author | spz <spz@pkgsrc.org> | 2015-03-01 22:45:26 +0000 |
committer | spz <spz@pkgsrc.org> | 2015-03-01 22:45:26 +0000 |
commit | 9c9a63c5ceba76517feba9f6e57786e92891a6a2 (patch) | |
tree | 36c45dda3521792a9449f907f121773f7040aee0 | |
parent | f94702d1b71f9209dd080aef18e524d6c4645467 (diff) | |
download | pkgsrc-9c9a63c5ceba76517feba9f6e57786e92891a6a2.tar.gz |
apply the Request Tracker 4.0.0 patch for CVE-2014-9472, CVE-2015-1165
and CVE-2015-1464.
-rw-r--r-- | devel/rt3/Makefile | 4 | ||||
-rw-r--r-- | devel/rt3/distinfo | 5 | ||||
-rw-r--r-- | devel/rt3/patches/patch-lib_RT.pm | 18 | ||||
-rw-r--r-- | devel/rt3/patches/patch-share_html_Search_Elements_ResultsRSSView | 59 |
4 files changed, 78 insertions, 8 deletions
diff --git a/devel/rt3/Makefile b/devel/rt3/Makefile
index b3830bb759b..c9cf4fb4fad 100644
--- a/devel/rt3/Makefile
+++ b/devel/rt3/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.55 2014/05/31 12:22:42 wiz Exp $
+# $NetBSD: Makefile,v 1.56 2015/03/01 22:45:26 spz Exp $
 
 DISTNAME= rt-3.8.17
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= devel
 MASTER_SITES= http://download.bestpractical.com/pub/rt/release/
 
diff --git a/devel/rt3/distinfo b/devel/rt3/distinfo
index 704a853b06a..76ec6b4a13a 100644
--- a/devel/rt3/distinfo
+++ b/devel/rt3/distinfo
@@ -1,16 +1,17 @@
-$NetBSD: distinfo,v 1.24 2013/05/26 16:55:53 spz Exp $
+$NetBSD: distinfo,v 1.25 2015/03/01 22:45:26 spz Exp $
 
 SHA1 (rt-3.8.17.tar.gz) = 4765c68f91a0e8e21ed0fd39397cd8e3970ca992
 RMD160 (rt-3.8.17.tar.gz) = 6da8fca56976233417bd47b26e1a7326fde5d2d0
 Size (rt-3.8.17.tar.gz) = 5728368 bytes
 SHA1 (patch-aa) = 6f78710f4460a25c75afbdf7128c0fe34914927c
 SHA1 (patch-ab) = ee455dd683c84d3a745a29a132e28903ba03144d
-SHA1 (patch-lib_RT.pm) = f72c6cb6f94acf1296076423d26d7efa4ed78293
+SHA1 (patch-lib_RT.pm) = 4a4b56128c266aeadde8f254210aa1942430744a
 SHA1 (patch-lib_RT_CustomFieldValues_External.pm) = 4404ca98c9e50687323892df1aa95c8b5a6dedd9
 SHA1 (patch-lib_RT_Interface_Email.pm) = 60d0c2c46ac3dc8172bdf16bbf43099b7dd87542
 SHA1 (patch-lib_RT_Interface_Email_Auth_GnuPG.pm) = 60d53a4dcda8f3cda14350f34f74fddc6091c3ce
 SHA1 (patch-sbin_rt-attributes-viewer) = e1c963800b76282cda4ca46e006f30d9abfc29c9
 SHA1 (patch-sbin_rt-attributes-viewer.in) = 99a15cca9a394b5743edc3929f43593f1384c8da
 SHA1 (patch-share_html_Helpers_CalPopup.html) = 3920ac6448d1d21c7ff32ef67344b19aa53616a4
+SHA1 (patch-share_html_Search_Elements_ResultsRSSView) = 62eeea9f4bea1bb98fd3509748123ecca3256185
 SHA1 (patch-t_approval_admincc.t) = 4fddf5fa844d15e8698e00fe6863daaafa661315
 SHA1 (patch-t_approval_basic.t) = 209303cc34370518a2600e28570627e1dc7e698b
diff --git a/devel/rt3/patches/patch-lib_RT.pm b/devel/rt3/patches/patch-lib_RT.pm
index c376293302a..1f7b6a2cb60 100644
--- a/devel/rt3/patches/patch-lib_RT.pm
+++ b/devel/rt3/patches/patch-lib_RT.pm
@@ -1,10 +1,20 @@
-$NetBSD: patch-lib_RT.pm,v 1.1 2011/10/25 19:38:10 spz Exp $
+$NetBSD: patch-lib_RT.pm,v 1.2 2015/03/01 22:45:26 spz Exp $
 
 perl 5.14 qw() in for* fixes
+Fix for CVE-2014-9472 taken from the patch for RT 4.0.0
 
---- lib/RT.pm.orig 2011-04-14 01:10:13.000000000 +0000
+--- lib/RT.pm.orig 2013-05-22 19:04:26.000000000 +0000
 +++ lib/RT.pm
-@@ -459,7 +459,7 @@ sub InitClasses {
+@@ -362,6 +362,8 @@ sub InitSignalHandlers {
+ ## mechanism (see above).
+ 
+ $SIG{__WARN__} = sub {
++ return 'IGNORE' if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;
++
+ # The 'wide character' warnings has to be silenced for now, at least
+ # until HTML::Mason offers a sane way to process both raw output and
+ # unicode strings.
+@@ -459,7 +461,7 @@ sub InitClasses {
  # in the session, as we deserialize it so we never call constructor
  # of the class, so the list of accessible fields is empty and we die
  # with "Method xxx is not implemented in RT::SomeClass"
@@ -13,7 +23,7 @@ perl 5.14 qw() in for* fixes
  RT::Ticket
  RT::Transaction
  RT::Attachment
-@@ -477,7 +477,7 @@ sub InitClasses {
+@@ -477,7 +479,7 @@ sub InitClasses {
  RT::ObjectCustomField
  RT::ObjectCustomFieldValue
  RT::Attribute
diff --git a/devel/rt3/patches/patch-share_html_Search_Elements_ResultsRSSView b/devel/rt3/patches/patch-share_html_Search_Elements_ResultsRSSView
new file mode 100644
index 00000000000..dac39f5e33c
--- /dev/null
+++ b/devel/rt3/patches/patch-share_html_Search_Elements_ResultsRSSView
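Review bot: The string in the added `return 'IGNORE' if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;` line does nothing — Perl discards the return value of a `$SIG{__WARN__}` handler, and the warning is dropped only because the handler returns before re-emitting it, so `'IGNORE'` reads as if a signal-disposition keyword were in play. A bare `return` plus a comment stating the mechanism is clearer: `# Returning early from the __WARN__ handler without printing drops this Encode warning (CVE-2014-9472).` followed by `return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;`. The handler body and the enclosing `InitSignalHandlers` continue outside the nested hunk, so I cannot see what the later code does with warnings that fall through.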
@@ -0,0 +1,59 @@
+$NetBSD: patch-share_html_Search_Elements_ResultsRSSView,v 1.1 2015/03/01 22:45:26 spz Exp $
+
+fixes for CVE-2015-1165 and CVE-2015-1464 taken from the patch for RT 4.0.0
+
+--- share/html/Search/Elements/ResultsRSSView.orig 2013-05-22 19:03:04.000000000 +0000
++++ share/html/Search/Elements/ResultsRSSView
+@@ -48,7 +48,7 @@
+ <%INIT>
+ use Encode ();
+ 
+-my $old_current_user;
++my $current_user = $session{CurrentUser};
+ 
+ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+ my $path = $m->dhandler_arg;
+@@ -78,13 +78,11 @@ if ( $m->request_comp->path =~ RT->Confi
+ unless $user->ValidateAuthString( $auth,
+ $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
+ 
+- $old_current_user = $session{'CurrentUser'};
+- my $cu = RT::CurrentUser->new;
+- $cu->Load($user);
+- $session{'CurrentUser'} = $cu;
++ $current_user = RT::CurrentUser->new;
++ $current_user->Load($user);
+ }
+ 
+-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
++my $Tickets = RT::Tickets->new($current_user);
+ $Tickets->FromSQL($ARGS{'Query'});
+ if ($OrderBy =~ /\|/) {
+ # Multiple Sorts
+@@ -121,10 +119,17 @@ $r->content_type('application/rss+xml');
+ while ( my $Ticket = $Tickets->Next()) {
+ my $creator_str = $m->scomp('/Elements/ShowUser', User => $Ticket->CreatorObj);
+ $creator_str =~ s/[\r\n]//g;
++
++ # Get the plain-text content; it is interpreted as HTML by RSS
++ # readers, so it must be escaped (and is escaped _again_ when
++ # inserted into the XML).
++ my $content = $Ticket->Transactions->First->Content;
++ $content = $m->interp->apply_escapes( $content, 'h');
++
+ $rss->add_item(
+ title => $Ticket->Subject || loc('No Subject'),
+ link => RT->Config->Get('WebURL')."Ticket/Display.html?id=".$Ticket->id,
+- description => $Ticket->Transactions->First->Content,
++ description => $content,
+ dc => { creator => $creator_str,
+ date => $Ticket->CreatedObj->RFC2822,
+ },
+@@ -133,7 +138,6 @@ $r->content_type('application/rss+xml');
+ }
+ 
+ $m->out($rss->as_string);
+-$session{'CurrentUser'} = $old_current_user if $old_current_user;
+ $m->abort();
+ </%INIT>
+ <%ARGS>
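Review bot: The new `my $content = $Ticket->Transactions->First->Content;` line still chains `->Content` straight onto `First`; if `First` can return undef for a ticket with no transactions (not verifiable from the hunk), the feed dies in the middle of the `while` loop instead of emitting an empty description, and `apply_escapes` is then also handed undef. Splitting the fetch keeps normal tickets unchanged: `my $first = $Ticket->Transactions->First;` then `my $content = $first ? $first->Content : '';`. The `my $current_user = $session{CurrentUser};` declaration at the top of the component would also benefit from a comment, since the reason for the request-local copy is only visible in the later removal of the `$session{'CurrentUser'}` assignments: `# Request-local copy: the NoAuth RSS path below must not write into %session.` The `while` loop and the `if` block are each split across several inner hunks, so their full bodies are not visible here.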