- Add CVE-2018-5950 patch [1]

- Update MASTER_SITES [1] - USES shebangfix - Regenerate patches with makepatch - Fix pkg-plist to make portlint happy PR: 225703 [1] Submitted by: Yasuhito FUTATSUKI MFH: 2018Q1 Security: CVE-2018-5950
svn path=/head/; revision=462947
2018-02-25 10:44:59 +00:00 · 2018-02-25 10:44:59 +00:00 · 84f5aa4671 · 2021-03-31 03:12:20 +00:00
commit 84f5aa4671
parent 2c75753c6b
8 changed files with 91 additions and 44 deletions
--- a/japanese/mailman/Makefile
+++ b/japanese/mailman/Makefile
@ -3,10 +3,10 @@

 PORTNAME=	mailman
 PORTVERSION=	2.1.14.j7
-PORTREVISION=	3
+PORTREVISION=	4
 PORTEPOCH=	1
 CATEGORIES=	japanese mail
-MASTER_SITES=	http://www.python.jp/doc/contrib/mailman/_static/ \
+MASTER_SITES=	https://docs.python.jp/contrib/mailman/_static/ \
 		LOCAL/tota/${PORTNAME}
 DISTNAME=	${PORTNAME}-${PORTVERSION:S/.j/+j/}
 DIST_SUBDIR=	mailman
@ -21,7 +21,7 @@ CONFLICTS=	mailman-2.1.*

 PORTSCOUT=	limit:.*\.j\d+$$

-USES=		autoreconf gettext python:2.7 tar:tgz
+USES=		autoreconf gettext python:2.7 shebangfix tar:tgz
 USE_RC_SUBR=	mailman

 GNU_CONFIGURE=	yes
@ -53,6 +53,10 @@ PLIST_SUB=	MMDIR=${MM_DIR} IMGDIR=${IMGDIR}
 SUB_FILES=	pkg-message pkg-install pkg-deinstall
 SUB_LIST=	MAILMANDIR=${MAILMANDIR} USER=${MM_USERNAME} GROUP=${MM_GROUPNAME}

+SHEBANG_FILES=	bin/msgfmt.py \
+		tests/onebounce.py \
+		tests/fblast.py
+
 IMGFILES=	PythonPowered.png mailman.jpg mm-icon.png

 PORTDOCS=	ACKNOWLEDGMENTS BUGS FAQ INSTALL NEWS NEWS.japan.utf-8 \
--- a/japanese/mailman/files/patch-CVE-2015-2775
+++ b/japanese/mailman/files/patch-CVE-2015-2775
@ -1,6 +1,6 @@
--- Mailman/Utils.py.orig	2011-12-11 16:56:23.000000000 +0900
-+++ Mailman/Utils.py	2015-06-01 13:25:26.000000000 +0900
-@@ -93,6 +93,12 @@
+--- Mailman/Utils.py.orig	2011-12-11 07:56:23 UTC
+++ Mailman/Utils.py
+@@ -93,6 +93,12 @@ def list_exists(listname):
     #
     # The former two are for 2.1alpha3 and beyond, while the latter two are
     # for all earlier versions.
--- a/japanese/mailman/files/patch-CVE-2018-5950
+++ b/japanese/mailman/files/patch-CVE-2018-5950
@ -0,0 +1,52 @@
+--- Mailman/Cgi/options.py.orig	2011-12-11 07:56:23 UTC
+++ Mailman/Cgi/options.py
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
+# Copyright (C) 1998-2018 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -165,20 +165,6 @@ def main():
+     doc.set_language(userlang)
+     i18n.set_language(userlang)
+ 
+-    # See if this is VARHELP on topics.
+-    varhelp = None
+-    if cgidata.has_key('VARHELP'):
+-        varhelp = cgidata['VARHELP'].value
+-    elif os.environ.get('QUERY_STRING'):
+-        # POST methods, even if their actions have a query string, don't get
+-        # put into FieldStorage's keys :-(
+-        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+-        if qs and type(qs) == types.ListType:
+-            varhelp = qs[0]
+-    if varhelp:
+-        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+-        return
+-
+     # Are we processing an unsubscription request from the login screen?
+     if cgidata.has_key('login-unsub'):
+         # Because they can't supply a password for unsubscribing, we'll need
+@@ -290,6 +276,22 @@ def main():
+         print doc.Format()
+         return
+ 
+    # See if this is VARHELP on topics.
+    varhelp = None
+    if cgidata.has_key('VARHELP'):
+        varhelp = cgidata['VARHELP'].value
+    elif os.environ.get('QUERY_STRING'):
+        # POST methods, even if their actions have a query string, don't get
+        # put into FieldStorage's keys :-(
+        qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP')
+        if qs and type(qs) == types.ListType:
+            varhelp = qs[0]
+    if varhelp:
+        # Sanitize the topic name.
+        varhelp = re.sub('<.*', '', varhelp)
+        topic_details(mlist, doc, user, cpuser, userlang, varhelp)
+        return
+
+     if cgidata.has_key('logout'):
+         print mlist.ZapCookie(mm_cfg.AuthUser, user)
+         loginpage(mlist, doc, user, language)
--- a/japanese/mailman/files/patch-Mailman-Defaults.py.in
+++ b/japanese/mailman/files/patch-Mailman-Defaults.py.in
@ -1,6 +1,6 @@
--- Mailman/Defaults.py.in.orig	2011-12-11 16:56:23.000000000 +0900
-+++ Mailman/Defaults.py.in	2012-02-15 05:39:56.000000000 +0900
-@@ -62,7 +62,7 @@
+--- Mailman/Defaults.py.in.orig	2011-12-11 07:56:23 UTC
+++ Mailman/Defaults.py.in
+@@ -62,7 +62,7 @@ SHORTCUT_ICON = 'mm-icon.png'
 # Banner images
 DELIVERED_BY = 'mailman.jpg'
 PYTHON_POWERED = 'PythonPowered.png'
@ -9,7 +9,7 @@
 
