Pullup ticket #5033 - requested by taca mail/roundcube: security fix Revisions pulled up: - mail/roundcube/Makefile 1.81-1.83 - mail/roundcube/PLIST 1.40-1.41 - mail/roundcube/distinfo 1.49-1.51 - mail/roundcube/patches/patch-config.inc.php deleted - mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect 1.1 - mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php 1.3 --- Module Name: pkgsrc Committed By: taca Date: Thu May 26 03:20:37 UTC 2016 Modified Files: pkgsrc/mail/roundcube: Makefile PLIST distinfo Removed Files: pkgsrc/mail/roundcube/patches: patch-config.inc.php Log Message: Update roundcube to 1.1.5, including security fix. RELEASE 1.1.5 ------------- - Plugin API: Add html2text hook - Plugin API: Added addressbook_export hook - Fix missing emoticons on html-to-text conversion - Fix random "access to this resource is secured against CSRF" message at logout (#4956) - Fix missing language name in "Add to Dictionary" request in HTML mode (#4951) - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955) - Fix XSS issue in SVG images handling (#4949) - Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958) - Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961) - Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964) - Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966) - Hide DSN option in Preferences when smtp_server is not used (#4967) - Protect download urls against CSRF using unique request tokens (#4957) - newmail_notifier: Refactor desktop notifications - Fix so contactlist_fields option can be set via config file - Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782) - Fix performance in reverting order of THREAD result - Fix converting mail addresses with @www. into mailto links (#5197) --- Module Name: pkgsrc Committed By: taca Date: Thu May 26 03:23:39 UTC 2016 Added Files: pkgsrc/mail/roundcube/patches: patch-plugins_password_helpers_passwd-expect Log Message: Oops, forgot to add a patch file for NetBSD (and perhaps for *BSD) to make password plugin work. --- Module Name: pkgsrc Committed By: taca Date: Thu May 26 23:22:17 UTC 2016 Modified Files: pkgsrc/mail/roundcube: Makefile distinfo Added Files: pkgsrc/mail/roundcube/patches: patch-program_lib_Roundcube_rcube__washtml.php Log Message: Update security path for CVE-2016-5103 (XSS) from upstream. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: taca Date: Sun May 29 15:46:59 UTC 2016 Modified Files: pkgsrc/mail/roundcube: Makefile PLIST distinfo Log Message: Switch to get distfiles from GitHub, noted by David Brownlee via private e-mail. And some installed files are changed, bump PKGREVISION.diff -r1.80 -r1.80.2.1 pkgsrc/mail/roundcube/Makefile
(bsiegert)
@@ -1,19 +1,24 @@ | @@ -1,19 +1,24 @@ | |||
1 | # $NetBSD: Makefile,v 1.80 2016/03/16 13:36:52 taca Exp $ | 1 | # $NetBSD: Makefile,v 1.80.2.1 2016/06/04 19:39:34 bsiegert Exp $ | |
2 | 2 | |||
3 | DISTNAME= roundcubemail-1.1.4 | 3 | DISTNAME= roundcubemail-1.1.5 | |
4 | PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME:S/mail-/-/} | 4 | PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME:S/mail-/-/} | |
5 | PKGREVISION= 2 | |||
5 | CATEGORIES= mail | 6 | CATEGORIES= mail | |
6 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=roundcubemail/} | 7 | MASTER_SITES= ${MASTER_SITE_GITHUB:=roundcube/} | |
8 | GITHUB_PROJECT= roundcubemail | |||
9 | GITHUB_RELEASE= 1.1.5 | |||
10 | GITHUB_TYPE= release | |||
11 | DIST_SUBDIR= roundcubemail-1.1.5 | |||
7 | 12 | |||
8 | MAINTAINER= taca@NetBSD.org | 13 | MAINTAINER= taca@NetBSD.org | |
9 | HOMEPAGE= http://roundcube.net/ | 14 | HOMEPAGE= http://roundcube.net/ | |
10 | COMMENT= Browser-based multilingual IMAP client | 15 | COMMENT= Browser-based multilingual IMAP client | |
11 | LICENSE= gnu-gpl-v3 | 16 | LICENSE= gnu-gpl-v3 | |
12 | 17 | |||
13 | DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=${PHP_BASE_VERS}:../../converters/php-mbstring | 18 | DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=${PHP_BASE_VERS}:../../converters/php-mbstring | |
