Bug 169558 - Port www/coppermine is out of the date
Summary: Port www/coppermine is out of the date
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Jase Thew
Reported: 2012-06-29 23:20 UTC by Alexey Kouznetsov
Modified: 2012-08-30 12:50 UTC
Description Alexey Kouznetsov 2012-06-29 23:20:06 UTC
From coppermine news 

---
2012-03-29: cpg1.5.20 has been released. It's a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.18 or older update to this latest version as soon as possible.
---

current version in the port is: coppermine-1.5.18

Fix: 

change version in the port to 1.5.20
How-To-Repeat: Install port from the latest porttree
Comment 1 Jase Thew freebsd_committer freebsd_triage 2012-06-29 23:51:52 UTC
Responsible Changed
From-To: freebsd-ports-bugs->jase

I'll take it.
Comment 2 dfilter service freebsd_committer freebsd_triage 2012-08-30 12:40:32 UTC
Author: jase
Date: Thu Aug 30 11:40:20 2012
New Revision: 303369
URL: http://svn.freebsd.org/changeset/ports/303369

Log:
  - Update to 1.5.20
  - Update MASTER_SITES
  - Convert to optionsNG and add DOCS option
  - Document security vulnerabilities [1]
  
  PR:		ports/169558
  Requested by:	Alexey <alexey@kouznetsov.com> (submitter)
  Security:	6dd5e45c-f084-11e1-8d0f-406186f3d89d [1]
  Approved by:	flo (mentor)

Modified:
  head/security/vuxml/vuln.xml
  head/www/coppermine/Makefile   (contents, props changed)
  head/www/coppermine/distinfo   (contents, props changed)

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Aug 30 10:54:49 2012	(r303368)
+++ head/security/vuxml/vuln.xml	Thu Aug 30 11:40:20 2012	(r303369)
@@ -51,6 +51,40 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="6dd5e45c-f084-11e1-8d0f-406186f3d89d">
+    <topic>coppermine -- Multiple vulnerabilites</topic>
+    <affects>
+      <package>
+	<name>coppermine</name>
+	<range><lt>1.5.20</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Coppermine Team reports:</p>
+	<blockquote cite="http://forum.coppermine-gallery.net/index.php/topic,74682.0.html">
+	  <p>The release covers several path disclosure vulnerabilities. If 
+	    unpatched, it's possible to generate an error that will reveal the 
+	    full path of the script. A remote user can determine the full path 
+	    to the web root directory and other potentially sensitive 
+	    information. Furthermore, the release covers a recently discovered 
+	    XSS vulnerability that allows (if unpatched) a malevolent visitor to 
+	    include own script routines under certain conditions.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-1613</cvename>
+      <cvename>CVE-2012-1614</cvename>
+      <mlist>http://seclists.org/oss-sec/2012/q2/11</mlist>
+      <url>http://forum.coppermine-gallery.net/index.php/topic,74682.0.html</url>
+    </references>
+    <dates>
+      <discovery>2012-03-29</discovery>
+      <entry>2012-08-30</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="16846d1e-f1de-11e1-8bd8-0022156e8794">
     <topic>Java 1.7 -- security manager bypass</topic>
     <affects>
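Review bot: The `<topic>` of the new entry misspells "vulnerabilites"; it should read `coppermine -- Multiple vulnerabilities`, since the topic string is what administrators see and search on when the entry is reported against an installed package. The entry also lists two CVE names while the quoted description covers path disclosure and XSS without saying which name applies to which; a sentence mapping them would make the entry easier to triage.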

Modified: head/www/coppermine/Makefile
==============================================================================
--- head/www/coppermine/Makefile	Thu Aug 30 10:54:49 2012	(r303368)
+++ head/www/coppermine/Makefile	Thu Aug 30 11:40:20 2012	(r303369)
@@ -6,15 +6,16 @@
 #
 
 PORTNAME=	coppermine
-PORTVERSION=	1.5.18
+PORTVERSION=	1.5.20
 CATEGORIES=	www
-MASTER_SITES=	SF/${PORTNAME}/Coppermine/${PORTVERSION:R}.x/
+MASTER_SITES=	SF/eenemeenemuu.u
 DISTNAME=	cpg${PORTVERSION}
 
 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	A web picture gallery script
 
-OPTIONS=	IMAGEMAGICK "Use ImageMagick instead of php5-gd" off
+OPTIONS_DEFINE=	DOCS IMAGEMAGICK
+IMAGEMAGICK_DESC=	Use ImageMagick instead of PHP GD extension
 
 USE_PHP=	mysql pcre
 USE_ZIP=	yes
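Review bot: The new `MASTER_SITES= SF/eenemeenemuu.u` replaces the path derived from `${PORTNAME}` and `${PORTVERSION:R}` with a hard-coded value that has no visible relation to the port name and, unlike the old value, no trailing slash, while the log says only "Update MASTER_SITES". Please confirm that this is the upstream project's official download location and record the reason for the move in a comment above the line or in the commit message.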
@@ -28,8 +29,8 @@ SUB_FILES+=	pkg-message
 
 .include <bsd.port.options.mk>
 
-.if defined (WITH_IMAGEMAGICK)
-RUN_DEPENDS+=	${LOCALBASE}/bin/convert:${PORTSDIR}/graphics/ImageMagick
+.if ${PORT_OPTIONS:MIMAGEMAGICK}
+RUN_DEPENDS+=	convert:${PORTSDIR}/graphics/ImageMagick
 .else
 USE_PHP+=	gd
 .endif
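Review bot: `RUN_DEPENDS+= convert:${PORTSDIR}/graphics/ImageMagick` swaps the absolute `${LOCALBASE}/bin/convert` for a bare name, so the dependency is treated as satisfied by any executable called `convert` found on the search path, not only the one ImageMagick installs under `${LOCALBASE}`. If the intent is specifically the ImageMagick binary, the absolute path is the stricter check; otherwise a short comment on why the bare name is preferred would help.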
@@ -37,14 +38,14 @@ USE_PHP+=	gd
 pre-everything::
 	@${ECHO_MSG} ""
 	@${ECHO_MSG} "By default, coppermine depends on PHP with GD support."
-	@${ECHO_MSG} "You may define WITH_IMAGEMAGICK to depend on ImageMagick instead of GD."
+	@${ECHO_MSG} "You may select IMAGEMAGICK to depend on ImageMagick instead of GD."
 	@${ECHO_MSG} ""
 
 post-extract:
 	@${CHMOD} -R o-w ${WRKSRC}/
 
 do-install:
-.if !defined(NOPORTDOCS)
+.if ${PORT_OPTIONS:MDOCS}
 	${MKDIR} ${DOCSDIR}/
 	@cd ${WRKSRC} && ${INSTALL_DATA} ${DOCFILES} ${DOCSDIR}
 .endif

Modified: head/www/coppermine/distinfo
==============================================================================
--- head/www/coppermine/distinfo	Thu Aug 30 10:54:49 2012	(r303368)
+++ head/www/coppermine/distinfo	Thu Aug 30 11:40:20 2012	(r303369)
@@ -1,2 +1,2 @@
-SHA256 (cpg1.5.18.zip) = 58255ee376daae3592bb3118701119a5e2388a99a736e98c72f62ec53391fbe8
-SIZE (cpg1.5.18.zip) = 19035430
+SHA256 (cpg1.5.20.zip) = f5388d6fa0952f4aba8f51ae9f86c7f916c432831e02050c27d27737cececcf5
+SIZE (cpg1.5.20.zip) = 19122378
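Review bot: The checksum and size change in the same commit that changes where the distfile is fetched from, so the `SHA256 (cpg1.5.20.zip)` line is the only thing tying the download to what was reviewed. The commit message should say what the new hash was checked against (for example a checksum published with the upstream 1.5.20 release), so a later reviewer can repeat the check.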
Comment 3 Jase Thew freebsd_committer freebsd_triage 2012-08-30 12:44:29 UTC
State Changed
From-To: open->closed

Committed. Thanks!