Date:      Wed, 17 Jun 2015 00:44:49 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r389895 - in head/japanese/mailman: . files
Message-ID:  <201506170044.t5H0inbU013632@svn.freebsd.org>

Author: delphij
Date: Wed Jun 17 00:44:48 2015
New Revision: 389895
URL: https://svnweb.freebsd.org/changeset/ports/389895

Log:
  Apply patch for CVE-2015-2775.
  
  PR:		ports/200562
  Submitted by:	Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org>
  Approved by:	maintainer timeout

Added:
  head/japanese/mailman/files/patch-CVE-2015-2775   (contents, props changed)
Modified:
  head/japanese/mailman/Makefile

Modified: head/japanese/mailman/Makefile
==============================================================================
--- head/japanese/mailman/Makefile	Wed Jun 17 00:24:46 2015	(r389894)
+++ head/japanese/mailman/Makefile	Wed Jun 17 00:44:48 2015	(r389895)
@@ -3,7 +3,7 @@
 
 PORTNAME=	mailman
 PORTVERSION=	2.1.14.j7
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	japanese mail
 MASTER_SITES=	http://www.python.jp/doc/contrib/mailman/_static/ \

Added: head/japanese/mailman/files/patch-CVE-2015-2775
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/japanese/mailman/files/patch-CVE-2015-2775	Wed Jun 17 00:44:48 2015	(r389895)
@@ -0,0 +1,15 @@
+--- Mailman/Utils.py.orig	2011-12-11 16:56:23.000000000 +0900
++++ Mailman/Utils.py	2015-06-01 13:25:26.000000000 +0900
+@@ -93,6 +93,12 @@
+     #
+     # The former two are for 2.1alpha3 and beyond, while the latter two are
+     # for all earlier versions.
++    #
++    # But first ensure the list name doesn't contain a path traversal
++    # attack.
++    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++        syslog('mischief', 'Hostile listname: %s', listname)
++        return False
+     basepath = Site.get_listpath(listname)
+     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+         dbfile = os.path.join(basepath, 'config' + ext)
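Review bot: The added check depends on three names that nothing in this patch provides: it calls `re.sub` and `syslog` and reads `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS`, while the patch touches only Mailman/Utils.py and the visible lines neither import nor define them. Please confirm that the 2.1.14.j7 sources this port builds already import `re` and `syslog` in Utils.py and define the setting in the defaults; otherwise the function raises NameError or AttributeError on every call instead of rejecting hostile names. Separately, `syslog('mischief', 'Hostile listname: %s', listname)` writes the rejected, untrusted name to the log verbatim; formatting it with `%r` would keep embedded newlines or control characters from forging log entries. Note also that `re.sub` is called without flags, so the match is case-sensitive as written; a one-line comment saying so would help anyone who overrides the setting locally.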


