Thu May 26 23:22:17 2016 UTC ()

Update security path for CVE-2016-5103 (XSS) from upstream.

Bump PKGREVISION.


(taca)

diff -r1.81 -r1.82 pkgsrc/mail/roundcube/Makefile
diff -r1.49 -r1.50 pkgsrc/mail/roundcube/distinfo
diff -r0 -r1.3 pkgsrc/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php

--- pkgsrc/mail/roundcube/Makefile 2016/05/26 03:20:37 1.81
+++ pkgsrc/mail/roundcube/Makefile 2016/05/26 23:22:17 1.82

 @@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.81 2016/05/26 03:20:37 taca Exp $
+# $NetBSD: Makefile,v 1.82 2016/05/26 23:22:17 taca Exp $
 DISTNAME=	roundcubemail-1.1.5
 PKGNAME=	${PHP_PKG_PREFIX}-${DISTNAME:S/mail-/-/}
 PKGREVISION=	1
 CATEGORIES=	mail
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=roundcubemail/}
 MAINTAINER=	taca@NetBSD.org
 HOMEPAGE=	http://roundcube.net/
 COMMENT=	Browser-based multilingual IMAP client
 LICENSE=	gnu-gpl-v3
 DEPENDS+=	${PHP_PKG_PREFIX}-mbstring>=${PHP_BASE_VERS}:../../converters/php-mbstring
 DEPENDS+=	${PHP_PKG_PREFIX}-dom>=${PHP_BASE_VERS}:../../textproc/php-dom
 DEPENDS+=	${PHP_PKG_PREFIX}-exif>=${PHP_BASE_VERS}:../../graphics/php-exif
 DEPENDS+=	${PHP_PKG_PREFIX}-intl>=${PHP_BASE_VERS}:../../textproc/php-intl
 DEPENDS+=	${PHP_PKG_PREFIX}-json>=${PHP_BASE_VERS}:../../textproc/php-json

--- pkgsrc/mail/roundcube/distinfo 2016/05/26 03:20:37 1.49
+++ pkgsrc/mail/roundcube/distinfo 2016/05/26 23:22:17 1.50

 @@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.49 2016/05/26 03:20:37 taca Exp $
+$NetBSD: distinfo,v 1.50 2016/05/26 23:22:17 taca Exp $
 SHA1 (roundcubemail-1.1.5.tar.gz) = d0843b592a810435dff49aa615fd3075691ca18d
 RMD160 (roundcubemail-1.1.5.tar.gz) = b716851dc55fa88553ad06c21e8c8080416303f1
 SHA512 (roundcubemail-1.1.5.tar.gz) = 7723746c4c1959460adb9f157fed6ebf78720ee84640791e0501b6c2adb5c60a58fa93e4e244dfad1998f3595cc31ca3dc48e7e111e69e5a0444d96d6cf04289
 Size (roundcubemail-1.1.5.tar.gz) = 3147385 bytes
 SHA1 (patch-ac) = 235116580665d5d58edc218c063b41171a2d9227
 SHA1 (patch-af) = 1f95a7005569207469563aa37ff48da0383b7668
 SHA1 (patch-plugins_password_helpers_passwd-expect) = 9e0082f23e37bbab26e8bb1439668132d5aacca2
 SHA1 (patch-program_lib_Roundcube_rcube__washtml.php) = 3a38804d81ead4cd0271befaacc370e78c103b7a
 SHA1 (patch-rcube_mime_default) = fe6ff1bea0a2c4223b34e44a6d0ca76e6476d2aa

$NetBSD: patch-program_lib_Roundcube_rcube__washtml.php,v 1.3 2016/05/26 23:22:17 taca Exp $

Fix CVE-2016-5103, XSS from upstream.

--- program/lib/Roundcube/rcube_washtml.php.orig	2016-04-17 16:22:20.000000000 +0000
+++ program/lib/Roundcube/rcube_washtml.php
@@ -370,7 +370,7 @@ class rcube_washtml
      */
     private function is_link_attribute($tag, $attr)
     {
-        return $tag == 'a' && $attr == 'href';
+        return ($tag == 'a' || $tag == 'area') && $attr == 'href';
     }
 
     /**