[arch-commits] Commit in mantisbt/repos/community-any (3 files)

Maxime Gauduin alucryd at archlinux.org
Mon Dec 1 09:09:01 UTC 2014


    Date: Monday, December 1, 2014 @ 10:09:01
  Author: alucryd
Revision: 123317

archrelease: copy trunk to community-any

Deleted:
  mantisbt/repos/community-any/CVE-2014-8554.patch
  mantisbt/repos/community-any/PKGBUILD
  mantisbt/repos/community-any/mantisbt.install

---------------------+
 CVE-2014-8554.patch |   35 -------------------------------
 PKGBUILD            |   56 --------------------------------------------------
 mantisbt.install    |   17 ---------------
 3 files changed, 108 deletions(-)

Deleted: CVE-2014-8554.patch
===================================================================
--- CVE-2014-8554.patch	2014-12-01 09:07:07 UTC (rev 123316)
+++ CVE-2014-8554.patch	2014-12-01 09:09:01 UTC (rev 123317)
@@ -1,35 +0,0 @@
-From 99ffb0afaff3409d0eaec78ac963214da0d2a079 Mon Sep 17 00:00:00 2001
-From: Damien Regad <dregad at mantisbt.org>
-Date: Thu, 30 Oct 2014 15:31:36 +0100
-Subject: [PATCH] SQL injection in mc_project_get_attachments()
-
-This is a follow-up on CVE-2014-1609 / issue #16880.
-
-Edwin Gozeling and Wim Visser from ITsec Security Services BV
-(http://www.itsec.nl) discovered that the fix in #16880 did not fully
-address the problem. Their research demonstrate that using a specially
-crafted project id parameter, an attacker could still perform an SQL
-injection.
-
-The same issue was also reported by Paul Richards in issue #17823.
-
-This patch fixes the problem by typecasting the Project ID parameter
-to Integer.
-
-Fixes #17812, CVE-2014-8554
----
- api/soap/mc_project_api.php | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
-index 8e6aae9..fe57b7b 100644
---- a/api/soap/mc_project_api.php
-+++ b/api/soap/mc_project_api.php
-@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
- 		return mci_soap_fault_login_failed();
- 	}
- 
-+	$p_project_id = (int)$p_project_id;
- 	$g_project_override = $p_project_id;
- 
- 	# Check if project documentation feature is enabled.

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2014-12-01 09:07:07 UTC (rev 123316)
+++ PKGBUILD	2014-12-01 09:09:01 UTC (rev 123317)
@@ -1,56 +0,0 @@
-# $Id$
-# Maintainer: Maxime Gauduin <alucryd at archlinux.org>
-# Contributor: Alexander 'gridcol' Griesbaum <agrsbm at gmail.com>
-# Contributor: Ravenman <correo.cuervo at gmail.com>
-# Contributor: Anton Bazhenov <anton.bazhenov at gmail>
-# Contributor: Angel 'angvp' Velasquez <angvp at archlinux.com.ve>
-
-pkgname=mantisbt
-pkgver=1.2.17
-pkgrel=4
-pkgdesc='Web-based issue tracking system'
-arch=('any')
-url='http://www.mantisbt.org/'
-license=('GPL')
-depends=('php')
-optdepends=('apache: Web server to run MantisBT'
-            'curl: Twitter integration'
-            'gd: Graphs support'
-            'lighttpd: Web server to run MantisBT'
-            'mariadb: SQL database'
-            'nginx: Web server to run MantisBT'
-            'php-pgsql: PostgreSQL database')
-backup=('etc/webapps/mantisbt/config_inc.php')
-install='mantisbt.install'
-source=("http://downloads.sourceforge.net/mantisbt/mantisbt-${pkgver}.tar.gz"
-        'CVE-2014-7146.patch'
-        'CVE-2014-8554.patch'
-        'CVE-2014-8598.patch')
-sha256sums=('4305295a1d3910516b6fa238e03e710c0bb5b30a01b3a908865799096207b243'
-            '5660d838efa89f5cc391df902979faa024a26faa698ab0845a458bf3a5fdcd08'
-            '3183477bcc3b69fc969b9d9502070816b2f8bd1ec387d02805b1bd901b471908'
-            '3bfb9a6e118678f80a244ca13f527d5589da094491e910d95c53dd5c10d048ed')
-
-prepare() {
-  cd mantisbt-${pkgver}
-
-  patch -Np1 -i ../CVE-2014-7146.patch
-  patch -Np1 -i ../CVE-2014-8554.patch
-  patch -Np1 -i ../CVE-2014-8598.patch
-}
-
-package() {
-  install -dm 755 "${pkgdir}"/{etc,usr/share}/webapps/mantisbt
-  cp -dr --no-preserve='ownership' mantisbt-${pkgver}/* "${pkgdir}"/usr/share/webapps/mantisbt
-
-  for f in {config_inc.php,custom_strings_inc.php,custom_constants_inc.php,custom_functions_inc.php}; do
-    ln -s /etc/webapps/mantisbt/${f} "${pkgdir}"/usr/share/webapps/mantisbt/
-  done
-  cp "${pkgdir}"/usr/share/webapps/mantisbt/config_inc.php.sample "${pkgdir}"/etc/webapps/mantisbt/config_inc.php
-
-  find "${pkgdir}" -type d -exec chmod 755 {} +
-  find "${pkgdir}" -type f -exec chmod 644 {} +
-  chown http:http -R "${pkgdir}"/usr/share/webapps/mantisbt
-}
-
-# vim: ts=2 sw=2 et:

Deleted: mantisbt.install
===================================================================
--- mantisbt.install	2014-12-01 09:07:07 UTC (rev 123316)
+++ mantisbt.install	2014-12-01 09:09:01 UTC (rev 123317)
@@ -1,17 +0,0 @@
-pre_upgrade() {
-  cd /usr/share/webapps/mantisbt
-
-  cp mantis_offline.php.sample mantis_offline.php
-}
-
-post_upgrade() {
-  cd /usr/share/webapps/mantisbt
-
-  rm mantis_offline.php
-}
-
-post_remove() {
-  rm -rf /usr/share/webapps/mantisbt
-}
-
-# vim: ts=2 sw=2 et:


