author | 2006-06-13 19:59:14 +0000 | |
---|---|---|
committer | 2006-06-13 19:59:14 +0000 | |
commit | 226e207599adf364241033bcf137a4fbd3f94749 (patch) | |
tree | 87fa6eda41a07a7f785990bc1900d67378ccfabe /mail-client/squirrelmail | |
parent | add virtual/perl-ExtUtils-MakeMaker to the EU::MM block -thanks mr.b (diff) | |
add a security patch. bug #135921.
(Portage version: 2.1)
Diffstat (limited to 'mail-client/squirrelmail')
-rw-r--r-- | mail-client/squirrelmail/ChangeLog | 8 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/digest-squirrelmail-1.4.6-r3 | 30 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/sec-135921.patch | 75 | ||||
-rw-r--r-- | mail-client/squirrelmail/squirrelmail-1.4.6-r3.ebuild | 210 |
4 files changed, 322 insertions, 1 deletions
diff --git a/mail-client/squirrelmail/ChangeLog b/mail-client/squirrelmail/ChangeLog index a7f77987a905..d433b708fd8f 100644 --- a/mail-client/squirrelmail/ChangeLog +++ b/mail-client/squirrelmail/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for mail-client/squirrelmail # Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/mail-client/squirrelmail/ChangeLog,v 1.51 2006/05/24 20:16:43 hansmi Exp $ +# $Header: /var/cvsroot/gentoo-x86/mail-client/squirrelmail/ChangeLog,v 1.52 2006/06/13 19:59:14 langthang Exp $ + +*squirrelmail-1.4.6-r3 (13 Jun 2006) + + 13 Jun 2006; Tuấn Văn <langthang@gentoo.org> +files/sec-135921.patch, + +squirrelmail-1.4.6-r3.ebuild: + add a security patch. bug #135921. 24 May 2006; Michael Hanselmann <hansmi@gentoo.org> squirrelmail-1.4.6-r2.ebuild: diff --git a/mail-client/squirrelmail/files/digest-squirrelmail-1.4.6-r3 b/mail-client/squirrelmail/files/digest-squirrelmail-1.4.6-r3 new file mode 100644 index 000000000000..8b65672f432a --- /dev/null +++ b/mail-client/squirrelmail/files/digest-squirrelmail-1.4.6-r3 
@@ -0,0 +1,30 @@ +MD5 c321d0f7efa624f6bc3f3a4d1bf08782 admin_add.0.1-1.4.0.tar.gz 2388 +RMD160 6847934c59ae73119a796c6fef251de26a2ea531 admin_add.0.1-1.4.0.tar.gz 2388 +SHA256 25ec999eea098a509f7d49cfe368b0557b64c698f86b2a2c951617f67735dabc admin_add.0.1-1.4.0.tar.gz 2388 +MD5 29dfec2e0f71fba368a89c36c51881c2 all_locales-1.4.6-20060221.tar.bz2 2448102 +RMD160 c108485b090ffc8ea96b1384c9cf588adade7ed2 all_locales-1.4.6-20060221.tar.bz2 2448102 +SHA256 e29b017deb84e7a3656ed846b2387911e4c7275e88fd3d6761528dbaa7510ac4 all_locales-1.4.6-20060221.tar.bz2 2448102 +MD5 4766f5f6706e086d5c9370bef9e7629f amavisnewsql-0.8.0-1.4.tar.gz 101008 +RMD160 72b796565f128354c51e8a04384e49621371cf16 amavisnewsql-0.8.0-1.4.tar.gz 101008 +SHA256 f9ef453f80e0a44a22c695712b44af935f6d1a505239bd0cb6470fc27608041c amavisnewsql-0.8.0-1.4.tar.gz 101008 +MD5 cfc3279a613b917fcba8200c596dadb0 compatibility-2.0.4.tar.gz 18703 +RMD160 f5b272fb1598c28be70e16ed4251eefa57f46f8e compatibility-2.0.4.tar.gz 18703 +SHA256 5aa1bbf871a131eeb3d64e9c89b239231927ebc9aee81a272a31d014ccae667e compatibility-2.0.4.tar.gz 18703 +MD5 88f80922e2a060f5277fd2192404efab gpg.2.0.1-1.4.2.tar.gz 383592 +RMD160 f8e53570494b84d61bb467e1fcb368decb9bbd2a gpg.2.0.1-1.4.2.tar.gz 383592 +SHA256 b4fa8f4112ef8b69d9b79fbc43c8bde3523de5487e1447445deee67b6c66091b gpg.2.0.1-1.4.2.tar.gz 383592 +MD5 c836661e8360358b94df4e153e449b2c ldapuserdata-0.4.tar.gz 67439 +RMD160 6f7fa3eab6eb2877057fc4d9d360da2e10858ba6 ldapuserdata-0.4.tar.gz 67439 +SHA256 ee10b97e99c35b0656e7e87f60785408f3d26a53ee2a0107d8aa04f7947c3ff7 ldapuserdata-0.4.tar.gz 67439 +MD5 dfe469f7ab473fd2292b30800e3141d5 retrieveuserdata.0.9-1.4.0.tar.gz 10448 +RMD160 942d073f86947295ed069ed04e4fc268857932af retrieveuserdata.0.9-1.4.0.tar.gz 10448 +SHA256 086796d858e781c518b538b37e9ec011d51a2aebd6d14aeba1aa330b58626b8d retrieveuserdata.0.9-1.4.0.tar.gz 10448 +MD5 73d2c111579e2fad17c289f62e0be855 secure_login-1.2-1.2.8.tar.gz 6361 +RMD160 e3e35d7acf5f427592915d541ca2aaad79d37b1d 
secure_login-1.2-1.2.8.tar.gz 6361 +SHA256 b3cf5fbf15206ca9f0e00b573408fc78b287fbb2e0d5fcbba93fe6e75ceb4a0b secure_login-1.2-1.2.8.tar.gz 6361 +MD5 a14a46388ed710a81c356d69276844c1 show_ssl_link-2.1-1.2.8.tar.gz 5950 +RMD160 58f202d7febcde55efdf8a6f312caebf3d4e0d45 show_ssl_link-2.1-1.2.8.tar.gz 5950 +SHA256 a5eb5c1eade9fb6fda5f0f9279a8bb186e9d249cae67a98eaf125845f4d177d2 show_ssl_link-2.1-1.2.8.tar.gz 5950 +MD5 300ddcf66b7907a61b6e9404840e35de squirrelmail-1.4.6.tar.bz2 484099 +RMD160 3cee894b392620af3e35ef1d00e35775559dd4f7 squirrelmail-1.4.6.tar.bz2 484099 +SHA256 8694412708eeb1f4029a4850e69f4a6891b0959e6315572013f4db9d3addc9d3 squirrelmail-1.4.6.tar.bz2 484099 diff --git a/mail-client/squirrelmail/files/sec-135921.patch b/mail-client/squirrelmail/files/sec-135921.patch new file mode 100644 index 000000000000..88c4387c28b8 --- /dev/null +++ b/mail-client/squirrelmail/files/sec-135921.patch 
@@ -0,0 +1,75 @@
+--- functions/global.php 2006-02-03 14:27:47.000000000 -0800
++++ functions/global.php.new 2006-06-13 12:28:12.000000000 -0700
+@@ -3,14 +3,13 @@
+ /**
+ * global.php
+ *
+- * Copyright (c) 1999-2006 The SquirrelMail Project Team
+- * Licensed under the GNU GPL. For full terms see the file COPYING.
+- *
+ * This includes code to update < 4.1.0 globals to the newer format
+ * It also has some session register functions that work across various
+ * php versions.
+ *
+- * @version $Id: global.php,v 1.27.2.15 2006/02/03 22:27:47 jervfors Exp $
++ * @copyright © 1999-2006 The SquirrelMail Project Team
++ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
++ * @version $Id: global.php,v 1.27.2.17 2006/06/02 02:52:15 jangliss Exp $
+ * @package squirrelmail
+ */
+
+@@ -62,6 +61,47 @@
+ sqstripslashes($_POST);
+ }
+
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++ strtolower(ini_get('register_globals'))!='off') {
++ /**
++ * Remove all globals from $_GET, $_POST, and $_COOKIE.
++ */
++ foreach ($_REQUEST as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized $_FILES variables
++ * Before 4.3.0 $_FILES are included in $_REQUEST.
++ * Unglobalize them in separate call in order to remove dependency
++ * on PHP version.
++ */
++ foreach ($_FILES as $key => $value) {
++ unset($GLOBALS[$key]);
++ // there are three undocumented $_FILES globals.
++ unset($GLOBALS[$key.'_type']);
++ unset($GLOBALS[$key.'_name']);
++ unset($GLOBALS[$key.'_size']);
++ }
++ /**
++ * Remove globalized environment variables.
++ */
++ foreach ($_ENV as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized server variables.
++ */
++ foreach ($_SERVER as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+ This fixes hand crafted url XXS expoits for any
+ page that uses PHP_SELF as the FORM action */
+@@ -336,4 +376,4 @@
+ }
+
+ // vim: et ts=4
+-?>
+\ No newline at end of file
++?>
diff --git a/mail-client/squirrelmail/squirrelmail-1.4.6-r3.ebuild b/mail-client/squirrelmail/squirrelmail-1.4.6-r3.ebuild
new file mode 100644
index 000000000000..735341a70b4b
--- /dev/null
+++ b/mail-client/squirrelmail/squirrelmail-1.4.6-r3.ebuild
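Review bot: The four `foreach` loops in the added register_globals block pass request-supplied key names straight to `unset($GLOBALS[$key])` with no reserved-name check, so a parameter named after a superglobal (`GLOBALS`, `_SERVER`, `_FILES`, `_SESSION`) is handled like any injected variable. Depending on the PHP version, that could remove state the rest of the request relies on instead of only the globalized copies. Skip reserved names before unsetting, for example `if (in_array($key, $reserved)) continue;` with `$reserved` listing the superglobal names. The block covers `$_REQUEST`, `$_FILES`, `$_ENV` and `$_SERVER` but not session variables, which register_globals also globalizes; a comment stating whether that case is handled elsewhere in global.php would help, since the rest of the file is outside this patch.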
@@ -0,0 +1,210 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/mail-client/squirrelmail/squirrelmail-1.4.6-r3.ebuild,v 1.1 2006/06/13 19:59:14 langthang Exp $
+
+IUSE="crypt ldap spell ssl filter mysql postgres nls"
+
+inherit webapp eutils
+
+DESCRIPTION="Webmail for nuts!"
+
+# Plugin Versions
+COMPATIBILITY_VER=2.0.4
+USERDATA_VER=0.9-1.4.0
+ADMINADD_VER=0.1-1.4.0
+AMAVIS_VER=0.8.0-1.4
+GPG_VER=2.0.1-1.4.2
+LDAP_USERDATA_VER=0.4
+SECURELOGIN_VER=1.2-1.2.8
+SHOWSSL_VER=2.1-1.2.8
+LOCALES_VER=1.4.6-20060221
+
+MY_P=${P/_rc/-RC}
+S="${WORKDIR}/${MY_P}"
+
+PLUGINS_LOC="http://www.squirrelmail.org/plugins"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.bz2
+ mirror://sourceforge/retruserdata/retrieveuserdata.${USERDATA_VER}.tar.gz
+ ${PLUGINS_LOC}/compatibility-${COMPATIBILITY_VER}.tar.gz
+ ssl? ( ${PLUGINS_LOC}/secure_login-${SECURELOGIN_VER}.tar.gz )
+ ssl? ( ${PLUGINS_LOC}/show_ssl_link-${SHOWSSL_VER}.tar.gz )
+ ${PLUGINS_LOC}/admin_add.${ADMINADD_VER}.tar.gz
+ filter? ( ${PLUGINS_LOC}/amavisnewsql-0.8.0-1.4.tar.gz )
+ crypt? ( ${PLUGINS_LOC}/gpg.${GPG_VER}.tar.gz )
+ ldap? ( ${PLUGINS_LOC}/ldapuserdata-${LDAP_USERDATA_VER}.tar.gz )
+ nls? ( mirror://sourceforge/${PN}/all_locales-${LOCALES_VER}.tar.bz2 )"
+
+HOMEPAGE="http://www.squirrelmail.org/"
+
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~ppc ~ppc64 ~sparc ~x86"
+
+DEPEND=""
+
+RDEPEND="virtual/php
+ perl-core/DB_File
+ crypt? ( app-crypt/gnupg )
+ ldap? ( net-nds/openldap )
+ spell? ( || ( app-text/aspell app-text/ispell ) )
+ filter? ( mail-filter/amavisd-new dev-php/PEAR-Log dev-php/PEAR-DB dev-php/PEAR-Net_SMTP )
+ postgres? ( dev-php/PEAR-DB )
+ mysql? ( dev-php/PEAR-DB )"
+
+src_unpack() {
+ unpack ${MY_P}.tar.bz2
+
+ cd ${S}
+
+ mv config/config_default.php config/config.php
+
+ # Now do the plugins
+ cd ${S}/plugins
+
+ sed -i 's:/usr/games/fortune:/usr/bin/fortune:g' fortune/setup.php || die "Unable to fix fortunes plugin."
+
+ unpack compatibility-${COMPATIBILITY_VER}.tar.gz
+
+ unpack admin_add.${ADMINADD_VER}.tar.gz
+
+ unpack retrieveuserdata.${USERDATA_VER}.tar.gz
+
+ use filter &&
+ unpack amavisnewsql-${AMAVIS_VER}.tar.gz &&
+ mv amavisnewsql/config.php.dist amavisnewsql/config.php
+
+ use crypt &&
+ unpack gpg.${GPG_VER}.tar.gz
+
+ use ldap &&
+ unpack ldapuserdata-${LDAP_USERDATA_VER}.tar.gz &&
+ epatch ${FILESDIR}/ldapuserdata-${LDAP_USERDATA_VER}-gentoo.patch &&
+ mv ldapuserdata/config_sample.php ldapuserdata/config.php
+
+ use ssl &&
+ unpack secure_login-${SECURELOGIN_VER}.tar.gz &&
+ mv secure_login/config.php.sample secure_login/config.php &&
+ unpack show_ssl_link-${SHOWSSL_VER}.tar.gz &&
+ mv show_ssl_link/config.php.sample show_ssl_link/config.php
+
+ use nls &&
+ cd ${S} &&
+ unpack all_locales-${LOCALES_VER}.tar.bz2
+
+ # security patch. Bug #135921.
+ epatch "${FILESDIR}"/sec-135921.patch
+}
+
+src_compile() {
+ #we need to have this empty function ... default compile hangs
+ echo "Nothing to compile"
+}
+
+src_install() {
+ webapp_src_preinst
+
+ # handle documentation files
+ #
+ # NOTE that doc files go into /usr/share/doc as normal; they do NOT
+ # get installed per vhost!
+
+ for doc in AUTHORS COPYING ChangeLog INSTALL README ReleaseNotes UPGRADE; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+
+ docinto compatibility
+ for doc in plugins/compatibility/INSTALL plugins/compatibility/README; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+
+ docinto admin_add
+ for doc in plugins/admin_add/README; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+
+ docinto retrieveuserdata
+ for doc in plugins/retrieveuserdata/INSTALL plugins/retrieveuserdata/changelog plugins/retrieveuserdata/users_example.txt; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+
+ if use filter; then
+ docinto amavisnewsql
+ for doc in plugins/amavisnewsql/{CHANGELOG,README,UPGRADE}; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+ fi
+
+ if use crypt; then
+ docinto gpg
+ for doc in plugins/gpg/README plugins/gpg/README.txt plugins/gpg/INSTALL plugins/gpg/INSTALL.txt plugins/gpg/TODO; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+ fi
+
+ if use ldap; then
+ rm plugins/ldapuserdata/README
+ docinto ldapuserdata
+ for doc in plugins/ldapuserdata/doc/README; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+ fi
+
+ if use ssl; then
+ docinto secure_login
+ for doc in plugins/secure_login/INSTALL plugins/secure_login/README; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+
+ docinto show_ssl_link
+ for doc in plugins/show_ssl_link/INSTALL plugins/show_ssl_link/README; do
+ dodoc ${doc}
+ rm -f ${doc}
+ done
+ fi
+
+ # Copy the app's main files
+ einfo "Installing squirrelmail files."
+ cp -r . ${D}${MY_HTDOCSDIR}
+
+ # Identify the configuration files that this app uses
+ local configs="config/config.php config/config_local.php plugins/retrieveuserdata/config.php"
+ use filter && configs="${configs} plugins/amavisnewsql/config.php"
+ use crypt && configs="${configs} plugins/gpg/gpg_local_prefs.txt"
+ use ldap && configs="${configs} plugins/ldapuserdata/config.php"
+ use ssl && configs="${configs} plugins/show_ssl_link/config.php plugins/secure_login/config.php"
+
+ for file in ${configs}; do
+ webapp_configfile ${MY_HTDOCSDIR}/${file}
+ done
+
+ # Identify any script files that need #! headers adding to run under
+ # a CGI script (such as PHP/CGI)
+ #
+ # for phpmyadmin, we *assume* that all .php files that don't end in
+ # .inc.php need to have CGI/BIN support added
+
+ #for x in `find . -name '*.php' -print | grep -v 'inc.php'` ; do
+ # webapp_runbycgibin php ${MY_HTDOCSDIR}/$x
+ #done
+
+ local server_owned="data index.php"
+ for file in ${server_owned}; do
+ webapp_serverowned ${MY_HTDOCSDIR}/${file}
+ done
+
+ # add the post-installation instructions
+ webapp_postinst_txt en ${FILESDIR}/postinstall-en.txt
+
+ # all done
+ #
+ # now we let the eclass strut its stuff ;-)
+
+ webapp_src_install
+} |
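Review bot: The `epatch "${FILESDIR}"/sec-135921.patch` call at the end of `src_unpack` runs from a working directory that depends on USE flags. The last unconditional directory change is `cd ${S}/plugins`, and only the `use nls && cd ${S} && unpack ...` chain moves back to the source root. The patch names `functions/global.php` relative to the source root, so with `nls` disabled it would probably not find its target and the security fix would not be applied. Add an explicit `cd "${S}"` on the line before the `epatch` call so the fix applies regardless of USE flags.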