Sat Jun 4 19:39:34 2016 UTC ()
Pullup ticket #5033 - requested by taca
mail/roundcube: security fix

Revisions pulled up:
- mail/roundcube/Makefile                                       1.81-1.83
- mail/roundcube/PLIST                                          1.40-1.41
- mail/roundcube/distinfo                                       1.49-1.51
- mail/roundcube/patches/patch-config.inc.php                   deleted
- mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect 1.1
- mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php 1.3

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu May 26 03:20:37 UTC 2016

   Modified Files:
   	pkgsrc/mail/roundcube: Makefile PLIST distinfo
   Removed Files:
   	pkgsrc/mail/roundcube/patches: patch-config.inc.php

   Log Message:
   Update roundcube to 1.1.5, including security fix.

   RELEASE 1.1.5
   -------------
   - Plugin API: Add html2text hook
   - Plugin API: Added addressbook_export hook
   - Fix missing emoticons on html-to-text conversion
   - Fix random "access to this resource is secured against CSRF" message at logout (#4956)
   - Fix missing language name in "Add to Dictionary" request in HTML mode (#4951)
   - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955)
   - Fix XSS issue in SVG images handling (#4949)
   - Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958)
   - Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961)
   - Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964)
   - Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966)
   - Hide DSN option in Preferences when smtp_server is not used (#4967)
   - Protect download urls against CSRF using unique request tokens (#4957)
   - newmail_notifier: Refactor desktop notifications
   - Fix so contactlist_fields option can be set via config file
   - Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782)
   - Fix performance in reverting order of THREAD result
   - Fix converting mail addresses with @www. into mailto links (#5197)

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu May 26 03:23:39 UTC 2016

   Added Files:
   	pkgsrc/mail/roundcube/patches:
   	    patch-plugins_password_helpers_passwd-expect

   Log Message:
   Oops, forgot to add a patch file for NetBSD (and perhaps for *BSD) to
   make password plugin work.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu May 26 23:22:17 UTC 2016

   Modified Files:
   	pkgsrc/mail/roundcube: Makefile distinfo
   Added Files:
   	pkgsrc/mail/roundcube/patches:
   	    patch-program_lib_Roundcube_rcube__washtml.php

   Log Message:
   Update security patch for CVE-2016-5103 (XSS) from upstream.

   Bump PKGREVISION.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun May 29 15:46:59 UTC 2016

   Modified Files:
   	pkgsrc/mail/roundcube: Makefile PLIST distinfo

   Log Message:
   Switch to get distfiles from GitHub, noted by David Brownlee via private
   e-mail.

   And some installed files are changed, bump PKGREVISION.


(bsiegert)
diff -r1.80 -r1.80.2.1 pkgsrc/mail/roundcube/Makefile
diff -r1.48 -r1.48.4.1 pkgsrc/mail/roundcube/distinfo
diff -r1.2 -r0 pkgsrc/mail/roundcube/patches/patch-config.inc.php
diff -r0 -r1.1.2.2 pkgsrc/mail/roundcube/patches/patch-plugins_password_helpers_passwd-expect
diff -r0 -r1.3.2.2 pkgsrc/mail/roundcube/patches/patch-program_lib_Roundcube_rcube__washtml.php

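--- a/pkgsrc/mail/roundcube/Makefile
+++ b/pkgsrc/mail/roundcube/Makefile
@@ -1,19 +1,24 @@
-# $NetBSD: Makefile,v 1.80 2016/03/16 13:36:52 taca Exp $
+# $NetBSD: Makefile,v 1.80.2.1 2016/06/04 19:39:34 bsiegert Exp $
 
-DISTNAME= roundcubemail-1.1.4
+DISTNAME= roundcubemail-1.1.5
 PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME:S/mail-/-/}
+PKGREVISION= 2
 CATEGORIES= mail
-MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=roundcubemail/}
+MASTER_SITES= ${MASTER_SITE_GITHUB:=roundcube/}
+GITHUB_PROJECT= roundcubemail
+GITHUB_RELEASE= 1.1.5
+GITHUB_TYPE= release
+DIST_SUBDIR= roundcubemail-1.1.5
 
 MAINTAINER= taca@NetBSD.org
 HOMEPAGE= http://roundcube.net/
 COMMENT= Browser-based multilingual IMAP client
 LICENSE= gnu-gpl-v3
 
 DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=${PHP_BASE_VERS}:../../converters/php-mbstring
 DEPENDS+= ${PHP_PKG_PREFIX}-dom>=${PHP_BASE_VERS}:../../textproc/php-dom
 DEPENDS+= ${PHP_PKG_PREFIX}-exif>=${PHP_BASE_VERS}:../../graphics/php-exif
 DEPENDS+= ${PHP_PKG_PREFIX}-intl>=${PHP_BASE_VERS}:../../textproc/php-intl
 DEPENDS+= ${PHP_PKG_PREFIX}-json>=${PHP_BASE_VERS}:../../textproc/php-json
 
 DEPENDS+= ${PHP_PKG_PREFIX}-pear-Net_Sieve>=1.3.2:../../net/pear-Net_Sieve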

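--- a/pkgsrc/mail/roundcube/distinfo
+++ b/pkgsrc/mail/roundcube/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.48 2015/12/26 14:24:48 taca Exp $
+$NetBSD: distinfo,v 1.48.4.1 2016/06/04 19:39:34 bsiegert Exp $
 
-SHA1 (roundcubemail-1.1.4.tar.gz) = 4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3
-RMD160 (roundcubemail-1.1.4.tar.gz) = 24f4bd093db74183132eba7ff610fcff9840541a
-SHA512 (roundcubemail-1.1.4.tar.gz) = 18c2422d65292cd13bc4ce592e8490cc0a9d3e9551ac4d188db93eb989525af7ccf519642dd2e68a7380ab0d0d4ad4f999af2b7e99da75d88274743949b42f8a
-Size (roundcubemail-1.1.4.tar.gz) = 3209549 bytes
+SHA1 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 8a59d196ef0aa6d9c717b00699215135abcb99cf
+RMD160 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 33cc523ccbc7a4437a2f1a9d67783ba4cfc3bd5d
+SHA512 (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 0202dfa5ae6bbc121bc07ccfe4fc5d5b3bc2ef84956c1ed1d5f0dac9290f945c0f09b6086484ff83eaec286b8083f0ce07c758ba76a13d0b1cb4571400140b1d
+Size (roundcubemail-1.1.5/roundcubemail-1.1.5.tar.gz) = 3212432 bytes
 SHA1 (patch-ac) = 235116580665d5d58edc218c063b41171a2d9227
 SHA1 (patch-af) = 1f95a7005569207469563aa37ff48da0383b7668
-SHA1 (patch-config.inc.php) = 6652bd2aaba06e1d1dd4a02d2390aa523f54e613
+SHA1 (patch-plugins_password_helpers_passwd-expect) = 9e0082f23e37bbab26e8bb1439668132d5aacca2
+SHA1 (patch-program_lib_Roundcube_rcube__washtml.php) = 3a38804d81ead4cd0271befaacc370e78c103b7a
 SHA1 (patch-rcube_mime_default) = fe6ff1bea0a2c4223b34e44a6d0ca76e6476d2aa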

File Deleted: pkgsrc/mail/roundcube/patches/Attic/patch-config.inc.php

File Added: pkgsrc/mail/roundcube/patches/Attic/patch-plugins_password_helpers_passwd-expect
$NetBSD: patch-plugins_password_helpers_passwd-expect,v 1.1.2.2 2016/06/04 19:39:34 bsiegert Exp $

Make password plugin work on NetBSD (and maybe other *BSD).

--- plugins/password/helpers/passwd-expect.orig	2016-04-17 16:22:20.000000000 +0000
+++ plugins/password/helpers/passwd-expect
@@ -49,7 +49,7 @@ set oldpassword_string "((O|o)ld|login|\
 set newpassword_string "(N|n)ew.* (P|p)assword.*"
 set badoldpassword_string "(Authentication token manipulation error).*"
 set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
-set verify_string      "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
+set verify_string      "((R|r)e-*enter.*(P|p)assword|Retype (N|n)ew( UNIX)? (P|p)assword|(V|v)erification|(V|v)erify|(A|a)gain).*"
 set success_string     "((P|p)assword.* changed|successfully)"
 set login_string       "(((L|l)ogin|(U|u)sername).*)"
 set timeout            20
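Review bot: The patch description says only that this makes the plugin work on NetBSD, but the `verify_string` change is a prompt-matching tweak that nobody can re-verify later without knowing which text NetBSD's passwd(1) actually prints. The old pattern already accepted `Retype new password` and `Retype new UNIX password`, so the only new behaviour is case-insensitive `New`/`Password`; I would state that in the description above the `---` line, e.g. `NetBSD passwd(1) appears to capitalise the re-prompt ("Retype New Password"); match it case-insensitively` — hedged, since the exact prompt is not visible in this diff. Without that note a future regex cleanup is likely to drop the change and silently break the plugin again.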
@@ -251,6 +251,8 @@ expect {
 expect {
   -re $success_string {sleep .5
                        send exit\r}
+  -re $prompt_string { sleep .5
+                       send exit\r}
   -re $badpassword_string {puts $err "$expect_out(0,string)"
                            close $err
                            exit 1}
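Review bot: The new `-re $prompt_string` arm is listed before `-re $badpassword_string`, and expect tries a block's arms in written order against the buffered output, so if passwd prints an error and the shell prompt arrives in the same read the prompt arm wins, the script sends `exit` and the failed change is reported to the password plugin as a success. Move the two added lines below the `$badpassword_string` arm — and below any other failure arms that follow in the part of this expect block outside the hunk — so an error text is always preferred over a bare prompt. Whether the caller checks the helper's exit status is not visible here; if it does not, a bare prompt with no `$success_string` is a silent-failure path that deserves an explicit comment on the added arm. `$prompt_string` is defined outside the hunk, so confirm it is set for the non-sudo path as well as the sudo/su paths. This expect block ends outside the hunk.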

File Added: pkgsrc/mail/roundcube/patches/Attic/patch-program_lib_Roundcube_rcube__washtml.php
$NetBSD: patch-program_lib_Roundcube_rcube__washtml.php,v 1.3.2.2 2016/06/04 19:39:34 bsiegert Exp $

Fix CVE-2016-5103, XSS from upstream.

--- program/lib/Roundcube/rcube_washtml.php.orig	2016-04-17 16:22:20.000000000 +0000
+++ program/lib/Roundcube/rcube_washtml.php
@@ -370,7 +370,7 @@ class rcube_washtml
      */
     private function is_link_attribute($tag, $attr)
     {
-        return $tag == 'a' && $attr == 'href';
+        return ($tag == 'a' || $tag == 'area') && $attr == 'href';
     }
 
     /**
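Review bot: The change closes the `<area href="javascript:…">` vector of CVE-2016-5103 but keeps the allow-by-tag shape that produced it: any other tag the washer lets through with an `href` would again skip link washing. Unless the allowed-tag list (not visible here) guarantees that only `a` and `area` can reach this check carrying `href`, the tag test adds nothing for safety and I would make the predicate attribute-centric, `return $attr == 'href';`, with a why-comment `// every href is washed as a link; no tag is exempt` so the next element is not another bypass. If the tag restriction is intentional, the docblock that ends at the top of this hunk should list the tags and say why `base`/`link` need no treatment here. The function is fully contained in the hunk.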