authorpav <pav@FreeBSD.org>2005-02-11 06:25:02 +0800
committerpav <pav@FreeBSD.org>2005-02-11 06:25:02 +0800
commitb6113f014ba989705e587c8471448638828da999 (patch)
treeea79da79be2d331caf3a3546181b15f547c397e8 /mail
parent21cd6ee7daaa51f1e233a1b9c9a7b98dfda7d873 (diff)
- Fix a security problem in private mailing list archives that could allow anyone to
read any file on the web server. - Minor port changes PR: ports/77364 Submitted by: Vivek Khera <vivek@khera.org> (maintainer) Security: CVE number CAN-2005-0202
Diffstat (limited to 'mail')
-rw-r--r--mail/mailman/Makefile6
-rw-r--r--mail/mailman/files/patch-Mailman::Cgi::private.py34
-rw-r--r--mail/mailman/pkg-deinstall26
-rw-r--r--mail/mailman/pkg-install18
4 files changed, 69 insertions, 15 deletions
diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 7ae3d023512d..ea3f497528ab 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -7,7 +7,7 @@
PORTNAME= mailman
PORTVERSION= 2.1.5
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES?= mail
MASTER_SITES= http://www.list.org/ \
${MASTER_SITE_GNU} \
@@ -125,6 +125,10 @@ post-configure:
@ ${SED} -e 's#%%MAILMANDIR%%#${MAILMANDIR}#g' \
-e 's#%%DOCSDIR%%#${DOCSDIR}#g' -e 's#%%LOCALBASE%%#${LOCALBASE}#g' \
${MASTERDIR}/pkg-message > ${PKGMESSAGE}
+# port system auditors complain if dir is created prior to install
+# but configure demands it be there. we delete it now if empty,
+# so it will be re-created. For existing installs, this is ignored
+ @- rmdir ${MAILMANDIR} 2> /dev/null
pre-install:
@ ${SH} ${PKGREQ} INSTALL
diff --git a/mail/mailman/files/patch-Mailman::Cgi::private.py b/mail/mailman/files/patch-Mailman::Cgi::private.py
new file mode 100644
index 000000000000..08fd1390c7a6
--- /dev/null
+++ b/mail/mailman/files/patch-Mailman::Cgi::private.py
@@ -0,0 +1,34 @@
+Index: Mailman/Cgi/private.py
+===================================================================
+RCS file: /cvsroot/mailman/mailman/Mailman/Cgi/private.py,v
+retrieving revision 2.16.2.1
+diff -u -r2.16.2.1 private.py
+--- private.py 8 Feb 2003 07:13:50 -0000 2.16.2.1
++++ private.py 10 Feb 2005 03:34:21 -0000
+@@ -1,4 +1,4 @@
+-# Copyright (C) 1998-2003 by the Free Software Foundation, Inc.
++# Copyright (C) 1998-2005 by the Free Software Foundation, Inc.
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -35,13 +35,17 @@
+ _ = i18n._
+ i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
+
++SLASH = '/'
++
+
+
+ def true_path(path):
+ "Ensure that the path is safe by removing .."
+- path = path.replace('../', '')
+- path = path.replace('./', '')
+- return path[1:]
++ parts = path.split(SLASH)
++ safe = [x for x in parts if x not in ('.', '..')]
++ if parts <> safe:
++ syslog('mischief', 'Directory traversal attack thwarted')
++ return SLASH.join(safe)[1:]
+
+
+
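Review bot: The new true_path body relies entirely on component filtering — once `.` and `..` are dropped from `parts` into `safe`, nothing checks that the returned value still resolves under the archive directory when the caller (outside the hunk, so presumably the one joining it with the archive root) uses it, so any later bypass of this filter or a change in how the CGI decodes the path would reopen the traversal. A defense-in-depth check after the join, along the lines of `if not os.path.realpath(full).startswith(os.path.realpath(archive_root) + os.sep): ...`, would make the function's safety independent of this string filtering; where exactly it belongs cannot be seen from this hunk. The `syslog('mischief', ...)` call assumes `syslog` is already imported in private.py, which the context lines do not show — if it is not, the traversal branch raises NameError instead of logging. Empty components from doubled slashes survive the filter and join back as `//`; that is harmless as far as this function shows, but a comment such as `# only '.' and '..' are stripped; '' components are kept so the path round-trips` would make the intent explicit.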
diff --git a/mail/mailman/pkg-deinstall b/mail/mailman/pkg-deinstall
index 180ac640fa0d..1ab07c748f92 100644
--- a/mail/mailman/pkg-deinstall
+++ b/mail/mailman/pkg-deinstall
@@ -9,9 +9,15 @@ case $2 in
DEINSTALL)
echo "---> Starting deinstall script:"
- echo "---> Zeroing crontab(5) file belonging to user \"%%USER%%\""
- /usr/bin/crontab -u %%USER%% /dev/null
- echo " (The crontab(5) will be deleted completely when user %%USER%% is removed.)"
+ if /usr/bin/crontab -u "%%USER%%" -l | \
+ /usr/bin/diff - %%MAILMANDIR%%/cron/crontab.in >/dev/null 2>&1 ; then
+ echo "---> Zeroing crontab for \"%%USER%%\""
+ /usr/bin/crontab -u "%%USER%%" /dev/null
+ else
+ echo "---> Crontab for \"%%USER%%\" not removed: please deinstall"
+ echo "---> manually if you no-longer wish to use Mailman. eg:"
+ echo "---> /usr/bin/crontab -u "%%USER%%" -r"
+ fi
echo "---> Stopping Mailman's qrunner daemon"
%%PREFIX%%/etc/rc.d/mailman.sh stop >/dev/null 2>&1
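Review bot: The manual-removal hint nests unescaped double quotes, `echo "---> /usr/bin/crontab -u "%%USER%%" -r"`, which closes the string before `%%USER%%` and reopens it afterwards; it prints as intended only while the substituted user name has no whitespace or glob characters, and it is inconsistent with the escaped form used two lines earlier. Prefer `echo "---> /usr/bin/crontab -u \"%%USER%%\" -r"`. Separately, the comparison pipeline reports the crontab as "not removed" both when it differs from crontab.in and when the user has no crontab at all (a failing `crontab -l` just hands diff empty input); if the second case should stay quiet, test `crontab -l` on its own first. The enclosing case arm starts before the hunk.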
@@ -36,19 +42,15 @@ POST-DEINSTALL)
if [ -d %%MAILMANDIR%% ]; then
echo '---> %%MAILMANDIR%% is not empty - this installation may have active lists!'
- echo '---> - The "%%USER%%" user and "%%GROUP%%" group were therefore not deleted.'
- echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".'
-
echo "---> Restoring \"last_mailman_version\" file"
[ -d %%MAILMANDIR%%/data ] || /bin/mkdir %%MAILMANDIR%%/data
/bin/mv -f /var/tmp/last_mailman_version %%MAILMANDIR%%/data/
-
- else
- echo "---> Removing group \"%%GROUP%%\""
- /usr/sbin/pw groupdel -n %%GROUP%%
- echo "---> Removing user \"%%USER%%\""
- echo 'y' | /usr/sbin/pw userdel -n %%USER%%
fi
+
+ echo '---> - If you are not using Mailman any more, you should manually delete'
+ echo '---> - the "%%USER%%" user and "%%GROUP%%" group.'
+ echo '---> - You may delete them with "pw groupdel %%GROUP%%; pw userdel %%USER%%".'
+
;;
esac
diff --git a/mail/mailman/pkg-install b/mail/mailman/pkg-install
index 214bf3df6499..fc2dd3e53bc7 100644
--- a/mail/mailman/pkg-install
+++ b/mail/mailman/pkg-install
@@ -49,8 +49,22 @@ PRE-INSTALL)
POST-INSTALL)
echo "---> Starting post-install script:"
- echo "---> Creating crontab(5) file for user \"%%USER%%\""
- /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+ echo "---> Checking crontab(5) file for user \"%%USER%%\""
+
+ if /usr/bin/crontab -u "%%USER%%" -l >/tmp/mmctab$$ 2>&1 ; then
+ if test -s /tmp/mmctab$$; then
+ echo "---> \"%%USER%%\" already has a crontab. Not overwriting it"
+ echo "---> Please merge any changes from the standard crontab file"
+ echo "---> %%MAILMANDIR%%/cron/crontab.in"
+ else
+ echo "---> Installing crontab(5) file for user \"%%USER%%\""
+ /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+ fi
+ else
+ echo "---> Creating crontab(5) file for user \"%%USER%%\""
+ /usr/bin/crontab -u "%%USER%%" "%%MAILMANDIR%%/cron/crontab.in" || exit 1
+ fi
+ rm -f /tmp/mmctab$$
echo "---> Checking (and fixing) file and directory permissions"
%%MAILMANDIR%%/bin/check_perms -f >/dev/null 2>&1
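Review bot: The crontab check writes the listing to a predictable path in a world-writable directory, `/tmp/mmctab$$`, from a script that runs with root privileges at package install; a pre-existing file or symlink of that name is followed by the `>` redirect, and the `|| exit 1` inside the inner branch leaves the file behind before the `rm -f` is reached. The temp file is not needed: capture the listing in a variable, `if ctab=$(/usr/bin/crontab -u "%%USER%%" -l 2>&1); then` and `if test -n "$ctab"; then`, and drop the `rm -f /tmp/mmctab$$` line (this assumes a POSIX sh interpreter; the shebang is outside the hunk). If a file is genuinely required, create it with `mktemp -t mmctab` and remove it on every exit path. The POST-INSTALL case arm starts before the hunk.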