authorJorge Manuel B. S. Vicetto <jmbsvicetto@gentoo.org>2011-10-25 18:18:44 +0000
committerJorge Manuel B. S. Vicetto <jmbsvicetto@gentoo.org>2011-10-25 18:18:44 +0000
commitf8fc71cbf9aacddaa80e229bba9a384538469190 (patch)
tree51bffdba010095965a2dd423b4fcc7bb951bc6d6 /net-nds
parentversion bump (diff)
downloadhistorical-f8fc71cbf9aacddaa80e229bba9a384538469190.tar.gz
historical-f8fc71cbf9aacddaa80e229bba9a384538469190.tar.bz2
historical-f8fc71cbf9aacddaa80e229bba9a384538469190.zip
[net-nds/phpldapadmin] Package bump to apply security fixes for bug 388349.
Package-Manager: portage-2.2.0_alpha69/cvs/Linux x86_64
Diffstat (limited to 'net-nds')
-rw-r--r--net-nds/phpldapadmin/ChangeLog9
-rw-r--r--net-nds/phpldapadmin/Manifest25
-rw-r--r--net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch27
-rw-r--r--net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch28
-rw-r--r--net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild51
5 files changed, 118 insertions, 22 deletions
diff --git a/net-nds/phpldapadmin/ChangeLog b/net-nds/phpldapadmin/ChangeLog
index a93ffd5f912f..253242e6e39f 100644
--- a/net-nds/phpldapadmin/ChangeLog
+++ b/net-nds/phpldapadmin/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-nds/phpldapadmin
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-nds/phpldapadmin/ChangeLog,v 1.53 2011/10/20 19:38:09 jmbsvicetto Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-nds/phpldapadmin/ChangeLog,v 1.54 2011/10/25 18:18:43 jmbsvicetto Exp $
+
+*phpldapadmin-1.2.1.1-r1 (25 Oct 2011)
+
+ 25 Oct 2011; <atlantis@gentoo.org> +phpldapadmin-1.2.1.1-r1.ebuild,
+ +files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch,
+ +files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch:
+ [net-nds/phpldapadmin] Package bump to apply security fixes for bug 388349.
*phpldapadmin-1.2.1.1 (20 Oct 2011)
diff --git a/net-nds/phpldapadmin/Manifest b/net-nds/phpldapadmin/Manifest
index a9701c919601..98fcac468235 100644
--- a/net-nds/phpldapadmin/Manifest
+++ b/net-nds/phpldapadmin/Manifest
@@ -1,6 +1,5 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
+AUX phpldapadmin-1.2.1.1-fix-cmd-exploit.patch 716 RMD160 53234a28cbba93e29be796c84b3f735065bef428 SHA1 bb26087375bdb8ace84254b9e9c4537ab691bbaf SHA256 b0c7822c7e36d037e15839046bdfc842540b972633e293c5d96e6d3117f782e0
+AUX phpldapadmin-1.2.1.1-fix-functions-exploit.patch 939 RMD160 7c4cd4aa9290ad298afe18ef78765ba0619a365b SHA1 6c7f3b29e696b1b16ffead286962dca98970674d SHA256 94344146e0434ac7c70375f4cbfef9bcd40897c06fb3eddc0b39eaed0c5c669d
AUX phpldapadmin-1.2.1.1-fix-magic-quotes.patch 829 RMD160 085053d13ba91c8b69d5b0e4d6ce3fd0e627780b SHA1 8f6ea7971157091febc6a7ff2f6fe97ed908df38 SHA256 7cce069d30a5c4067743de8e91d0d6bd4d9faaaf169ed342a3890bf07ced8817
AUX postinstall2-en.txt 131 RMD160 f1f681b3b5094f555e6adfca8d70d4ca1b14ae4b SHA1 deecc59339d6c83dad797c0f8cfab9ea0110153a SHA256 e2dc7bea366789a303eb9a90d1bced655cea00469202859af40bf19c00505d38
DIST phpldapadmin-1.2.0.4.tgz 1291545 RMD160 23b6a9afd438add7ed48ff390d5b4d4400df54b4 SHA1 7b364065e91f4dca606432c42fa2ae48e54f04ce SHA256 e4887ed0db63c926162d79d603add21a669103ad2f75a7b90686a18eed8a6330
@@ -8,23 +7,7 @@ DIST phpldapadmin-1.2.0.5.tgz 1345901 RMD160 7b3e194420d7360001faa709b046423d8ac
DIST phpldapadmin-1.2.1.1.tgz 1468961 RMD160 c78bd0f056f7f5f8b150360e6ee0ef3f37d6560c SHA1 f30d76205891fbd01fab468af1f8430597983787 SHA256 1fa6373c500a193a8868cb6a753f3b5218a92374b792994129c0c1b69d4d1090
EBUILD phpldapadmin-1.2.0.4-r1.ebuild 983 RMD160 2228477215296b381a25ece0ac9f81d4cdead10e SHA1 340b6602090d046c526914f56a2ad55023f3e334 SHA256 cbb2de3c6c29336841d910feaf10b559158f85031f47b52d3f1574f2d985b79b
EBUILD phpldapadmin-1.2.0.5.ebuild 970 RMD160 702248b5bf778558a6704f761755f82060f0d053 SHA1 aea420c3f57d9de49e731ab8b6e3b7cc806c36ee SHA256 b785da167be298f837071d8e8d5a741d2c6f1e18038badd54349ed111f0e04d5
+EBUILD phpldapadmin-1.2.1.1-r1.ebuild 1359 RMD160 7459adeaca2213071d4adc19e0d8417f19a1d959 SHA1 cca736aaa69b6728ca6f03ff68135f75da60b315 SHA256 f1f21dc696d4f862bfffdf45bd8b0b5d32d62fa9731713ae3dbc3c447ea3b5e4
EBUILD phpldapadmin-1.2.1.1.ebuild 1129 RMD160 37a8f6d38c93c7eef6aa7c04e73c2e66f2df498f SHA1 ec4b1fd9da21bee274d685efda10cd81cc417005 SHA256 40f439fbda56140a71f345358aeb603b17440464497a0168b28368a157ca5591
-MISC ChangeLog 8739 RMD160 e7f46a91444c702d3fb1dcdffef2cd37f54a1b0d SHA1 cfe01976a8cc4e6b86fdf238b7c246951590ca0d SHA256 44543871ea4864ddd156d30ea197d48f4e90b6e42a8a932bfc19438c56b4e4c9
+MISC ChangeLog 9040 RMD160 164da373a94995f0768f7ae06eaf4e047125e031 SHA1 d2d95b3cc4ce6c172e184a64c6ab9980dac0a678 SHA256 c2131f81a7b00630dcd40b14889bea39ccdb2ffe565eb3c10db4db33552c7cfc
MISC metadata.xml 483 RMD160 9f29226203f0c22470a627939b84edbe57d40a7c SHA1 69affdfca1b1dd98d302336a0e47d708e96317ba SHA256 4da024bde528d8117f42de927efa5e86dd4445b018a818608e1db16969957186
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.18 (GNU/Linux)
-
-iQIcBAEBAgAGBQJOoHiTAAoJEC8ZTXQF1qEPfzEP/1yIegcgSXa5CgtLlW0J7Xzy
-p2WLH0M5AFTY9oigP+idTwDMjMwi+ofT6ObKC4Y0I2MiJgeSGfZh7P28S3itNJJT
-GlPXHXMC3d6E97asPShZ8M3YPOyepD8j/EkfjIwCzKyfgQhMSndSB+uQvIGhoppi
-G5DY6aWzctiaZtApmGeqIleECHgP/4QCDcBmYCZ/x0vdyd8WJvp9qT2nGHQ9Glwd
-LpxtOrOwTHnOqAiIzsiG84vMoW/TgASRmmHdExWYG57NhvUN6O7mZ7IBxWoUzb8K
-ZU8eFx5CJiyyOQCTewWYEK7AG/nNQioJW2bI+G9O7Dlp9yHg6hHPLawOsm2WIOJs
-ujl7m2hqi53ySAGQfzcK7byUMDGXmEt/hexayUmKVAzLJpsGRI7mkj7ThfqafeAC
-7e6arzp8JMWSNLh70Q2/ommmfrYZ9O2SSs4mXpr3b21AZn3zVZ00KfbB4iZK2qov
-KXNV7Ebt3fVXOH+V5Sxsw4Sln4oL18gQqmAB9poF8gU31Pm2PzCgbyWni+9YmpJU
-UZ5x0mKHyaYrpp5+PVwDDWN3Ehb/QUbnRI+xeVCu6pZoubvm7473eTI1sxq8z8rk
-BcchD4FGqFYYXBOF4nBHRU0KQmHkKhFfItrHg5atKqea0Ic+KLgpFRGoQdbyfes/
-Y6unEOVGHmrDoplPbDNT
-=HZGa
------END PGP SIGNATURE-----
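Review bot: The new Manifest is left unsigned: this hunk and the one before it remove the `-----BEGIN PGP SIGNED MESSAGE-----` header and the whole signature block, and nothing on the added side replaces them. The new AUX checksums for the two security patches and the EBUILD entry for `phpldapadmin-1.2.1.1-r1.ebuild` are therefore not covered by a developer signature, so a modified Manifest could not be told apart from the committed one by signature verification. If the drop was unintentional (for example the commit was made without `FEATURES="sign"`), the Manifest should be re-signed so that the revision carrying the security fixes is at least as verifiable as the one it supersedes.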
diff --git a/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch b/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch
new file mode 100644
index 000000000000..b5ae92d0425c
--- /dev/null
+++ b/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch
@@ -0,0 +1,27 @@
+From 64668e882b8866fae0fa1b25375d1a2f3b4672e2 Mon Sep 17 00:00:00 2001
+From: Deon George <wurley@users.sf.net>
+Date: Wed, 27 Jul 2011 07:30:06 +1000
+Subject: [PATCH] Remove XSS vulnerabilty in debug code
+
+---
+ htdocs/cmd.php | 4 ----
+ 1 files changed, 0 insertions(+), 4 deletions(-)
+
+diff --git a/htdocs/cmd.php b/htdocs/cmd.php
+index 34f3848..0ddf004 100644
+--- a/htdocs/cmd.php
++++ b/htdocs/cmd.php
+@@ -19,10 +19,6 @@ $www['meth'] = get_request('meth','REQUEST');
+ ob_start();
+
+ switch ($www['cmd']) {
+- case '_debug':
+- debug_dump($_REQUEST,1);
+- break;
+-
+ default:
+ if (defined('HOOKSDIR') && file_exists(HOOKSDIR.$www['cmd'].'.php'))
+ $app['script_cmd'] = HOOKSDIR.$www['cmd'].'.php';
+--
+1.7.4.1
+
diff --git a/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch b/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch
new file mode 100644
index 000000000000..bc18b452ca02
--- /dev/null
+++ b/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch
@@ -0,0 +1,28 @@
+From 76e6dad13ef77c5448b8dfed1a61e4acc7241165 Mon Sep 17 00:00:00 2001
+From: Deon George <wurley@users.sf.net>
+Date: Thu, 6 Oct 2011 09:03:20 +1100
+Subject: [PATCH] SF Bug #3417184 - PHP Code Injection Vulnerability
+
+---
+ lib/functions.php | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/functions.php b/lib/functions.php
+index 19fde99..eb160dc 100644
+--- a/lib/functions.php
++++ b/lib/functions.php
+@@ -1003,8 +1003,9 @@ function masort(&$data,$sortby,$rev=0) {
+ if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
+ debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
+
+- # if the array to sort is null or empty
+- if (! $data) return;
++ # if the array to sort is null or empty, or if we have some nasty chars
++ if (! preg_match('/^[a-zA-Z0-9_]+(\([a-zA-Z0-9_,]*\))?$/',$sortby) || ! $data)
++ return;
+
+ static $CACHE = array();
+
+--
+1.7.4.1
+
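Review bot: The `$` at the end of the new `preg_match` pattern also matches just before a trailing newline, so a `$sortby` value that ends in `\n` still passes the allowlist. Anchoring with the `D` modifier closes that gap: `if (! preg_match('/^[a-zA-Z0-9_]+(\([a-zA-Z0-9_,]*\))?$/D',$sortby) || ! $data)`. The rejection path also returns silently, so a refused `$sortby` looks the same as an empty array; a `debug_log()` call before the `return`, in the style of the one at the top of the hunk, would make rejected values visible to whoever is monitoring the application. The comment "or if we have some nasty chars" would be clearer if it named the accepted form, e.g. `# only accept sortby of the form name or name(arg,arg)`. The body of `masort()` continues outside the hunk, so how `$sortby` is used after the check cannot be confirmed from here.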
diff --git a/net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild b/net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild
new file mode 100644
index 000000000000..11f9926b4054
--- /dev/null
+++ b/net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild,v 1.1 2011/10/25 18:18:43 jmbsvicetto Exp $
+
+EAPI="2"
+
+inherit webapp depend.php
+
+DESCRIPTION="phpLDAPadmin is a web-based tool for managing all aspects of your LDAP server."
+HOMEPAGE="http://phpldapadmin.sourceforge.net"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tgz"
+
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~sparc ~x86"
+IUSE=""
+
+RDEPEND="dev-lang/php[hash,ldap,session,xml,nls]
+ || ( <dev-lang/php-5.3[pcre] >=dev-lang/php-5.3 )"
+
+need_httpd_cgi
+need_php_httpd
+
+src_prepare() {
+ mv config/config.php.example config/config.php
+ epatch "${FILESDIR}/${P}-fix-magic-quotes.patch"
+
+ # Security patches for secunia advisory 46551
+ # https://secunia.com/advisories/46551/
+ # CVE-2011-4075
+ epatch "${FILESDIR}/${P}-fix-functions-exploit.patch"
+ # CVE-2011-4074
+ epatch "${FILESDIR}/${P}-fix-cmd-exploit.patch"
+}
+
+src_install() {
+ webapp_src_preinst
+
+ dodoc INSTALL
+
+ # Restrict config file access - bug 280836
+ chown root:apache "config/config.php"
+ chmod 640 "config/config.php"
+
+ insinto "${MY_HTDOCSDIR}"
+ doins -r *
+
+ webapp_configfile "${MY_HTDOCSDIR}/config/config.php"
+ webapp_postinst_txt en "${FILESDIR}"/postinstall2-en.txt
+
+ webapp_src_install
+}
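Review bot: The `chown root:apache` and `chmod 640` in `src_install` are applied to `config/config.php` in the source directory before `doins -r *`, and as far as I know `doins` installs with its own mode options (default 0644) and does not carry over the source file's owner or mode, so the restriction for bug 280836 probably never reaches the image. Setting it on the installed path after the copy would be more reliable: `fowners root:apache "${MY_HTDOCSDIR}/config/config.php"` and `fperms 640 "${MY_HTDOCSDIR}/config/config.php"`, placed after `doins -r *`. Whether webapp-config later resets ownership for files registered with `webapp_configfile` is not visible here and should be checked on an installed instance. Separately, the `mv` in `src_prepare` and the `chown`/`chmod` calls have no `|| die`, so a failure in the step that protects the file holding LDAP settings would pass unnoticed.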