svn commit: r389950 - in branches/2015Q2/japanese/mailman: . files

Xin LI delphij at FreeBSD.org
Wed Jun 17 17:21:19 UTC 2015


Author: delphij
Date: Wed Jun 17 17:21:18 2015
New Revision: 389950
URL: https://svnweb.freebsd.org/changeset/ports/389950

Log:
  MFH: r389895 (requested by tato@)
  
  Apply patch for CVE-2015-2775.
  
  PR:		ports/200562
  Submitted by:	Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org>
  Approved by:	ports-secteam@

Added:
  branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775
     - copied unchanged from r389895, head/japanese/mailman/files/patch-CVE-2015-2775
Modified:
  branches/2015Q2/japanese/mailman/Makefile
Directory Properties:
  branches/2015Q2/   (props changed)

Modified: branches/2015Q2/japanese/mailman/Makefile
==============================================================================
--- branches/2015Q2/japanese/mailman/Makefile	Wed Jun 17 17:20:36 2015	(r389949)
+++ branches/2015Q2/japanese/mailman/Makefile	Wed Jun 17 17:21:18 2015	(r389950)
@@ -3,7 +3,7 @@
 
 PORTNAME=	mailman
 PORTVERSION=	2.1.14.j7
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	japanese mail
 MASTER_SITES=	http://www.python.jp/doc/contrib/mailman/_static/ \

Copied: branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775 (from r389895, head/japanese/mailman/files/patch-CVE-2015-2775)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775	Wed Jun 17 17:21:18 2015	(r389950, copy of r389895, head/japanese/mailman/files/patch-CVE-2015-2775)
@@ -0,0 +1,15 @@
+--- Mailman/Utils.py.orig	2011-12-11 16:56:23.000000000 +0900
++++ Mailman/Utils.py	2015-06-01 13:25:26.000000000 +0900
+@@ -93,6 +93,12 @@
+     #
+     # The former two are for 2.1alpha3 and beyond, while the latter two are
+     # for all earlier versions.
++    #
++    # But first ensure the list name doesn't contain a path traversal
++    # attack.
++    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++        syslog('mischief', 'Hostile listname: %s', listname)
++        return False
+     basepath = Site.get_listpath(listname)
+     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+         dbfile = os.path.join(basepath, 'config' + ext)
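Review bot: The added check at the top of this Mailman/Utils.py hunk depends on three names the hunk does not show being defined: `re`, `syslog` and `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS`. The port is at 2.1.14.j7 and the patch is made against a Utils.py.orig dated 2011, so confirm that this version's defaults define the setting and that Utils.py already imports the other two; otherwise the function raises instead of returning False. The setting is passed straight to `re.sub` as the pattern, so the check is only as strict as the site's configured value, and a local override that admits `/` would bring the traversal back; a comment beside the check saying so would help. The line `syslog('mischief', 'Hostile listname: %s', listname)` also writes the rejected name verbatim, and formatting it with `%r` would keep embedded newlines or control characters from producing misleading log entries.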