 # Don't change MAILMAN_URL, unless you want to point it at one of the mirrors.
 MAILMAN_URL = 'http://www.gnu.org/software/mailman/index.html'
-@@ -119,7 +119,7 @@
+@@ -119,7 +119,7 @@ FORM_LIFETIME = hours(1)
 # Command that is used to convert text/html parts into plain text.  This
 # should output results to standard output.  %(filename)s will contain the
 # name of the temporary file that the program should operate on.
@ -18,7 +18,7 @@
 
 # A Python regular expression character class which defines the characters
 # allowed in list names.  Lists cannot be created with names containing any
-@@ -460,8 +460,8 @@
+@@ -460,8 +460,8 @@ VIRTUAL_MAILMAN_LOCAL_DOMAIN = None
 # and virtual-mailman.db files, respectively, from the associated plain text
 # files.  The file being updated will be appended to this string (with a
 # separating space), so it must be appropriate for os.system().
@ -29,7 +29,7 @@
 
 # Ceiling on the number of recipients that can be specified in a single SMTP
 # transaction.  Set to 0 to submit the entire recipient list in one
-@@ -495,7 +495,7 @@
+@@ -495,7 +495,7 @@ SMTPPORT = 0                            
 
 # Command for direct command pipe delivery to sendmail compatible program,
 # when DELIVERY_MODULE is 'Sendmail'.
@ -38,7 +38,7 @@
 
 # Set these variables if you need to authenticate to your NNTP server for
 # Usenet posting or reading.  If no authentication is necessary, specify None
-@@ -747,6 +747,13 @@
+@@ -747,6 +747,13 @@ VERP_CONFIRMATIONS = No
 # debugging).
 MAX_AUTORESPONSES_PER_DAY = 10
 
--- a/japanese/mailman/files/patch-Mailman-htmlformat.py
+++ b/japanese/mailman/files/patch-Mailman-htmlformat.py
@ -1,6 +1,6 @@
--- Mailman/htmlformat.py.orig	2011-12-11 16:56:23.000000000 +0900
-+++ Mailman/htmlformat.py	2012-02-15 16:46:34.000000000 +0900
-@@ -621,13 +621,13 @@
+--- Mailman/htmlformat.py.orig	2011-12-11 07:56:23 UTC
+++ Mailman/htmlformat.py
+@@ -621,13 +621,13 @@ class DefinitionList(Container):
 #
 from mm_cfg import MAILMAN_URL
 PYTHON_URL  = 'http://www.python.org/'
@ -16,7 +16,7 @@
 
 
 def MailmanLogo():
-@@ -641,18 +641,18 @@
+@@ -641,18 +641,18 @@ def MailmanLogo():
         pylink = '<img src="%s" alt="Python Powered" ' \
                  'title="Python Powered" border=0>' % \
                  logo(PYTHON_POWERED)
--- a/japanese/mailman/files/patch-configure.in
+++ b/japanese/mailman/files/patch-configure.in
@ -3,9 +3,9 @@ this creates a problem; we create the users just before install.

 We remove the testing part.

