- Add CVE-2018-5950 patch [1]

- Update MASTER_SITES [1] - USES shebangfix - Regenerate patches with makepatch - Fix pkg-plist to make portlint happy PR: 225703 [1] Submitted by: Yasuhito FUTATSUKI MFH: 2018Q1 Security: CVE-2018-5950
author: TAKATSU Tomonari <tota@FreeBSD.org> 2018-02-25 10:44:59 +0000
committer: TAKATSU Tomonari <tota@FreeBSD.org> 2018-02-25 10:44:59 +0000
commit: 84f5aa46719291d12e31846bd58568e16d5e651b (patch)
tree: c75277a9a89cbc0e64c29dfc4cc1541439f78904 /japanese
parent: - Fix range for ja-mailman in CVE-2018-5950 (diff)
8 files changed, 91 insertions, 44 deletions
diff --git a/japanese/mailman/Makefile b/japanese/mailman/Makefile
index c78294a8ea2c..9734777acbf3 100644
--- a/japanese/mailman/Makefile
+++ b/japanese/mailman/Makefile
@@ -3,10 +3,10 @@
 
 PORTNAME=	mailman
 PORTVERSION=	2.1.14.j7
-PORTREVISION=	3
+PORTREVISION=	4
 PORTEPOCH=	1
 CATEGORIES=	japanese mail
-MASTER_SITES=	http://www.python.jp/doc/contrib/mailman/_static/ \
+MASTER_SITES=	https://docs.python.jp/contrib/mailman/_static/ \
 		LOCAL/tota/${PORTNAME}
 DISTNAME=	${PORTNAME}-${PORTVERSION:S/.j/+j/}
 DIST_SUBDIR=	mailman
@@ -21,7 +21,7 @@ CONFLICTS=	mailman-2.1.*
 
 PORTSCOUT=	limit:.*\.j\d+$$
 
-USES=		autoreconf gettext python:2.7 tar:tgz
+USES=		autoreconf gettext python:2.7 shebangfix tar:tgz
 USE_RC_SUBR=	mailman
 
 GNU_CONFIGURE=	yes
@@ -53,6 +53,10 @@ PLIST_SUB=	MMDIR=${MM_DIR} IMGDIR=${IMGDIR}
 SUB_FILES=	pkg-message pkg-install pkg-deinstall
 SUB_LIST=	MAILMANDIR=${MAILMANDIR} USER=${MM_USERNAME} GROUP=${MM_GROUPNAME}
 
+SHEBANG_FILES=	bin/msgfmt.py \
+		tests/onebounce.py \
+		tests/fblast.py
+
 IMGFILES=	PythonPowered.png mailman.jpg mm-icon.png
 
 PORTDOCS=	ACKNOWLEDGMENTS BUGS FAQ INSTALL NEWS NEWS.japan.utf-8 \
diff --git a/japanese/mailman/files/patch-CVE-2015-2775 b/japanese/mailman/files/patch-CVE-2015-2775
index e570e6fa9fc8..d610317cfe2e 100644
--- a/japanese/mailman/files/patch-CVE-2015-2775
+++ b/japanese/mailman/files/patch-CVE-2015-2775
@@ -1,6 +1,6 @@
---- Mailman/Utils.py.orig	2011-12-11 16:56:23.000000000 +0900
-+++ Mailman/Utils.py	2015-06-01 13:25:26.000000000 +0900
-@@ -93,6 +93,12 @@
+--- Mailman/Utils.py.orig	2011-12-11 07:56:23 UTC
++++ Mailman/Utils.py
+@@ -93,6 +93,12 @@ def list_exists(listname):
      #
      # The former two are for 2.1alpha3 and beyond, while the latter two are
      # for all earlier versions.
diff --git a/japanese/mailman/files/patch-CVE-2018-5950 b/japanese/mailman/files/patch-CVE-2018-5950
new file mode 100644
index 000000000000..99ce4ae6ab1d
--- /dev/null
+++ b/japanese/mailman/files/patch-CVE-2018-5950
@@ -0,0 +1,52 @@
+--- Mailman/Cgi/options.py.orig	2011-12-11 07:56:23 UTC
++++ Mailman/Cgi/options.py
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
++# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -165,20 +165,6 @@ def main():
+     doc.set_language(userlang)
+     i18n.set_language(userlang)
+ 
+-    # See if this is VARHELP on topics.
+-    varhelp = None
+-    if cgidata.has_key('VARHELP'):
+-        varhelp = cgidata['VARHELP'].value
+-    elif os.environ.get('QUERY_STRING'):
+-        # POST methods, even if their actions have a query string, don't get
+-        # put into FieldStorage's keys :-(
+-        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+-        if qs and type(qs) == types.ListType:
+-            varhelp = qs[0]
+-    if varhelp:
+-        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+-        return
+-
+     # Are we processing an unsubscription request from the login screen?
+     if cgidata.has_key('login-unsub'):
+         # Because they can't supply a password for unsubscribing, we'll need
+@@ -290,6 +276,22 @@ def main():
+         print doc.Format()
+         return
+ 
++    # See if this is VARHELP on topics.
++    varhelp = None
++    if cgidata.has_key('VARHELP'):
++        varhelp = cgidata['VARHELP'].value
++    elif os.environ.get('QUERY_STRING'):
++        # POST methods, even if their actions have a query string, don't get
++        # put into FieldStorage's keys :-(
++        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
++        if qs and type(qs) == types.ListType:
++            varhelp = qs[0]
++    if varhelp:
++        # Sanitize the topic name.
++        varhelp = re.sub('<.*', '', varhelp)
++        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
++        return
++
+     if cgidata.has_key('logout'):
+         print mlist.ZapCookie(mm_cfg.AuthUser, user)
+         loginpage(mlist, doc, user, language)
diff --git a/japanese/mailman/files/patch-Mailman-Defaults.py.in b/japanese/mailman/files/patch-Mailman-Defaults.py.in
index 71816b12cc6b..e71a402c4fe7 100644
--- a/japanese/mailman/files/patch-Mailman-Defaults.py.in
+++ b/japanese/mailman/files/patch-Mailman-Defaults.py.in
@@ -1,6 +1,6 @@
---- Mailman/Defaults.py.in.orig	2011-12-11 16:56:23.000000000 +0900
-+++ Mailman/Defaults.py.in	2012-02-15 05:39:56.000000000 +0900
-@@ -62,7 +62,7 @@
+--- Mailman/Defaults.py.in.orig	2011-12-11 07:56:23 UTC
++++ Mailman/Defaults.py.in
+@@ -62,7 +62,7 @@ SHORTCUT_ICON = 'mm-icon.png'
  # Banner images
  DELIVERED_BY = 'mailman.jpg'
  PYTHON_POWERED = 'PythonPowered.png'
@@ -9,7 +9,7 @@
  
  # Don't change MAILMAN_URL, unless you want to point it at one of the mirrors.
  MAILMAN_URL = 'http://www.gnu.org/software/mailman/index.html'
-@@ -119,7 +119,7 @@
+@@ -119,7 +119,7 @@ FORM_LIFETIME = hours(1)
  # Command that is used to convert text/html parts into plain text.  This
  # should output results to standard output.  %(filename)s will contain the
  # name of the temporary file that the program should operate on.
@@ -18,7 +18,7 @@
  
  # A Python regular expression character class which defines the characters
  # allowed in list names.  Lists cannot be created with names containing any
-@@ -460,8 +460,8 @@
+@@ -460,8 +460,8 @@ VIRTUAL_MAILMAN_LOCAL_DOMAIN = None
  # and virtual-mailman.db files, respectively, from the associated plain text
  # files.  The file being updated will be appended to this string (with a
  # separating space), so it must be appropriate for os.system().
@@ -29,7 +29,7 @@
  
  # Ceiling on the number of recipients that can be specified in a single SMTP
  # transaction.  Set to 0 to submit the entire recipient list in one
-@@ -495,7 +495,7 @@
+@@ -495,7 +495,7 @@ SMTPPORT = 0                            
  
