Bug 59741 - [maintainer update]Fix Potential security issue with search in phpbb
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2003-11-28 00:20 UTC by Kang Liu
Modified: 2003-12-26 03:20 UTC (History)
Attachments
file.diff (225 bytes, patch)
2003-11-28 00:20 UTC, Kang Liu

Description Kang Liu 2003-11-28 00:20:13 UTC
The phpbb developers just released an announcement about a potential security issue with search:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=153818
They updated the src-pack but didn't change the version number.
I know the port freeze has begun, but this problem seems serious,
and all src-packs have been updated; phpbb is broken (checksum) now.

As Joe Marcus Clarke said in PR:56706, all build fixes do not need portmgr approval.
Can anyone commit it?

How-To-Repeat: run make at ports/www/phpbb
Comment 1 Clement Laforet 2003-11-28 00:23:12 UTC
On Fri, 28 Nov 2003 08:11:46 +0800
"Kang Liu" <liukang@bjpu.edu.cn> wrote:

> >Fix:
> --- distinfo.orig       Thu Sep 18 02:14:52 2003
> +++ distinfo    Fri Nov 28 07:54:56 2003
> @@ -1 +1 @@
> -MD5 (phpBB-2.0.6.tar.bz2) = ee73baaac8f2f72c2a1d879ea811bd07
> +MD5 (phpBB-2.0.6.tar.bz2) = 6574f13e2c7b66fda4faf1b2ddacae48
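
Review bot: the -/+ lines replace the MD5 for phpBB-2.0.6.tar.bz2 while the file name stays the same, so a committer cannot tell from this hunk whether the new sum belongs to the re-rolled upstream tarball or to a tampered download. State in the PR where the new file was fetched from and that its contents were compared against the old tarball, and consider setting DIST_SUBDIR so copies of the old file already stored under the same name are not picked up again.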

You should bump PORTREVISION too ;-)

clem
Comment 2 Kang Liu 2003-11-28 00:26:43 UTC
Yes, you are right.
I'm sorry for my carelessness. :-(
Here is the patch again.

--- Makefile.orig       Mon Jul  7 16:04:49 2003
+++ Makefile    Fri Nov 28 08:24:37 2003
@@ -7,7 +7,7 @@
 
 PORTNAME=      phpbb
 PORTVERSION=   2.0.5
-PORTREVISION=  1
+PORTREVISION=  2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=    ${PORTNAME}
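
Review bot: the context line PORTVERSION= 2.0.5 in this hunk does not match the distinfo entry in the same patch, which is for phpBB-2.0.6.tar.bz2, so the Makefile diff looks like it was taken against a stale copy (Makefile.orig is dated Jul 7). Regenerate it against the current Makefile so the PORTREVISION bump applies to the 2.0.6 port.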


--- distinfo.orig       Thu Sep 18 02:14:52 2003
+++ distinfo    Fri Nov 28 07:54:56 2003
@@ -1 +1 @@
-MD5 (phpBB-2.0.6.tar.bz2) = ee73baaac8f2f72c2a1d879ea811bd07
+MD5 (phpBB-2.0.6.tar.bz2) = 6574f13e2c7b66fda4faf1b2ddacae48
Comment 3 Kang Liu 2003-11-28 00:33:22 UTC
Patch again.
The portversion should be 2.0.6, not 2.0.5.

--- Makefile.orig       Fri Nov 28 08:30:42 2003
+++ Makefile    Fri Nov 28 08:30:48 2003
@@ -7,7 +7,7 @@
 
 PORTNAME=      phpbb
 PORTVERSION=   2.0.6
-PORTREVISION=  2
+PORTREVISION=  3
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=    ${PORTNAME}
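
Review bot: Makefile.orig in this hunk is dated only six seconds before Makefile and already carries PORTREVISION= 2, the value the previous patch introduced, so the diff appears to be taken against a hand-edited copy rather than the committed file. Regenerate it against the in-tree Makefile so the change is a single PORTREVISION increment from whatever value is committed there.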

--- distinfo.orig       Thu Sep 18 02:14:52 2003
+++ distinfo    Fri Nov 28 07:54:56 2003
@@ -1 +1 @@
-MD5 (phpBB-2.0.6.tar.bz2) = ee73baaac8f2f72c2a1d879ea811bd07
+MD5 (phpBB-2.0.6.tar.bz2) = 6574f13e2c7b66fda4faf1b2ddacae48
Comment 4 Kang Liu 2003-11-29 07:51:52 UTC
Hi, portmgr
	Could you approve and commit this PR? Thanks very much.

	The details of this vulnerability: http://www.securityfocus.com/archive/1/345872
	The exploit:  http://www.securityfocus.com/archive/1/345937

Kang
Comment 5 Michael Haro freebsd_committer 2003-12-17 05:31:10 UTC
State Changed
From-To: open->closed

committed, thanks!
Comment 6 jfkimura 2003-12-26 03:13:22 UTC
Hi.

This port gets a checksum error. The contents of the distfiles put on
freebsd.org seem old.

How-To-Repeat:

#cd /usr/ports/www/phpbb
#make fetch
-------------------------------------------------------------------------
Perform a "make options" to see a list of available installation options.
-------------------------------------------------------------------------
>> phpBB-2.0.6.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from ftp://ftp2.jp.freebsd.org/pub/FreeBSD/ports/distfiles/.
Receiving phpBB-2.0.6.tar.bz2 (447777 bytes): 100% (ETA 00:00)
447777 bytes transferred in 36.3 seconds (12.03 kBps)
#md5 phpBB-2.0.6.tar.bz2
MD5 (phpBB-2.0.6.tar.bz2) = ee73baaac8f2f72c2a1d879ea811bd07


#fetch http://keihanna.dl.sourceforge.net/sourceforge/phpbb/phpBB-2.0.6.tar.bz2
#md5 phpBB-2.0.6.tar.bz2
MD5 (phpBB-2.0.6.tar.bz2) = 6574f13e2c7b66fda4faf1b2ddacae48

#cat /usr/ports/www/phpbb/distinfo
MD5 (phpBB-2.0.6.tar.bz2) = 6574f13e2c7b66fda4faf1b2ddacae48

---
Fumihiko Kimura <jfkimura@yahoo.co.jp>
