rpms/php-pear-Mail/EL-5 php-pear-Mail-security.patch, NONE, 1.1 php-pear-Mail.spec, 1.8, 1.9 xml2changelog, 1.3, 1.4
Remi Collet
remi at fedoraproject.org
Fri Nov 27 18:51:56 UTC 2009
Author: remi
Update of /cvs/extras/rpms/php-pear-Mail/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21970
Modified Files:
php-pear-Mail.spec xml2changelog
Added Files:
php-pear-Mail-security.patch
Log Message:
Fix security bug
php-pear-Mail-security.patch:
Mail-1.1.14/Mail/sendmail.php | 4 ++--
package.xml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE php-pear-Mail-security.patch ---
diff -up Mail-1.1.14/Mail/sendmail.php.orig Mail-1.1.14/Mail/sendmail.php
--- Mail-1.1.14/Mail/sendmail.php.orig 2009-11-27 19:12:52.000000000 +0100
+++ Mail-1.1.14/Mail/sendmail.php 2009-11-27 19:16:08.000000000 +0100
@@ -108,7 +108,7 @@ class Mail_sendmail extends Mail {
if (PEAR::isError($recipients)) {
return $recipients;
}
- $recipients = escapeShellCmd(implode(' ', $recipients));
+ $recipients = implode(' ', array_map('escapeshellarg', $recipients));
$this->_sanitizeHeaders($headers);
$headerElements = $this->prepareHeaders($headers);
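Review bot: The per-recipient `escapeshellarg` call on the added line is locale-sensitive, and nothing here documents it. PHP may drop bytes that are not valid in the current LC_CTYPE, so an address containing non-ASCII characters could be altered silently instead of being rejected. I would add a comment above the line such as `// escapeshellarg() quotes each address as one shell word; non-ASCII bytes may be stripped depending on LC_CTYPE`. The enclosing method starts and ends outside this hunk, so it is not visible whether addresses are already restricted to ASCII before this point.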
@@ -126,7 +126,7 @@ class Mail_sendmail extends Mail {
return PEAR::raiseError('From address specified with dangerous characters.');
}
- $from = escapeShellCmd($from);
+ $from = escapeShellArg($from);
$mail = @popen($this->sendmail_path . (!empty($this->sendmail_args) ? ' ' . $this->sendmail_args : '') . " -f$from -- $recipients", 'w');
if (!$mail) {
return PEAR::raiseError('Failed to open sendmail [' . $this->sendmail_path . '] for execution.');
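Review bot: `$this->sendmail_path` and `$this->sendmail_args` still reach `popen()` unquoted on the line after the fix, so the command is only as safe as those two properties. If they are always set from trusted configuration, that should be stated, e.g. `// sendmail_path and sendmail_args are passed to the shell verbatim; set them from trusted configuration only`. It is also worth confirming that an empty `$from` is rejected before this point, because `escapeshellarg('')` yields `''` and the option would become a bare `-f`. The condition guarding the error return at the top of the hunk is outside the visible lines.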
--- package.xml.orig 2009-11-27 19:19:41.000000000 +0100
+++ package.xml 2006-10-11 22:32:51.000000000 +0200
@@ -52,7 +52,7 @@
<file role="php" md5sum="e90b498ce97ee926aab71180aa1f68bd" name="Mail.php"/>
<file role="php" md5sum="c3433e6b7b54a362c6acbffffddcb2f1" name="Mail/mail.php"/>
<file role="php" md5sum="4a1ed7ae8036862b24fa0ea84f8bbe0e" name="Mail/null.php"/>
- <file role="php" md5sum="8d567715b062fd05ae0d0c195ec3ba1b" name="Mail/sendmail.php"/>
+ <file role="php" md5sum="cf1a206ca5ec1dabc706e6e76b9eb723" name="Mail/sendmail.php"/>
<file role="php" md5sum="ed539e37c764c38205cb70597e0e84e4" name="Mail/smtp.php"/>
<file role="php" md5sum="3a513a76e6222b50e7e1186a11cb7b2b" name="Mail/RFC822.php"/>
<file role="test" md5sum="4117acf13586a15da2a5cdd368aa3931" name="tests/rfc822.phpt"/>
Index: php-pear-Mail.spec
===================================================================
RCS file: /cvs/extras/rpms/php-pear-Mail/EL-5/php-pear-Mail.spec,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- php-pear-Mail.spec 24 Aug 2007 06:30:14 -0000 1.8
+++ php-pear-Mail.spec 27 Nov 2009 18:51:56 -0000 1.9
@@ -3,7 +3,7 @@
Name: php-pear-Mail
Version: 1.1.14
-Release: 2%{?dist}
+Release: 5%{?dist}
Summary: Class that provides multiple interfaces for sending emails
Summary(fr): Une Classe fournissant des interfaces pour envoyer des emails
@@ -12,6 +12,10 @@ License: PHP
URL: http://pear.php.net/package/Mail
Source0: http://pear.php.net/get/%{pear_name}-%{version}.tgz
Source2: xml2changelog
+
+# See http://www.debian.org/security/2009/dsa-1938
+Patch0: %{name}-security.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -21,6 +25,7 @@ Requires(post): %{__pear}
Requires(postun): %{__pear}
Provides: php-pear(%{pear_name}) = %{version}
+
%description
PEAR's Mail package defines an interface for implementing mailers under the
PEAR hierarchy. It also provides supporting functions useful to multiple
@@ -36,34 +41,43 @@ elle supporte la fonction PHP standard m
Cette extension contient aussi une classe permettant de vérifer la
conformité à la RFC822 des liste d'adresses de courrier.
+
%prep
%setup -q -c
-[ -f package2.xml ] || mv package.xml package2.xml
+
+%patch0 -p0
+
+# Package is still an old V1 one
+%{__pear} convert package.xml package2.xml
%{_bindir}/php -n %{SOURCE2} package2.xml >CHANGELOG
-mv package2.xml %{pear_name}-%{version}/%{pear_name}.xml
+mv package2.xml %{pear_name}-%{version}/%{name}.xml
+
%build
cd %{pear_name}-%{version}
# Empty build section, most likely nothing required.
+
%install
rm -rf $RPM_BUILD_ROOT
cd %{pear_name}-%{version}
-%{__pear} install --nodeps --packagingroot $RPM_BUILD_ROOT %{pear_name}.xml
+%{__pear} install --nodeps --packagingroot $RPM_BUILD_ROOT %{name}.xml
# Clean up unnecessary files
rm -rf $RPM_BUILD_ROOT%{pear_phpdir}/.??*
# Install XML package description
mkdir -p $RPM_BUILD_ROOT%{pear_xmldir}
-install -pm 644 %{pear_name}.xml $RPM_BUILD_ROOT%{pear_xmldir}
+install -pm 644 %{name}.xml $RPM_BUILD_ROOT%{pear_xmldir}
+
%clean
rm -rf $RPM_BUILD_ROOT
+
%post
%{__pear} install --nodeps --soft --force --register-only \
- %{pear_xmldir}/%{pear_name}.xml >/dev/null || :
+ %{pear_xmldir}/%{name}.xml >/dev/null || :
%postun
if [ $1 -eq 0 ] ; then
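Review bot: `%patch0 -p0` applies a patch that carries a hand-edited md5sum for Mail/sendmail.php in package.xml, and nothing in %prep records that coupling. If the sendmail.php part of the patch is ever changed, the checksum goes stale and the later `pear install` step would presumably fail its file check. A comment next to the patch line would help, for example `# Patch0 also updates the md5sum of Mail/sendmail.php in package.xml; regenerate it if the patch changes`.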
@@ -71,15 +85,21 @@ if [ $1 -eq 0 ] ; then
%{pear_name} >/dev/null || :
fi
+
%files
%defattr(-,root,root,-)
%doc CHANGELOG
%{pear_phpdir}/Mail.php
%{pear_phpdir}/Mail
%{pear_testdir}/Mail
-%{pear_xmldir}/%{pear_name}.xml
+%{pear_xmldir}/%{name}.xml
+
%changelog
+* Fri Nov 27 2009 Remi Collet <Fedora at FamilleCollet.com> 1.1.14-5
+- Fix CVE-2009-4023 (#540842)
+- rename Mail.xml to php-pear-Mail.xml
+
* Fri Aug 24 2007 Remi Collet <Fedora at FamilleCollet.com> 1.1.14-2
- Fix License
Index: xml2changelog
===================================================================
RCS file: /cvs/extras/rpms/php-pear-Mail/EL-5/xml2changelog,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- xml2changelog 24 Aug 2007 06:30:14 -0000 1.3
+++ xml2changelog 27 Nov 2009 18:51:56 -0000 1.4
@@ -7,16 +7,22 @@ $file=array_shift($_SERVER['argv']);
if (in_array("--debug", $_SERVER['argv'])) print_r($xml);
if ($xml['version'] >= "2"){ // Package.xml V 2.0
- printf("* Version %s (%s) - API %s (%s) - %s\n\n%s\n\n",
+ printf("*** Version %s (%s) - API %s (%s) - %s\n\n%s\n\n",
$xml->version->release, $xml->stability->release,
$xml->version->api, $xml->stability->api,
$xml->date, $xml->notes);
+ $new=$xml->version->release;
- if (is_array($xml->changelog->release)) foreach($xml->changelog->release as $rel)
- printf("* Version %s (%s) - API %s (%s) - %s\n\n%s\n\n",
+ if (isset($xml->changelog->release) && count($xml->changelog->release))
+ foreach($xml->changelog->release as $rel) {
+ $old=$rel->version->release;
+ if ("$old" != "$new") {
+ printf("*** Version %s (%s) - API %s (%s) - %s\n\n%s\n\n",
$rel->version->release, $rel->stability->release,
$rel->version->api, $rel->stability->api,
$rel->date, $rel->notes);
+ }
+ }
} else { // Package.xml V 1.0
printf("* Version %s (%s) - %s\n\n%s\n\n",
$xml->release->version, $xml->release->state, $xml->release->date, $xml->release->notes);
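Review bot: The added `if ("$old" != "$new")` uses loose comparison, which PHP evaluates numerically when both strings look like numbers. Releases such as `1.10` and `1.1` would therefore be treated as the same version and the older changelog entry dropped. A strict string comparison avoids that: `if ((string)$old !== (string)$new) {`. Three-part versions like 1.1.14 are not affected, but two-part ones are. The top of the script, where `$xml` is loaded, is outside the hunk.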