  # Command for direct command pipe delivery to sendmail compatible program,
  # when DELIVERY_MODULE is 'Sendmail'.
@@ -38,7 +38,7 @@
  
  # Set these variables if you need to authenticate to your NNTP server for
  # Usenet posting or reading.  If no authentication is necessary, specify None
-@@ -747,6 +747,13 @@
+@@ -747,6 +747,13 @@ VERP_CONFIRMATIONS = No
  # debugging).
  MAX_AUTORESPONSES_PER_DAY = 10
  
diff --git a/japanese/mailman/files/patch-Mailman-htmlformat.py b/japanese/mailman/files/patch-Mailman-htmlformat.py
index a0e3af23115c..31d74f8b9c90 100644
--- a/japanese/mailman/files/patch-Mailman-htmlformat.py
+++ b/japanese/mailman/files/patch-Mailman-htmlformat.py
@@ -1,6 +1,6 @@
---- Mailman/htmlformat.py.orig	2011-12-11 16:56:23.000000000 +0900
-+++ Mailman/htmlformat.py	2012-02-15 16:46:34.000000000 +0900
-@@ -621,13 +621,13 @@
+--- Mailman/htmlformat.py.orig	2011-12-11 07:56:23 UTC
++++ Mailman/htmlformat.py
+@@ -621,13 +621,13 @@ class DefinitionList(Container):
  #
  from mm_cfg import MAILMAN_URL
  PYTHON_URL  = 'http://www.python.org/'
@@ -16,7 +16,7 @@
  
  
  def MailmanLogo():
-@@ -641,18 +641,18 @@
+@@ -641,18 +641,18 @@ def MailmanLogo():
          pylink = '<img src="%s" alt="Python Powered" ' \
                   'title="Python Powered" border=0>' % \
                   logo(PYTHON_POWERED)
diff --git a/japanese/mailman/files/patch-configure.in b/japanese/mailman/files/patch-configure.in
index 46ea32b0da75..aca4fc4aac8b 100644
--- a/japanese/mailman/files/patch-configure.in
+++ b/japanese/mailman/files/patch-configure.in
@@ -3,9 +3,9 @@ this creates a problem; we create the users just before install.
 
 We remove the testing part.
 
---- configure.in.orig	2011-12-11 16:56:23.000000000 +0900
-+++ configure.in	2012-02-15 06:11:05.000000000 +0900
-@@ -341,28 +341,7 @@
+--- configure.in.orig	2011-12-11 07:56:23 UTC
++++ configure.in
+@@ -341,28 +341,7 @@ AC_DEFUN([MM_FIND_GROUP_NAME], [
  # $2 == user id to check for
  AC_SUBST($1)
  changequote(,)
@@ -35,7 +35,7 @@ We remove the testing part.
  changequote([, ])
  rm -f conftest.out conftest.py])
  
