-rw-r--r--net-analyzer/jffnms/ChangeLog10
-rw-r--r--net-analyzer/jffnms/files/digest-jffnms-0.8.2-r13
-rw-r--r--net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2 (renamed from net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1)0
-rw-r--r--net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch60
-rw-r--r--net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild71
-rw-r--r--net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild (renamed from net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild)10
6 files changed, 78 insertions, 76 deletions
diff --git a/net-analyzer/jffnms/ChangeLog b/net-analyzer/jffnms/ChangeLog
index 90bbb7e9eb74..4b1083b24ec1 100644
--- a/net-analyzer/jffnms/ChangeLog
+++ b/net-analyzer/jffnms/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for net-analyzer/jffnms
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/ChangeLog,v 1.9 2007/07/29 17:00:36 phreak Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/ChangeLog,v 1.10 2007/09/13 17:01:46 pva Exp $
+
+*jffnms-0.8.3-r2 (13 Sep 2007)
+
+ 13 Sep 2007; <pva@gentoo.org>
+ +files/jffnms-0.8.3-misc-security-fixes.patch, -jffnms-0.8.2-r1.ebuild,
+ -jffnms-0.8.3-r1.ebuild, +jffnms-0.8.3-r2.ebuild:
+ Fixes Multiple vulnerabilities (CVE-2007-31{89,90,91,92}) reported by Robert
+ Buchholz <rbu AT gentoo.org> in bug #192240.
29 Jul 2007; Christian Heim <phreak@gentoo.org> jffnms-0.8.2-r1.ebuild,
jffnms-0.8.3-r1.ebuild:
diff --git a/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1 b/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1
deleted file mode 100644
index b1b07dad71fc..000000000000
--- a/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1
+++ /dev/null
@@ -1,3 +0,0 @@
-MD5 10c4dbead14c7e53a040140620768d19 jffnms-0.8.2.tar.gz 557085
-RMD160 5ce08a50f5bbedbc00c990933c6ade935e681772 jffnms-0.8.2.tar.gz 557085
-SHA256 d42b2b9e0a65b744bec12f2eea34efe14a4b836c37c37f187d835774395edf90 jffnms-0.8.2.tar.gz 557085
diff --git a/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1 b/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2
index b79ff483c4f6..b79ff483c4f6 100644
--- a/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1
+++ b/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2
diff --git a/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch b/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch
new file mode 100644
index 000000000000..a6be62f2e0ce
--- /dev/null
+++ b/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch
@@ -0,0 +1,60 @@
+Fixes different security problems:
+http://bugs.gentoo.org/192240
+
+
+diff -Naur jffnms-0.8.3/htdocs/admin/adm/test.php jffnms-0.8.4-pre3/htdocs/admin/adm/test.php
+--- jffnms-0.8.3/htdocs/admin/adm/test.php 2006-09-17 03:31:13.000000000 +0400
++++ jffnms-0.8.4-pre3/htdocs/admin/adm/test.php 1970-01-01 03:00:00.000000000 +0300
+@@ -1 +0,0 @@
+-<? phpinfo(); ?>
+\ В конце файла нет новой строки
+diff -Naur jffnms-0.8.3/htdocs/auth.php jffnms-0.8.4-pre3/htdocs/auth.php
+--- jffnms-0.8.3/htdocs/auth.php 2006-09-17 03:31:13.000000000 +0400
++++ jffnms-0.8.4-pre3/htdocs/auth.php 2007-06-07 16:00:08.000000000 +0400
+@@ -46,11 +46,6 @@
+ session_start();
+ }
+
+- if (($jffnms_version=="0.0.0") && ($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) { //W3C Validator
+- $_REQUEST["user"]="admin";
+- $_REQUEST["pass"]="admin";
+- }
+-
+ if (!isset($_SESSION["authentification"]))
+ $authentification = $jffnms->authenticate ($_REQUEST["user"],$_REQUEST["pass"],true,"from ".$_SERVER["REMOTE_ADDR"]);
+
+diff -Naur jffnms-0.8.3/lib/api.classes.inc.php jffnms-0.8.4-pre3/lib/api.classes.inc.php
+--- jffnms-0.8.3/lib/api.classes.inc.php 2006-09-17 03:31:14.000000000 +0400
++++ jffnms-0.8.4-pre3/lib/api.classes.inc.php 2007-06-07 16:00:08.000000000 +0400
+@@ -677,7 +677,7 @@
+ $auth_type = 1;
+ $cant_auth = 0;
+
+- if (isset($user) && isset($pass)) {
++ if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
+ $query_auth = "select id as auth_user_id, usern as auth_user_name, passwd, fullname as auth_user_fullname from auth where usern = '$user'";
+ $result_auth = db_query ($query_auth);
+ $cant_auth = db_num_rows($result_auth);
+@@ -693,18 +693,20 @@
+ }
+
+ if (($auth==0) && ($cant_auth == 0)){ //not found in DB
+- if (isset($user) && isset($pass)) {
++
++ if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
+ $query_auth = "select id as auth_user_id, username as auth_user_name, name as auth_user_fullname from clients where username= '$user' and password = '$pass'";
+ $result_auth = db_query ($query_auth);
+ $auth = db_num_rows( $result_auth);
+ }
++
+ if ($auth==1) {
+ $reg = db_fetch_array($result_auth);
+ $auth_type = 2;
+ }
+ }
+
+- if (($log_event==true) && (!empty($user)))
++ if (($log_event==true) && preg_match("/^[\w\@\.]{0,20}$/", $user))
+ insert_event(date("Y-m-d H:i:s",time()),get_config_option("jffnms_internal_type"),1,"Login",(($auth==1)?"successful":"failed"),$user,$log_event_info,"",0);
+
+ unset ($reg["passwd"]);
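Review bot: In the `clients` lookup of lib/api.classes.inc.php, `$pass` is still interpolated into the SQL string (`... and password = '$pass'`) with only `isset($pass)` in front of it, so the new allowlist on `$user` leaves the password value unvalidated in that query. I would select the row by `username` alone and compare the password in PHP, or pass `$pass` through the database layer's escaping before the query is built. The pattern itself is also looser than it reads: `$` without the `D` modifier accepts a trailing newline, and `{0,20}` accepts an empty name that the old `!empty($user)` log guard rejected, so `preg_match("/^[\w\@\.]{1,20}\z/", $user)` is the stricter form. The same expression is repeated three times and would be easier to keep consistent in one helper. The enclosing function starts and ends outside these hunks, so the password comparison for the first (`auth` table) query is not visible here.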
diff --git a/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild b/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild
deleted file mode 100644
index 77372598810e..000000000000
--- a/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild
+++ /dev/null
@@ -1,71 +0,0 @@
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild,v 1.2 2007/07/29 17:00:36 phreak Exp $
-
-inherit eutils
-
-DESCRIPTION="Network Management and Monitoring System."
-HOMEPAGE="http://www.jffnms.org/"
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~x86"
-IUSE="mysql postgres snmp"
-
-DEPEND="www-servers/apache
- net-analyzer/rrdtool
- media-libs/gd
- =dev-lang/php-4*
- dev-php/PEAR-PEAR
- snmp? ( net-analyzer/net-snmp )
- sys-apps/diffutils
- media-gfx/graphviz
- net-analyzer/nmap
- net-analyzer/fping
- app-mobilephone/smsclient"
-RDEPEND=${DEPEND}
-
-pkg_setup() {
- local flags="gd wddx sockets session spl cli"
-
- if use mysql ; then
- flags="$flags mysql"
- fi
-
- if use postgres ; then
- flags="$flags postgres"
- fi
-
- for flagname in $flags ; do
- if ! built_with_use "=dev-lang/php-4*" $flagname; then
- eerror "You need to build php with $flagname USE flag"
- die "Jffnms requires php with $flagname USE flag"
- fi
- done
-
- enewgroup jffnms
- enewuser jffnms -1 /bin/bash /dev/null jffnms,apache
-}
-
-src_install(){
- INSTALL_DIR="/opt/${PN}"
- IMAGE_DIR="${D}${INSTALL_DIR}"
-
- dodir "${INSTALL_DIR}"
- cp -r * "${IMAGE_DIR}" || die
- rm -f "${IMAGE_DIR}/LICENSE"
-
- # Clean up windows related stuff
- rm -f "${IMAGE_DIR}/*.win32.txt"
- rm -rf "${IMAGE_DIR}/docs/windows"
- rm -rf "${IMAGE_DIR}/engine/windows"
-
- chown -R jffnms:apache "${IMAGE_DIR}" || die
- chmod -R ug+rw "${IMAGE_DIR}" || die
-
- einfo "JFFNMS has been partialy installed on your system. However you"
- einfo "still need proceed with final installation and configuration."
- einfo "You can visit http://www.gentoo.org/doc/en/jffnms.xml in order"
- einfo "to get detailed information on how to get jffnms up and running."
-}
diff --git a/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild b/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild
index c259634121a4..1d41b78479b5 100644
--- a/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild
+++ b/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild,v 1.2 2007/07/29 17:00:36 phreak Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild,v 1.1 2007/09/13 17:01:46 pva Exp $
inherit eutils depend.php
@@ -52,6 +52,14 @@ pkg_setup() {
enewuser jffnms -1 /bin/bash -1 jffnms,apache
}
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # Fixes Multiple vulnerabilities bug #192240
+ epatch "${FILESDIR}"/${P}-misc-security-fixes.patch
+}
+
src_install(){
INSTALL_DIR="/opt/${PN}"
IMAGE_DIR="${D}${INSTALL_DIR}"
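Review bot: The comment above `epatch` in `src_unpack` gives only the bug number, and the patch file name ("misc-security-fixes") does not say what is covered either. I would expand it to name the CVE ids listed in the ChangeLog entry and the three changes the patch makes, for example `# Bug #192240 (CVE-2007-3189..3192): drops admin/adm/test.php (phpinfo), removes the hard-coded admin login in auth.php, validates $user before the auth queries`. That lets a later version bump check each item against upstream before the patch is dropped. `src_unpack` is complete within this hunk; `src_install` continues outside it.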