-rw-r--r-- | net-analyzer/jffnms/ChangeLog | 10 | ||||
-rw-r--r-- | net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1 | 3 | ||||
-rw-r--r-- | net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2 (renamed from net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1) | 0 | ||||
-rw-r--r-- | net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch | 60 | ||||
-rw-r--r-- | net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild | 71 | ||||
-rw-r--r-- | net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild (renamed from net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild) | 10 |
6 files changed, 78 insertions, 76 deletions
diff --git a/net-analyzer/jffnms/ChangeLog b/net-analyzer/jffnms/ChangeLog
index 90bbb7e9eb74..4b1083b24ec1 100644
--- a/net-analyzer/jffnms/ChangeLog
+++ b/net-analyzer/jffnms/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for net-analyzer/jffnms
 # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/ChangeLog,v 1.9 2007/07/29 17:00:36 phreak Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/ChangeLog,v 1.10 2007/09/13 17:01:46 pva Exp $
+
+*jffnms-0.8.3-r2 (13 Sep 2007)
+
+ 13 Sep 2007; <pva@gentoo.org>
+ +files/jffnms-0.8.3-misc-security-fixes.patch, -jffnms-0.8.2-r1.ebuild,
+ -jffnms-0.8.3-r1.ebuild, +jffnms-0.8.3-r2.ebuild:
+ Fixes Multiple vulnerabilities (CVE-2007-31{89,90,91,92}) reported by Robert
+ Buchholz <rbu AT gentoo.org> in bug #192240.
 
 29 Jul 2007; Christian Heim <phreak@gentoo.org> jffnms-0.8.2-r1.ebuild,
 jffnms-0.8.3-r1.ebuild:
diff --git a/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1 b/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1
deleted file mode 100644
index b1b07dad71fc..000000000000
--- a/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1
+++ /dev/null
@@ -1,3 +0,0 @@
-MD5 10c4dbead14c7e53a040140620768d19 jffnms-0.8.2.tar.gz 557085
-RMD160 5ce08a50f5bbedbc00c990933c6ade935e681772 jffnms-0.8.2.tar.gz 557085
-SHA256 d42b2b9e0a65b744bec12f2eea34efe14a4b836c37c37f187d835774395edf90 jffnms-0.8.2.tar.gz 557085
diff --git a/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1 b/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2
index b79ff483c4f6..b79ff483c4f6 100644
--- a/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1
+++ b/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2
diff --git a/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch b/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch
new file mode 100644
index 000000000000..a6be62f2e0ce
--- /dev/null
+++ b/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch
@@ -0,0 +1,60 @@
+Fixes different security problems:
+http://bugs.gentoo.org/192240
+
+
+diff -Naur jffnms-0.8.3/htdocs/admin/adm/test.php jffnms-0.8.4-pre3/htdocs/admin/adm/test.php
+--- jffnms-0.8.3/htdocs/admin/adm/test.php 2006-09-17 03:31:13.000000000 +0400
++++ jffnms-0.8.4-pre3/htdocs/admin/adm/test.php 1970-01-01 03:00:00.000000000 +0300
+@@ -1 +0,0 @@
+-<? phpinfo(); ?>
+\ В конце файла нет новой строки
+diff -Naur jffnms-0.8.3/htdocs/auth.php jffnms-0.8.4-pre3/htdocs/auth.php
+--- jffnms-0.8.3/htdocs/auth.php 2006-09-17 03:31:13.000000000 +0400
++++ jffnms-0.8.4-pre3/htdocs/auth.php 2007-06-07 16:00:08.000000000 +0400
+@@ -46,11 +46,6 @@
+ session_start();
+ }
+
+- if (($jffnms_version=="0.0.0") && ($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) { //W3C Validator
+- $_REQUEST["user"]="admin";
+- $_REQUEST["pass"]="admin";
+- }
+-
+ if (!isset($_SESSION["authentification"]))
+ $authentification = $jffnms->authenticate ($_REQUEST["user"],$_REQUEST["pass"],true,"from ".$_SERVER["REMOTE_ADDR"]);
+
+diff -Naur jffnms-0.8.3/lib/api.classes.inc.php jffnms-0.8.4-pre3/lib/api.classes.inc.php
+--- jffnms-0.8.3/lib/api.classes.inc.php 2006-09-17 03:31:14.000000000 +0400
++++ jffnms-0.8.4-pre3/lib/api.classes.inc.php 2007-06-07 16:00:08.000000000 +0400
+@@ -677,7 +677,7 @@
+ $auth_type = 1;
+ $cant_auth = 0;
+
+- if (isset($user) && isset($pass)) {
++ if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
+ $query_auth = "select id as auth_user_id, usern as auth_user_name, passwd, fullname as auth_user_fullname from auth where usern = '$user'";
+ $result_auth = db_query ($query_auth);
+ $cant_auth = db_num_rows($result_auth);
+@@ -693,18 +693,20 @@
+ }
+
+ if (($auth==0) && ($cant_auth == 0)){ //not found in DB
+- if (isset($user) && isset($pass)) {
++
++ if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
+ $query_auth = "select id as auth_user_id, username as auth_user_name, name as auth_user_fullname from clients where username= '$user' and password = '$pass'";
+ $result_auth = db_query ($query_auth);
+ $auth = db_num_rows( $result_auth);
+ }
++
+ if ($auth==1) {
+ $reg = db_fetch_array($result_auth);
+ $auth_type = 2;
+ }
+ }
+
+- if (($log_event==true) && (!empty($user)))
++ if (($log_event==true) && preg_match("/^[\w\@\.]{0,20}$/", $user))
+ insert_event(date("Y-m-d H:i:s",time()),get_config_option("jffnms_internal_type"),1,"Login",(($auth==1)?"successful":"failed"),$user,$log_event_info,"",0);
+
+ unset ($reg["passwd"]);
diff --git a/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild b/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild
deleted file mode 100644
index 77372598810e..000000000000
--- a/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild
+++ /dev/null
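Review bot: In the clients fallback query of the second api.classes.inc.php hunk, `$pass` is still interpolated into the SQL string (`password = '$pass'`) after only an `isset()` check, so the new whitelist on `$user` closes the injection on the user name but leaves the password parameter unfiltered. The password should be escaped with the database layer's quoting routine before it reaches `db_query`, or the row should be selected by user name alone and the password compared in PHP. The pattern itself also admits an empty name and, because `$` matches before a final newline, a name ending in a line feed; `preg_match('/^[\w@.]{1,20}\z/', $user)` at all three call sites would be stricter. The authentication code starts and ends outside these hunks, so how the first query's `passwd` column is compared is not visible here.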
@@ -1,71 +0,0 @@
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild,v 1.2 2007/07/29 17:00:36 phreak Exp $
-
-inherit eutils
-
-DESCRIPTION="Network Management and Monitoring System."
-HOMEPAGE="http://www.jffnms.org/"
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~x86"
-IUSE="mysql postgres snmp"
-
-DEPEND="www-servers/apache
- net-analyzer/rrdtool
- media-libs/gd
- =dev-lang/php-4*
- dev-php/PEAR-PEAR
- snmp? ( net-analyzer/net-snmp )
- sys-apps/diffutils
- media-gfx/graphviz
- net-analyzer/nmap
- net-analyzer/fping
- app-mobilephone/smsclient"
-RDEPEND=${DEPEND}
-
-pkg_setup() {
- local flags="gd wddx sockets session spl cli"
-
- if use mysql ; then
- flags="$flags mysql"
- fi
-
- if use postgres ; then
- flags="$flags postgres"
- fi
-
- for flagname in $flags ; do
- if ! built_with_use "=dev-lang/php-4*" $flagname; then
- eerror "You need to build php with $flagname USE flag"
- die "Jffnms requires php with $flagname USE flag"
- fi
- done
-
- enewgroup jffnms
- enewuser jffnms -1 /bin/bash /dev/null jffnms,apache
-}
-
-src_install(){
- INSTALL_DIR="/opt/${PN}"
- IMAGE_DIR="${D}${INSTALL_DIR}"
-
- dodir "${INSTALL_DIR}"
- cp -r * "${IMAGE_DIR}" || die
- rm -f "${IMAGE_DIR}/LICENSE"
-
- # Clean up windows related stuff
- rm -f "${IMAGE_DIR}/*.win32.txt"
- rm -rf "${IMAGE_DIR}/docs/windows"
- rm -rf "${IMAGE_DIR}/engine/windows"
-
- chown -R jffnms:apache "${IMAGE_DIR}" || die
- chmod -R ug+rw "${IMAGE_DIR}" || die
-
- einfo "JFFNMS has been partialy installed on your system. However you"
- einfo "still need proceed with final installation and configuration."
- einfo "You can visit http://www.gentoo.org/doc/en/jffnms.xml in order"
- einfo "to get detailed information on how to get jffnms up and running."
-}
diff --git a/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild b/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild
index c259634121a4..1d41b78479b5 100644
--- a/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild
+++ b/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2007 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild,v 1.2 2007/07/29 17:00:36 phreak Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild,v 1.1 2007/09/13 17:01:46 pva Exp $
 
 inherit eutils depend.php
 
@@ -52,6 +52,14 @@ pkg_setup() {
 enewuser jffnms -1 /bin/bash -1 jffnms,apache
 }
 
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # Fixes Multiple vulnerabilities bug #192240
+ epatch "${FILESDIR}"/${P}-misc-security-fixes.patch
+}
+
 src_install(){
 INSTALL_DIR="/opt/${PN}"
 IMAGE_DIR="${D}${INSTALL_DIR}" |
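Review bot: The new `src_unpack` leaves the removal of `htdocs/admin/adm/test.php` entirely to `epatch`, so the phpinfo() page disappears only if patch deletes the emptied file on the strength of the epoch timestamp in the patch header. An explicit `rm -f "${S}"/htdocs/admin/adm/test.php` after the `epatch` line, with a comment such as `# phpinfo() test page must not be installed`, would make the removal independent of that behaviour. `src_install` continues outside the hunk, so whether it filters what gets copied into the image is not visible here.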