Yay! Another update. And it's only the 3rd in four days. Just for a change, this is a security thing.

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3

From the announce message:

Hi,

The "Month Of PHP Bugs" reveals some PHP vulnerabilities. MOPB-02-2007 (PHP Executor Deep Recursion Stack Overflow) uses phpMyAdmin as an example to show a recursion vulnerability in PHP, for which a protection is provided in version 2.10.0.2.

More details will follow on phpmyadmin.net, Security section, PMASA-2007-3.

Marc Delisle, for the team
State Changed From-To: open->feedback
On Mon 5 Mar 07 at 22:44:19 +0100, Thierry Thomas <thierry@FreeBSD.org> wrote:

> Synopsis: [maintainer] databases/phpmyadmin security update to 2.10.0.2
>
> State-Changed-From-To: open->feedback
> State-Changed-By: thierry
> State-Changed-When: Mon Mar 5 21:40:39 UTC 2007
> State-Changed-Why:
>
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=109765

Oops, the explanation was missing:

it installs an empty directory ${PREFIX}/www/phpMyAdmin/libraries/compat which is ignored when packaging.

Then, pkg_delete causes the following error:

pkg_delete: file '/usr/local/www/phpMyAdmin/libraries/compat' doesn't exist
pkg_delete: unable to completely remove directory '/usr/local/www/phpMyAdmin/libraries/compat'
pkg_delete: couldn't entirely delete package (perhaps the packing list is incorrectly specified?)

Regards,
--
Th. Thomas.
Thierry Thomas wrote:
> On Mon 5 Mar 07 at 22:44:19 +0100, Thierry Thomas <thierry@FreeBSD.org>
> wrote:
>> Synopsis: [maintainer] databases/phpmyadmin security update to 2.10.0.2
>>
>> State-Changed-From-To: open->feedback
>> State-Changed-By: thierry
>> State-Changed-When: Mon Mar 5 21:40:39 UTC 2007
>> State-Changed-Why:
>>
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=109765
>
> Oops, the explanation was missing:
>
> it installs an empty directory ${PREFIX}/www/phpMyAdmin/libraries/compat
> which is ignored when packaging.
>
> Then, pkg_delete causes the following error:
>
> pkg_delete: file '/usr/local/www/phpMyAdmin/libraries/compat' doesn't exist
> pkg_delete: unable to completely remove directory '/usr/local/www/phpMyAdmin/libraries/compat'
> pkg_delete: couldn't entirely delete package (perhaps the packing list is
> incorrectly specified?)
>
> Regards,

I'm sorry, but I cannot reproduce this in my testing. There is certainly an entry for that directory in the +CONTENTS file for the port. When I remove the port it deinstalls cleanly.

For testing purposes I set:

PKG_DBDIR=/home/matthew/tmp/db/pkgs
PORT_DBDIR=/home/matthew/tmp/db/ports
PREFIX=/home/matthew/tmp/local

After installing the port:

happy-idiot-talk:~...db/pkgs/phpMyAdmin-2.10.0.2:% pwd
/home/matthew/tmp/db/pkgs/phpMyAdmin-2.10.0.2
happy-idiot-talk:~...db/pkgs/phpMyAdmin-2.10.0.2:% grep compat ./+CONTENTS
@dirrm www/phpMyAdmin/libraries/compat

Note that 'pkg_info -L pkgname' only shows the *files* installed by the port -- not the directories.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
Flat 3
7 Priory Courtyard
Ramsgate
Kent, CT11 9PW, UK
PGP: http://www.infracaninophile.co.uk/pgpkey
On Tue 6 Mar 07 at 11:47:03 +0100, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:

> > it installs an empty directory ${PREFIX}/www/phpMyAdmin/libraries/compat
> > which is ignored when packaging.
> >
> > Then, pkg_delete causes the following error:
> >
> > pkg_delete: file '/usr/local/www/phpMyAdmin/libraries/compat' doesn't exist
> > pkg_delete: unable to completely remove directory '/usr/local/www/phpMyAdmin/libraries/compat'
> > pkg_delete: couldn't entirely delete package (perhaps the packing list is
> > incorrectly specified?)
> >
> > Regards,
>
> I'm sorry, but I cannot reproduce this in my testing. There is certainly
> an entry for that directory in the +CONTENTS file for the port. When I
> remove the port it deinstalls cleanly.

Yes, it only installs libraries/compat as an empty directory:

cd /usr/ports/databases/phpmyadmin
make
grep compat work/plist
@dirrm %%MYADMDIR%%/libraries/compat

To reproduce the problem:

make package
sudo pkg_add /usr/ports/packages/All/phpMyAdmin-2.10.0.2.tbz
sudo pkg_delete phpMyAdmin-2.10.0.2

When installed as a port, this empty directory is created, but if installed as a package it is skipped.

To fix the problem: if you think that this directory is needed, then
touch ${PREFIX}/www/phpMyAdmin/libraries/compat/.keepme
during post-install, else just rmdir it, and adapt the plist accordingly.

Regards,
--
Th. Thomas.
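An added example, not part of the original thread or of the port: a sh/awk check that reads a packing list in the work/plist or +CONTENTS format quoted above and prints each @dirrm directory with no file anywhere beneath it, which per the message above is the kind of directory that is skipped when installing from a package. The function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the port). Reads a packing list on stdin and prints
# every @dirrm directory that has no file anywhere beneath it.

empty_dirrm() {
    awk '
        # Directory-removal directive: remember the directory name.
        /^@dirrm[ \t]/ { sub(/^@dirrm[ \t]+/, ""); dirs[$0] = 1; next }
        # Any other directive (@comment, @cwd, ...) or blank line: skip.
        /^@/ || /^[ \t]*$/ { next }
        # A file entry: mark each ancestor directory as populated.
        {
            path = $0
            while (sub("/[^/]*$", "", path)) populated[path] = 1
        }
        END { for (d in dirs) if (!(d in populated)) print d }
    ' | sort
}

# Constructed sample in the style of the work/plist line quoted in the thread.
sample_plist() {
    cat <<'EOF'
%%MYADMDIR%%/index.php
%%MYADMDIR%%/libraries/common.lib.php
%%MYADMDIR%%/libraries/dbi/mysql.dbi.lib.php
@dirrm %%MYADMDIR%%/libraries/dbi
@dirrm %%MYADMDIR%%/libraries/compat
@dirrm %%MYADMDIR%%/libraries
@dirrm %%MYADMDIR%%
EOF
}

sample_plist | empty_dirrm
```

Run against a real list with `empty_dirrm < work/plist`; empty output means every @dirrm directory has at least one file under it.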
On Tue, Mar 06, 2007 at 09:08:49PM +0100, Thierry Thomas wrote: > > To fix the problem: if you think that this directory is needed, then > touch ${PREFIX}/www/phpMyAdmin/libraries/compat/.keepme > during post-install, else just rmdir it, and adapt the plist > accordingly. Yes, I see the problem now. That's rather annoying behaviour from the pkg tools. Updated patch included: Cheers, Matthew diff -Nur /usr/ports/databases/phpmyadmin/Makefile phpmyadmin/Makefile --- /usr/ports/databases/phpmyadmin/Makefile Fri Mar 2 19:18:40 2007 +++ phpmyadmin/Makefile Wed Mar 7 17:41:07 2007 @@ -6,8 +6,7 @@ # PORTNAME= phpMyAdmin -DISTVERSION= 2.10.0.1 -PORTREVISION= 1 +DISTVERSION= 2.10.0.2 CATEGORIES= databases www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= phpmyadmin @@ -111,7 +110,14 @@ ${ECHO_MSG} "databases/phpmyadmin" ${ECHO_MSG} "" +# When creating a package, empty directories will not be generated +# from the pkg tarball. Therefore make sure no directories are empty. + post-patch: + cd ${WRKSRC} ; \ + for emptydir in $$( ${FIND} . -type d -empty -print ) ; do \ + ${TOUCH} $${emptydir}/.keep-me ; \ + done ${CP} ${FILESDIR}/${CFGFILE}.sample ${WRKSRC}/${CFGFILE}.sample cd ${WRKSRC} ; \ ${FIND} . ! -type d ! -name ${CFGFILE}.sample | ${SORT} | \ diff -Nur /usr/ports/databases/phpmyadmin/distinfo phpmyadmin/distinfo --- /usr/ports/databases/phpmyadmin/distinfo Thu Mar 1 17:34:55 2007 +++ phpmyadmin/distinfo Fri Mar 2 19:28:52 2007 
@@ -1,3 +1,3 @@ -MD5 (phpMyAdmin-2.10.0.1-all-languages.tar.bz2) = 0f23d25a64ce0547bdfb05dee748760b -SHA256 (phpMyAdmin-2.10.0.1-all-languages.tar.bz2) = c5628fff652947811efa91e3d8e13be02a28a9c300a30da112f86ca94ecc5c7f -SIZE (phpMyAdmin-2.10.0.1-all-languages.tar.bz2) = 3019979 +MD5 (phpMyAdmin-2.10.0.2-all-languages.tar.bz2) = 2aa1abcdacc93a6ccdea149d8c74aa9c +SHA256 (phpMyAdmin-2.10.0.2-all-languages.tar.bz2) = 4b9949d9a79973de663a0ff526b0a567f7d496c31a5371e4f9eeaa97c599e9a6 +SIZE (phpMyAdmin-2.10.0.2-all-languages.tar.bz2) = 3020505 -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
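Review bot: In the post-patch hunk of the Makefile, `for emptydir in $$( ${FIND} . -type d -empty -print )` word-splits the find output, so an empty directory whose name contains whitespace would have .keep-me touched at the wrong paths. Letting find run the command itself, `${FIND} . -type d -empty -exec ${TOUCH} {}/.keep-me \;`, avoids the split. The added `cd ${WRKSRC} ; \` also carries on if the cd fails; `&&` would stop the touch from running in the wrong directory. The comment could also say that the loop has to stay ahead of the `${FIND} . ! -type d` listing that follows, since that listing only sees the .keep-me files because they already exist.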
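Review bot: Nothing in the submission says what the new MD5, SHA256 and SIZE values in the distinfo hunk were checked against. Since this is a security update, compare the SHA256 for phpMyAdmin-2.10.0.2-all-languages.tar.bz2 with a copy fetched independently (a second mirror, or a checksum published by upstream if one is available) before committing, because distinfo records whatever tarball happened to be downloaded when the sums were generated.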
thierry 2007-03-07 21:34:21 UTC

FreeBSD ports repository

Modified files:
databases/phpmyadmin Makefile distinfo

Log:
Yay! Another update. And it's only the 3rd in four days. Just for a change, this is a security thing.

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3

From the announce message:

Hi,

The "Month Of PHP Bugs" reveals some PHP vulnerabilities. MOPB-02-2007 (PHP Executor Deep Recursion Stack Overflow) uses phpMyAdmin as an example to show a recursion vulnerability in PHP, for which a protection is provided in version 2.10.0.2.

More details will follow on phpmyadmin.net, Security section, PMASA-2007-3.

Marc Delisle, for the team.

PR: ports/109765
Submitted by: Matthew Seaman <m.seaman (at) infracaninophile.co.uk> (maintainer)
Security: PMASA-2007-3

Revision Changes Path
1.67 +8 -2 ports/databases/phpmyadmin/Makefile
1.53 +3 -3 ports/databases/phpmyadmin/distinfo
State Changed From-To: feedback->closed

Committed, thanks!