svn commit: r336698 - in branches/2014Q1: security/vuxml www/phpmyfaq

Baptiste Daroussin bapt at FreeBSD.org
Tue Dec 17 08:20:46 UTC 2013


Author: bapt
Date: Tue Dec 17 08:20:44 2013
New Revision: 336698
URL: http://svnweb.freebsd.org/changeset/ports/336698

Log:
  MFH: r336678
  
  - update to 2.8.4
  - add stage support
  
  Security:	3b86583a-66a7-11e3-868f-0025905a4771

Modified:
  branches/2014Q1/security/vuxml/vuln.xml
  branches/2014Q1/www/phpmyfaq/Makefile
  branches/2014Q1/www/phpmyfaq/distinfo
  branches/2014Q1/www/phpmyfaq/pkg-plist
Directory Properties:
  branches/2014Q1/   (props changed)

Modified: branches/2014Q1/security/vuxml/vuln.xml
==============================================================================
--- branches/2014Q1/security/vuxml/vuln.xml	Tue Dec 17 08:08:59 2013	(r336697)
+++ branches/2014Q1/security/vuxml/vuln.xml	Tue Dec 17 08:20:44 2013	(r336698)
@@ -51,6 +51,36 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="3b86583a-66a7-11e3-868f-0025905a4771">
+    <topic>phpmyfaq -- arbitrary PHP code execution vulnerability</topic>
+    <affects>
+      <package>
+	<name>phpmyfaq</name>
+	<range><lt>2.8.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The phpMyFAQ team reports:</p>
+	<blockquote cite="http://www.phpmyfaq.de/advisory_2013-11-26.php">
+	  <p>Secunia noticed while analysing the advisory that authenticated
+	    users with "Right to add attachments" are able to exploit an already
+	    publicly known issue in the bundled Ajax File Manager of phpMyFAQ version
+	    2.8.3, which leads to arbitrary PHP code execution for authenticated
+	    users with the permission "Right to add attachments".</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.phpmyfaq.de/advisory_2013-11-26.php</url>
+      <url>http://en.securitylab.ru/lab/PT-2013-41</url>
+    </references>
+    <dates>
+      <discovery>2013-11-26</discovery>
+      <entry>2013-12-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="44d0f8dc-6607-11e3-bb11-0025900931f8">
     <topic>zabbix -- shell command injection vulnerability</topic>
     <affects>
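Review bot: The `<topic>` of the new entry omits the precondition that the quoted advisory states twice: the attacker needs an authenticated account holding the "Right to add attachments" permission. Operators triaging from the headline alone would be better served by `<topic>phpmyfaq -- arbitrary PHP code execution by authenticated users</topic>`. The `<range><lt>2.8.4</lt></range>` is also broader than the single version 2.8.3 named in the quote. That is presumably deliberate and the conservative choice, but it is worth confirming against the upstream advisory.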

Modified: branches/2014Q1/www/phpmyfaq/Makefile
==============================================================================
--- branches/2014Q1/www/phpmyfaq/Makefile	Tue Dec 17 08:08:59 2013	(r336697)
+++ branches/2014Q1/www/phpmyfaq/Makefile	Tue Dec 17 08:20:44 2013	(r336698)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	phpmyfaq
-PORTVERSION=	2.8.2
+PORTVERSION=	2.8.4
 CATEGORIES=	www
 MASTER_SITES=	http://www.phpmyfaq.de/download/
 
@@ -11,20 +11,20 @@ COMMENT=	A multilingual, completely data
 
 WRKSRC=		${WRKDIR}/${PORTNAME}
 
+NEED_ROOT=	yes
+
 USE_PHP=	filter json mysql pcre pdf session xml xmlrpc xmlwriter zlib
 FAQ_DIR=	attachments data images inc pdf xml
 NO_BUILD=	YES
 WANT_PHP_WEB=	YES
+NO_ARCH=	YES
 
-NO_STAGE=	yes
 do-install:
-	-${MKDIR} ${WWWDIR}
-	@cd ${WRKSRC} && ${COPYTREE_SHARE} \* ${WWWDIR}
+	@${MKDIR} ${STAGEDIR}${WWWDIR}
+	@cd ${WRKSRC} && ${COPYTREE_SHARE} \* ${STAGEDIR}${WWWDIR}
 .for i in ${FAQ_DIR}
-	-@${MKDIR} ${WWWDIR}/${i}
-	@${CHMOD} 777 ${WWWDIR}/${i}
+	@${MKDIR} ${STAGEDIR}${WWWDIR}/${i}
+	@${CHOWN} ${WWWOWN}:${WWWGRP} ${STAGEDIR}${WWWDIR}/${i} ${STAGEDIR}${WWWDIR}/config
 .endfor
-	@${CHOWN} -R ${WWWOWN}:${WWWGRP} ${WWWDIR}
-	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.mk>
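Review bot: `FAQ_DIR` still contains `inc`, so the new `@${CHOWN} ${WWWOWN}:${WWWGRP} ...` line in the `.for` loop makes the web server user the owner of the directory that holds the application's PHP classes, and the `@exec chown ... %D/www/phpmyfaq/inc` line in the pkg-plist hunk does the same at install time. Since this update addresses PHP code execution by users who can add attachments, a web-owned code directory weakens containment unless phpMyFAQ is known to need write access there, which is not visible from this diff. If it does not, chown only the data directories, for example by iterating the chown over `${FAQ_DIR:Ninc}`. The `${STAGEDIR}${WWWDIR}/config` argument is loop-invariant and is re-chowned on every pass; one `@${CHOWN} ${WWWOWN}:${WWWGRP} ${STAGEDIR}${WWWDIR}/config` after `.endfor` is enough.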

Modified: branches/2014Q1/www/phpmyfaq/distinfo
==============================================================================
--- branches/2014Q1/www/phpmyfaq/distinfo	Tue Dec 17 08:08:59 2013	(r336697)
+++ branches/2014Q1/www/phpmyfaq/distinfo	Tue Dec 17 08:20:44 2013	(r336698)
@@ -1,2 +1,2 @@
-SHA256 (phpmyfaq-2.8.2.tar.gz) = 2ab6452da45dacd3bd771597671371881a4c9d13352b4c70d608b686779c3db6
-SIZE (phpmyfaq-2.8.2.tar.gz) = 3896352
+SHA256 (phpmyfaq-2.8.4.tar.gz) = da4762ce824a973f0303762e9028ea9c7e1b1b0bc0f7721388046bd1c35b0164
+SIZE (phpmyfaq-2.8.4.tar.gz) = 3903889

Modified: branches/2014Q1/www/phpmyfaq/pkg-plist
==============================================================================
--- branches/2014Q1/www/phpmyfaq/pkg-plist	Tue Dec 17 08:08:59 2013	(r336697)
+++ branches/2014Q1/www/phpmyfaq/pkg-plist	Tue Dec 17 08:20:44 2013	(r336698)
@@ -1,3 +1,16 @@
+ at exec mkdir -p %D/www/phpmyfaq/attachments
+ at exec mkdir -p %D/www/phpmyfaq/data
+ at exec mkdir -p %D/www/phpmyfaq/images
+ at exec mkdir -p %D/www/phpmyfaq/inc
+ at exec mkdir -p %D/www/phpmyfaq/pdf
+ at exec mkdir -p %D/www/phpmyfaq/xml
+ at exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/attachments
+ at exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/config
+ at exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/data
+ at exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/images
+ at exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/inc
+ at exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/pdf
+ at exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/xml
 %%WWWDIR%%/_.htaccess
 %%WWWDIR%%/_httpd.ini
 %%WWWDIR%%/_lighttpd.conf
@@ -24,6 +37,7 @@
 %%WWWDIR%%/admin/assets/font/fontawesome-webfont.svg
 %%WWWDIR%%/admin/assets/font/fontawesome-webfont.ttf
 %%WWWDIR%%/admin/assets/font/fontawesome-webfont.woff
+%%WWWDIR%%/admin/assets/js/record.js
 %%WWWDIR%%/admin/assets/js/uploadcheck.js
 %%WWWDIR%%/admin/assets/js/user.js
 %%WWWDIR%%/admin/assets/less/style.less
@@ -876,6 +890,7 @@
 %%WWWDIR%%/assets/template/default/favicon.ico
 %%WWWDIR%%/assets/template/default/glossary.tpl
 %%WWWDIR%%/assets/template/default/images/arrow.gif
+%%WWWDIR%%/assets/template/default/indexPassword.tpl
 %%WWWDIR%%/assets/template/default/index.tpl
 %%WWWDIR%%/assets/template/default/indexLogin.tpl
 %%WWWDIR%%/assets/template/default/indexMaintenance.tpl
@@ -1264,7 +1279,7 @@
 @dirrm %%WWWDIR%%/xml
 @dirrm %%WWWDIR%%/services/twitter
 @dirrm %%WWWDIR%%/services
- at dirrmtry %%WWWDIR%%/pdf
+ at dirrm %%WWWDIR%%/pdf
 @dirrm %%WWWDIR%%/multisite
 @dirrm %%WWWDIR%%/lang
 @dirrm %%WWWDIR%%/install
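Review bot: Switching `pdf` from `@dirrmtry` to `@dirrm` here, and `images`, `data`, `config` and `attachments` in the next hunk, makes deinstall report an error whenever one of those directories is not empty. These are the directories the port hands to the web server user, so on a live install they will presumably hold uploaded attachments and generated configuration that are not in the plist. Keeping `@dirrmtry %%WWWDIR%%/attachments` (and likewise for the other four) leaves that data in place without a failing removal step during an upgrade.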
@@ -1357,16 +1372,16 @@
 @dirrm %%WWWDIR%%/inc/PMF/Attachment
 @dirrm %%WWWDIR%%/inc/PMF
 @dirrm %%WWWDIR%%/inc
- at dirrmtry %%WWWDIR%%/images
+ at dirrm %%WWWDIR%%/images
 @dirrm %%WWWDIR%%/feed/topten
 @dirrm %%WWWDIR%%/feed/openquestions
 @dirrm %%WWWDIR%%/feed/news
 @dirrm %%WWWDIR%%/feed/latest
 @dirrm %%WWWDIR%%/feed/category
 @dirrm %%WWWDIR%%/feed
- at dirrmtry %%WWWDIR%%/data
- at dirrmtry %%WWWDIR%%/config
- at dirrmtry %%WWWDIR%%/attachments
+ at dirrm %%WWWDIR%%/data
+ at dirrm %%WWWDIR%%/config
+ at dirrm %%WWWDIR%%/attachments
 @dirrm %%WWWDIR%%/assets/template/default/less
 @dirrm %%WWWDIR%%/assets/template/default/images
 @dirrm %%WWWDIR%%/assets/template/default/css

