Pullup ticket #5033 - requested by taca

mail/roundcube: security fix Revisions pulled up: - mail/roundcube/Makefile 1.81-1.83 - mail/roundcube/PLIST 1.40-1.41 - mail/roundcube/distinfo 1.49-1.51 - mail/roundcube/patches/patch-config.inc.php deleted - mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect 1.1 - mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php 1.3 --- Module Name: pkgsrc Committed By: taca Date: Thu May 26 03:20:37 UTC 2016 Modified Files: pkgsrc/mail/roundcube: Makefile PLIST distinfo Removed Files: pkgsrc/mail/roundcube/patches: patch-config.inc.php Log Message: Update roundcube to 1.1.5, including security fix. RELEASE 1.1.5 ------------- - Plugin API: Add html2text hook - Plugin API: Added addressbook_export hook - Fix missing emoticons on html-to-text conversion - Fix random "access to this resource is secured against CSRF" message at logout (#4956) - Fix missing language name in "Add to Dictionary" request in HTML mode (#4951) - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955) - Fix XSS issue in SVG images handling (#4949) - Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958) - Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961) - Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964) - Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966) - Hide DSN option in Preferences when smtp_server is not used (#4967) - Protect download urls against CSRF using unique request tokens (#4957) - newmail_notifier: Refactor desktop notifications - Fix so contactlist_fields option can be set via config file - Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782) - Fix performance in reverting order of THREAD result - Fix converting mail addresses with @www. into mailto links (#5197) --- Module Name: pkgsrc Committed By: taca Date: Thu May 26 03:23:39 UTC 2016 Added Files: pkgsrc/mail/roundcube/patches: patch-plugins_password_helpers_passwd-expect Log Message: Oops, forgot to add a patch file for NetBSD (and perhaps for *BSD) to make password plugin work. --- Module Name: pkgsrc Committed By: taca Date: Thu May 26 23:22:17 UTC 2016 Modified Files: pkgsrc/mail/roundcube: Makefile distinfo Added Files: pkgsrc/mail/roundcube/patches: patch-program_lib_Roundcube_rcube__washtml.php Log Message: Update security path for CVE-2016-5103 (XSS) from upstream. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: taca Date: Sun May 29 15:46:59 UTC 2016 Modified Files: pkgsrc/mail/roundcube: Makefile PLIST distinfo Log Message: Switch to get distfiles from GitHub, noted by David Brownlee via private e-mail. And some installed files are changed, bump PKGREVISION.
author: bsiegert <bsiegert> 2016-06-04 19:39:34 +0000
committer: bsiegert <bsiegert> 2016-06-04 19:39:34 +0000
commit: 42b937fba8a29951d8633c1f76097f4076e196b1 (patch)
tree: c3f64a5e812179a1f430c92493f12927863ad5a4
parent: e4e247c3257ca19b86cefffb8c73156ed340bed2 (diff)
download: pkgsrc-42b937fba8a29951d8633c1f76097f4076e196b1.tar.gz
5 files changed, 54 insertions, 26 deletions
diff --git a/mail/roundcube/Makefile b/mail/roundcube/Makefile
index 5b02a2a824c..a82de28c1b0 100644
--- a/mail/roundcube/Makefile
+++ b/mail/roundcube/Makefile
@@ -1,9 +1,14 @@
-# $NetBSD: Makefile,v 1.80 2016/03/16 13:36:52 taca Exp $
+# $NetBSD: Makefile,v 1.80.2.1 2016/06/04 19:39:34 bsiegert Exp $
 
-DISTNAME=	roundcubemail-1.1.4
+DISTNAME=	roundcubemail-1.1.5
 PKGNAME=	${PHP_PKG_PREFIX}-${DISTNAME:S/mail-/-/}
+PKGREVISION=	2
 CATEGORIES=	mail
-MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=roundcubemail/}
+MASTER_SITES=   ${MASTER_SITE_GITHUB:=roundcube/}
+GITHUB_PROJECT= roundcubemail
+GITHUB_RELEASE= 1.1.5
+GITHUB_TYPE=    release
+DIST_SUBDIR=	roundcubemail-1.1.5
 
 MAINTAINER=	taca@NetBSD.org
 HOMEPAGE=	http://roundcube.net/
diff --git a/mail/roundcube/distinfo b/mail/roundcube/distinfo
index 50dd2f3def4..844201c63e9 100644
--- a/mail/roundcube/distinfo
+++ b/mail/roundcube/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.48 2015/12/26 14:24:48 taca Exp $
+$NetBSD: distinfo,v 1.48.4.1 2016/06/04 19:39:34 bsiegert Exp $
 
-SHA1 (roundcubemail-1.1.4.tar.gz) = 4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3
-RMD160 (roundcubemail-1.1.4.tar.gz) = 24f4bd093db74183132eba7ff610fcff9840541a
-SHA512 (roundcubemail-1.1.4.tar.gz) = 18c2422d65292cd13bc4ce592e8490cc0a9d3e9551ac4d188db93eb989525af7ccf519642dd2e68a7380ab0d0d4ad4f999af2b7e99da75d88274743949b42f8a
-Size (roundcubemail-1.1.4.tar.gz) = 3209549 bytes
+SHA1 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 8a59d196ef0aa6d9c717b00699215135abcb99cf
+RMD160 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 33cc523ccbc7a4437a2f1a9d67783ba4cfc3bd5d
+SHA512 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 0202dfa5ae6bbc121bc07ccfe4fc5d5b3bc2ef84956c1ed1d5f0dac9290f945c0f09b6086484ff83eaec286b8083f0ce07c758ba76a13d0b1cb4571400140b1d
+Size (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 3212432 bytes
 SHA1 (patch-ac) = 235116580665d5d58edc218c063b41171a2d9227
 SHA1 (patch-af) = 1f95a7005569207469563aa37ff48da0383b7668
-SHA1 (patch-config.inc.php) = 6652bd2aaba06e1d1dd4a02d2390aa523f54e613
+SHA1 (patch-plugins_password_helpers_passwd-expect) = 9e0082f23e37bbab26e8bb1439668132d5aacca2
+SHA1 (patch-program_lib_Roundcube_rcube__washtml.php) = 3a38804d81ead4cd0271befaacc370e78c103b7a
 SHA1 (patch-rcube_mime_default) = fe6ff1bea0a2c4223b34e44a6d0ca76e6476d2aa
diff --git a/mail/roundcube/patches/patch-config.inc.php b/mail/roundcube/patches/patch-config.inc.php
deleted file mode 100644
index 0e0edab5184..00000000000
--- a/mail/roundcube/patches/patch-config.inc.php
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-config.inc.php,v 1.2 2015/12/26 14:24:48 taca Exp $
-
-Add default paths for log, tmp and MIME types.
-
---- config/config.inc.php.sample	2015-03-16 20:54:49.000000000 +0000
-+++ config/config.inc.php.sample.18555.sample
-@@ -83,3 +83,10 @@ $config['plugins'] = array(
- 
- // skin name: folder from skins/
- $config['skin'] = 'larry';
-+
-+// use this folder to store log files (must be writeable for apache user)
-+// This is used by the 'file' log driver.
-+$config['log_dir'] = '@VARBASE@/log/roundcube/';
-+
-+// use this folder to store temp files (must be writeable for apache user)
-+$config['temp_dir'] = '@VARBASE@/tmp/roundcube/';
diff --git a/mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect b/mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect
new file mode 100644
index 00000000000..6d7bb7054b5
--- /dev/null
+++ b/mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect
@@ -0,0 +1,24 @@
+$NetBSD: patch-plugins_password_helpers_passwd-expect,v 1.1.2.2 2016/06/04 19:39:34 bsiegert Exp $
+
+Make password plugin work on NetBSD (and maybe other *BSD).
+
+--- plugins/password/helpers/passwd-expect.orig	2016-04-17 16:22:20.000000000 +0000
++++ plugins/password/helpers/passwd-expect
+@@ -49,7 +49,7 @@ set oldpassword_string "((O|o)ld|login|\
+ set newpassword_string "(N|n)ew.* (P|p)assword.*"
+ set badoldpassword_string "(Authentication token manipulation error).*"
+ set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
+-set verify_string      "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
++set verify_string      "((R|r)e-*enter.*(P|p)assword|Retype (N|n)ew( UNIX)? (P|p)assword|(V|v)erification|(V|v)erify|(A|a)gain).*"
+ set success_string     "((P|p)assword.* changed|successfully)"
+ set login_string       "(((L|l)ogin|(U|u)sername).*)"
+ set timeout            20
+@@ -251,6 +251,8 @@ expect {
+ expect {
+   -re $success_string {sleep .5
+                        send exit\r}
++  -re $prompt_string { sleep .5
++                       send exit\r}
+   -re $badpassword_string {puts $err "$expect_out(0,string)"
+                            close $err
+                            exit 1}
diff --git a/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php b/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php
new file mode 100644
index 00000000000..dbf8f6fdece
--- /dev/null
+++ b/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php
@@ -0,0 +1,15 @@
+$NetBSD: patch-program_lib_Roundcube_rcube__washtml.php,v 1.3.2.2 2016/06/04 19:39:34 bsiegert Exp $
+
+Fix CVE-2016-5103, XSS from upstream.
+
+--- program/lib/Roundcube/rcube_washtml.php.orig	2016-04-17 16:22:20.000000000 +0000
++++ program/lib/Roundcube/rcube_washtml.php
+@@ -370,7 +370,7 @@ class rcube_washtml
+      */
+     private function is_link_attribute($tag, $attr)
+     {
+-        return $tag == 'a' && $attr == 'href';
++        return ($tag == 'a' || $tag == 'area') && $attr == 'href';
+     }
+ 
+     /**
author	bsiegert <bsiegert>	2016-06-04 19:39:34 +0000
committer	bsiegert <bsiegert>	2016-06-04 19:39:34 +0000
commit	42b937fba8a29951d8633c1f76097f4076e196b1 (patch)
tree	c3f64a5e812179a1f430c92493f12927863ad5a4
parent	e4e247c3257ca19b86cefffb8c73156ed340bed2 (diff)
download	pkgsrc-42b937fba8a29951d8633c1f76097f4076e196b1.tar.gz