From bf059b34a04c901be4b825c13dc0553bc5f8d9e4 Mon Sep 17 00:00:00 2001 From: Tom William Payne Date: Fri, 13 May 2005 19:03:44 +0000 Subject: Security fix. Bug # 91354. (Portage version: 2.0.51.21-r1) --- app-text/info2html/ChangeLog | 14 ++++++- app-text/info2html/Manifest | 7 +++- app-text/info2html/files/digest-info2html-1.4-r1 | 1 + app-text/info2html/files/info2html-xss.patch | 51 ++++++++++++++++++++++++ app-text/info2html/info2html-1.4-r1.ebuild | 44 ++++++++++++++++++++ 5 files changed, 114 insertions(+), 3 deletions(-) create mode 100644 app-text/info2html/files/digest-info2html-1.4-r1 create mode 100644 app-text/info2html/files/info2html-xss.patch create mode 100644 app-text/info2html/info2html-1.4-r1.ebuild (limited to 'app-text') diff --git a/app-text/info2html/ChangeLog b/app-text/info2html/ChangeLog index e9e9884c544a..d54e99ca0094 100644 --- a/app-text/info2html/ChangeLog +++ b/app-text/info2html/ChangeLog @@ -1,6 +1,18 @@ # ChangeLog for app-text/info2html # Copyright 2000-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-text/info2html/ChangeLog,v 1.8 2005/04/21 20:22:40 blubb Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-text/info2html/ChangeLog,v 1.9 2005/05/13 19:03:44 twp Exp $ + +*info2html-1.4-r1 (13 May 2005) + + 13 May 2005; Tom Payne +files/info2html-xss.patch, + +info2html-1.4-r1.ebuild: + Security fix. Bug # 91354. + +*info2html-1.4-r1 (13 May 2005) + + 13 May 2005; Tom Payne +files/info2html-xss.patch, + +info2html-1.4-r1.ebuild: + Security fix. Bug # 91354. 21 Apr 2005; Simon Stelling info2html-1.4.ebuild: stable on amd64 diff --git a/app-text/info2html/Manifest b/app-text/info2html/Manifest index 2838e9e72b46..b78c2df62192 100644 --- a/app-text/info2html/Manifest +++ b/app-text/info2html/Manifest 
@@ -1,5 +1,8 @@
-MD5 52a5838473c0a6f6dc9d0e6d2e5b4780 ChangeLog 849
+MD5 f7e6c44fd8afaf4c4d98ee7bcbf9b727 info2html-1.4-r1.ebuild 991
 MD5 98979dcc8f89c84051f9957afd8d481a info2html-1.4.ebuild 947
+MD5 2bfb7f9df11b5572e72eaa0e4d6458cd ChangeLog 1171
 MD5 d992d28bec4a3bfd72b441145091a58e metadata.xml 244
-MD5 4b9f64ddf8e7ef3c725fc1f785c69456 files/digest-info2html-1.4 60
+MD5 cc6a82ee8361bbdc4e94d4f39feb5896 files/info2html-xss.patch 1730
+MD5 4b9f64ddf8e7ef3c725fc1f785c69456 files/digest-info2html-1.4-r1 60
 MD5 495fd408850958212ae70b35f3b8129b files/info2html-gentoo.patch 1767
+MD5 4b9f64ddf8e7ef3c725fc1f785c69456 files/digest-info2html-1.4 60
diff --git a/app-text/info2html/files/digest-info2html-1.4-r1 b/app-text/info2html/files/digest-info2html-1.4-r1
new file mode 100644
index 000000000000..cbd2963fe8b5
--- /dev/null
+++ b/app-text/info2html/files/digest-info2html-1.4-r1
@@ -0,0 +1 @@
+MD5 bccc18eeb48bb2571e5c66dec8822770 info2html-1.4.tgz 8473
diff --git a/app-text/info2html/files/info2html-xss.patch b/app-text/info2html/files/info2html-xss.patch
new file mode 100644
index 000000000000..98f61a6461f8
--- /dev/null
+++ b/app-text/info2html/files/info2html-xss.patch
@@ -0,0 +1,51 @@ +Index: info2html1.1/info2html +=================================================================== +--- info2html1.1.orig/info2html ++++ info2html1.1/info2html +@@ -47,7 +47,7 @@ $FTAG = '[^\)]+'; #-- p + # not accessible. + #--------------------------------------------------------- + sub DieFileNotFound{ +- local($FileName) = @_; ++ local($FileName) = &XssEscape(@_); + #-- TEXT : error message if a file could not be opened + print < +@@ -110,6 +110,28 @@ sub DeEscape{ + } + + #---------------------------------------------------------- ++# XssEscape ++#---------------------------------------------------------- ++sub XssEscape { ++ local($Tag) = @_; ++ #-- output escaping is required to protect browser ++ # against `cross site' and `cross frame scripting' ++ ++ $Tag =~ s/&/&/gs; # ampersand ++ $Tag =~ s/#/#/gs; ++ $Tag =~ s/;/;/gs; ++ $Tag =~ s/[\000-\037\200-\237]/¿/gs; ++ $Tag =~ s//>/gs; # greater-than symbol ++ $Tag =~ s/"/"/gs; # double quote ++ $Tag =~ s/\240/ /gs; # non-breaking space ++ $Tag =~ s/\255/­/gs; # soft hyphen ++ # the rest is interpreted ++ # as ISO 8859-1 ++ $Tag; ++} ++ ++#---------------------------------------------------------- + # ParsHeaderToken + #---------------------------------------------------------- + # Parses the heaer line of an info node for a specific +@@ -470,6 +492,8 @@ EOF + #---------------------------------------------------------- + sub ReplyNotFoundMessage{ + local($FileName,$Tag) = @_; ++ $FileName = &XssEscape($FileName); ++ $Tag = &XssEscape($Tag); + print < + Info Files - Error Message diff --git a/app-text/info2html/info2html-1.4-r1.ebuild b/app-text/info2html/info2html-1.4-r1.ebuild new file mode 100644 index 000000000000..ca36616dc2b8 --- /dev/null +++ b/app-text/info2html/info2html-1.4-r1.ebuild 
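Review bot: XssEscape as shown has substitutions for `&`, `#`, `;`, control bytes, `>` and `"`, but none for the single quote is visible, so a value placed inside a single-quoted HTML attribute would not be neutralised; adding `$Tag =~ s/'/&#39;/gs;` would cover that case. The replacement strings did not survive on this page, but if they are entity references the ordering looks fragile: the `#` and `;` passes run after the `&` pass and would rewrite the `#` and `;` that earlier replacements emit, so one pass over `[&<>"'#;]` driven by a lookup hash would be more robust than chained substitutions. Only DieFileNotFound and ReplyNotFoundMessage are routed through the helper here, and both bodies continue outside the hunks, so any other place in info2html that prints a request-derived file or node name into the page should be checked against the same helper.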
@@ -0,0 +1,44 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-text/info2html/info2html-1.4-r1.ebuild,v 1.1 2005/05/13 19:03:44 twp Exp $
+
+inherit eutils webapp-apache
+
+DESCRIPTION="Converts GNU .info files to HTML"
+HOMEPAGE="http://info2html.sourceforge.net/"
+SRC_URI="mirror://sourceforge/info2html/${P}.tgz"
+
+LICENSE="freedist"
+SLOT="0"
+IUSE=""
+KEYWORDS="~alpha ~hppa ~sparc x86 ~amd64"
+
+DEPEND="dev-lang/perl"
+
+pkg_setup() {
+ webapp-detect || NO_HTTPD=1
+ webapp-pkg_setup "${NO_HTTPD}"
+ einfo "Installing into ${ROOT}${HTTPD_ROOT}"
+}
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ epatch ${FILESDIR}/info2html-gentoo.patch
+ epatch ${FILESDIR}/info2html-xss.patch
+}
+
+src_install() {
+ webapp-mkdirs
+
+ exeinto ${HTTPD_CGIBIN}
+ doexe info2html infocat
+ insinto ${HTTPD_CGIBIN}
+ doins info2html.conf
+ dodoc README
+}
+
+pkg_postinst() {
+ einfo "Info files can be found at:"
+ einfo "\thttp://localhost/cgi-bin/infocat"
+}
-- cgit v1.2.3-65-gdbad
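Review bot: `KEYWORDS` on the patched revision carries `~amd64`, while the ChangeLog context in this same commit records info2html-1.4 as stable on amd64 and the Manifest still lists info2html-1.4.ebuild, so stable amd64 systems would presumably keep resolving to the unpatched 1.4 until r1 is stabilised there or 1.4 is removed. If that gap is intentional pending arch testing, the ChangeLog entry should say so next to the bug reference. Separately, in src_unpack `cd ${S}` is unquoted and unchecked; `cd "${S}" || die` makes a failed directory change stop the build before the two epatch calls run.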