From b23a0f179fe212737cde2db28dc4493a0526295d Mon Sep 17 00:00:00 2001
From: salo
Date: Sun, 20 Mar 2005 20:34:27 +0000
Subject: Security fix for CAN-2005-0085.

"Cross-site scripting (XSS) vulnerability in ht://dig allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message." Patch from Debian. Bump PKGREVISION.
---
 www/htdig/Makefile | 4 ++--
 www/htdig/distinfo | 5 ++++-
 www/htdig/patches/patch-af | 14 ++++++++++++++
 www/htdig/patches/patch-ag | 14 ++++++++++++++
 www/htdig/patches/patch-ah | 14 ++++++++++++++
 5 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 www/htdig/patches/patch-af
 create mode 100644 www/htdig/patches/patch-ag
 create mode 100644 www/htdig/patches/patch-ah
(limited to 'www')

diff --git a/www/htdig/Makefile b/www/htdig/Makefile
index 2a7d259f87a..d970e0f8e71 100644
--- a/www/htdig/Makefile
+++ b/www/htdig/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.21 2005/01/12 21:31:29 jlam Exp $
+# $NetBSD: Makefile,v 1.22 2005/03/20 20:34:27 salo Exp $
 DISTNAME= htdig-3.1.6
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= www databases
 MASTER_SITES= http://www.htdig.org/files/ \
 ftp://ftp.htdig.org/ \
diff --git a/www/htdig/distinfo b/www/htdig/distinfo
index 313cd8b722a..660af3c4893 100644
--- a/www/htdig/distinfo
+++ b/www/htdig/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2005/02/24 14:08:32 wiz Exp $
+$NetBSD: distinfo,v 1.5 2005/03/20 20:34:27 salo Exp $
 SHA1 (htdig-3.1.6.tar.gz) = 603fc244ba59ee1efcbe8f2ba087567cb14468d0
 RMD160 (htdig-3.1.6.tar.gz) = 1414943255f16cd278a31b8014a5bfe6c4400ead
@@ -7,3 +7,6 @@ SHA1 (patch-ab) = 504136ce6ac0a2beed574c88ee6d9b8ef90d6564
 SHA1 (patch-ac) = d1f6ef3c4c7a2995217f391a4bf9d544e10f5a00
 SHA1 (patch-ad) = a727a2c3afdd697f0e2e46355f1e89bc70775bbf
 SHA1 (patch-ae) = 1be8e82b97bb9b16dcc301f3f02e642a41945878
+SHA1 (patch-af) = f9c83efb788cb735f42df606ee451324795140d6
+SHA1 (patch-ag) = d3c0c1b043e27706834aecf7ac0b07651ed5b438
+SHA1 (patch-ah) = e4df51f19717527c3a368cdcaffb4f3c8e7be521
diff --git a/www/htdig/patches/patch-af b/www/htdig/patches/patch-af
new file mode 100644
index 00000000000..366ae85780e
--- /dev/null
+++ b/www/htdig/patches/patch-af
@@ -0,0 +1,14 @@
+$NetBSD: patch-af,v 1.1 2005/03/20 20:34:27 salo Exp $
+
+--- htsearch/htsearch.cc.orig 2002-02-01 00:47:18.000000000 +0100
++++ htsearch/htsearch.cc 2005-03-20 21:15:02.000000000 +0100
+@@ -145,8 +145,7 @@
+ if (access(configFile, R_OK) < 0)
+ {
+ if (filenameok) filenamemsg << " '" << configFile.get() << "'";
+- reportError(form("Unable to read configuration file%s",
+- filenamemsg.get()));
++ reportError(form("Unable to read configuration file."));
+ }
+ config.Read(configFile);
+ 
diff --git a/www/htdig/patches/patch-ag b/www/htdig/patches/patch-ag
new file mode 100644
index 00000000000..475841a3c97
--- /dev/null
+++ b/www/htdig/patches/patch-ag
@@ -0,0 +1,14 @@
+$NetBSD: patch-ag,v 1.1 2005/03/20 20:34:27 salo Exp $
+
+--- htfuzzy/htfuzzy.cc.orig 2002-02-01 00:47:17.000000000 +0100
++++ htfuzzy/htfuzzy.cc 2005-03-20 21:16:14.000000000 +0100
+@@ -148,8 +148,7 @@
+ config.Defaults(&defaults[0]);
+ if (access(configFile, R_OK) < 0)
+ {
+- reportError(form("Unable to find configuration file '%s'",
+- configFile.get()));
++ reportError(form("Unable to find configuration file."));
+ }
+ config.Read(configFile);
+ 
diff --git a/www/htdig/patches/patch-ah b/www/htdig/patches/patch-ah
new file mode 100644
index 00000000000..6aceb28ffd7
--- /dev/null
+++ b/www/htdig/patches/patch-ah
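Review bot: The context line `if (filenameok) filenamemsg << " '" << configFile.get() << "'";` just above the changed `reportError` call in patch-af still builds `filenamemsg`, but the new message never uses it, so the patch leaves dead work behind. Either drop that line in the patch as well, or, if `filenameok` already means the name passed a validation (not visible from this hunk), keep the name in the message after HTML-escaping it, which preserves the operator diagnostic while still keeping request-supplied text out of the page. Whether `reportError` escapes its argument before emitting it, and whether other `reportError` calls in htsearch.cc pass request-derived strings, cannot be seen here and is worth checking, since this patch only closes the one site. `form()` with a constant and no arguments is harmless but unnecessary; `reportError("Unable to read configuration file.")` would do if it accepts a plain string. The enclosing function in htsearch.cc begins and ends outside the hunk.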
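Review bot: The htfuzzy.cc hunk in patch-ag removes the configuration file name from a message in what looks like a command-line indexing tool rather than the CGI, so operators lose a useful diagnostic without a web-reachable path being closed; the htmerge.cc hunk in patch-ah does the same. If `reportError` in htfuzzy and htmerge only writes to stderr (not visible from these hunks), keeping `'%s'` with `configFile.get()` is preferable; if it shares the HTML-emitting reporter with htsearch, escaping the name where it is written into HTML is a more durable fix than dropping it. A one-line comment in each patch file would also help the next maintainer, e.g. `# CAN-2005-0085: do not echo the configuration file name into the error message`. The enclosing functions begin and end outside both hunks.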
@@ -0,0 +1,14 @@
+$NetBSD: patch-ah,v 1.1 2005/03/20 20:34:27 salo Exp $
+
+--- htmerge/htmerge.cc.orig 2002-02-01 00:47:18.000000000 +0100
++++ htmerge/htmerge.cc 2005-03-20 21:24:02.000000000 +0100
+@@ -116,8 +116,7 @@
+ 
+ if (access(configfile, R_OK) < 0)
+ {
+- reportError(form("Unable to find configuration file '%s'",
+- configfile.get()));
++ reportError(form("Unable to find configuration file."));
+ }
+ 
+ config.Read(configfile);
-- 
cgit v1.2.3