authorsbd <sbd>2011-01-27 21:18:32 +0000
committersbd <sbd>2011-01-27 21:18:32 +0000
commit330794f2e9e9ca6af8ef195de847804ffab08e1c (patch)
tree8bce9d43ded89ad0d9868511aa29fd47683ca479
parente6a4caae0a94168d5b053c4615b0fafb18297c95 (diff)
downloadpkgsrc-330794f2e9e9ca6af8ef195de847804ffab08e1c.tar.gz
Pullup ticket #3338 - requested by tron
Security patch for "phpmyadmin" package Revisions pulled up: - pkgsrc/databases/phpmyadmin/Makefile 1.86 - pkgsrc/databases/phpmyadmin/PLIST 1.22 - pkgsrc/databases/phpmyadmin/distinfo 1.47 - pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-1 1.1 - pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-2 1.1 - pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-3 1.1 - pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4481 1.1 ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: tron Date: Thu Jan 27 13:45:56 UTC 2011 Modified Files: pkgsrc/databases/phpmyadmin: Makefile PLIST distinfo Added Files: pkgsrc/databases/phpmyadmin/patches: patch-CVE-2010-4480-1 patch-CVE-2010-4480-2 patch-CVE-2010-4480-3 patch-CVE-2010-4481 Log Message: Add fixes for the security vulnerabilities reported in CVE-2010-4480 and CVE-2010-4481 taken from the phpMyAdmin GIT repository. Thanks a lot to Tim Zingelman for pointing out that the fixes had finally been made available. To generate a diff of this commit: cvs rdiff -u -r1.85 -r1.86 pkgsrc/databases/phpmyadmin/Makefile cvs rdiff -u -r1.21 -r1.22 pkgsrc/databases/phpmyadmin/PLIST cvs rdiff -u -r1.46 -r1.47 pkgsrc/databases/phpmyadmin/distinfo cvs rdiff -u -r0 -r1.1 \ pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-1 \ pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-2 \ pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-3 \ pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4481
-rw-r--r--databases/phpmyadmin/Makefile7
-rw-r--r--databases/phpmyadmin/PLIST4
-rw-r--r--databases/phpmyadmin/distinfo6
-rw-r--r--databases/phpmyadmin/patches/patch-CVE-2010-4480-116
-rw-r--r--databases/phpmyadmin/patches/patch-CVE-2010-4480-233
-rw-r--r--databases/phpmyadmin/patches/patch-CVE-2010-4480-366
-rw-r--r--databases/phpmyadmin/patches/patch-CVE-2010-448116
7 files changed, 144 insertions, 4 deletions
diff --git a/databases/phpmyadmin/Makefile b/databases/phpmyadmin/Makefile
index 64ab834244e..1c0021ff26c 100644
--- a/databases/phpmyadmin/Makefile
+++ b/databases/phpmyadmin/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.85 2010/11/29 19:13:30 tron Exp $
+# $NetBSD: Makefile,v 1.85.2.1 2011/01/27 21:18:32 sbd Exp $
DISTNAME= phpMyAdmin-${DIST_VERSION}-all-languages
PKGNAME= phpmyadmin-${DIST_VERSION:S/-//}
+PKGREVISION= 1
CATEGORIES= databases www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=phpmyadmin/}
EXTRACT_SUFX= .tar.bz2
@@ -55,6 +56,10 @@ INSTALL_DIRS= js lang libraries libraries/auth libraries/dbg \
themes/darkblue_orange/css themes/darkblue_orange/img \
themes/original themes/original/css themes/original/img
+# Part of the fix for CVE-2010-4480.
+post-extract:
+ ${RM} -f ${WRKSRC}/error.php
+
do-configure:
${SED} -e "s|@PMDIR@|${PMDIR}|g" ${FILESDIR}/phpmyadmin.conf \
>${WRKDIR}/phpmyadmin.conf
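Review bot: The comment on the new `post-extract` target does not say why `error.php` is deleted rather than patched, so a later update could drop the target without noticing that the script would ship again. Judging from the PLIST change and the new `libraries/error.inc.php` in this commit, the directly requestable script is being replaced by an include-only file. I would state that in the comment, for example `# CVE-2010-4480: error.php must not be installed; it is replaced by libraries/error.inc.php (see patch-CVE-2010-4480-3).`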
diff --git a/databases/phpmyadmin/PLIST b/databases/phpmyadmin/PLIST
index d7a68daca03..eb8c69a1b25 100644
--- a/databases/phpmyadmin/PLIST
+++ b/databases/phpmyadmin/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.21 2009/06/14 17:43:21 joerg Exp $
+@comment $NetBSD: PLIST,v 1.21.14.1 2011/01/27 21:18:32 sbd Exp $
share/doc/phpmyadmin/CREDITS
share/doc/phpmyadmin/ChangeLog
share/doc/phpmyadmin/Documentation.txt
@@ -26,7 +26,6 @@ share/phpmyadmin/db_search.php
share/phpmyadmin/db_sql.php
share/phpmyadmin/db_structure.php
share/phpmyadmin/docs.css
-share/phpmyadmin/error.php
share/phpmyadmin/export.php
share/phpmyadmin/import.php
share/phpmyadmin/index.php
@@ -197,6 +196,7 @@ share/phpmyadmin/libraries/engines/merge.lib.php
share/phpmyadmin/libraries/engines/mrg_myisam.lib.php
share/phpmyadmin/libraries/engines/myisam.lib.php
share/phpmyadmin/libraries/engines/ndbcluster.lib.php
+share/phpmyadmin/libraries/error.inc.php
share/phpmyadmin/libraries/export/csv.php
share/phpmyadmin/libraries/export/excel.php
share/phpmyadmin/libraries/export/htmlexcel.php
diff --git a/databases/phpmyadmin/distinfo b/databases/phpmyadmin/distinfo
index bb2b51f0d12..1ae7d782c4a 100644
--- a/databases/phpmyadmin/distinfo
+++ b/databases/phpmyadmin/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.46 2010/11/29 19:13:30 tron Exp $
+$NetBSD: distinfo,v 1.46.2.1 2011/01/27 21:18:32 sbd Exp $
SHA1 (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = da1b74626a24dd296ed0ccad04ad8d1e49b7c398
RMD160 (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = bda8a90444df683eea585769a186df42498a96cf
Size (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = 3122604 bytes
+SHA1 (patch-CVE-2010-4480-1) = e2a36a254e573406bc8aeb027935b1dde5717c03
+SHA1 (patch-CVE-2010-4480-2) = 650f0a8d60a1ad1e1a14c8c66c715d4304138433
+SHA1 (patch-CVE-2010-4480-3) = 403dbfdd099e5928f38fa1a9beac210b26e8ab89
+SHA1 (patch-CVE-2010-4481) = 3bbf3576d8c39df22613ac2560cadb6f890f534e
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-1 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-1
new file mode 100644
index 00000000000..7f8c1a8d6a5
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-1
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4480-1,v 1.1.2.2 2011/01/27 21:18:33 sbd Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- libraries/common.inc.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ libraries/common.inc.php 2011-01-27 13:21:56.000000000 +0000
+@@ -305,7 +305,6 @@
+ 'db_printview.php',
+ 'db_search.php',
+ //'Documentation.html',
+- //'error.php',
+ 'export.php',
+ 'import.php',
+ //'index.php',
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-2 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-2
new file mode 100644
index 00000000000..1475e22f6be
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-2
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2010-4480-2,v 1.1.2.2 2011/01/27 21:18:33 sbd Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- libraries/core.lib.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ libraries/core.lib.php 2011-01-27 13:21:56.000000000 +0000
+@@ -241,18 +241,18 @@
+ $error_message = strtr($error_message, array('<br />' => '[br]'));
+
+ // Displays the error message
+- // (do not use &amp; for parameters sent by header)
+- header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php'
+- . '?lang=' . urlencode($GLOBALS['available_languages'][$GLOBALS['lang']][2])
+- . '&dir=' . urlencode($GLOBALS['text_dir'])
+- . '&type=' . urlencode($GLOBALS['strError'])
+- . '&error=' . urlencode($error_message));
++ $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
++ $dir = $GLOBALS['text_dir'];
++ $type = $GLOBALS['strError'];
++ $error = $error_message;
+
+ // on fatal errors it cannot hurt to always delete the current session
+ if (isset($GLOBALS['session_name']) && isset($_COOKIE[$GLOBALS['session_name']])) {
+ PMA_removeCookie($GLOBALS['session_name']);
+ }
+
++ require('./libraries/error.inc.php');
++
+ exit;
+ }
+
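Review bot: The variables assigned before the `require` do not match the names the included template reads. The new lines set `$type` and `$error`, while `libraries/error.inc.php` in patch-CVE-2010-4480-3 echoes `$error_header` and `PMA_sanitize($error_message)`. Unless `$error_header` is assigned earlier in this function (its body starts outside the hunk), the heading will render empty with an undefined-variable notice, and `$type` and `$error` are dead. I would replace those two assignments with `$error_header = $GLOBALS['strError'];`, or change the template to use `$type` and `$error`, so both sides agree.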
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-3 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-3
new file mode 100644
index 00000000000..aa0b8ff61dc
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-3
@@ -0,0 +1,66 @@
+$NetBSD: patch-CVE-2010-4480-3,v 1.1.2.2 2011/01/27 21:18:33 sbd Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- /dev/null 2011-01-27 13:21:56.000000000 +0000
++++ libraries/error.inc.php 2011-01-27 13:21:56.000000000 +0000
+@@ -0,0 +1,57 @@
++<?php
++/* vim: set expandtab sw=4 ts=4 sts=4: */
++/**
++ * phpMyAdmin fatal error display page
++ *
++ * @package phpMyAdmin
++ */
++
++if (! defined('PHPMYADMIN')) {
++ exit;
++}
++
++header('Content-Type: text/html; charset=utf-8');
++?>
++<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
++<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>">
++<head>
++ <link rel="icon" href="./favicon.ico" type="image/x-icon" />
++ <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
++ <title>phpMyAdmin</title>
++ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
++ <style type="text/css">
++ <!--
++ html {
++ padding: 0;
++ margin: 0;
++ }
++ body {
++ font-family: sans-serif;
++ font-size: small;
++ color: #000000;
++ background-color: #F5F5F5;
++ margin: 1em;
++ }
++ h1 {
++ margin: 0;
++ padding: 0.3em;
++ font-size: 1.4em;
++ font-weight: bold;
++ color: #ffffff;
++ background-color: #ff0000;
++ }
++ p {
++ margin: 0;
++ padding: 0.5em;
++ border: 0.1em solid red;
++ background-color: #ffeeee;
++ }
++ //-->
++ </style>
++</head>
++<body>
++<h1>phpMyAdmin - <?php echo $error_header; ?></h1>
++<p><?php echo PMA_sanitize($error_message); ?></p>
++</body>
++</html>
++
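Review bot: `$lang`, `$dir` and `$error_header` are echoed into the markup without output encoding, in the `<html>` attributes and in the `<h1>`. On the visible caller side they come from `$GLOBALS` rather than from request parameters, but the template cannot enforce that for any future includer, and the flaw being fixed here is in this same error display path. I would encode at the point of output, for example `xml:lang="<?php echo htmlspecialchars($lang); ?>" dir="<?php echo htmlspecialchars($dir); ?>"` and `<h1>phpMyAdmin - <?php echo htmlspecialchars($error_header); ?></h1>`. The template also relies on `PMA_sanitize()` already being loaded when a fatal error occurs, which is worth confirming for early failures in the bootstrap.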
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4481 b/databases/phpmyadmin/patches/patch-CVE-2010-4481
new file mode 100644
index 00000000000..46b24fb5a80
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4481
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4481,v 1.1.2.2 2011/01/27 21:18:33 sbd Exp $
+
+Fix for CVE-2010-4481 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=373a6626ade37c0fee1dfc7c757ca55c7652874b
+
+--- phpinfo.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ phpinfo.php 2011-01-27 13:33:04.000000000 +0000
+@@ -8,7 +8,6 @@
+ /**
+ * Gets core libraries and defines some variables
+ */
+-define('PMA_MINIMUM_COMMON', true);
+ require_once './libraries/common.inc.php';
+
+
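Review bot: Nothing at the `require_once` line records why `PMA_MINIMUM_COMMON` must stay undefined in `phpinfo.php`, so a later cleanup could reintroduce the define. Presumably the minimal mode skips parts of the `common.inc.php` bootstrap that this page needs before it prints `phpinfo()` output, but that is not visible in the hunk. I would add a comment above the `require_once`, for example `// Do not define PMA_MINIMUM_COMMON here: the full common.inc.php bootstrap must run before phpinfo() is shown (CVE-2010-4481).` The rest of `phpinfo.php` is outside the hunk.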