ports/83753: Update port: devel/viewcvs to 0.9.3 (security fix)

Vsevolod Stakhov vsevolod at highsecure.ru
Tue Jul 19 22:00:36 UTC 2005


>Number:         83753
>Category:       ports
>Synopsis:       Update port: devel/viewcvs to 0.9.3 (security fix)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 19 22:00:33 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Vsevolod Stakhov
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
>Description:
Update to 0.9.3.
Security fixes are included:
* security fix: disallow bad "content-type" input [CAN-2004-1062]
* security fix: disallow bad "sortby" and "cvsroot" input [CAN-2002-0771]
* security fix: omit forbidden/hidden modules from tarballs [CAN-2004-0915]

Removed file(s):
- files/patch-CAN-2004-0915
>How-To-Repeat:
>Fix:

--- viewcvs-0.9.3.patch begins here ---
diff -ruN --exclude=CVS viewcvs.orig/Makefile viewcvs/Makefile
--- viewcvs.orig/Makefile	Wed Jul 20 01:45:45 2005
+++ viewcvs/Makefile	Wed Jul 20 01:49:50 2005
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	viewcvs
-PORTVERSION=	0.9.2
-PORTREVISION=	3
+PORTVERSION=	0.9.3
 CATEGORIES=	devel python
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -22,7 +21,7 @@
 PLIST_SUB=	INSTDIR=${INSTDIR}
 
 do-install:
-	@ cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install
+	@(cd ${WRKSRC} && INSTDIR=${PREFIX}/${INSTDIR} ${PYTHON_CMD} viewcvs-install)
 
 post-install:
 	@ ${SED} -e "s:%%INSTDIR%%:${PREFIX}/${INSTDIR}:g" ${MASTERDIR}/pkg-message >${PKGMESSAGE}
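Review bot: The parentheses added around `cd ${WRKSRC} && ... viewcvs-install` in do-install are unrelated to the 0.9.3 security update and are not mentioned in the description. make already runs each recipe line in its own shell, so the `cd` cannot leak into post-install and the subshell does not change behaviour. Either drop this line from the update so the security change stays minimal and easy to audit, or state the reason for it in the PR text.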
diff -ruN --exclude=CVS viewcvs.orig/distinfo viewcvs/distinfo
--- viewcvs.orig/distinfo	Wed Jul 20 01:45:45 2005
+++ viewcvs/distinfo	Wed Jul 20 01:46:39 2005
@@ -1,2 +1,2 @@
-MD5 (viewcvs-0.9.2.tar.gz) = c7857b1ed05240ad1f691ea40044daf2
-SIZE (viewcvs-0.9.2.tar.gz) = 140063
+MD5 (viewcvs-0.9.3.tar.gz) = 8be527279feaaa6ecf184bcf714e2f22
+SIZE (viewcvs-0.9.3.tar.gz) = 140215
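Review bot: The new distinfo pins viewcvs-0.9.3.tar.gz with an MD5 digest and SIZE only. MD5 is not collision resistant, and this tarball is the delivery vehicle for three security fixes, so add a SHA256 line for the same file next to the MD5 entry so the fetch is verified against a stronger digest.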
diff -ruN --exclude=CVS viewcvs.orig/files/patch-CAN-2004-0915 viewcvs/files/patch-CAN-2004-0915
--- viewcvs.orig/files/patch-CAN-2004-0915	Wed Jul 20 01:45:45 2005
+++ viewcvs/files/patch-CAN-2004-0915	Thu Jan  1 03:00:00 1970
@@ -1,37 +0,0 @@
---- lib/viewcvs.py.orig	2004-10-20 15:03:41.000000000 +0200
-+++ lib/viewcvs.py	2004-10-20 16:37:35.000000000 +0200
-@@ -2455,10 +2455,17 @@ def generate_tarball_header(out, name, s
- def generate_tarball(out, relative, directory, tag, stack=[]):
-   subdirs = [ ]
-   rcs_files = [ ]
-+  if relative == 'CVSROOT' and cfg.options.hide_cvsroot:
-+    return
-+
-   for file, pathname, isdir in get_file_data(directory):
-     if pathname == _UNREADABLE_MARKER:
-       continue
-     if isdir:
-+      if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot:
-+        continue
-+      if relative.find('/') == -1 and cfg.is_forbidden(file):
-+        continue
-       subdirs.append(file)
-     else:
-       rcs_files.append(file)
-@@ -2583,6 +2590,16 @@ def main():
-            '</body></html>\n')
-     return
- 
-+  if where == 'CVSROOT' and cfg.options.hide_cvsroot:
-+    print "Status: 400"
-+    http_header()
-+    print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
-+           '<html><head>\n<title>400 Bad Request</title>\n'
-+           '</head><body>\n'
-+           '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n'
-+           '</body></html>\n')
-+    return
-+
-   ### look for GZIP binary
- 
-   # if we have a directory and the request didn't end in "/", then redirect
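Review bot: The deleted files/patch-CAN-2004-0915 did two things, and the description only accounts for one of them. The changelog item quoted for 0.9.3 ("omit forbidden/hidden modules from tarballs") matches the generate_tarball() checks on `cfg.options.hide_cvsroot` and `cfg.is_forbidden(file)`, but the second hunk of the local patch also made main() answer "Status: 400" when `where == 'CVSROOT'` and hide_cvsroot is set. Before dropping the file, confirm that the 0.9.3 lib/viewcvs.py contains an equivalent check in main(), and say so in the PR; if it does not, keep that hunk as a reduced local patch.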
--- viewcvs-0.9.3.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


