[arch-commits] Commit in mailman/trunk (02-fix-CVE-2015-2775.patch PKGBUILD)
Sébastien Luttringer
seblu at archlinux.org
Tue Mar 31 15:54:32 UTC 2015
Date: Tuesday, March 31, 2015 @ 17:54:32
Author: seblu
Revision: 130414
upgpkg: mailman 2.1.19-2
- fix CVE-2015-2775
Added:
mailman/trunk/02-fix-CVE-2015-2775.patch
Modified:
mailman/trunk/PKGBUILD
----------------------------+
02-fix-CVE-2015-2775.patch | 17 +++++++++++++++++
PKGBUILD | 17 ++++++++++++-----
2 files changed, 29 insertions(+), 5 deletions(-)
Added: 02-fix-CVE-2015-2775.patch
===================================================================
--- 02-fix-CVE-2015-2775.patch (rev 0)
+++ 02-fix-CVE-2015-2775.patch 2015-03-31 15:54:32 UTC (rev 130414)
@@ -0,0 +1,17 @@
+--- a/Mailman/Utils.py 2015-01-23 23:50:47 +0000
++++ b/Mailman/Utils.py 2015-03-27 18:14:06 +0000
+@@ -100,6 +100,12 @@
+ #
+ # The former two are for 2.1alpha3 and beyond, while the latter two are
+ # for all earlier versions.
++ #
++ # But first ensure the list name doesn't contain a path traversal
++ # attack.
++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++ syslog('mischief', 'Hostile listname: %s', listname)
++ return False
+ basepath = Site.get_listpath(listname)
+ for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+ dbfile = os.path.join(basepath, 'config' + ext)
+
+
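Review bot: The new guard in the Utils.py hunk is only as strict as `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS`, a site-configurable pattern whose value is not visible here, so a local override that admits a path separator would leave the `os.path.join` below unprotected. I would record that dependency next to the check, e.g. `# relies on ACCEPTABLE_LISTNAME_CHARACTERS never matching a path separator`. The `re.sub` call is also case-sensitive as written. Whether mixed-case names reach this point without being lowercased cannot be told from the hunk, so it is worth confirming that legitimate lists are not logged as hostile and rejected. The enclosing function starts and ends outside the hunk.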
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2015-03-31 15:03:57 UTC (rev 130413)
+++ PKGBUILD 2015-03-31 15:54:32 UTC (rev 130414)
@@ -5,7 +5,7 @@
pkgname=mailman
_pkgver=2.1.19
pkgver=${_pkgver//-/.}
-pkgrel=1
+pkgrel=2
pkgdesc='The GNU Mailing List Manager'
arch=(i686 x86_64)
license=('GPL')
@@ -35,7 +35,8 @@
'mailman-nightlygzip.timer'
'mailman-senddigests.service'
'mailman-senddigests.timer'
- '01-mailman-2.1-build.patch')
+ '01-mailman-2.1-build.patch'
+ '02-fix-CVE-2015-2775.patch')
md5sums=('13a33d758f8a6308c91dd267fc3ba123'
'a9c71ec940c56173415fbd49087d10b0'
'85a8c30ffc444e677b286f54df530482'
@@ -55,7 +56,8 @@
'3af65082d3cd4d5746944890c7a72962'
'350dac1e350691e3d9cb8f99fd4b669a'
'52917f62441ac5d950789e8f8af28f09'
- 'ed04d062379eb21e39ce1e70e6b1ade2')
+ 'ed04d062379eb21e39ce1e70e6b1ade2'
+ 'c80ee5b3e14df0a0c6a499b81e0726b4')
prepare() {
# some files in mailman doesn't use configure parameter
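Review bot: The checksum added for `02-fix-CVE-2015-2775.patch` goes into `md5sums`, and MD5 no longer resists collisions, so it is a weak integrity check for a release that exists to ship a security fix. The patch file is listed as a bare local filename, so the larger exposure is presumably the upstream tarball entry earlier in the same array, which is outside this hunk. I would switch the array to `sha256sums=(...)` and regenerate every entry with `updpkgsums`, not just append one more MD5.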
@@ -62,8 +64,13 @@
find $pkgname-$_pkgver -type f -exec \
sed -i '1s,^#! \?/usr/bin/\(env \|\)python$,#!/usr/bin/python2,' {} \;
- # fix directory permissions to satisfy check_perms
- patch -p1 -d $pkgname-$_pkgver < 01-mailman-2.1-build.patch
+ # apply patch from sources
+ for _p in "${source[@]}"; do
+ if [[ "$_p" =~ .+\.patch$ ]]; then
+ msg2 "Applying patch $_p"
+ patch -p1 -d $pkgname-$_pkgver < "$_p"
+ fi
+ done
}
build() {
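Review bot: The loop redirects from `"$_p"` directly, which assumes every `source` entry ending in `.patch` is a bare local filename. An entry given as a URL would match the regex but would not resolve to the downloaded file. `_p` is also left as a global, and the `-d` argument is unquoted. I would add `local _p` before the loop and use `patch -p1 -d "$pkgname-$_pkgver" < "${_p##*/}"` inside it. Patches are applied in array order, so the numeric filename prefixes must stay in step with the order in `source`. `prepare()` opens in the previous hunk.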