-@@ -373,28 +352,7 @@
+@@ -373,28 +352,7 @@ AC_DEFUN([MM_FIND_USER_NAME], [
  # $2 == user id to check for
  AC_SUBST($1)
  changequote(,)
diff --git a/japanese/mailman/files/patch-misc-mailman.in b/japanese/mailman/files/patch-misc-mailman.in
index c754ef0c93ed..09e600aafb9b 100644
--- a/japanese/mailman/files/patch-misc-mailman.in
+++ b/japanese/mailman/files/patch-misc-mailman.in
@@ -1,6 +1,6 @@
---- misc/mailman.in.orig	2011-12-11 16:56:23.000000000 +0900
-+++ misc/mailman.in	2012-02-15 06:27:15.000000000 +0900
-@@ -39,16 +39,20 @@
+--- misc/mailman.in.orig	2011-12-11 07:56:23 UTC
++++ misc/mailman.in
+@@ -39,16 +39,20 @@ MAILMANCTL=$MAILMANHOME/bin/mailmanctl
  case "$1" in
  'start')
      #rm -f $MAILMANHOME/locks/*
diff --git a/japanese/mailman/pkg-plist b/japanese/mailman/pkg-plist
index 4c792298b9c7..0b7a9a553d77 100644
--- a/japanese/mailman/pkg-plist
+++ b/japanese/mailman/pkg-plist
@@ -1,12 +1,5 @@
-@stopdaemon mailman
-@exec mkdir -p %D/%%MMDIR%%/archives
-@exec mkdir -p %D/%%MMDIR%%/archives/private
-@exec mkdir -p %D/%%MMDIR%%/archives/public
-@exec mkdir -p %D/%%MMDIR%%/lists
-@exec mkdir -p %D/%%MMDIR%%/locks
-@exec mkdir -p %D/%%MMDIR%%/logs
-@exec mkdir -p %D/%%MMDIR%%/qfiles
-@exec mkdir -p %D/%%MMDIR%%/spam
+@postunexec if cmp -s %D/%%MMDIR%%/Mailman/mm_cfg.py %D/%%MMDIR%%/Mailman/mm_cfg.py.dist; then rm -f %D/%%MMDIR%%/Mailman/mm_cfg.py; fi
+@postunexec rm -f %D/%%MMDIR%%/Mailman/mm_cfg.pyc
 %%IMGDIR%%/PythonPowered.png
 %%IMGDIR%%/mailman.jpg
 %%IMGDIR%%/mm-icon.png
@@ -305,10 +298,7 @@
 %%MMDIR%%/Mailman/htmlformat.pyc
 %%MMDIR%%/Mailman/i18n.py
 %%MMDIR%%/Mailman/i18n.pyc
-@unexec if cmp -s %D/%%MMDIR%%/Mailman/mm_cfg.py.dist %D/%%MMDIR%%/Mailman/mm_cfg.py; then rm -f %D/%%MMDIR%%/Mailman/mm_cfg.py; fi
-%%MMDIR%%/Mailman/mm_cfg.py.dist
-@exec if [ ! -f %B/mm_cfg.py ] ; then cp -p %D/%F %B/mm_cfg.py; fi
-@unexec rm -f %D/%%MMDIR%%/Mailman/mm_cfg.pyc
+@sample %%MMDIR%%/Mailman/mm_cfg.py.dist %%MMDIR%%/Mailman/mm_cfg.py
 %%MMDIR%%/Mailman/versions.py
 %%MMDIR%%/Mailman/versions.pyc
 %%MMDIR%%/bin/add_members
@@ -375,7 +365,7 @@
 %%MMDIR%%/cron/mailpasswds
 %%MMDIR%%/cron/nightly_gzip
 %%MMDIR%%/cron/paths.py
-@unexec rm -f %%MMDIR%%/cron/paths.pyc
+@postunexec rm -f %%MMDIR%%/cron/paths.pyc
 %%MMDIR%%/cron/senddigests
 %%MMDIR%%/data/sitelist.cfg
 %%MMDIR%%/icons/PythonPowered.png
@@ -2249,10 +2239,11 @@
 %%MMDIR%%/tests/test_smtp.py
 %%MMDIR%%/tests/testall.py
 %%PYTHON_SITELIBDIR%%/mailman-info.txt
-@dir %%MMDIR%%/archives/private
-@dir %%MMDIR%%/archives/public
-@dir %%MMDIR%%/lists
-@dir %%MMDIR%%/locks
-@dir %%MMDIR%%/logs
-@dir %%MMDIR%%/qfiles
 @dir %%MMDIR%%/spam
+@dir %%MMDIR%%/qfiles
+@dir %%MMDIR%%/logs
+@dir %%MMDIR%%/locks
+@dir %%MMDIR%%/lists
+@dir %%MMDIR%%/archives/public
+@dir %%MMDIR%%/archives/private
+@dir %%MMDIR%%/archives
author	TAKATSU Tomonari <tota@FreeBSD.org>	2018-02-25 10:44:59 +0000
committer	TAKATSU Tomonari <tota@FreeBSD.org>	2018-02-25 10:44:59 +0000
commit	84f5aa46719291d12e31846bd58568e16d5e651b (patch)
tree	c75277a9a89cbc0e64c29dfc4cc1541439f78904 /japanese
parent	- Fix range for ja-mailman in CVE-2018-5950 (diff)