14 | DEPENDS+= ${PHP_PKG_PREFIX}-dom>=${PHP_BASE_VERS}:../../textproc/php-dom | 19 | DEPENDS+= ${PHP_PKG_PREFIX}-dom>=${PHP_BASE_VERS}:../../textproc/php-dom | |
15 | DEPENDS+= ${PHP_PKG_PREFIX}-exif>=${PHP_BASE_VERS}:../../graphics/php-exif | 20 | DEPENDS+= ${PHP_PKG_PREFIX}-exif>=${PHP_BASE_VERS}:../../graphics/php-exif | |
16 | DEPENDS+= ${PHP_PKG_PREFIX}-intl>=${PHP_BASE_VERS}:../../textproc/php-intl | 21 | DEPENDS+= ${PHP_PKG_PREFIX}-intl>=${PHP_BASE_VERS}:../../textproc/php-intl | |
17 | DEPENDS+= ${PHP_PKG_PREFIX}-json>=${PHP_BASE_VERS}:../../textproc/php-json | 22 | DEPENDS+= ${PHP_PKG_PREFIX}-json>=${PHP_BASE_VERS}:../../textproc/php-json | |
18 | 23 | |||
19 | DEPENDS+= ${PHP_PKG_PREFIX}-pear-Net_Sieve>=1.3.2:../../net/pear-Net_Sieve | 24 | DEPENDS+= ${PHP_PKG_PREFIX}-pear-Net_Sieve>=1.3.2:../../net/pear-Net_Sieve |
@@ -1,10 +1,11 @@ | @@ -1,10 +1,11 @@ | |||
1 | $NetBSD: distinfo,v 1.48 2015/12/26 14:24:48 taca Exp $ | 1 | $NetBSD: distinfo,v 1.48.4.1 2016/06/04 19:39:34 bsiegert Exp $ | |
2 | 2 | |||
3 | SHA1 (roundcubemail-1.1.4.tar.gz) = 4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3 | 3 | SHA1 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 8a59d196ef0aa6d9c717b00699215135abcb99cf | |
4 | RMD160 (roundcubemail-1.1.4.tar.gz) = 24f4bd093db74183132eba7ff610fcff9840541a | 4 | RMD160 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 33cc523ccbc7a4437a2f1a9d67783ba4cfc3bd5d | |
5 | SHA512 (roundcubemail-1.1.4.tar.gz) = 18c2422d65292cd13bc4ce592e8490cc0a9d3e9551ac4d188db93eb989525af7ccf519642dd2e68a7380ab0d0d4ad4f999af2b7e99da75d88274743949b42f8a | 5 | SHA512 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 0202dfa5ae6bbc121bc07ccfe4fc5d5b3bc2ef84956c1ed1d5f0dac9290f945c0f09b6086484ff83eaec286b8083f0ce07c758ba76a13d0b1cb4571400140b1d | |
6 | Size (roundcubemail-1.1.4.tar.gz) = 3209549 bytes | 6 | Size (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 3212432 bytes | |
7 | SHA1 (patch-ac) = 235116580665d5d58edc218c063b41171a2d9227 | 7 | SHA1 (patch-ac) = 235116580665d5d58edc218c063b41171a2d9227 | |
8 | SHA1 (patch-af) = 1f95a7005569207469563aa37ff48da0383b7668 | 8 | SHA1 (patch-af) = 1f95a7005569207469563aa37ff48da0383b7668 | |
9 | SHA1 (patch-config.inc.php) = 6652bd2aaba06e1d1dd4a02d2390aa523f54e613 | 9 | SHA1 (patch-plugins_password_helpers_passwd-expect) = 9e0082f23e37bbab26e8bb1439668132d5aacca2 | |
10 | SHA1 (patch-program_lib_Roundcube_rcube__washtml.php) = 3a38804d81ead4cd0271befaacc370e78c103b7a | |||
10 | SHA1 (patch-rcube_mime_default) = fe6ff1bea0a2c4223b34e44a6d0ca76e6476d2aa | 11 | SHA1 (patch-rcube_mime_default) = fe6ff1bea0a2c4223b34e44a6d0ca76e6476d2aa |
$NetBSD: patch-plugins_password_helpers_passwd-expect,v 1.1.2.2 2016/06/04 19:39:34 bsiegert Exp $
Make password plugin work on NetBSD (and maybe other *BSD).
--- plugins/password/helpers/passwd-expect.orig 2016-04-17 16:22:20.000000000 +0000
+++ plugins/password/helpers/passwd-expect
@@ -49,7 +49,7 @@ set oldpassword_string "((O|o)ld|login|\
set newpassword_string "(N|n)ew.* (P|p)assword.*"
set badoldpassword_string "(Authentication token manipulation error).*"
set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
-set verify_string "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
+set verify_string "((R|r)e-*enter.*(P|p)assword|Retype (N|n)ew( UNIX)? (P|p)assword|(V|v)erification|(V|v)erify|(A|a)gain).*"
set success_string "((P|p)assword.* changed|successfully)"
set login_string "(((L|l)ogin|(U|u)sername).*)"
set timeout 20
@@ -251,6 +251,8 @@ expect {
expect {
-re $success_string {sleep .5
send exit\r}
+ -re $prompt_string { sleep .5
+ send exit\r}
-re $badpassword_string {puts $err "$expect_out(0,string)"
close $err
exit 1}
$NetBSD: patch-program_lib_Roundcube_rcube__washtml.php,v 1.3.2.2 2016/06/04 19:39:34 bsiegert Exp $
Fix CVE-2016-5103, XSS from upstream.
--- program/lib/Roundcube/rcube_washtml.php.orig 2016-04-17 16:22:20.000000000 +0000
+++ program/lib/Roundcube/rcube_washtml.php
@@ -370,7 +370,7 @@ class rcube_washtml
*/
private function is_link_attribute($tag, $attr)
{
- return $tag == 'a' && $attr == 'href';
+ return ($tag == 'a' || $tag == 'area') && $attr == 'href';
}
/**