ports/85568: [MAINTAINER] www/b2evo: fix security issue of xmlrpc

chinsan chinsan.tw at gmail.com
Thu Sep 1 13:00:41 UTC 2005


>Number:         85568
>Category:       ports
>Synopsis:       [MAINTAINER] www/b2evo: fix security issue of xmlrpc
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 01 13:00:40 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     chinsan
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
FreeBSD Taiwan
>Environment:
System: FreeBSD polly.twbbs.org 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root at harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:

	- Fix security issue of xmlrpc
	- Add more information about installation

	Thanks very much. :)
	
>How-To-Repeat:
>Fix:

--- b2evo.diff begins here ---
diff -ruN b2evo.orig/Makefile b2evo/Makefile
--- b2evo.orig/Makefile	Thu Sep  1 08:33:38 2005
+++ b2evo/Makefile	Thu Sep  1 20:52:19 2005
@@ -7,12 +7,12 @@
 
 PORTNAME=	b2evolution
 PORTVERSION=	0.9.0.12
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	evocms
-DISTNAME=	${PORTNAME}-${PORTVERSION}-${B2EVO_DATE} \
-		xmlrpc_fix_111
+DISTNAME=	${PORTNAME}-${PORTVERSION}-${B2EVO_DATE}${EXTRACT_SUFX} \
+		${PATCH_VER}
 EXTRACT_ONLY=	${PORTNAME}-${PORTVERSION}-${B2EVO_DATE}
 
 # Maintainership available: drop me a line if interested :p
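Review bot: `EXTRACT_ONLY` (context line just below the changed `DISTNAME`) still names the main archive without `${EXTRACT_SUFX}`, while the fetched file now carries it (distinfo in this patch lists `b2evolution-0.9.0.12-2005-05-06.zip`); if bsd.port.mk hands `EXTRACT_ONLY` entries to `${EXTRACT_CMD}` verbatim as it does for `DISTFILES`, extraction will look for a file that is not in `${DISTDIR}`, so it should read `EXTRACT_ONLY= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE}${EXTRACT_SUFX}`. Using `DISTNAME` as a two-word list is also why `${EXTRACT_SUFX}` has to be spelled out on the first word only (the default `DISTFILES` appends it once, to the end of the value); the clearer form is a single-name `DISTNAME= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE}` plus an explicit `DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${PATCH_VER}${EXTRACT_SUFX}`. `PATCH_VER` is referenced here but assigned only in the next hunk; BSD make's `=` is lazy so this works, but defining it above its first use makes the dependency visible to a reader.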
@@ -21,8 +21,9 @@
 
 USE_ZIP=	YES
 
+PATCH_VER=	xmlrpc_fix_112
 B2EVO_DATE?=	2005-05-06
-USE_PHP=	mysql pcre session xml
+USE_PHP=	mysql pcre session xml xmlrpc
 PHP4_PORT?=	www/mod_php4
 NO_BUILD=	YES
 WANT_PHP_WEB=	YES
@@ -30,28 +31,41 @@
 TMPDIR?=	${PORTNAME}
 WRKSRC=		${WRKDIR}/${TMPDIR}
 
-.if !defined(B2EVO_DIR)
+.if !defined(B2EVO_URL)
 pre-fetch:
 	@${ECHO_MSG} ""
-	@${ECHO_MSG} "Define B2EVO_DIR to override default of '${B2EVO_DIR}'."
+	@${ECHO_MSG} "Define B2EVO_URL to override default of ${PREFIX}/${WWWDOCROOT}/'${B2EVO_URL}'."
 	@${ECHO_MSG} ""
 .endif
 
+# Get HOSTNAME
+.if exists(/sbin/sysctl)
+HOSTNAME!=	/sbin/sysctl -n kern.hostname
+.else
+HOSTNAME!=	/usr/sbin/sysctl -n kern.hostname
+.endif
+
 WWWDOCROOT?=	www/data
 B2EVO_URL?=	b2evo
 WWWOWN?=	www
 WWWGRP?=	www
 B2EVO_DIR?=	${WWWDOCROOT}/${B2EVO_URL}
+HTACCESS=	${WRKSRC}/blogs/sample.htaccess
 PLIST=		${WRKDIR}/pkg-plist
 
 .include <bsd.port.pre.mk>
 
 post-extract:
-	cd ${WRKSRC}/blogs/b2evocore \
-		&& ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${DISTDIR}/xmlrpc_fix_111${EXTRACT_SUFX}
+	@${TR} -d \\r < ${HTACCESS} > ${HTACCESS}.unix
+
+post-patch:
+	@cd ${WRKSRC} \
+		&& ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${DISTDIR}/${PATCH_VER}${EXTRACT_SUFX}
+	@${MV} -f ${WRKSRC}/${PATCH_VER}/b2evocore/* ${WRKSRC}/blogs/b2evocore
+	@${RM} -rf ${WRKSRC}/${PATCH_VER}
 
 pre-install:
-	cd ${WRKSRC} && ${FIND} -s . -type f | \
+	@cd ${WRKSRC} && ${FIND} -s . -type f | \
 		${SED} -e 's|^./||;s|^|${B2EVO_DIR}/|' > ${PLIST} \
 		&& ${FIND} -d * -type d | \
 		${SED} -e 's|^|@dirrm ${B2EVO_DIR}/|' >> ${PLIST} \
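Review bot: The new `post-extract` writes the CR-stripped copy to `${HTACCESS}.unix` and nothing in this hunk moves it back, so unless a rule outside the hunk does, the `${FIND}` in `pre-install` will package both `sample.htaccess` (still with CRLF) and `sample.htaccess.unix`. Converting in place closes that gap: `@${TR} -d \\r < ${HTACCESS} > ${HTACCESS}.unix && ${MV} -f ${HTACCESS}.unix ${HTACCESS}`. The `post-patch` overlay assumes the fix archive unpacks to `${PATCH_VER}/b2evocore/`, which evidently differs from the 111 archive that was extracted straight into `blogs/b2evocore`; a one-line comment such as `# xmlrpc_fix_* archives unpack into a top-level ${PATCH_VER}/ directory` would spare the next updater the guesswork. The `HOSTNAME!=` block runs `sysctl` at parse time on every invocation, which is acceptable, but its comment could say that the value only feeds the pkg-message substitution in `post-install` so nobody mistakes it for a build input.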
@@ -59,11 +73,13 @@
 
 do-install:
 	-${MKDIR} ${PREFIX}/${B2EVO_DIR}
-	@${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${B2EVO_DIR}
 	@${CHMOD} 755 ${PREFIX}/${B2EVO_DIR}
 	@${CP} -R ${WRKSRC}/ ${PREFIX}/${B2EVO_DIR}
+	@${CHOWN} -R ${WWWOWN}:${WWWGRP} ${PREFIX}/${B2EVO_DIR}
+	@${CHMOD} 665 ${PREFIX}/${B2EVO_DIR}/blogs/conf/_config.php
 
 post-install:
-	@${SED} -e 's|%%B2EVO_URL%%|${B2EVO_URL}|' ${PKGMESSAGE}
+	@${SED} -e 's|%%HOSTNAME%%|${HOSTNAME}|; s|%%B2EVO_URL%%|${B2EVO_URL}|' \
+		${PKGMESSAGE}
 
 .include <bsd.port.post.mk>
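Review bot: `${CHMOD} 665` on `blogs/conf/_config.php` leaves the file world-readable, and once the web installer has written the MySQL credentials into it every local account and any other vhost's scripts can read them. The preceding `${CHOWN} -R ${WWWOWN}:${WWWGRP}` already makes the web-server user the owner, so the installer's write access is covered by the owner bits; `@${CHMOD} 660 ${PREFIX}/${B2EVO_DIR}/blogs/conf/_config.php` keeps the installer working while dropping the other-read bit, assuming PHP runs as `${WWWOWN}`. A comment above the line, e.g. `# the web installer writes DB credentials here; do not leave it readable to others`, records why the mode differs from the rest of the tree. Note also that the recursive chown gives the web-server account write access to the entire application tree, which the single-file chmod suggests was not the intent; if only `_config.php` needs to be writable, chowning that file alone and leaving the rest root-owned limits what a compromised PHP process can modify.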
diff -ruN b2evo.orig/distinfo b2evo/distinfo
--- b2evo.orig/distinfo	Thu Sep  1 08:33:38 2005
+++ b2evo/distinfo	Thu Sep  1 19:32:14 2005
@@ -1,4 +1,4 @@
-MD5 (b2evolution-0.9.0.12-2005-05-06) = 7f08250c3d08c2c55e75655fbffa2d98
-SIZE (b2evolution-0.9.0.12-2005-05-06) = 2857939
-MD5 (xmlrpc_fix_111.zip) = b57b76bc30d8cb4857fc66ea53f78344
-SIZE (xmlrpc_fix_111.zip) = 20432
+MD5 (b2evolution-0.9.0.12-2005-05-06.zip) = 7f08250c3d08c2c55e75655fbffa2d98
+SIZE (b2evolution-0.9.0.12-2005-05-06.zip) = 2857939
+MD5 (xmlrpc_fix_112.zip) = 3083b4118e72e1ef87a827c20522bda6
+SIZE (xmlrpc_fix_112.zip) = 22264
diff -ruN b2evo.orig/pkg-message b2evo/pkg-message
--- b2evo.orig/pkg-message	Thu Sep  1 08:33:38 2005
+++ b2evo/pkg-message	Thu Sep  1 20:47:30 2005
@@ -1,7 +1,29 @@
+==================================================================
+b2evolution is now installed. If you intall it for the first time,
+you may have to follow this steps to make it work correctly.
 
-          **** NOTE ****
-For first use of b2evolution, remember to point your browser to
+1. Create the MySQL database:
 
-  http://localhost/%%B2EVO_URL%%/blogs/install/
+  # mysqladmin --user=root -p create b2evolution
 
-and follow the instructions. 
+2. Create a mysql user/password for b2evolution(database):
+  (change user and/or password if requered)
+
+  # mysql -u root -p
+  mysql> GRANT ALL ON b2evolution.* TO b2evouser at localhost 
+	 IDENTIFIED BY 'b2evopassword';
+  mysql> FLUSH PRIVILEGES;
+  mysql> QUIT;
+
+3.Open b2evo installation page in your web browser 
+  and login with b2evouser/b2evopassword
+
+  http://%%HOSTNAME%%/%%B2EVO_URL%%/blogs/install/
+
+  If you are doing a fresh install...
+  Note that password carefully! It is a random password that is given to you 
+  when you install b2evolution.
+  If you lose it, you will have to delete the database tables and reinstall.
+
+  Have fun!
+==================================================================
--- b2evo.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


