Add patch for pear-MDB2 arbitrary file reading vulnerability (CVE-2007-5934).

4 files changed, 30 insertions, 6 deletions

diff --git a/databases/pear-MDB2_Driver_pgsql/Makefile b/databases/pear-MDB2_Driver_pgsql/Makefile
index 9f73a592967..7fadc5e095d 100644
--- a/databases/pear-MDB2_Driver_pgsql/Makefile
+++ b/databases/pear-MDB2_Driver_pgsql/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.1.1.1 2008/04/30 21:06:04 adrianp Exp $
+# $NetBSD: Makefile,v 1.2 2008/07/13 17:55:38 tonnerre Exp $
 
 DISTNAME=	MDB2_Driver_pgsql-1.4.1
+PKGREVISION=	1
 CATEGORIES=	databases
 
 MAINTAINER=	adrianp@NetBSD.org
diff --git a/databases/pear-MDB2_Driver_pgsql/distinfo b/databases/pear-MDB2_Driver_pgsql/distinfo
index 75667ad30fa..d7ced35bcf1 100644
--- a/databases/pear-MDB2_Driver_pgsql/distinfo
+++ b/databases/pear-MDB2_Driver_pgsql/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.1.1.1 2008/04/30 21:06:04 adrianp Exp $
+$NetBSD: distinfo,v 1.2 2008/07/13 17:55:38 tonnerre Exp $
 
 SHA1 (pear/MDB2_Driver_pgsql-1.4.1.tgz) = 07a69e5ebd8a0d920ac372f3666b39f2601c2a82
 RMD160 (pear/MDB2_Driver_pgsql-1.4.1.tgz) = 0a102683779d3b8ee38ce7716221fec14ab7c25c
 Size (pear/MDB2_Driver_pgsql-1.4.1.tgz) = 33839 bytes
-SHA1 (patch-aa) = 090e9761c9bb3a23d77458f3dcb7c415868b032f
+SHA1 (patch-aa) = 6099865afba02de82ad9d00508d67d6800684316
+SHA1 (patch-ab) = a9507bf0adc0d7ab50d0e825e0018d27fbf6ecc4
diff --git a/databases/pear-MDB2_Driver_pgsql/patches/patch-aa b/databases/pear-MDB2_Driver_pgsql/patches/patch-aa
index a7346b37770..5c5ddc52ddf 100644
--- a/databases/pear-MDB2_Driver_pgsql/patches/patch-aa
+++ b/databases/pear-MDB2_Driver_pgsql/patches/patch-aa
@@ -1,7 +1,16 @@
-$NetBSD: patch-aa,v 1.1.1.1 2008/04/30 21:06:04 adrianp Exp $
+$NetBSD: patch-aa,v 1.2 2008/07/13 17:55:38 tonnerre Exp $
 
---- package.xml.orig	2007-05-03 20:07:38.000000000 +0100
-+++ package.xml
+--- ../package.xml.orig	2007-05-03 21:07:38.000000000 +0200
++++ ../package.xml
+@@ -63,7 +63,7 @@ open todo items:
+    <file baseinstalldir="/" md5sum="4d4cf683f8847cede4f8b298a492f777" name="MDB2/Driver/Reverse/pgsql.php" role="php">
+     <tasks:replace from="@package_version@" to="version" type="package-info" />
+    </file>
+-   <file baseinstalldir="/" md5sum="d995b8777e9a44fd123fd97ae32578f7" name="MDB2/Driver/pgsql.php" role="php">
++   <file baseinstalldir="/" md5sum="818fd28ff1e7dd933eaccd20f0a264ab" name="MDB2/Driver/pgsql.php" role="php">
+     <tasks:replace from="@package_version@" to="version" type="package-info" />
+    </file>
+    <file baseinstalldir="/" md5sum="3e790ed8bf0b3b91ec518cdab9eba271" name="tests/MDB2_nonstandard_pgsql.php" role="test" />
 @@ -83,9 +83,6 @@ open todo items:
      <channel>pear.php.net</channel>
      <min>2.4.1</min>
diff --git a/databases/pear-MDB2_Driver_pgsql/patches/patch-ab b/databases/pear-MDB2_Driver_pgsql/patches/patch-ab
new file mode 100644
index 00000000000..9c155b94221
--- /dev/null
+++ b/databases/pear-MDB2_Driver_pgsql/patches/patch-ab
@@ -0,0 +1,13 @@
+$NetBSD: patch-ab,v 1.1 2008/07/13 17:55:38 tonnerre Exp $
+
+--- MDB2/Driver/pgsql.php.orig	2007-05-03 21:07:38.000000000 +0200
++++ MDB2/Driver/pgsql.php
+@@ -1351,7 +1351,7 @@ class MDB2_Statement_pgsql extends MDB2_
+                 }
+                 $value = $this->values[$parameter];
+                 $type = array_key_exists($parameter, $this->types) ? $this->types[$parameter] : null;
+-                if (is_resource($value) || $type == 'clob' || $type == 'blob') {
++                if (is_resource($value) || $type == 'clob' || $type == 'blob' || $this->options['lob_allow_url_include']) {
+                     if (!is_resource($value) && preg_match('/^(\w+:\/\/)(.*)$/', $value, $match)) {
+                         if ($match[1] == 'file://') {
+                             $value = $match[2];