ports/148149: [patch] port devel/bugzilla update to 3.6.1 (security fix)
olli hauer
ohauer at gmx.de
Fri Jun 25 21:50:01 UTC 2010
>Number: 148149
>Category: ports
>Synopsis: [patch] port devel/bugzilla update to 3.6.1 (security fix)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Fri Jun 25 21:50:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: olli hauer <ohauer at gmx.de>
>Release:
>Organization:
>Environment:
>Description:
Update bugzilla to 3.6.1
Additional fixes in the port (my PR 145810 from 18 Apr 2010)
==================================================================
Since bugzilla 3.x the webserver group and the default database are
defined in 'Bugzilla/Install/Localconfig.pm' (not in checksetup.pl).
The following patch corrects this; additionally, if Pg is the default and
mysql is not selected in OPTIONS, the default DB will be changed to Pg.
Release Notes for 3.6.1
==================================================================
This release fixes two security issues. See the Security Advisory for details.
In addition, the following important fixes/changes have been made in this release:
* Using the "Change Columns" page would sometimes result in a plain-text page
instead of HTML. (Bug 376044)
* Extensions that have only templates and no code are now working. (Bug 562551)
* install-module.pl has been fixed so that it installs modules properly on both
new and old versions of Perl. (Bug 560318 and Bug 560330)
* It is now possible to upgrade from 3.4 to 3.6 when using Oracle. (Bug 561379)
* Editing a field value's name (using the Field Values admin control panel)
wasn't working if the value was set as the default for that field. (Bug 561296)
* If you had the noresolveonopenblockers parameter set, bugs couldn't be edited
at all if they were marked FIXED and had any open blockers. (The parameter is
only supposed to prevent changing bugs to FIXED, not modifying already-FIXED
bugs.) (Bug 565314)
* Some minor issues with Perl 5.12 were fixed (mostly warnings that Perl 5.12
was throwing). Bugzilla now supports Perl 5.12.
Vulnerability Details http://www.bugzilla.org/security/3.2.6/
==================================================================
Class: Remote Information Disclosure
Versions: 2.17.1 to 3.2.6, 3.3.1 to 3.4.6, 3.5.1 to 3.6, 3.7
Fixed In: 3.2.7, 3.4.7, 3.6.1, 3.7.1
Description: Normally, information about time-tracking (estimated
hours, actual hours, hours worked, and deadlines) is
restricted to users in the "time-tracking group".
However, any user was able, by crafting their own
search URL, to search for bugs based on those
fields as criteria, thus possibly exposing sensitive
time-tracking information by a user seeing that a bug
matched their search.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=309952
CVE Number: CVE-2010-1204
Class: Local Information Disclosure
Versions: 3.5.1 to 3.6, 3.7
Fixed In: 3.6.1, 3.7.1
Description: If $use_suexec was set to "1" in the localconfig file,
then the localconfig file's permissions were set as
world-readable by checksetup.pl. This allowed any user
with local shell access to see the contents of the file,
including the database password and the site_wide_secret
variable used for CSRF protection.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=561797
CVE Number: CVE-2010-0180
Vulnerability Solutions
=======================
The fixes for these issues are included in the 3.2.7, 3.4.7, 3.6.1, and
3.7.1 releases. Upgrading to a release with the relevant fix will
protect your installation from possible exploits of these issues.
>How-To-Repeat:
>Fix:
--- patch_bugzilla-3.6.1.txt begins here ---
Index: bugzilla/distinfo
===================================================================
--- bugzilla/distinfo (revision 1)
+++ bugzilla/distinfo (working copy)
@@ -1,3 +1,3 @@
-MD5 (bugzilla-3.6.tar.gz) = 9c0210131ca9915526f63c84030463e1
-SHA256 (bugzilla-3.6.tar.gz) = 9ea0c093113212db3e45963f19a1000b7204adae23982ec67b36c673a1d50a6e
-SIZE (bugzilla-3.6.tar.gz) = 2629396
+MD5 (bugzilla-3.6.1.tar.gz) = 74045f64fa7698f61ef24ef44b2e2074
+SHA256 (bugzilla-3.6.1.tar.gz) = a8e343558628ba020bbb92844f665650a90ade080b248e757a34aa958ca16573
+SIZE (bugzilla-3.6.1.tar.gz) = 2631968
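Review bot: the SHA256 and SIZE values in this hunk are the only integrity check the ports framework applies to the fetched bugzilla-3.6.1.tar.gz, so confirm they match a tarball fetched independently from the Mozilla mirror (for example by regenerating distinfo with `make makesum`) rather than trusting hand-entered values; the MD5 line on its own would not reliably detect a tampered archive.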
Index: bugzilla/Makefile
===================================================================
--- bugzilla/Makefile (revision 1)
+++ bugzilla/Makefile (working copy)
@@ -6,7 +6,7 @@
#
PORTNAME= bugzilla
-PORTVERSION= 3.6
+PORTVERSION= 3.6.1
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_MOZILLA}
MASTER_SITE_SUBDIR= webtools webtools/archived
@@ -163,8 +163,14 @@
.endif
post-patch:
- @${PERL} -pi -e "s!(?<=webservergroup_default = ')apache!www!" \
- ${WRKSRC}/checksetup.pl
+ @${PERL} -pi -e 's/(default => ON_WINDOWS.+)apache/$$1www/' \
+ ${WRKSRC}/Bugzilla/Install/Localconfig.pm
+.if defined(WITH_PGSQL) && !defined(WITH_MYSQL)
+ @${PERL} -pi -e 's/(default =>.+)mysql/$$1Pg/' \
+ ${WRKSRC}/Bugzilla/Install/Localconfig.pm
+ @${PERL} -pi -e 's/(Default is )mysql/$$1Pg/' \
+ ${WRKSRC}/Bugzilla/Install/Localconfig.pm
+.endif
@${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \
-or -name ".bzr*" -or -name "README.docs" \) | ${XARGS} ${RM} -rf
${FIND} ${WRKSRC} -type f -exec ${REINPLACE_CMD} -i '' \
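Review bot: the three `${PERL} -pi -e` substitutions added in this hunk fail silently when their pattern does not match, so a later upstream rewording of the `default =>` lines in Bugzilla/Install/Localconfig.pm would leave the webservergroup or db_driver defaults unchanged without any build error; consider replacing them with a patch file under files/ (so that `make patch` fails loudly on a mismatch) or at least narrowing `s/(default =>.+)mysql/$$1Pg/` to the db_driver entry, since as written it rewrites any line of the file that contains `default =>` followed by `mysql`.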
--- patch_bugzilla-3.6.1.txt ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: