authorLuca Longinotti <chtekk@gentoo.org>2006-05-30 15:17:21 +0000
committerLuca Longinotti <chtekk@gentoo.org>2006-05-30 15:17:21 +0000
commit0dacc4f0af1eaf0d587f16a43279e2ac23a89301 (patch)
tree3b64f45905a42345efc63bc2255c14132186caca /net-www/awstats
parents/+/-/ for bug #120403, completely my fault :( (diff)
Fix security bug.
(Portage version: 2.1_rc1-r3)
Diffstat (limited to 'net-www/awstats')
-rw-r--r--net-www/awstats/ChangeLog13
-rw-r--r--net-www/awstats/awstats-6.5-r1.ebuild137
-rw-r--r--net-www/awstats/awstats-6.6.ebuild5
-rw-r--r--net-www/awstats/files/awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff143
-rw-r--r--net-www/awstats/files/digest-awstats-6.42
-rw-r--r--net-www/awstats/files/digest-awstats-6.5-r13
6 files changed, 300 insertions, 3 deletions
diff --git a/net-www/awstats/ChangeLog b/net-www/awstats/ChangeLog
index cd8aaf1366a4..0381b88f52da 100644
--- a/net-www/awstats/ChangeLog
+++ b/net-www/awstats/ChangeLog
@@ -1,6 +1,17 @@
# ChangeLog for net-www/awstats
# Copyright 2000-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-www/awstats/ChangeLog,v 1.34 2006/05/21 04:49:30 halcy0n Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-www/awstats/ChangeLog,v 1.35 2006/05/30 15:17:21 chtekk Exp $
+
+*awstats-6.5-r1 (30 May 2006)
+
+ 30 May 2006; Luca Longinotti <chtekk@gentoo.org>
+ -files/awstats-6.3-CAN-2005-0363.diff,
+ +files/awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff,
+ -awstats-6.3-r2.ebuild, +awstats-6.5-r1.ebuild, awstats-6.6.ebuild:
+ Fixed security bug #130487 and bug #122913. Drop awstats 6.3 release
+ (mirrors seem to not have the patchset needed for it anymore, and it's old).
+ Dropped keywords for awstats 6.6 back to testing, as it should not be stable
+ and will remain p.masked anyway for now.
21 May 2006; Mark Loeser <halcy0n@gentoo.org> awstats-6.6.ebuild:
Stable on x86; bug #130487
diff --git a/net-www/awstats/awstats-6.5-r1.ebuild b/net-www/awstats/awstats-6.5-r1.ebuild
new file mode 100644
index 000000000000..28c144446498
--- /dev/null
+++ b/net-www/awstats/awstats-6.5-r1.ebuild
@@ -0,0 +1,137 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-www/awstats/awstats-6.5-r1.ebuild,v 1.1 2006/05/30 15:17:21 chtekk Exp $
+
+inherit eutils webapp versionator
+
+DESCRIPTION="AWStats is short for Advanced Web Statistics."
+HOMEPAGE="http://awstats.sourceforge.net/"
+#SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+SRC_URI="http://awstats.sourceforge.net/files/${P}.tar.gz"
+
+LICENSE="GPL-2"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~sparc ~x86 ~x86-fbsd"
+IUSE=""
+
+SLOT="0"
+WEBAPP_MANUAL_SLOT="yes"
+
+RDEPEND=">=dev-lang/perl-5.6.1
+ >=media-libs/libpng-1.2
+ virtual/perl-Time-Local
+ dev-perl/URI
+ net-www/apache"
+DEPEND="${RDEPEND}
+ >=sys-apps/sed-4"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+
+ # Fix security bug #130487
+ epatch ${FILESDIR}/${PN}-6.5-CVE-2006-2237-CVE-2006-1945.diff
+
+ epatch ${FILESDIR}/${PN}-6.3-gentoo.diff
+
+ # change AWStats default installation directory to installation directory of Gentoo
+ for file in tools/* wwwroot/cgi-bin/*; do
+ if [[ -f "$file" ]]; then
+ sed -i -e "s#/usr/local/awstats/wwwroot/cgi-bin#${MY_CGIBINDIR}#g" \
+ -e "s#/usr/local/awstats/wwwroot/icon#${MY_HTDOCSDIR}/icon#g" \
+ -e "s#/usr/local/awstats/wwwroot/plugins#${MY_HOSTROOTDIR}/plugins#g" \
+ -e "s#/usr/local/awstats/wwwroot/classes#${MY_HTDOCSDIR}/classes#g" \
+ -e "s#/usr/local/awstats/wwwroot#${MY_HTDOCSDIR}#g" \
+ $file || die "sed $file failed"
+ fi
+ done
+
+ # find apache major version
+ local apachever=$(best_version net-www/apache)
+ apachever="$(get_major_version ${apachever#*/*-})"
+ [[ ${apachever} == "1" ]] && apachever=""
+
+ # set default values for directories
+ sed -i -e "s|^\(LogFile=\).*$|\1\"/var/log/apache${apachever}/access_log\"|" \
+ -e "s|^\(SiteDomain=\).*$|\1\"localhost\"|" \
+ -e "s|^\(DirIcons=\).*$|\1\"/awstats/icons\"|" \
+ -e "s|^\(DirCgi=\).*$|\1\"/cgi-bin/awstats\"|" \
+ ${S}/wwwroot/cgi-bin/awstats.model.conf || die "sed failed"
+
+ # set version in postinst-en.txt
+ sed -e "s/PVR/${PVR}/g" \
+ ${FILESDIR}/postinst-en.txt > ${WORKDIR}/postinst-en.txt || die
+}
+
+src_install() {
+ webapp_src_preinst
+
+ # handle documentation files
+ #
+ # NOTE that doc files go into /usr/share/doc as normal; they do NOT
+ # get installed per vhost!
+
+ dohtml -r docs/*.html docs/*.xml docs/*.css docs/*.js docs/images
+ dodoc README.TXT docs/COPYING.TXT docs/LICENSE.TXT
+ newdoc wwwroot/cgi-bin/plugins/example/example.pm example_plugin.pm
+ docinto xslt
+ dodoc tools/xslt/*
+
+ webapp_postinst_txt en ${WORKDIR}/postinst-en.txt
+
+ keepdir /var/lib/awstats
+
+ # Copy the app's main files
+ exeinto ${MY_CGIBINDIR}
+ doexe ${S}/wwwroot/cgi-bin/*.pl
+
+ exeinto ${MY_HTDOCSDIR}/classes
+ doexe ${S}/wwwroot/classes/*.jar
+
+ # install language files, libraries and plugins
+ mkdir -p ${D}${MY_CGIBINDIR}
+ for dir in lang lib plugins; do
+ cp -R ${S}/wwwroot/cgi-bin/${dir} ${D}${MY_CGIBINDIR}
+ chmod 0755 ${D}${MY_CGIBINDIR}/${dir}
+ done
+
+ # install the app's www files
+ mkdir -p ${D}${MY_HTDOCSDIR}
+ for dir in icon css js; do
+ cp -R ${S}/wwwroot/${dir} ${D}${MY_HTDOCSDIR}
+ chmod 0755 ${D}${MY_HTDOCSDIR}/${dir}
+ done
+
+ # copy configuration file
+ insinto /etc/awstats
+ doins ${S}/wwwroot/cgi-bin/awstats.model.conf
+
+ # create the data directory for awstats
+ mkdir -p ${D}/${MY_HOSTROOTDIR}/datadir
+
+ # install command line tools
+ cd ${S}/tools
+ dobin awstats_buildstaticpages.pl awstats_exportlib.pl \
+ awstats_updateall.pl logresolvemerge.pl \
+ maillogconvert.pl awstats_configure.pl
+ newbin urlaliasbuilder.pl awstats_urlaliasbuilder.pl
+
+ # all done
+ #
+ # now we let the eclass strut its stuff ;-)
+
+ webapp_src_install
+}
+
+pkg_postinst() {
+ einfo
+ einfo "The AWStats-Manual is available either inside"
+ einfo " the /usr/share/doc/${PF} - folder, or at"
+ einfo " http://awstats.sourceforge.net/docs/index.html ."
+ einfo
+ ewarn "Copy the /etc/awstats/awstats.model.conf to"
+ ewarn "/etc/awstats/awstats.<yourdomain>.conf and edit."
+ ewarn "use the command"
+ ewarn " webapp-config"
+ ewarn "to install awstats for each virtual host. See proper man page."
+}
+
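Review bot: pkg_postinst does not tell administrators that the security patch applied in src_unpack changes how a supplied config directory is honoured. With files/awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff in place, `configdir` is used only when `AWSTATS_ENABLE_CONFIG_DIR` is set in the environment; otherwise the built-in list (`$DIR`, /etc/awstats, ...) is searched. Any setup that passes a config directory would therefore quietly fall back to the defaults after the upgrade. An extra line such as `ewarn "configdir is ignored unless AWSTATS_ENABLE_CONFIG_DIR is set in the environment."` next to the existing ewarn calls would cover it. Separately, `cd ${S}` in src_unpack and the `mkdir -p`/`cp -R`/`chmod` calls in src_install have no `|| die`, so a failed copy would still yield an installable package.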
diff --git a/net-www/awstats/awstats-6.6.ebuild b/net-www/awstats/awstats-6.6.ebuild
index c17693a311c9..288d8fe79d44 100644
--- a/net-www/awstats/awstats-6.6.ebuild
+++ b/net-www/awstats/awstats-6.6.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-www/awstats/awstats-6.6.ebuild,v 1.6 2006/05/21 04:49:30 halcy0n Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-www/awstats/awstats-6.6.ebuild,v 1.7 2006/05/30 15:17:21 chtekk Exp $
inherit eutils webapp versionator
@@ -10,7 +10,7 @@ HOMEPAGE="http://awstats.sourceforge.net/"
SRC_URI="http://awstats.sourceforge.net/files/${P}.tar.gz"
LICENSE="GPL-2"
-KEYWORDS="alpha amd64 ~hppa ~mips ppc ~sparc x86 ~x86-fbsd"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~sparc ~x86 ~x86-fbsd"
IUSE=""
SLOT="0"
@@ -19,6 +19,7 @@ WEBAPP_MANUAL_SLOT="yes"
RDEPEND=">=dev-lang/perl-5.6.1
>=media-libs/libpng-1.2
virtual/perl-Time-Local
+ dev-perl/URI
net-www/apache"
DEPEND="${RDEPEND}
>=sys-apps/sed-4"
diff --git a/net-www/awstats/files/awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff b/net-www/awstats/files/awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff
new file mode 100644
index 000000000000..9a82f4eda964
--- /dev/null
+++ b/net-www/awstats/files/awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff
@@ -0,0 +1,143 @@
+--- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl 2005-11-24 15:11:19.000000000 -0500
++++ awstats-6.5/wwwroot/cgi-bin/awstats.pl 2006-05-06 17:34:13.000000000 -0400
+@@ -5534,7 +5534,7 @@
+ $QueryString =~ s/&/&amp;/g;
+ }
+
+- $QueryString = CleanFromCSSA($QueryString);
++ $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
+
+ # Security test
+ if ($QueryString =~ /LogFile=([^&]+)/i) { error("Logfile parameter can't be overwritten when AWStats is used from a CGI"); }
+@@ -5542,7 +5542,7 @@
+ # No update but report by default when run from a browser
+ $UpdateStats=($QueryString=~/update=1/i?1:0);
+
+- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
++ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
+ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
+ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
+@@ -5561,7 +5561,7 @@
+
+ # If migrate
+ if ($QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i) {
+- $MigrateStats=&DecodeEncodedString("$2");
++ $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
+ $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+ $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
+ }
+@@ -5591,7 +5591,7 @@
+ # Update with no report by default when run from command line
+ $UpdateStats=1;
+
+- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
++ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
+ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
+ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
+Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl 2006-05-05 16:43:12.000000000 -0400
++++ awstats-6.5/wwwroot/cgi-bin/awstats.pl 2006-05-06 17:26:10.000000000 -0400
+@@ -1131,7 +1131,7 @@
+ my $configdir=shift;
+ my @PossibleConfigDir=();
+
+- if ($configdir) { @PossibleConfigDir=("$configdir"); }
++ if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }
+ else { @PossibleConfigDir=("$DIR","/etc/awstats","/usr/local/etc/awstats","/etc","/etc/opt/awstats"); }
+
+ # Open config file
+diff -urN awstats-6.5.orig/tools/awstats_buildstaticpages.pl awstats-6.5/tools/awstats_buildstaticpages.pl
+--- awstats-6.5.orig/tools/awstats_buildstaticpages.pl 2005-08-23 15:56:35.000000000 -0400
++++ awstats-6.5/tools/awstats_buildstaticpages.pl 2006-01-04 00:58:20.490613529 -0500
+@@ -75,7 +75,7 @@
+ # Return: None
+ #------------------------------------------------------------------------------
+ sub error {
+- print "Error: $_[0].\n";
++ print STDERR "Error: $_[0].\n";
+ exit 1;
+ }
+
+@@ -95,7 +95,7 @@
+ # print "$messagestring<br />\n";
+ # }
+ # else {
+- print "$messagestring\n";
++ print STDERR "$messagestring\n";
+ # }
+ # }
+ }
+diff -urN awstats-6.5.orig/tools/awstats_configure.pl awstats-6.5/tools/awstats_configure.pl
+--- awstats-6.5.orig/tools/awstats_configure.pl 2005-04-22 13:34:05.000000000 -0400
++++ awstats-6.5/tools/awstats_configure.pl 2006-01-04 00:58:24.987002812 -0500
+@@ -87,7 +87,7 @@
+ # error
+ #-------------------------------------------------------
+ sub error {
+- print "Error: $_[0].\n";
++ print STDERR "Error: $_[0].\n";
+ exit 1;
+ }
+
+diff -urN awstats-6.5.orig/tools/awstats_exportlib.pl awstats-6.5/tools/awstats_exportlib.pl
+--- awstats-6.5.orig/tools/awstats_exportlib.pl 2003-12-05 18:53:38.000000000 -0500
++++ awstats-6.5/tools/awstats_exportlib.pl 2006-01-04 00:58:30.769217454 -0500
+@@ -93,8 +93,8 @@
+ my $thirdmessage=shift||"";
+ my $donotshowsetupinfo=shift||0;
+ if ($Debug) { debug("$message $secondmessage $thirdmessage",1); }
+- print "$message";
+- print "\n";
++ print STDERR "$message";
++ print STDERR "\n";
+ exit 1;
+ }
+
+diff -urN awstats-6.5.orig/tools/awstats_updateall.pl awstats/tools/awstats_updateall.pl
+--- awstats-6.5.orig/tools/awstats_updateall.pl 2005-04-22 13:34:05.000000000 -0400
++++ awstats-6.5/tools/awstats_updateall.pl 2006-01-04 00:58:34.910654953 -0500
+@@ -36,7 +36,7 @@
+ # Return: None
+ #------------------------------------------------------------------------------
+ sub error {
+- print "Error: $_[0].\n";
++ print STDERR "Error: $_[0].\n";
+ exit 1;
+ }
+
+diff -urN awstats-6.5.orig/tools/logresolvemerge.pl awstats-6.5/tools/logresolvemerge.pl
+--- awstats-6.5.orig/tools/logresolvemerge.pl 2005-12-04 16:10:46.000000000 -0500
++++ awstats-6.5/tools/logresolvemerge.pl 2006-01-04 00:58:38.552160356 -0500
+@@ -104,7 +104,7 @@
+ # Return: None
+ #------------------------------------------------------------------------------
+ sub error {
+- print "Error: $_[0].\n";
++ print STDERR "Error: $_[0].\n";
+ exit 1;
+ }
+
+@@ -133,7 +133,7 @@
+ sub warning {
+ my $messagestring=shift;
+ if ($Debug) { debug("$messagestring",1); }
+- print "$messagestring\n";
++ print STDERR "$messagestring\n";
+ }
+
+ #-----------------------------------------------------------------------------
+diff -urN awstats-6.5.orig/tools/maillogconvert.pl awstats-6.5/tools/maillogconvert.pl
+--- awstats-6.5.orig/tools/maillogconvert.pl 2005-04-22 13:34:05.000000000 -0400
++++ awstats-6.5/tools/maillogconvert.pl 2006-01-04 00:58:42.465628823 -0500
+@@ -56,7 +56,7 @@
+ #-------------------------------------------------------
+
+ sub error {
+- print "Error: $_[0].\n";
++ print STDERR "Error: $_[0].\n";
+ exit 1;
+ }
+
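Review bot: `diricons=` is still taken from the request without `Sanitize` in both branches of the awstats.pl change (`$DirIcons=&DecodeEncodedString("$1")` for CGI, `$DirIcons="$1"` for the command line), while `config`, `configdir`, `pluginmode` and now `migrate` are all wrapped. In the CGI branch the query string is now decoded once before `CleanFromCSSA` and each value is then decoded a second time, so a doubly-encoded value is cleaned while still encoded and only becomes literal afterwards; for `diricons` nothing filters it after that second decode. If `$DirIcons` ends up in the generated HTML, as its name suggests, it should get the same treatment, e.g. `$DirIcons=&Sanitize(&DecodeEncodedString("$1"));`, provided the character set Sanitize allows (not visible here) keeps the path characters an icon directory needs. The new `AWSTATS_ENABLE_CONFIG_DIR` check would also benefit from a one-line comment at the test stating that configdir is ignored unless the variable is set.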
diff --git a/net-www/awstats/files/digest-awstats-6.4 b/net-www/awstats/files/digest-awstats-6.4
index 828cff76dc65..499e03865edb 100644
--- a/net-www/awstats/files/digest-awstats-6.4
+++ b/net-www/awstats/files/digest-awstats-6.4
@@ -1 +1,3 @@
MD5 056e6fb0c7351b17fe5bbbe0aa1297b1 awstats-6.4.tgz 918435
+RMD160 318b34afcb7f7e8a4d26d46344e37bcbe3a8460a awstats-6.4.tgz 918435
+SHA256 94ec0963dd88a4995ae63be675936da9d3dfaed0c0b0155c5c0400c989b6d294 awstats-6.4.tgz 918435
diff --git a/net-www/awstats/files/digest-awstats-6.5-r1 b/net-www/awstats/files/digest-awstats-6.5-r1
new file mode 100644
index 000000000000..b326ee291e86
--- /dev/null
+++ b/net-www/awstats/files/digest-awstats-6.5-r1
@@ -0,0 +1,3 @@
+MD5 f323e197f78934c66b3bf4cb07422606 awstats-6.5.tar.gz 972275
+RMD160 f5bac64fe43a0629474203f4846a863a439416cf awstats-6.5.tar.gz 972275
+SHA256 2d536fac86e97b4ba22fc811753536a0081823136b3a337f5833a6ad04b6f7f1 awstats-6.5.tar.gz 972275