rpms/squirrelmail/F-9 squirrelmail-1.4.17-biguid.patch, NONE, 1.1 sources, 1.23, 1.24 squirrelmail-1.4.6-zenkaku-subject-convert.patch, 1.1, 1.2 squirrelmail.spec, 1.58, 1.59
Michal Hlavinka
mhlavink at fedoraproject.org
Tue May 12 13:02:12 UTC 2009
Author: mhlavink
Update of /cvs/extras/rpms/squirrelmail/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19900
Modified Files:
sources squirrelmail-1.4.6-zenkaku-subject-convert.patch
squirrelmail.spec
Added Files:
squirrelmail-1.4.17-biguid.patch
Log Message:
updated to 1.4.18
squirrelmail-1.4.17-biguid.patch:
--- NEW FILE squirrelmail-1.4.17-biguid.patch ---
diff -up squirrelmail/functions/global.php.biguid squirrelmail/functions/global.php
--- squirrelmail/functions/global.php.biguid 2009-01-22 11:35:17.000000000 +0100
+++ squirrelmail/functions/global.php 2009-01-23 12:12:31.570024148 +0100
@@ -520,3 +520,16 @@ function is_ssl_secured_connection()
return FALSE;
}
+/**
+ * Restrict value to be numeric string
+ *
+ * @param string $value The value to be checked
+ *
+ * @return $value if it is numeric string, "0" otherwise
+ *
+ * @since 1.4.18
+ */
+function sqrestrict_to_num($value)
+{
+ return preg_match('/^[0-9]+$/', $value) ? $value : '0';
+}
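Review bot: The pattern in `sqrestrict_to_num()` is anchored with `$`, which in PCRE also matches just before a trailing newline, so a value such as digits followed by "\n" passes and is returned with the newline still attached. The later hunks interpolate the result into an IMAP command (`"FETCH $id (FLAGS BODYSTRUCTURE)"` in imap_messages.php) and assign it to `$passed_id` / `$delete_draft` in compose.php, download.php, image.php, printer_friendly_main.php, read_body.php and view_header.php, so the helper should guarantee digits only. Anchoring with the `D` modifier closes this: `return preg_match('/^[0-9]+$/D', $value) ? $value : '0';`. The docblock's `@return` line would also read better with a type, e.g. `@return string the digit-only value, or "0" if it is not one`.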
diff -up squirrelmail/functions/imap_messages.php.biguid squirrelmail/functions/imap_messages.php
--- squirrelmail/functions/imap_messages.php.biguid 2009-01-22 11:35:17.000000000 +0100
+++ squirrelmail/functions/imap_messages.php 2009-01-23 12:11:13.912875541 +0100
@@ -1006,7 +1006,7 @@ function sqimap_get_message($imap_stream
global $uid_support;
// typecast to int to prohibit 1:* msgs sets
- $id = (int) $id;
+ $id = sqrestrict_to_num($id);
$flags = array();
$read = sqimap_run_command($imap_stream, "FETCH $id (FLAGS BODYSTRUCTURE)", true, $response, $message, $uid_support);
if ($read) {
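Review bot: The context comment `// typecast to int to prohibit 1:* msgs sets` no longer describes the line below it, because `$id` now stays a string and is filtered by `sqrestrict_to_num()` instead of being cast. A maintainer reading the comment could reinstate the `(int)` cast and reintroduce the truncation of large UIDs. Suggested wording: `// restrict to a digit-only string to prohibit 1:* msg sets; not cast to int so UIDs above the integer range survive`. The body of `sqimap_get_message()` starts and ends outside this hunk.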
diff -up squirrelmail/plugins/delete_move_next/setup.php.biguid squirrelmail/plugins/delete_move_next/setup.php
--- squirrelmail/plugins/delete_move_next/setup.php.biguid 2009-01-22 11:35:10.000000000 +0100
+++ squirrelmail/plugins/delete_move_next/setup.php 2009-01-23 12:11:13.913875492 +0100
@@ -166,11 +166,11 @@ function delete_move_next_read($currloc)
$prev_if_del = $prev;
$next_if_del = $next;
if (!$uid_support && ($auto_expunge || $move_to_trash)) {
- if ($prev_if_del > $passed_id) {
- $prev_if_del--;
+ if (((float)$prev_if_del) > ((float)$passed_id)) {
+ $prev_if_del = (string) (((float)$prev_if_del) -1);
}
- if ($next_if_del > $passed_id) {
- $next_if_del--;
+ if (((float)$next_if_del) > ((float)$passed_id)) {
+ $next_if_del = (string) (((float)$next_if_del) -1);
}
}
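Review bot: The two new assignments, `$prev_if_del = (string) (((float)$prev_if_del) -1);` and the matching `$next_if_del` line, rely on PHP's float-to-string conversion, whose output depends on the `precision` ini setting and switches to exponent notation once the value has more digits than that setting allows. The following hunk places these values in the `passed_id=` URL parameter, and other hunks in this patch pass `passed_id` through `sqrestrict_to_num()`, so a non-digit rendering would presumably be turned into "0" on the next request. Formatting explicitly avoids the dependency: `$prev_if_del = sprintf('%.0f', ((float)$prev_if_del) - 1);`, and likewise for `$next_if_del`. `delete_move_next_read()` begins before and continues after this hunk.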
@@ -181,31 +181,31 @@ function delete_move_next_read($currloc)
'<tr>'.
"<td bgcolor=\"$color[9]\" width=\"100%\" align=\"center\"><small>";
- if ($prev > 0){
+ if (((float)$prev) > 0){
echo "<a href=\"read_body.php?passed_id=$prev_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id\">" . _("Delete & Prev") . "</a>" . " | \n";
}
else {
echo _("Delete & Prev") . " | ";
}
- if ($next > 0){
+ if (((float)$next) > 0){
echo "<a href=\"read_body.php?passed_id=$next_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id\">" . _("Delete & Next") . "</a>\n";
} else {
echo _("Delete & Next");
}
echo '</small></td></tr>';
- if ($next_if_del < 0) {
+ if (((float)$next_if_del) < 0) {
$next_if_del = $prev_if_del;
}
if (($delete_move_next_formATtop == 'on') && ($currloc == 'top')) {
- if ($next_if_del > 0) {
+ if (((float)$next_if_del) > 0) {
delete_move_next_moveNextForm($next_if_del);
} else {
delete_move_next_moveRightMainForm();
}
}
if (($delete_move_next_formATbottom != 'off') && ($currloc == 'bottom')) {
- if ($next_if_del > 0) {
+ if (((float)$next_if_del) > 0) {
delete_move_next_moveNextForm($next_if_del);
} else {
delete_move_next_moveRightMainForm();
diff -up squirrelmail/src/compose.php.biguid squirrelmail/src/compose.php
--- squirrelmail/src/compose.php.biguid 2009-01-22 11:35:13.000000000 +0100
+++ squirrelmail/src/compose.php 2009-01-23 12:11:13.913875492 +0100
@@ -92,7 +92,7 @@ sqgetGlobalVar('ent_num',$ent_num, $SQ_G
sqgetGlobalVar('saved_draft',$saved_draft, SQ_FORM);
if ( sqgetGlobalVar('delete_draft',$delete_draft) ) {
- $delete_draft = (int)$delete_draft;
+ $delete_draft = sqrestrict_to_num($delete_draft);
}
if ( sqgetGlobalVar('startMessage',$startMessage) ) {
diff -up squirrelmail/src/download.php.biguid squirrelmail/src/download.php
--- squirrelmail/src/download.php.biguid 2009-01-22 11:35:13.000000000 +0100
+++ squirrelmail/src/download.php 2009-01-23 12:11:13.914875446 +0100
@@ -38,7 +38,7 @@ sqgetGlobalVar('mailbox', $mailbox,
sqgetGlobalVar('ent_id', $ent_id, SQ_GET);
sqgetGlobalVar('absolute_dl',$absolute_dl, SQ_GET);
if ( sqgetGlobalVar('passed_id', $temp, SQ_GET) ) {
- $passed_id = (int) $temp;
+ $passed_id = sqrestrict_to_num($temp);
}
global $default_charset;
diff -up squirrelmail/src/image.php.biguid squirrelmail/src/image.php
--- squirrelmail/src/image.php.biguid 2009-01-22 11:35:13.000000000 +0100
+++ squirrelmail/src/image.php 2009-01-23 12:11:13.914875446 +0100
@@ -32,7 +32,7 @@ displayPageHeader($color, 'None');
/* globals */
if ( sqgetGlobalVar('passed_id', $temp, SQ_GET) ) {
- $passed_id = (int) $temp;
+ $passed_id = sqrestrict_to_num($temp);
}
sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
sqgetGlobalVar('ent_id', $ent_id, SQ_GET);
diff -up squirrelmail/src/printer_friendly_main.php.biguid squirrelmail/src/printer_friendly_main.php
--- squirrelmail/src/printer_friendly_main.php.biguid 2009-01-22 11:35:13.000000000 +0100
+++ squirrelmail/src/printer_friendly_main.php 2009-01-23 12:11:13.914875446 +0100
@@ -29,7 +29,7 @@ if ( ! sqgetGlobalVar('mailbox',$mailbox
! sqgetGlobalVar('passed_id',$passed_id,SQ_GET)) {
error_box(_("Invalid URL"),$color);
} else {
- $passed_id= (int) $passed_id;
+ $passed_id= sqrestrict_to_num($passed_id);
$view_unsafe_images = (bool) $_GET['view_unsafe_images'];
/* end globals */
displayHtmlHeader( _("Printer Friendly"), '', false, true );
diff -up squirrelmail/src/read_body.php.biguid squirrelmail/src/read_body.php
--- squirrelmail/src/read_body.php.biguid 2009-01-22 11:35:13.000000000 +0100
+++ squirrelmail/src/read_body.php 2009-01-23 12:11:13.915796109 +0100
@@ -750,7 +750,7 @@ sqgetGlobalVar('passed_ent_id', $passed_
sqgetGlobalVar('mailbox', $mailbox);
if ( sqgetGlobalVar('passed_id', $temp) ) {
- $passed_id = (int) $temp;
+ $passed_id = sqrestrict_to_num($temp);
}
if ( sqgetGlobalVar('sort', $temp) ) {
$sort = (int) $temp;
diff -up squirrelmail/src/view_header.php.biguid squirrelmail/src/view_header.php
--- squirrelmail/src/view_header.php.biguid 2009-01-22 11:35:13.000000000 +0100
+++ squirrelmail/src/view_header.php 2009-01-23 12:11:13.915796109 +0100
@@ -119,7 +119,7 @@ function view_header($header, $mailbox,
/* get global vars */
if ( sqgetGlobalVar('passed_id', $temp, SQ_GET) ) {
- $passed_id = (int) $temp;
+ $passed_id = sqrestrict_to_num($temp);
}
if ( sqgetGlobalVar('mailbox', $temp, SQ_GET) ) {
$mailbox = $temp;
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/squirrelmail/F-9/sources,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- sources 4 Dec 2008 14:00:26 -0000 1.23
+++ sources 12 May 2009 13:01:41 -0000 1.24
@@ -1,2 +1,2 @@
-6ff0df8ae0e7f13418ed37ea1c93f6f3 squirrelmail-1.4.17.tar.bz2
c6463312afcd602ae60fd8f388dfb8c2 all_locales-1.4.13-20071220.tar.bz2
+2df99afc1bc3b121296af65f52fbc5cc squirrelmail-1.4.18.tar.bz2
squirrelmail-1.4.6-zenkaku-subject-convert.patch:
Index: squirrelmail-1.4.6-zenkaku-subject-convert.patch
===================================================================
RCS file: /cvs/extras/rpms/squirrelmail/F-9/squirrelmail-1.4.6-zenkaku-subject-convert.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- squirrelmail-1.4.6-zenkaku-subject-convert.patch 23 Jun 2006 20:39:43 -0000 1.1
+++ squirrelmail-1.4.6-zenkaku-subject-convert.patch 12 May 2009 13:01:41 -0000 1.2
@@ -4,14 +4,14 @@ kata-kana". Usually, if a user used "han
or header, any mail application would convert it to "zen-kaku kata-kana".
The squirrelmail also should convert.
-diff -urN squirrelmail-1.4.6.orig/functions/i18n.php squirrelmail-1.4.6/functions/i18n.php
---- squirrelmail-1.4.6.orig/functions/i18n.php 2006-02-10 15:30:31.000000000 -0500
-+++ squirrelmail-1.4.6/functions/i18n.php 2006-06-23 15:49:06.000000000 -0400
-@@ -487,6 +487,7 @@
- break;
- case 'encodeheader':
- $result = '';
-+ $ret = mb_convert_kana($ret, "KV");
- if (strlen($ret) > 0) {
- $tmpstr = mb_substr($ret, 0, 1);
- $prevcsize = strlen($tmpstr);
+diff -up squirrelmail-1.4.18/functions/i18n.php.zenkaku squirrelmail-1.4.18/functions/i18n.php
+--- squirrelmail-1.4.18/functions/i18n.php.zenkaku 2009-05-07 23:55:44.000000000 +0200
++++ squirrelmail-1.4.18/functions/i18n.php 2009-05-12 09:24:06.063892916 +0200
+@@ -625,6 +625,7 @@ function japanese_charset_xtra() {
+ $ret = encodeHeaderBase64(mb_convert_encoding($ret,'ISO-2022-JP','EUC-JP'),
+ 'iso-2022-jp');
+ }
++ $ret = mb_convert_kana($ret, "KV");
+ /**
+ * if text is in ascii, we leave it unchanged. If some ASCII
+ * chars must be encoded, add code here in else statement.
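Review bot: In the rebased patch the added `$ret = mb_convert_kana($ret, "KV");` now follows the `encodeHeaderBase64(mb_convert_encoding($ret,'ISO-2022-JP','EUC-JP'), 'iso-2022-jp')` call, whereas the 1.4.6 version converted `$ret` before any encoding took place. If the closing brace above it ends the 8-bit branch, as the context suggests, the conversion runs on an already Base64-encoded ASCII header and the han-kaku to zen-kaku conversion is silently lost. Moving the line above the condition that guards the encode call, which lies outside this hunk, would restore the original intent. Passing the encoding explicitly, `mb_convert_kana($ret, "KV", 'EUC-JP')`, would also remove the reliance on mbstring's internal encoding setting.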
Index: squirrelmail.spec
===================================================================
RCS file: /cvs/extras/rpms/squirrelmail/F-9/squirrelmail.spec,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -p -r1.58 -r1.59
--- squirrelmail.spec 4 Dec 2008 14:00:26 -0000 1.58
+++ squirrelmail.spec 12 May 2009 13:01:41 -0000 1.59
@@ -5,7 +5,7 @@
Summary: SquirrelMail webmail client
Name: squirrelmail
-Version: 1.4.17
+Version: 1.4.18
Release: 1%{?dist}
License: GPLv2+
URL: http://www.squirrelmail.org/
@@ -16,18 +16,22 @@ Source2: squirrelmail-splash-fedora.png
Source3: squirrelmail-splash-rhel.png
Source4: http://prdownloads.sourceforge.net/squirrelmail/all_locales-1.4.13-20071220.tar.bz2
Source5: config_local.php
-Patch1: squirrelmail-1.4.6-zenkaku-subject-convert.patch
-#Patch2: squirrelmail-1.4.8-IE-Japanese-download-ugly-hack.patch
-Patch3: squirrelmail-1.4.6-japanese-multibyte-view-text.patch
-Patch4: squirrelmail-1.4.6-japanese-multibyte-view-body.patch
-#Patch5: squirrelmail-1.4.7-ja-translate.patch
-#Patch6: squirrelmail-1.4.9a-id_plural.patch
-# Taken from upstream
-Patch7: squirrelmail-1.4.15-tr-fix.patch
-# CVE-2006-6142
-#Patch100: squirrelmail-1.4.8-CVE-2006-6142-draft_composesess.patch
-#Patch101: squirrelmail-1.4.8-CVE-2006-6142-mailto.patch
-#Patch102: squirrelmail-1.4.8-CVE-2006-6142-mime.php.patch
+
+# bug #196017
+Patch1: squirrelmail-1.4.6-zenkaku-subject-convert.patch
+
+# bug #195452
+Patch2: squirrelmail-1.4.6-japanese-multibyte-view-text.patch
+
+# bug #194457
+Patch3: squirrelmail-1.4.6-japanese-multibyte-view-body.patch
+
+# Taken from upstream - translation with this fix is not released yet
+Patch4: squirrelmail-1.4.15-tr-fix.patch
+
+# bug #450780 - sent upstream, available here:
+# http://sourceforge.net/tracker/index.php?func=detail&aid=1855717&group_id=311&atid=100311
+Patch5: squirrelmail-1.4.17-biguid.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -46,34 +50,28 @@ easy to configure and install.
%prep
%setup -q -n squirrelmail-%{version}
-%patch1 -p1
-#%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-
-# CVE-2006-6142
-#%patch100 -p0
-#%patch101 -p0
-#%patch102 -p1
+%patch1 -p1 -b .zenkaku
+%patch2 -p1 -b .jpmbtext
+%patch3 -p1 -b .jpmbbody
mkdir locale_tempdir
-cd locale_tempdir
+pushd locale_tempdir
tar xfj %SOURCE4
-#%patch6 -p2
-%patch7 -p2
+%patch4 -p2
+popd
+
+%patch5 -p1 -b .biguid
%build
rm -f plugins/make_archive.pl
-# Clean up .orig files
-find -name '*.orig' -exec rm -f \{\} \;
-
# Rearrange the documentation
-mv AUTHORS ChangeLog COPYING INSTALL README UPGRADE doc/
-mv ReleaseNotes doc/ReleaseNotes.txt
+mv README doc/
mv themes/README.themes doc/
+mkdir -p doc/plugins
+mv plugins/demo doc/plugins
for f in `find plugins -name "README*" -or -name INSTALL \
- -or -name CHANGES -or -name HISTORY`; do
+ -or -name CHANGES -or -name HISTORY`; do
mkdir -p doc/`dirname $f`
mv $f $_
done
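Review bot: The new `-b .zenkaku`, `-b .jpmbtext`, `-b .jpmbbody` and `-b .biguid` options make patch keep a backup copy of every file it touches, and this hunk also removes the `find -name '*.orig' -exec rm -f` cleanup, so nothing visible here deletes those copies. If %install copies the source tree wholesale (not shown in this hunk), files such as `functions/global.php.biguid` would be packaged under the web-served data directory, where a non-.php suffix is usually returned as plain text. A cleanup step in %build would avoid shipping them, e.g. `find . \( -name '*.zenkaku' -o -name '*.jpmbtext' -o -name '*.jpmbbody' -o -name '*.biguid' \) -exec rm -f {} \;`.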
@@ -88,7 +86,7 @@ perl -pi -e "s{\.\./}{}g" doc/index.html
echo "left_refresh=300" >> data/default_pref
for f in contrib/RPM/squirrelmail.cron contrib/RPM/config.php.redhat; do
perl -pi -e "s|__ATTDIR__|%{_localstatedir}/spool/squirrelmail/attach/|g;"\
- -e "s|__PREFSDIR__|%{_localstatedir}/lib/squirrelmail/prefs/|g;" $f
+ -e "s|__PREFSDIR__|%{_localstatedir}/lib/squirrelmail/prefs/|g;" $f
done
# Fix the version
@@ -128,34 +126,34 @@ cd locale_tempdir
for LOCALE in `ls locale/` ; do
SKIPINVALID=
case $LOCALE in
- ja_JP)
- # ja_JP uses iso2022-jp for email but euc-jp in its interface.
+ ja_JP)
+ # ja_JP uses iso2022-jp for email but euc-jp in its interface.
# But why!?!?
- CHARSET=euc-jp
- ;;
- ko_KR)
- # ko_KR has broken help files in indeterminate charset.
- # Assume it's _mostly_ EUC-KR as it's supposed to be, and let
- # iconv drop invalid characters from the input.
- SKIPINVALID=-c
- CHARSET=`grep CHARSET locale/$LOCALE/setup.php | cut -f6 -d\'`
- ;;
- *)
- CHARSET=`grep CHARSET locale/$LOCALE/setup.php | cut -f6 -d\'`
- ;;
+ CHARSET=euc-jp
+ ;;
+ ko_KR)
+ # ko_KR has broken help files in indeterminate charset.
+ # Assume it's _mostly_ EUC-KR as it's supposed to be, and let
+ # iconv drop invalid characters from the input.
+ SKIPINVALID=-c
+ CHARSET=`grep CHARSET locale/$LOCALE/setup.php | cut -f6 -d\'`
+ ;;
+ *)
+ CHARSET=`grep CHARSET locale/$LOCALE/setup.php | cut -f6 -d\'`
+ ;;
esac
# Check for locales where CHARSET isn't in LOCALE.
grep LOCALE locale/$LOCALE/setup.php | grep -vi $CHARSET || :
if [ "$CHARSET" != "utf-8" -a "$CHARSET" != "UTF-8" ]; then
- for a in `ls help/$LOCALE/ 2>/dev/null` ; do
+ for a in `ls help/$LOCALE/ 2>/dev/null` ; do
if [ "$LOCALE" == "ja_JP" ]; then continue; fi
- iconv $SKIPINVALID -f $CHARSET -t utf-8 help/$LOCALE/$a > $a.new && mv $a.new help/$LOCALE/$a
- done
- sed -e "s/CHARSET..[ ]*= [^;]*;/CHARSET'] = 'utf-8';/" \
- -e "s/LOCALE..[ ]*= [^;]*;/LOCALE'] = '$LOCALE.UTF-8';/" \
- locale/$LOCALE/setup.php > setup.php.new ; mv setup.php.new locale/$LOCALE/setup.php
+ iconv $SKIPINVALID -f $CHARSET -t utf-8 help/$LOCALE/$a > $a.new && mv $a.new help/$LOCALE/$a
+ done
+ sed -e "s/CHARSET..[ ]*= [^;]*;/CHARSET'] = 'utf-8';/" \
+ -e "s/LOCALE..[ ]*= [^;]*;/LOCALE'] = '$LOCALE.UTF-8';/" \
+ locale/$LOCALE/setup.php > setup.php.new ; mv setup.php.new locale/$LOCALE/setup.php
fi
done
@@ -163,7 +161,7 @@ done
for POFILE in `find locale -name \*.po` ; do
CHARSET=`grep charset= $POFILE | cut -f2 -d= | cut -f1 -d\\\\`
if [ "$CHARSET" != "utf-8" -a "$CHARSET" != "UTF-8" ]; then
- sed s/charset=$CHARSET/charset=utf-8/ $POFILE | iconv -f $CHARSET -t utf-8 > $POFILE.new && mv $POFILE.new $POFILE
+ sed s/charset=$CHARSET/charset=utf-8/ $POFILE | iconv -f $CHARSET -t utf-8 > $POFILE.new && mv $POFILE.new $POFILE
fi
done
for POFILE in `find . -name \*.po` ; do
@@ -214,8 +212,7 @@ install -m 0755 contrib/RPM/squirrelmail
# install the config file
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
-install -m 644 $RPM_SOURCE_DIR/squirrelmail.conf \
- $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/
+install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/
# move sqspell plugin config to /etc
rm -f $RPM_BUILD_ROOT%{_datadir}/squirrelmail/plugins/squirrelspell/sqspell_config.php
@@ -231,6 +228,14 @@ cp -r help/* $RPM_BUILD_ROOT%{_datadir}/
cd ..
rm $RPM_BUILD_ROOT%{_datadir}/squirrelmail/locale/README.locales
+#remove '\r' where needed
+sed -i 's/\r//' doc/release_notes_archive/1.4/Notes-1.4.12.txt
+sed -i 's/\r//' doc/release_notes_archive/1.4/Notes-1.4.13.txt
+
+#remove unwanted files
+rm $RPM_BUILD_ROOT%{_datadir}/squirrelmail/plugins/filters/bulkquery/bulkquery.c
+rm $RPM_BUILD_ROOT%{_datadir}/squirrelmail/locale/es_ES/LC_MESSAGES/serversidefilter.po.new
+
%clean
rm -rf $RPM_BUILD_ROOT
@@ -261,6 +266,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/cron.daily/squirrelmail.cron
%changelog
+* Tue May 12 2009 Michal Hlavinka <mhlavink at redhat.com> - 1.4.18-1
+- update to 1.4.18 (fixes CVE-2009-1581)
+
* Thu Dec 04 2008 Michal Hlavinka <mhlavink at redhat.com> - 1.4.17-1
- update to 1.4.17 (fixes CVE-2008-2379)