authorPeter Volkov <pva@gentoo.org>2007-09-13 17:01:47 +0000
committerPeter Volkov <pva@gentoo.org>2007-09-13 17:01:47 +0000
commit77975ad728c8290cdb32d5795157f13211d11598 (patch)
tree433d9c50841951e0ba7b473314adbf29ad96cc5f /net-analyzer/jffnms
parentVersion bump (diff)
Fixes Multiple vulnerabilities (CVE-2007-31{89,90,91,92}) reported by Robert Buchholz <rbu AT gentoo.org> in bug #192240.
Package-Manager: portage-2.1.3.9
Diffstat (limited to 'net-analyzer/jffnms')
-rw-r--r--net-analyzer/jffnms/ChangeLog10
-rw-r--r--net-analyzer/jffnms/Manifest44
-rw-r--r--net-analyzer/jffnms/files/digest-jffnms-0.8.2-r13
-rw-r--r--net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2 (renamed from net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1)0
-rw-r--r--net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch60
-rw-r--r--net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild71
-rw-r--r--net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild (renamed from net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild)10
7 files changed, 93 insertions, 105 deletions
diff --git a/net-analyzer/jffnms/ChangeLog b/net-analyzer/jffnms/ChangeLog
index 90bbb7e9eb74..4b1083b24ec1 100644
--- a/net-analyzer/jffnms/ChangeLog
+++ b/net-analyzer/jffnms/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for net-analyzer/jffnms
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/ChangeLog,v 1.9 2007/07/29 17:00:36 phreak Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/ChangeLog,v 1.10 2007/09/13 17:01:46 pva Exp $
+
+*jffnms-0.8.3-r2 (13 Sep 2007)
+
+ 13 Sep 2007; <pva@gentoo.org>
+ +files/jffnms-0.8.3-misc-security-fixes.patch, -jffnms-0.8.2-r1.ebuild,
+ -jffnms-0.8.3-r1.ebuild, +jffnms-0.8.3-r2.ebuild:
+ Fixes Multiple vulnerabilities (CVE-2007-31{89,90,91,92}) reported by Robert
+ Buchholz <rbu AT gentoo.org> in bug #192240.
29 Jul 2007; Christian Heim <phreak@gentoo.org> jffnms-0.8.2-r1.ebuild,
jffnms-0.8.3-r1.ebuild:
diff --git a/net-analyzer/jffnms/Manifest b/net-analyzer/jffnms/Manifest
index db77737614a2..5950bc0d58c6 100644
--- a/net-analyzer/jffnms/Manifest
+++ b/net-analyzer/jffnms/Manifest
@@ -1,34 +1,20 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-DIST jffnms-0.8.2.tar.gz 557085 RMD160 5ce08a50f5bbedbc00c990933c6ade935e681772 SHA1 3e1ff8f302d5fd30e14f4f363338b68870343d30 SHA256 d42b2b9e0a65b744bec12f2eea34efe14a4b836c37c37f187d835774395edf90
+AUX jffnms-0.8.3-misc-security-fixes.patch 2592 RMD160 e6d9d2463af92be34b32ec6290563cee3bda7d0c SHA1 392397a6113e2c062372f1885449a22ef6e44ac9 SHA256 716e8c5f5af3bdf23a6c8e9844b371998c6ae0aa451966ed61704c9d684bb564
+MD5 1280687d359f397dccf6aba4a0b65c8c files/jffnms-0.8.3-misc-security-fixes.patch 2592
+RMD160 e6d9d2463af92be34b32ec6290563cee3bda7d0c files/jffnms-0.8.3-misc-security-fixes.patch 2592
+SHA256 716e8c5f5af3bdf23a6c8e9844b371998c6ae0aa451966ed61704c9d684bb564 files/jffnms-0.8.3-misc-security-fixes.patch 2592
DIST jffnms-0.8.3.tar.gz 698871 RMD160 681d498bf49f3e1011241254c441540ebbbe1860 SHA1 230cd88b9ff5b869e7a07c828425be15ede9614f SHA256 51f84606aa81113b2ea894c9e499f18df84e5317853aefd51610f5b279853ae4
-EBUILD jffnms-0.8.2-r1.ebuild 1839 RMD160 b3441c5da0bd374893fab583989c2986043a9258 SHA1 d32a92ae955959f5ef8000412df8c8008d9d67c0 SHA256 c7e08953c9e7db037d75d7d11f5878c6135af7d80f197d5196fb2b0da4c78f04
-MD5 90fa5fad0f93cb16d3e89f17de14f3c1 jffnms-0.8.2-r1.ebuild 1839
-RMD160 b3441c5da0bd374893fab583989c2986043a9258 jffnms-0.8.2-r1.ebuild 1839
-SHA256 c7e08953c9e7db037d75d7d11f5878c6135af7d80f197d5196fb2b0da4c78f04 jffnms-0.8.2-r1.ebuild 1839
-EBUILD jffnms-0.8.3-r1.ebuild 2062 RMD160 f0c6e84a89fa9b5d393cd0fb00678a142b7d1e7f SHA1 dbfc957502dba2f70061cd28d8200efee71791a8 SHA256 65fa5d877db9dadbd95b32451615f3dc38d761bd26922ad6efe6264993a9cdb0
-MD5 8ca598316dde9a3456acd64d6b19a282 jffnms-0.8.3-r1.ebuild 2062
-RMD160 f0c6e84a89fa9b5d393cd0fb00678a142b7d1e7f jffnms-0.8.3-r1.ebuild 2062
-SHA256 65fa5d877db9dadbd95b32451615f3dc38d761bd26922ad6efe6264993a9cdb0 jffnms-0.8.3-r1.ebuild 2062
-MISC ChangeLog 1911 RMD160 91c1cc4c66547231b354d1954450a4cd5fd8de91 SHA1 0d091f611588305afd9fd16477ad26f90cebdd37 SHA256 ab74f7a36bc916183a8d1886de2b27b3ff8e9bc01739835484b0520d2267d1b2
-MD5 1976660b07810b6c1099a12b83462b56 ChangeLog 1911
-RMD160 91c1cc4c66547231b354d1954450a4cd5fd8de91 ChangeLog 1911
-SHA256 ab74f7a36bc916183a8d1886de2b27b3ff8e9bc01739835484b0520d2267d1b2 ChangeLog 1911
+EBUILD jffnms-0.8.3-r2.ebuild 2201 RMD160 ee17e18b9090009ad0d50b81b2c8469873a4d8a4 SHA1 1f084a3d62f56ec102bd6f47ae5d3e644eeed375 SHA256 374178310e143a206c4e90dcc69d0a97d866cf5f40b9e0f39eb507d3345136a3
+MD5 3545d3d45718d2e1a265c623de61f908 jffnms-0.8.3-r2.ebuild 2201
+RMD160 ee17e18b9090009ad0d50b81b2c8469873a4d8a4 jffnms-0.8.3-r2.ebuild 2201
+SHA256 374178310e143a206c4e90dcc69d0a97d866cf5f40b9e0f39eb507d3345136a3 jffnms-0.8.3-r2.ebuild 2201
+MISC ChangeLog 2226 RMD160 6d7640d0788ad528bf5313802ef943dd8bba15dc SHA1 287560910df8ee99edac969f6a879b6107a2cc4c SHA256 c259bc22b189d16d3052e0d604d016ba5ac87f9c7f705cd648d2c4ac78dac1ca
+MD5 5ad9412abb2dcf244fb7a0dfd3421daf ChangeLog 2226
+RMD160 6d7640d0788ad528bf5313802ef943dd8bba15dc ChangeLog 2226
+SHA256 c259bc22b189d16d3052e0d604d016ba5ac87f9c7f705cd648d2c4ac78dac1ca ChangeLog 2226
MISC metadata.xml 159 RMD160 28e799fe0fd02aaab9d4bbe5595f133101606f5b SHA1 9f5df3eabd621951a959cc8e0e2e0d352cd1fe1e SHA256 b75c711bd971e46f0ec957e833c60879b0c5023e0bb94409a6255781b69f6dc6
MD5 f34e3c8858756da0001b12d2d3fa1af2 metadata.xml 159
RMD160 28e799fe0fd02aaab9d4bbe5595f133101606f5b metadata.xml 159
SHA256 b75c711bd971e46f0ec957e833c60879b0c5023e0bb94409a6255781b69f6dc6 metadata.xml 159
-MD5 a01464e5866620e8703815db0e566469 files/digest-jffnms-0.8.2-r1 238
-RMD160 f6d19620bb3649aae5765b68f7e62fe175d7245b files/digest-jffnms-0.8.2-r1 238
-SHA256 ff790a322c824f6a74e6425b92f79852c65878844fcc89e37a0cb639d7ea8f34 files/digest-jffnms-0.8.2-r1 238
-MD5 6fe4d457ec8518e152f7f6615d1eb401 files/digest-jffnms-0.8.3-r1 238
-RMD160 5411137de6c3221379230507ea07e1fc8603c100 files/digest-jffnms-0.8.3-r1 238
-SHA256 28acbd4ddf1e417a4561d54fa7febbc163d9ac28080423b402d9f365120eb969 files/digest-jffnms-0.8.3-r1 238
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.5 (GNU/Linux)
-
-iD8DBQFGrMfAyuNVb5qfaOYRAppAAKCKWi4Z1JFzZ8sQ6cpZuJRS117c7wCfePj0
-dWr0kwqTf3vcS2EcLQ2JVsA=
-=crG8
------END PGP SIGNATURE-----
+MD5 6fe4d457ec8518e152f7f6615d1eb401 files/digest-jffnms-0.8.3-r2 238
+RMD160 5411137de6c3221379230507ea07e1fc8603c100 files/digest-jffnms-0.8.3-r2 238
+SHA256 28acbd4ddf1e417a4561d54fa7febbc163d9ac28080423b402d9f365120eb969 files/digest-jffnms-0.8.3-r2 238
diff --git a/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1 b/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1
deleted file mode 100644
index b1b07dad71fc..000000000000
--- a/net-analyzer/jffnms/files/digest-jffnms-0.8.2-r1
+++ /dev/null
@@ -1,3 +0,0 @@
-MD5 10c4dbead14c7e53a040140620768d19 jffnms-0.8.2.tar.gz 557085
-RMD160 5ce08a50f5bbedbc00c990933c6ade935e681772 jffnms-0.8.2.tar.gz 557085
-SHA256 d42b2b9e0a65b744bec12f2eea34efe14a4b836c37c37f187d835774395edf90 jffnms-0.8.2.tar.gz 557085
diff --git a/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1 b/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2
index b79ff483c4f6..b79ff483c4f6 100644
--- a/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r1
+++ b/net-analyzer/jffnms/files/digest-jffnms-0.8.3-r2
diff --git a/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch b/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch
new file mode 100644
index 000000000000..a6be62f2e0ce
--- /dev/null
+++ b/net-analyzer/jffnms/files/jffnms-0.8.3-misc-security-fixes.patch
@@ -0,0 +1,60 @@
+Fixes different security problems:
+http://bugs.gentoo.org/192240
+
+
+diff -Naur jffnms-0.8.3/htdocs/admin/adm/test.php jffnms-0.8.4-pre3/htdocs/admin/adm/test.php
+--- jffnms-0.8.3/htdocs/admin/adm/test.php 2006-09-17 03:31:13.000000000 +0400
++++ jffnms-0.8.4-pre3/htdocs/admin/adm/test.php 1970-01-01 03:00:00.000000000 +0300
+@@ -1 +0,0 @@
+-<? phpinfo(); ?>
+\ В конце файла нет новой строки
+diff -Naur jffnms-0.8.3/htdocs/auth.php jffnms-0.8.4-pre3/htdocs/auth.php
+--- jffnms-0.8.3/htdocs/auth.php 2006-09-17 03:31:13.000000000 +0400
++++ jffnms-0.8.4-pre3/htdocs/auth.php 2007-06-07 16:00:08.000000000 +0400
+@@ -46,11 +46,6 @@
+ session_start();
+ }
+
+- if (($jffnms_version=="0.0.0") && ($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) { //W3C Validator
+- $_REQUEST["user"]="admin";
+- $_REQUEST["pass"]="admin";
+- }
+-
+ if (!isset($_SESSION["authentification"]))
+ $authentification = $jffnms->authenticate ($_REQUEST["user"],$_REQUEST["pass"],true,"from ".$_SERVER["REMOTE_ADDR"]);
+
+diff -Naur jffnms-0.8.3/lib/api.classes.inc.php jffnms-0.8.4-pre3/lib/api.classes.inc.php
+--- jffnms-0.8.3/lib/api.classes.inc.php 2006-09-17 03:31:14.000000000 +0400
++++ jffnms-0.8.4-pre3/lib/api.classes.inc.php 2007-06-07 16:00:08.000000000 +0400
+@@ -677,7 +677,7 @@
+ $auth_type = 1;
+ $cant_auth = 0;
+
+- if (isset($user) && isset($pass)) {
++ if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
+ $query_auth = "select id as auth_user_id, usern as auth_user_name, passwd, fullname as auth_user_fullname from auth where usern = '$user'";
+ $result_auth = db_query ($query_auth);
+ $cant_auth = db_num_rows($result_auth);
+@@ -693,18 +693,20 @@
+ }
+
+ if (($auth==0) && ($cant_auth == 0)){ //not found in DB
+- if (isset($user) && isset($pass)) {
++
++ if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
+ $query_auth = "select id as auth_user_id, username as auth_user_name, name as auth_user_fullname from clients where username= '$user' and password = '$pass'";
+ $result_auth = db_query ($query_auth);
+ $auth = db_num_rows( $result_auth);
+ }
++
+ if ($auth==1) {
+ $reg = db_fetch_array($result_auth);
+ $auth_type = 2;
+ }
+ }
+
+- if (($log_event==true) && (!empty($user)))
++ if (($log_event==true) && preg_match("/^[\w\@\.]{0,20}$/", $user))
+ insert_event(date("Y-m-d H:i:s",time()),get_config_option("jffnms_internal_type"),1,"Login",(($auth==1)?"successful":"failed"),$user,$log_event_info,"",0);
+
+ unset ($reg["passwd"]);
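Review bot: `$pass` is still interpolated unescaped into the second query (`... from clients where username= '$user' and password = '$pass'`), so the new `preg_match` check on `$user` covers only the username; the password should go through the database layer's quoting routine (not visible here) or a bound parameter before it reaches `db_query`. The pattern is also looser than it looks: without the `D` modifier `$` matches before a trailing newline, and `{0,20}` accepts an empty name, which the `!empty($user)` test it replaces in the logging condition used to reject. `preg_match('/^[\w@.]{1,20}$/D', $user)` would be tighter in all three places. The clients lookup also appears to compare the password in clear text; that predates this patch but is worth reporting upstream.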
diff --git a/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild b/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild
deleted file mode 100644
index 77372598810e..000000000000
--- a/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild
+++ /dev/null
@@ -1,71 +0,0 @@
-# Copyright 1999-2007 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.2-r1.ebuild,v 1.2 2007/07/29 17:00:36 phreak Exp $
-
-inherit eutils
-
-DESCRIPTION="Network Management and Monitoring System."
-HOMEPAGE="http://www.jffnms.org/"
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~x86"
-IUSE="mysql postgres snmp"
-
-DEPEND="www-servers/apache
- net-analyzer/rrdtool
- media-libs/gd
- =dev-lang/php-4*
- dev-php/PEAR-PEAR
- snmp? ( net-analyzer/net-snmp )
- sys-apps/diffutils
- media-gfx/graphviz
- net-analyzer/nmap
- net-analyzer/fping
- app-mobilephone/smsclient"
-RDEPEND=${DEPEND}
-
-pkg_setup() {
- local flags="gd wddx sockets session spl cli"
-
- if use mysql ; then
- flags="$flags mysql"
- fi
-
- if use postgres ; then
- flags="$flags postgres"
- fi
-
- for flagname in $flags ; do
- if ! built_with_use "=dev-lang/php-4*" $flagname; then
- eerror "You need to build php with $flagname USE flag"
- die "Jffnms requires php with $flagname USE flag"
- fi
- done
-
- enewgroup jffnms
- enewuser jffnms -1 /bin/bash /dev/null jffnms,apache
-}
-
-src_install(){
- INSTALL_DIR="/opt/${PN}"
- IMAGE_DIR="${D}${INSTALL_DIR}"
-
- dodir "${INSTALL_DIR}"
- cp -r * "${IMAGE_DIR}" || die
- rm -f "${IMAGE_DIR}/LICENSE"
-
- # Clean up windows related stuff
- rm -f "${IMAGE_DIR}/*.win32.txt"
- rm -rf "${IMAGE_DIR}/docs/windows"
- rm -rf "${IMAGE_DIR}/engine/windows"
-
- chown -R jffnms:apache "${IMAGE_DIR}" || die
- chmod -R ug+rw "${IMAGE_DIR}" || die
-
- einfo "JFFNMS has been partialy installed on your system. However you"
- einfo "still need proceed with final installation and configuration."
- einfo "You can visit http://www.gentoo.org/doc/en/jffnms.xml in order"
- einfo "to get detailed information on how to get jffnms up and running."
-}
diff --git a/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild b/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild
index c259634121a4..1d41b78479b5 100644
--- a/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild
+++ b/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.3-r1.ebuild,v 1.2 2007/07/29 17:00:36 phreak Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/jffnms/jffnms-0.8.3-r2.ebuild,v 1.1 2007/09/13 17:01:46 pva Exp $
inherit eutils depend.php
@@ -52,6 +52,14 @@ pkg_setup() {
enewuser jffnms -1 /bin/bash -1 jffnms,apache
}
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # Fixes Multiple vulnerabilities bug #192240
+ epatch "${FILESDIR}"/${P}-misc-security-fixes.patch
+}
+
src_install(){
INSTALL_DIR="/opt/${PN}"
IMAGE_DIR="${D}${INSTALL_DIR}"
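Review bot: `cd "${S}"` in the new src_unpack has no failure check, so if the source directory is missing the function carries on and epatch runs from whatever directory the shell is in; `cd "${S}" || die "cd to ${S} failed"` makes the failure explicit. The comment above epatch could also name the CVEs from the commit message, e.g. `# Security fixes for CVE-2007-3189..3192, bug #192240`, so the reason for the patch stays visible in the ebuild itself.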