS= ${DISTNAME}${EXTRACT_SUFX} DISTFILES+= ${PEAR_SRCS} EXTRACT_ONLY+= ${PEAR_SRCS} -ARCHIVE_SRCS= Archive_Tar-1.4.3${EXTRACT_SUFX} +ARCHIVE_SRCS= Archive_Tar-1.4.5${EXTRACT_SUFX} ARCHIVE_WRKSRC= ${WRKDIR}/${ARCHIVE_SRCS:S/${EXTRACT_SUFX}//} DISTFILES+= ${ARCHIVE_SRCS} EXTRACT_ONLY+= ${ARCHIVE_SRCS} diff --git a/lang/pear/distinfo b/lang/pear/distinfo index 78603155cf4..8199c73e12c 100644 --- a/lang/pear/distinfo +++ b/lang/pear/distinfo 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.31 2018/12/15 16:48:05 taca Exp $ +$NetBSD: distinfo,v 1.31.2.1 2019/02/18 14:17:59 bsiegert Exp $ -SHA1 (pear20151210/Archive_Tar-1.4.3.tgz) = 947d43997ca0c0074b2f154b6487b41aec0e4aa7 -RMD160 (pear20151210/Archive_Tar-1.4.3.tgz) = 792fa16c1db820465687a12d79750520e05f4ae5 -SHA512 (pear20151210/Archive_Tar-1.4.3.tgz) = 62e60d59266c5d19b131f769f4d71d4cee6bf8964b0c6610c4f1381500ced582865bff26c608479b2678dda1e7407ba39a7ec84b31fed13e3875f1947ce5bd6c -Size (pear20151210/Archive_Tar-1.4.3.tgz) = 20682 bytes +SHA1 (pear20151210/Archive_Tar-1.4.5.tgz) = 1697a5baa9666174b64c48fcdd1b9c4d311100fa +RMD160 (pear20151210/Archive_Tar-1.4.5.tgz) = c2a81c901a4b38f46d7035f3b169296f9969b592 +SHA512 (pear20151210/Archive_Tar-1.4.5.tgz) = 7a7e16e37b0c7112a77333ed2c4d0a0ae57cc1e971191c79b1858227b46f967aee915757a81bdfef3a9487a53b81a99bfbe84f78a346671fe44ac9f1f203a358 +Size (pear20151210/Archive_Tar-1.4.5.tgz) = 20919 bytes SHA1 (pear20151210/Console_Getopt-1.4.1.tgz) = 1db5b48e15547be532a9c836cd7ef448a3758ddc RMD160 (pear20151210/Console_Getopt-1.4.1.tgz) = 54d397e321a0168a33a92c98cf39f9f6456d49ea SHA512 (pear20151210/Console_Getopt-1.4.1.tgz) = e66a78077593ade78a40c59297a24242b0177d21b0e02b08d4fb5e25d8a57a96353c50a9dcc968f60af7458d40443061e0c1cdb11ad3180c7ffed8f0b314b089 @@ -20,3 +20,4 @@ SHA1 (pear20151210/XML_Util-1.4.3.tgz) = 95e07febe0b6c843c51bfd0157e61fd1ba1e562 RMD160 (pear20151210/XML_Util-1.4.3.tgz) = 55308486e8a32d7bcb775c286d487b1db4a3f00b SHA512 (pear20151210/XML_Util-1.4.3.tgz) = c21a7cef90743e124c4bc8e0453b634de8f6a6b0aac060acc1a17f481a2eb8757d322b05c69151280b7651cea927b2c64b7d49b9fd815dcdc606d0472d967310 Size (pear20151210/XML_Util-1.4.3.tgz) = 18842 bytes +SHA1 (patch-.._Archive__Tar-1.4.5_Archive_Tar.php) = fa693b0c8d89b550952fc4a43a7319b87053c821 
diff --git a/lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php b/lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php
new file mode 100644
index 00000000000..6ccc61070f2
--- /dev/null
+++ b/lang/pear/patches/patch-.._Archive__Tar-1.4.5_Archive_Tar.php
@@ -0,0 +1,20 @@
+$NetBSD: patch-.._Archive__Tar-1.4.5_Archive_Tar.php,v 1.1.2.2 2019/02/18 14:18:00 bsiegert Exp $
+
+* Fix from Archive_Tar-1.4.6.
+
+--- ../Archive_Tar-1.4.5/Archive/Tar.php.orig 2019-01-02 21:45:20.000000000 +0000
++++ ../Archive_Tar-1.4.5/Archive/Tar.php
+@@ -1770,11 +1770,8 @@ class Archive_Tar extends PEAR
+ if (strpos($file, 'phar://') === 0) {
+ return true;
+ }
+- if (strpos($file, DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR) !== false) {
+- return true;
+- }
+- if (strpos($file, '..' . DIRECTORY_SEPARATOR) === 0) {
+- return true;
++ if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
++ return true;
+ }
+ return false;
+ } |
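Review bot: The new test in the embedded Tar.php hunk is a plain substring match on `../` and `..\`, so it is both too broad and too narrow: a component that merely ends in two dots (`foo../bar`) is rejected, while a name that is exactly `..` or ends in `/..` has no trailing separator and is not flagged by this line. Matching whole path components would cover both cases, e.g. `if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $file)) { return true; }`. The function begins above the hunk, so it is not visible here whether absolute paths or symlink targets are screened elsewhere. A comment such as `// string check only; extraction must still confine the resolved path to the destination directory` would record that limit. As this file is a local patch carrying the upstream 1.4.6 change, any tightening would presumably go upstream first.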