--- configure.in.orig	2011-12-11 16:56:23.000000000 +0900
-+++ configure.in	2012-02-15 06:11:05.000000000 +0900
-@@ -341,28 +341,7 @@
+--- configure.in.orig	2011-12-11 07:56:23 UTC
+++ configure.in
+@@ -341,28 +341,7 @@ AC_DEFUN([MM_FIND_GROUP_NAME], [
 # $2 == user id to check for
 AC_SUBST($1)
 changequote(,)
@ -35,7 +35,7 @@ We remove the testing part.
 changequote([, ])
 rm -f conftest.out conftest.py])
 
-@@ -373,28 +352,7 @@
+@@ -373,28 +352,7 @@ AC_DEFUN([MM_FIND_USER_NAME], [
 # $2 == user id to check for
 AC_SUBST($1)
 changequote(,)
--- a/japanese/mailman/files/patch-misc-mailman.in
+++ b/japanese/mailman/files/patch-misc-mailman.in
@ -1,6 +1,6 @@
--- misc/mailman.in.orig	2011-12-11 16:56:23.000000000 +0900
-+++ misc/mailman.in	2012-02-15 06:27:15.000000000 +0900
-@@ -39,16 +39,20 @@
+--- misc/mailman.in.orig	2011-12-11 07:56:23 UTC
+++ misc/mailman.in
+@@ -39,16 +39,20 @@ MAILMANCTL=$MAILMANHOME/bin/mailmanctl
 case "$1" in
 'start')
     #rm -f $MAILMANHOME/locks/*
--- a/japanese/mailman/pkg-plist
+++ b/japanese/mailman/pkg-plist
@ -1,12 +1,5 @@
-@stopdaemon mailman
-@exec mkdir -p %D/%%MMDIR%%/archives
-@exec mkdir -p %D/%%MMDIR%%/archives/private
-@exec mkdir -p %D/%%MMDIR%%/archives/public
-@exec mkdir -p %D/%%MMDIR%%/lists
-@exec mkdir -p %D/%%MMDIR%%/locks
-@exec mkdir -p %D/%%MMDIR%%/logs
-@exec mkdir -p %D/%%MMDIR%%/qfiles
-@exec mkdir -p %D/%%MMDIR%%/spam
+@postunexec if cmp -s %D/%%MMDIR%%/Mailman/mm_cfg.py %D/%%MMDIR%%/Mailman/mm_cfg.py.dist; then rm -f %D/%%MMDIR%%/Mailman/mm_cfg.py; fi
+@postunexec rm -f %D/%%MMDIR%%/Mailman/mm_cfg.pyc
 %%IMGDIR%%/PythonPowered.png
 %%IMGDIR%%/mailman.jpg
 %%IMGDIR%%/mm-icon.png
@ -305,10 +298,7 @@
 %%MMDIR%%/Mailman/htmlformat.pyc
 %%MMDIR%%/Mailman/i18n.py
 %%MMDIR%%/Mailman/i18n.pyc
-@unexec if cmp -s %D/%%MMDIR%%/Mailman/mm_cfg.py.dist %D/%%MMDIR%%/Mailman/mm_cfg.py; then rm -f %D/%%MMDIR%%/Mailman/mm_cfg.py; fi
-%%MMDIR%%/Mailman/mm_cfg.py.dist
-@exec if [ ! -f %B/mm_cfg.py ] ; then cp -p %D/%F %B/mm_cfg.py; fi
-@unexec rm -f %D/%%MMDIR%%/Mailman/mm_cfg.pyc
+@sample %%MMDIR%%/Mailman/mm_cfg.py.dist %%MMDIR%%/Mailman/mm_cfg.py
 %%MMDIR%%/Mailman/versions.py
 %%MMDIR%%/Mailman/versions.pyc
 %%MMDIR%%/bin/add_members
@ -375,7 +365,7 @@
 %%MMDIR%%/cron/mailpasswds
 %%MMDIR%%/cron/nightly_gzip
 %%MMDIR%%/cron/paths.py
-@unexec rm -f %%MMDIR%%/cron/paths.pyc
+@postunexec rm -f %%MMDIR%%/cron/paths.pyc
 %%MMDIR%%/cron/senddigests
 %%MMDIR%%/data/sitelist.cfg
 %%MMDIR%%/icons/PythonPowered.png
@ -2249,10 +2239,11 @@
 %%MMDIR%%/tests/test_smtp.py
 %%MMDIR%%/tests/testall.py
 %%PYTHON_SITELIBDIR%%/mailman-info.txt
-@dir %%MMDIR%%/archives/private
-@dir %%MMDIR%%/archives/public
-@dir %%MMDIR%%/lists
-@dir %%MMDIR%%/locks
-@dir %%MMDIR%%/logs
-@dir %%MMDIR%%/qfiles
@dir %%MMDIR%%/spam
+@dir %%MMDIR%%/qfiles
+@dir %%MMDIR%%/logs
+@dir %%MMDIR%%/locks
+@dir %%MMDIR%%/lists
+@dir %%MMDIR%%/archives/public
+@dir %%MMDIR%%/archives/private
+@dir %%MMDIR%%/archives