[net-nds/phpldapadmin] Package bump to apply security fixes for bug 388349.
authorJorge Manuel B. S. Vicetto <jmbsvicetto@gentoo.org>
Tue, 25 Oct 2011 18:18:44 +0000 (18:18 +0000)
committerJorge Manuel B. S. Vicetto <jmbsvicetto@gentoo.org>
Tue, 25 Oct 2011 18:18:44 +0000 (18:18 +0000)
Package-Manager: portage-2.2.0_alpha69/cvs/Linux x86_64

net-nds/phpldapadmin/ChangeLog
net-nds/phpldapadmin/Manifest
net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch [new file with mode: 0644]
net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch [new file with mode: 0644]
net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild [new file with mode: 0644]

index a93ffd5f912ff3ecd3cd787658c43ad5c22dfd80..253242e6e39f1f3a8f5af28fe26b1215a66df28a 100644 (file)
@@ -1,6 +1,13 @@
 # ChangeLog for net-nds/phpldapadmin
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-nds/phpldapadmin/ChangeLog,v 1.53 2011/10/20 19:38:09 jmbsvicetto Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-nds/phpldapadmin/ChangeLog,v 1.54 2011/10/25 18:18:43 jmbsvicetto Exp $
+
+*phpldapadmin-1.2.1.1-r1 (25 Oct 2011)
+
+  25 Oct 2011; <atlantis@gentoo.org> +phpldapadmin-1.2.1.1-r1.ebuild,
+  +files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch,
+  +files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch:
+  [net-nds/phpldapadmin] Package bump to apply security fixes for bug 388349.
 
 *phpldapadmin-1.2.1.1 (20 Oct 2011)
 
index a9701c9196010b74340c8d31137280737fb92495..98fcac468235fce1e0a03d90ef3c85c09a8a11bd 100644 (file)
@@ -1,6 +1,5 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
+AUX phpldapadmin-1.2.1.1-fix-cmd-exploit.patch 716 RMD160 53234a28cbba93e29be796c84b3f735065bef428 SHA1 bb26087375bdb8ace84254b9e9c4537ab691bbaf SHA256 b0c7822c7e36d037e15839046bdfc842540b972633e293c5d96e6d3117f782e0
+AUX phpldapadmin-1.2.1.1-fix-functions-exploit.patch 939 RMD160 7c4cd4aa9290ad298afe18ef78765ba0619a365b SHA1 6c7f3b29e696b1b16ffead286962dca98970674d SHA256 94344146e0434ac7c70375f4cbfef9bcd40897c06fb3eddc0b39eaed0c5c669d
 AUX phpldapadmin-1.2.1.1-fix-magic-quotes.patch 829 RMD160 085053d13ba91c8b69d5b0e4d6ce3fd0e627780b SHA1 8f6ea7971157091febc6a7ff2f6fe97ed908df38 SHA256 7cce069d30a5c4067743de8e91d0d6bd4d9faaaf169ed342a3890bf07ced8817
 AUX postinstall2-en.txt 131 RMD160 f1f681b3b5094f555e6adfca8d70d4ca1b14ae4b SHA1 deecc59339d6c83dad797c0f8cfab9ea0110153a SHA256 e2dc7bea366789a303eb9a90d1bced655cea00469202859af40bf19c00505d38
 DIST phpldapadmin-1.2.0.4.tgz 1291545 RMD160 23b6a9afd438add7ed48ff390d5b4d4400df54b4 SHA1 7b364065e91f4dca606432c42fa2ae48e54f04ce SHA256 e4887ed0db63c926162d79d603add21a669103ad2f75a7b90686a18eed8a6330
@@ -8,23 +7,7 @@ DIST phpldapadmin-1.2.0.5.tgz 1345901 RMD160 7b3e194420d7360001faa709b046423d8ac
 DIST phpldapadmin-1.2.1.1.tgz 1468961 RMD160 c78bd0f056f7f5f8b150360e6ee0ef3f37d6560c SHA1 f30d76205891fbd01fab468af1f8430597983787 SHA256 1fa6373c500a193a8868cb6a753f3b5218a92374b792994129c0c1b69d4d1090
 EBUILD phpldapadmin-1.2.0.4-r1.ebuild 983 RMD160 2228477215296b381a25ece0ac9f81d4cdead10e SHA1 340b6602090d046c526914f56a2ad55023f3e334 SHA256 cbb2de3c6c29336841d910feaf10b559158f85031f47b52d3f1574f2d985b79b
 EBUILD phpldapadmin-1.2.0.5.ebuild 970 RMD160 702248b5bf778558a6704f761755f82060f0d053 SHA1 aea420c3f57d9de49e731ab8b6e3b7cc806c36ee SHA256 b785da167be298f837071d8e8d5a741d2c6f1e18038badd54349ed111f0e04d5
+EBUILD phpldapadmin-1.2.1.1-r1.ebuild 1359 RMD160 7459adeaca2213071d4adc19e0d8417f19a1d959 SHA1 cca736aaa69b6728ca6f03ff68135f75da60b315 SHA256 f1f21dc696d4f862bfffdf45bd8b0b5d32d62fa9731713ae3dbc3c447ea3b5e4
 EBUILD phpldapadmin-1.2.1.1.ebuild 1129 RMD160 37a8f6d38c93c7eef6aa7c04e73c2e66f2df498f SHA1 ec4b1fd9da21bee274d685efda10cd81cc417005 SHA256 40f439fbda56140a71f345358aeb603b17440464497a0168b28368a157ca5591
-MISC ChangeLog 8739 RMD160 e7f46a91444c702d3fb1dcdffef2cd37f54a1b0d SHA1 cfe01976a8cc4e6b86fdf238b7c246951590ca0d SHA256 44543871ea4864ddd156d30ea197d48f4e90b6e42a8a932bfc19438c56b4e4c9
+MISC ChangeLog 9040 RMD160 164da373a94995f0768f7ae06eaf4e047125e031 SHA1 d2d95b3cc4ce6c172e184a64c6ab9980dac0a678 SHA256 c2131f81a7b00630dcd40b14889bea39ccdb2ffe565eb3c10db4db33552c7cfc
 MISC metadata.xml 483 RMD160 9f29226203f0c22470a627939b84edbe57d40a7c SHA1 69affdfca1b1dd98d302336a0e47d708e96317ba SHA256 4da024bde528d8117f42de927efa5e86dd4445b018a818608e1db16969957186
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.18 (GNU/Linux)
-
-iQIcBAEBAgAGBQJOoHiTAAoJEC8ZTXQF1qEPfzEP/1yIegcgSXa5CgtLlW0J7Xzy
-p2WLH0M5AFTY9oigP+idTwDMjMwi+ofT6ObKC4Y0I2MiJgeSGfZh7P28S3itNJJT
-GlPXHXMC3d6E97asPShZ8M3YPOyepD8j/EkfjIwCzKyfgQhMSndSB+uQvIGhoppi
-G5DY6aWzctiaZtApmGeqIleECHgP/4QCDcBmYCZ/x0vdyd8WJvp9qT2nGHQ9Glwd
-LpxtOrOwTHnOqAiIzsiG84vMoW/TgASRmmHdExWYG57NhvUN6O7mZ7IBxWoUzb8K
-ZU8eFx5CJiyyOQCTewWYEK7AG/nNQioJW2bI+G9O7Dlp9yHg6hHPLawOsm2WIOJs
-ujl7m2hqi53ySAGQfzcK7byUMDGXmEt/hexayUmKVAzLJpsGRI7mkj7ThfqafeAC
-7e6arzp8JMWSNLh70Q2/ommmfrYZ9O2SSs4mXpr3b21AZn3zVZ00KfbB4iZK2qov
-KXNV7Ebt3fVXOH+V5Sxsw4Sln4oL18gQqmAB9poF8gU31Pm2PzCgbyWni+9YmpJU
-UZ5x0mKHyaYrpp5+PVwDDWN3Ehb/QUbnRI+xeVCu6pZoubvm7473eTI1sxq8z8rk
-BcchD4FGqFYYXBOF4nBHRU0KQmHkKhFfItrHg5atKqea0Ic+KLgpFRGoQdbyfes/
-Y6unEOVGHmrDoplPbDNT
-=HZGa
------END PGP SIGNATURE-----
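Review bot: The Manifest loses its OpenPGP clearsign wrapper in this commit (the `BEGIN PGP SIGNED MESSAGE` header in the first Manifest hunk and the signature block in this one), and no replacement signature appears in the visible lines. The new `AUX` and `EBUILD` digests for the two security patches are therefore not covered by a developer signature. If this tree expects signed Manifests, regenerate and re-sign before committing, for example by committing with `FEATURES="sign"` set; if dropping the signature was intentional, say so in the commit message.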
diff --git a/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch b/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-cmd-exploit.patch
new file mode 100644 (file)
index 0000000..b5ae92d
--- /dev/null
@@ -0,0 +1,27 @@
+From 64668e882b8866fae0fa1b25375d1a2f3b4672e2 Mon Sep 17 00:00:00 2001
+From: Deon George <wurley@users.sf.net>
+Date: Wed, 27 Jul 2011 07:30:06 +1000
+Subject: [PATCH] Remove XSS vulnerabilty in debug code
+
+---
+ htdocs/cmd.php |    4 ----
+ 1 files changed, 0 insertions(+), 4 deletions(-)
+
+diff --git a/htdocs/cmd.php b/htdocs/cmd.php
+index 34f3848..0ddf004 100644
+--- a/htdocs/cmd.php
++++ b/htdocs/cmd.php
+@@ -19,10 +19,6 @@ $www['meth'] = get_request('meth','REQUEST');
+ ob_start();
+ switch ($www['cmd']) {
+-      case '_debug':
+-              debug_dump($_REQUEST,1);
+-              break;
+-
+       default:
+               if (defined('HOOKSDIR') && file_exists(HOOKSDIR.$www['cmd'].'.php'))
+                       $app['script_cmd'] = HOOKSDIR.$www['cmd'].'.php';
+-- 
+1.7.4.1
+
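Review bot: The `default:` branch kept as context still builds a script path from `$www['cmd']` (`HOOKSDIR.$www['cmd'].'.php'`), and nothing visible in this hunk restricts that value to a plain command name. `$www['cmd']` is presumably read from the request in the same way as `$www['meth']` in the hunk header, so confirm that `get_request()` or the code after the switch rejects path separators and `..`. If it does not, guard the value ahead of the switch with a check such as `preg_match('/^[a-zA-Z0-9_]+$/D',$www['cmd'])`. The switch body continues outside the hunk, so the rest of the path handling is not visible here.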
diff --git a/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch b/net-nds/phpldapadmin/files/phpldapadmin-1.2.1.1-fix-functions-exploit.patch
new file mode 100644 (file)
index 0000000..bc18b45
--- /dev/null
@@ -0,0 +1,28 @@
+From 76e6dad13ef77c5448b8dfed1a61e4acc7241165 Mon Sep 17 00:00:00 2001
+From: Deon George <wurley@users.sf.net>
+Date: Thu, 6 Oct 2011 09:03:20 +1100
+Subject: [PATCH] SF Bug #3417184 - PHP Code Injection Vulnerability
+
+---
+ lib/functions.php |    5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/functions.php b/lib/functions.php
+index 19fde99..eb160dc 100644
+--- a/lib/functions.php
++++ b/lib/functions.php
+@@ -1003,8 +1003,9 @@ function masort(&$data,$sortby,$rev=0) {
+       if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
+               debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
+-      # if the array to sort is null or empty
+-      if (! $data) return;
++      # if the array to sort is null or empty, or if we have some nasty chars
++      if (! preg_match('/^[a-zA-Z0-9_]+(\([a-zA-Z0-9_,]*\))?$/',$sortby) || ! $data)
++              return;
+       static $CACHE = array();
+-- 
+1.7.4.1
+
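Review bot: The new allow-list on `$sortby` is anchored with `$`, which in PCRE also matches just before a trailing newline, so a value ending in a newline still passes. Adding the `D` modifier closes that gap: `if (! preg_match('/^[a-zA-Z0-9_]+(\([a-zA-Z0-9_,]*\))?$/D',$sortby) || ! $data)`. The rejection is also silent, so a caller passing an unexpected sort key gets unsorted data back with no trace; a `debug_log()` call on that path would make it diagnosable. The comment could state why the restriction exists, e.g. `# $sortby must be a plain attribute or function-call token; reject anything else`. The body of `masort` continues outside the hunk, so how `$sortby` is consumed is not visible here.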
diff --git a/net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild b/net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild
new file mode 100644 (file)
index 0000000..11f9926
--- /dev/null
@@ -0,0 +1,51 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-nds/phpldapadmin/phpldapadmin-1.2.1.1-r1.ebuild,v 1.1 2011/10/25 18:18:43 jmbsvicetto Exp $
+
+EAPI="2"
+
+inherit webapp depend.php
+
+DESCRIPTION="phpLDAPadmin is a web-based tool for managing all aspects of your LDAP server."
+HOMEPAGE="http://phpldapadmin.sourceforge.net"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tgz"
+
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~sparc ~x86"
+IUSE=""
+
+RDEPEND="dev-lang/php[hash,ldap,session,xml,nls]
+                || ( <dev-lang/php-5.3[pcre] >=dev-lang/php-5.3 )"
+
+need_httpd_cgi
+need_php_httpd
+
+src_prepare() {
+       mv config/config.php.example config/config.php
+       epatch "${FILESDIR}/${P}-fix-magic-quotes.patch"
+
+       # Security patches for secunia advisory 46551
+       # https://secunia.com/advisories/46551/
+       # CVE-2011-4075
+       epatch "${FILESDIR}/${P}-fix-functions-exploit.patch"
+       # CVE-2011-4074
+       epatch "${FILESDIR}/${P}-fix-cmd-exploit.patch"
+}
+
+src_install() {
+       webapp_src_preinst
+
+       dodoc INSTALL
+
+       # Restrict config file access - bug 280836
+       chown root:apache "config/config.php"
+       chmod 640 "config/config.php"
+
+       insinto "${MY_HTDOCSDIR}"
+       doins -r *
+
+       webapp_configfile "${MY_HTDOCSDIR}/config/config.php"
+       webapp_postinst_txt en "${FILESDIR}"/postinstall2-en.txt
+
+       webapp_src_install
+}
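Review bot: In `src_install`, the `chown root:apache` and `chmod 640` on `config/config.php` are applied in the work directory before `doins -r *`. `doins` installs files with its own owner and mode (0644 by default), so the restriction from bug 280836 probably does not reach the image. Setting it on the installed path after `doins` is more reliable: `fowners root:apache "${MY_HTDOCSDIR}/config/config.php"` and `fperms 640 "${MY_HTDOCSDIR}/config/config.php"`. Whether webapp-config preserves those bits when it copies into the vhost directory is not visible here and should be checked on an installed instance. The hard-coded `apache` group also assumes Apache, although `need_httpd_cgi` accepts other servers.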