authortv <tv@pkgsrc.org>2005-02-14 16:56:38 +0000
committertv <tv@pkgsrc.org>2005-02-14 16:56:38 +0000
commit094100f2ee1382fdbdd7a1a79ff7c4d4834e7746 (patch)
treed9a3ec39584aa30c9bf0ec0c0a28df5c90120ad7 /mail/mailman
parent7573aa3be588cc3a7a916d1ac6ffed0737d6fea4 (diff)
Apply patch from Mailman maintainers to fix vulnerability described in:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202
Diffstat (limited to 'mail/mailman')
-rw-r--r--mail/mailman/Makefile4
-rw-r--r--mail/mailman/distinfo3
-rw-r--r--mail/mailman/patches/patch-ai30
3 files changed, 34 insertions, 3 deletions
diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 1bfaa983245..65de1a1fdff 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.18 2005/01/23 20:41:48 recht Exp $
+# $NetBSD: Makefile,v 1.19 2005/02/14 16:56:38 tv Exp $
DISTNAME= mailman-2.1.4
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= mail www
MASTER_SITES= http://www.list.org/ \
${MASTER_SITE_GNU:=mailman/}
diff --git a/mail/mailman/distinfo b/mail/mailman/distinfo
index 8f2e2ce299c..c0874780a30 100644
--- a/mail/mailman/distinfo
+++ b/mail/mailman/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2004/09/06 04:12:46 lukem Exp $
+$NetBSD: distinfo,v 1.5 2005/02/14 16:56:38 tv Exp $
SHA1 (mailman-2.1.4.tgz) = b77d22283d5780b6d8449f19f86c210e4e58a032
Size (mailman-2.1.4.tgz) = 5779983 bytes
@@ -10,3 +10,4 @@ SHA1 (patch-ae) = 6c17de398014217be8f1c7a3b3a6f8d379fc0fb2
SHA1 (patch-af) = 985a619a055151d998cefd0c1b7280a0d55f889e
SHA1 (patch-ag) = f94f190e69ce892841b88574ec8e9f100b182ed9
SHA1 (patch-ah) = 42296c52e30b1fcc1d42ef0f1b89c83414ca85df
+SHA1 (patch-ai) = 39288f7047063f77d0a94128f74ae4e9fa9e72e9
diff --git a/mail/mailman/patches/patch-ai b/mail/mailman/patches/patch-ai
new file mode 100644
index 00000000000..97c544aabb7
--- /dev/null
+++ b/mail/mailman/patches/patch-ai
@@ -0,0 +1,30 @@
+$NetBSD: patch-ai,v 1.1 2005/02/14 16:56:38 tv Exp $
+
+Index: private.py
+===================================================================
+RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v
+retrieving revision 2.16.2.1
+diff -u -r2.16.2.1 private.py
+--- Mailman/Cgi/private.py 8 Feb 2003 07:13:50 -0000 2.16.2.1
++++ Mailman/Cgi/private.py 10 Feb 2005 03:34:21 -0000
+@@ -35,13 +35,17 @@
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+
++SLASH = '/'
++
+
+
+ def true_path(path):
+ "Ensure that the path is safe by removing .."
+- path = path.replace('../', '')
+- path = path.replace('./', '')
+- return path[1:]
++ parts = path.split(SLASH)
++ safe = [x for x in parts if x not in ('.', '..')]
++ if parts <> safe:
++ syslog('mischief', 'Directory traversal attack thwarted')
++ return SLASH.join(safe)[1:]
+
+
+
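Review bot: In the new `true_path`, empty path components survive the filter, so the `[1:]` on the return line removes only a single leading slash, and a request path that begins with more than one separator would still produce a result starting with `/`. The caller is outside this hunk, but if the result is handed to `os.path.join` together with the private archive directory, an absolute second argument makes the join discard that base directory. Stripping every leading separator keeps the result relative: `return SLASH.join(safe).lstrip(SLASH)`. The function also sanitises and carries on rather than refusing the request, and the `syslog('mischief', ...)` line records neither the offending path nor the requester, which limits its value for detection. Assuming Mailman's `syslog` accepts format arguments, something like `syslog('mischief', 'Directory traversal attempt: %r', path)` would give responders something to correlate.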