author | sbd <sbd> | 2011-01-27 21:18:32 +0000 |
---|---|---|
committer | sbd <sbd> | 2011-01-27 21:18:32 +0000 |
commit | 330794f2e9e9ca6af8ef195de847804ffab08e1c (patch) | |
tree | 8bce9d43ded89ad0d9868511aa29fd47683ca479 | |
parent | e6a4caae0a94168d5b053c4615b0fafb18297c95 (diff) | |
Pullup ticket #3338 - requested by tron
Security patch for "phpmyadmin" package
Revisions pulled up:
- pkgsrc/databases/phpmyadmin/Makefile 1.86
- pkgsrc/databases/phpmyadmin/PLIST 1.22
- pkgsrc/databases/phpmyadmin/distinfo 1.47
- pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-1 1.1
- pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-2 1.1
- pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-3 1.1
- pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4481 1.1
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Thu Jan 27 13:45:56 UTC 2011
Modified Files:
pkgsrc/databases/phpmyadmin: Makefile PLIST distinfo
Added Files:
pkgsrc/databases/phpmyadmin/patches: patch-CVE-2010-4480-1
patch-CVE-2010-4480-2 patch-CVE-2010-4480-3 patch-CVE-2010-4481
Log Message:
Add fixes for the security vulnerabilities reported in CVE-2010-4480 and
CVE-2010-4481 taken from the phpMyAdmin GIT repository.
Thanks a lot to Tim Zingelman for pointing out that the fixes had
finally been made available.
To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 pkgsrc/databases/phpmyadmin/Makefile
cvs rdiff -u -r1.21 -r1.22 pkgsrc/databases/phpmyadmin/PLIST
cvs rdiff -u -r1.46 -r1.47 pkgsrc/databases/phpmyadmin/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-1 \
pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-2 \
pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4480-3 \
pkgsrc/databases/phpmyadmin/patches/patch-CVE-2010-4481
-rw-r--r-- | databases/phpmyadmin/Makefile | 7 | ||||
-rw-r--r-- | databases/phpmyadmin/PLIST | 4 | ||||
-rw-r--r-- | databases/phpmyadmin/distinfo | 6 | ||||
-rw-r--r-- | databases/phpmyadmin/patches/patch-CVE-2010-4480-1 | 16 | ||||
-rw-r--r-- | databases/phpmyadmin/patches/patch-CVE-2010-4480-2 | 33 | ||||
-rw-r--r-- | databases/phpmyadmin/patches/patch-CVE-2010-4480-3 | 66 | ||||
-rw-r--r-- | databases/phpmyadmin/patches/patch-CVE-2010-4481 | 16 |
7 files changed, 144 insertions, 4 deletions
diff --git a/databases/phpmyadmin/Makefile b/databases/phpmyadmin/Makefile
index 64ab834244e..1c0021ff26c 100644
--- a/databases/phpmyadmin/Makefile
+++ b/databases/phpmyadmin/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.85 2010/11/29 19:13:30 tron Exp $
+# $NetBSD: Makefile,v 1.85.2.1 2011/01/27 21:18:32 sbd Exp $
 DISTNAME= phpMyAdmin-${DIST_VERSION}-all-languages
 PKGNAME= phpmyadmin-${DIST_VERSION:S/-//}
+PKGREVISION= 1
 CATEGORIES= databases www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=phpmyadmin/}
 EXTRACT_SUFX= .tar.bz2
@@ -55,6 +56,10 @@ INSTALL_DIRS= js lang libraries libraries/auth libraries/dbg \
 themes/darkblue_orange/css themes/darkblue_orange/img \
 themes/original themes/original/css themes/original/img
+# Part of the fix for CVE-2010-4480.
+post-extract:
+ ${RM} -f ${WRKSRC}/error.php
+
 do-configure:
 ${SED} -e "s|@PMDIR@|${PMDIR}|g" ${FILESDIR}/phpmyadmin.conf \
 >${WRKDIR}/phpmyadmin.conf
diff --git a/databases/phpmyadmin/PLIST b/databases/phpmyadmin/PLIST
index d7a68daca03..eb8c69a1b25 100644
--- a/databases/phpmyadmin/PLIST
+++ b/databases/phpmyadmin/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.21 2009/06/14 17:43:21 joerg Exp $
+@comment $NetBSD: PLIST,v 1.21.14.1 2011/01/27 21:18:32 sbd Exp $
 share/doc/phpmyadmin/CREDITS
 share/doc/phpmyadmin/ChangeLog
 share/doc/phpmyadmin/Documentation.txt
@@ -26,7 +26,6 @@ share/phpmyadmin/db_search.php
 share/phpmyadmin/db_sql.php
 share/phpmyadmin/db_structure.php
 share/phpmyadmin/docs.css
-share/phpmyadmin/error.php
 share/phpmyadmin/export.php
 share/phpmyadmin/import.php
 share/phpmyadmin/index.php
@@ -197,6 +196,7 @@ share/phpmyadmin/libraries/engines/merge.lib.php
 share/phpmyadmin/libraries/engines/mrg_myisam.lib.php
 share/phpmyadmin/libraries/engines/myisam.lib.php
 share/phpmyadmin/libraries/engines/ndbcluster.lib.php
+share/phpmyadmin/libraries/error.inc.php
 share/phpmyadmin/libraries/export/csv.php
 share/phpmyadmin/libraries/export/excel.php
 share/phpmyadmin/libraries/export/htmlexcel.php
diff --git a/databases/phpmyadmin/distinfo b/databases/phpmyadmin/distinfo
index bb2b51f0d12..1ae7d782c4a 100644
--- a/databases/phpmyadmin/distinfo
+++ b/databases/phpmyadmin/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.46 2010/11/29 19:13:30 tron Exp $
+$NetBSD: distinfo,v 1.46.2.1 2011/01/27 21:18:32 sbd Exp $
 SHA1 (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = da1b74626a24dd296ed0ccad04ad8d1e49b7c398
 RMD160 (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = bda8a90444df683eea585769a186df42498a96cf
 Size (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = 3122604 bytes
+SHA1 (patch-CVE-2010-4480-1) = e2a36a254e573406bc8aeb027935b1dde5717c03
+SHA1 (patch-CVE-2010-4480-2) = 650f0a8d60a1ad1e1a14c8c66c715d4304138433
+SHA1 (patch-CVE-2010-4480-3) = 403dbfdd099e5928f38fa1a9beac210b26e8ab89
+SHA1 (patch-CVE-2010-4481) = 3bbf3576d8c39df22613ac2560cadb6f890f534e
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-1 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-1
new file mode 100644
index 00000000000..7f8c1a8d6a5
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-1
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4480-1,v 1.1.2.2 2011/01/27 21:18:33 sbd Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- libraries/common.inc.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ libraries/common.inc.php 2011-01-27 13:21:56.000000000 +0000
+@@ -305,7 +305,6 @@
+ 'db_printview.php',
+ 'db_search.php',
+ //'Documentation.html',
+- //'error.php',
+ 'export.php',
+ 'import.php',
+ //'index.php',
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-2 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-2
new file mode 100644
index 00000000000..1475e22f6be
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-2
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2010-4480-2,v 1.1.2.2 2011/01/27 21:18:33 sbd Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- libraries/core.lib.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ libraries/core.lib.php 2011-01-27 13:21:56.000000000 +0000
+@@ -241,18 +241,18 @@
+ $error_message = strtr($error_message, array('<br />' => '[br]'));
+
+ // Displays the error message
+- // (do not use & for parameters sent by header)
+- header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php'
+- . '?lang=' . urlencode($GLOBALS['available_languages'][$GLOBALS['lang']][2])
+- . '&dir=' . urlencode($GLOBALS['text_dir'])
+- . '&type=' . urlencode($GLOBALS['strError'])
+- . '&error=' . urlencode($error_message));
++ $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
++ $dir = $GLOBALS['text_dir'];
++ $type = $GLOBALS['strError'];
++ $error = $error_message;
+
+ // on fatal errors it cannot hurt to always delete the current session
+ if (isset($GLOBALS['session_name']) && isset($_COOKIE[$GLOBALS['session_name']])) {
+ PMA_removeCookie($GLOBALS['session_name']);
+ }
+
++ require('./libraries/error.inc.php');
++
+ exit;
+ }
+
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-3 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-3
new file mode 100644
index 00000000000..aa0b8ff61dc
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-3
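Review bot: The variables this hunk assigns before the `require` — `$lang`, `$dir`, `$type`, `$error` — do not match what the included template in patch-CVE-2010-4480-3 reads: libraries/error.inc.php echoes `$error_header` and `$error_message`, so unless `$error_header` is set somewhere outside this hunk the heading renders empty (with an undefined-variable notice), and the `$type`/`$error` assignments are dead. The smallest consistent fix is to replace the `$type` line with `$error_header = $GLOBALS['strError'];` and drop the `$error` line, since `$error_message` is already in scope (it is reassigned on the first context line). The removed code also prefixed the path with `defined('PMA_SETUP') ? '../' : ''` for the setup directory, whereas the new `require('./libraries/error.inc.php')` resolves against the working directory only; if PMA_fatalError can be reached from the setup scripts, the include path needs the same distinction. The enclosing function starts and ends outside the hunk.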
@@ -0,0 +1,66 @@
+$NetBSD: patch-CVE-2010-4480-3,v 1.1.2.2 2011/01/27 21:18:33 sbd Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- /dev/null 2011-01-27 13:21:56.000000000 +0000
++++ libraries/error.inc.php 2011-01-27 13:21:56.000000000 +0000
+@@ -0,0 +1,57 @@
++<?php
++/* vim: set expandtab sw=4 ts=4 sts=4: */
++/**
++ * phpMyAdmin fatal error display page
++ *
++ * @package phpMyAdmin
++ */
++
++if (! defined('PHPMYADMIN')) {
++ exit;
++}
++
++header('Content-Type: text/html; charset=utf-8');
++?>
++<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
++<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>">
++<head>
++ <link rel="icon" href="./favicon.ico" type="image/x-icon" />
++ <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
++ <title>phpMyAdmin</title>
++ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
++ <style type="text/css">
++ <!--
++ html {
++ padding: 0;
++ margin: 0;
++ }
++ body {
++ font-family: sans-serif;
++ font-size: small;
++ color: #000000;
++ background-color: #F5F5F5;
++ margin: 1em;
++ }
++ h1 {
++ margin: 0;
++ padding: 0.3em;
++ font-size: 1.4em;
++ font-weight: bold;
++ color: #ffffff;
++ background-color: #ff0000;
++ }
++ p {
++ margin: 0;
++ padding: 0.5em;
++ border: 0.1em solid red;
++ background-color: #ffeeee;
++ }
++ //-->
++ </style>
++</head>
++<body>
++<h1>phpMyAdmin - <?php echo $error_header; ?></h1>
++<p><?php echo PMA_sanitize($error_message); ?></p>
++</body>
++</html>
++
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4481 b/databases/phpmyadmin/patches/patch-CVE-2010-4481
new file mode 100644
index 00000000000..46b24fb5a80
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4481
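Review bot: `$lang` and `$dir` are echoed raw into the `xml:lang` and `dir` attributes of the `<html>` element, while only `$error_message` is passed through `PMA_sanitize()`. In the caller (patch-CVE-2010-4480-2) both come from server-side tables rather than the request, so the exposure is low as written, but the template should not rely on every future caller keeping that promise: `xml:lang="<?php echo htmlspecialchars($lang); ?>" dir="<?php echo htmlspecialchars($dir); ?>"` costs nothing. The `if (! defined('PHPMYADMIN')) { exit; }` guard is what prevents the include from being requested as a standalone page; a short comment above it such as `// Included by PMA_fatalError() only; replaces the former standalone error.php, which rendered its message from the query string` would record why the guard and the server-side rendering matter.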
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4481,v 1.1.2.2 2011/01/27 21:18:33 sbd Exp $
+
+Fix for CVE-2010-4481 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=373a6626ade37c0fee1dfc7c757ca55c7652874b
+
+--- phpinfo.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ phpinfo.php 2011-01-27 13:33:04.000000000 +0000
+@@ -8,7 +8,6 @@
+ /**
+ * Gets core libraries and defines some variables
+ */
+-define('PMA_MINIMUM_COMMON', true);
+ require_once './libraries/common.inc.php';
+
+
|
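Review bot: The patch header only links the upstream commit, and the security effect of removing the `define('PMA_MINIMUM_COMMON', true);` line lives entirely in code outside this hunk, so a maintainer reading the pkgsrc patch alone cannot tell why the line matters. Presumably, with the constant undefined, common.inc.php runs its full initialisation — including authentication — before phpinfo.php continues, rather than the reduced bootstrap that previously let the script be reached without a login; a header line such as `Load common.inc.php in full (not minimal) mode so phpinfo.php requires authentication.` would capture that. Whether the remainder of phpinfo.php still honours the ShowPhpInfo configuration setting cannot be verified here, as it lies outside the hunk.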