authorMatti Bickel <mabi@gentoo.org>2012-06-11 15:12:54 +0000
committerMatti Bickel <mabi@gentoo.org>2012-06-11 15:12:54 +0000
commite0c2142ac1dd69312d13c27b7754ecde1e4fcab2 (patch)
tree8c262afbdf5f9e98cf85868ecd531c339eacc900 /dev-php/jpgraph
parentVersion bump. Ebuild by Arfrever. (diff)
bump to fix security issue (bug #303745), also move jpgraph install path to /usr/share/php/jpgraph (losing the src part)
Package-Manager: portage-2.2.0_alpha110/cvs/Linux x86_64
Diffstat (limited to 'dev-php/jpgraph')
-rw-r--r--dev-php/jpgraph/ChangeLog9
-rw-r--r--dev-php/jpgraph/Manifest5
-rw-r--r--dev-php/jpgraph/files/cve-2009-4422.patch31
-rw-r--r--dev-php/jpgraph/jpgraph-3.0.7-r1.ebuild (renamed from dev-php/jpgraph/jpgraph-3.0.7.ebuild)14
4 files changed, 52 insertions, 7 deletions
diff --git a/dev-php/jpgraph/ChangeLog b/dev-php/jpgraph/ChangeLog
index 5cc6699d194f..ffaa5e68abda 100644
--- a/dev-php/jpgraph/ChangeLog
+++ b/dev-php/jpgraph/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for dev-php5/jpgraph
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/jpgraph/ChangeLog,v 1.22 2012/01/28 14:04:18 mabi Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/jpgraph/ChangeLog,v 1.23 2012/06/11 15:12:54 mabi Exp $
+
+*jpgraph-3.0.7-r1 (11 Jun 2012)
+
+ 11 Jun 2012; Matti Bickel <mabi@gentoo.org> +files/cve-2009-4422.patch,
+ +jpgraph-3.0.7-r1.ebuild, -jpgraph-3.0.7.ebuild:
+ bump to fix security issue (bug #303745), also move jpgraph install path to
+ /usr/share/php/jpgraph (losing the src part)
28 Jan 2012; Matti Bickel <mabi@gentoo.org> jpgraph-3.0.7.ebuild:
EAPI bump
diff --git a/dev-php/jpgraph/Manifest b/dev-php/jpgraph/Manifest
index c56e19a9d7b6..57fb2d7e69a9 100644
--- a/dev-php/jpgraph/Manifest
+++ b/dev-php/jpgraph/Manifest
@@ -1,6 +1,7 @@
+AUX cve-2009-4422.patch 1328 RMD160 94682ac419cb6dcbd14e535269b2faa927cdb379 SHA1 9ef5ae5f284d1e8c65360bd3439c52de16881f92 SHA256 cc527f33c6a81e850152655fdc2601e61727a419853d44c3de7b0ab282f98c80
DIST jpgraph-2.3.tar.gz 4619908 RMD160 dcebe1591bc9ccd1a24d454b8890416d06e4ef4b SHA1 69c14f902befa68cfe84de19a2f42621f770604c SHA256 f149ed7a45e4e2e8045f9ccf3f8342153d25766ffc0f0f7242cfcf7185b88fb9
DIST jpgraph-3.0.7.tar.bz2 10541173 RMD160 338f78c8b3ef0a9f3e52240be43bb5f5e02662b9 SHA1 3f841ea20cb27d0ee2376669936ca5127f7c2291 SHA256 412a1aaf47c7d70c5a4350d1c571ebb88c77138d9b95afd51895c44f188a03b6
EBUILD jpgraph-2.3.ebuild 2772 RMD160 ec85124de106d6960aa5ee38992f67b05375d03d SHA1 4b8246430f7907d7c25725e2980e299b96f95472 SHA256 ff6c59569c00591532e6941b8c54598bd44d80e712d9c2705c589ebc7fac8f59
-EBUILD jpgraph-3.0.7.ebuild 2642 RMD160 661cb830d2f0b7e69f2cce9b6c98b734a7a3ad15 SHA1 b2829538f2758cf3fda95c789def4be359dcbaee SHA256 d30191ed61005e9d70b58a6962243efbc4d8d4413808d9dee10261ec416fd84e
-MISC ChangeLog 4353 RMD160 bced8d9935a9ad9f5d2825c6724ff62fc0f4310f SHA1 5f29331335495342457299b31feb7edb6201a6ee SHA256 007b5c7fd53166134a16192d21811a8f34401d245676fc009a806ad9b9ffae9f
+EBUILD jpgraph-3.0.7-r1.ebuild 2805 RMD160 efb7fac2c55cfc2e7e653dd7aeb9a3c6de8c5c2b SHA1 c67fa4dd02dbe8ef0567d610ca94ada0bcd7b5f3 SHA256 e40cddfbb964c1f204b75dfdba8789e5b17b0d8c6226aaef0d344c8177dbd8ee
+MISC ChangeLog 4637 RMD160 923b206ac057ac9a1af168cc23e4eb388db06c8a SHA1 85c5c1152a6fe93fb4b4d892e0191ad0788aba4d SHA256 5d44dacceaffa0baefed024da29ac8efc1cd0759bbccea26516cced65fb061cf
MISC metadata.xml 157 RMD160 a98db3a086fae3c09a903dadbc05f60443ec4b1a SHA1 ddaa23cc35eb917bf8962b652442bebb1ce0f440 SHA256 54f8878ca0228e380abbaa4b529806b5533a6b9b51b3b16c0909e906586a91a1
diff --git a/dev-php/jpgraph/files/cve-2009-4422.patch b/dev-php/jpgraph/files/cve-2009-4422.patch
new file mode 100644
index 000000000000..b092d43c9006
--- /dev/null
+++ b/dev-php/jpgraph/files/cve-2009-4422.patch
@@ -0,0 +1,31 @@
+diff -ur jpgraph-3.0.7.orig/src/jpgraph.php jpgraph-3.0.7/src/jpgraph.php
+--- jpgraph-3.0.7.orig/src/jpgraph.php 1970-01-01 10:13:08.000000000 +0100
++++ jpgraph-3.0.7/src/jpgraph.php 2012-06-11 14:55:18.557995018 +0200
+@@ -1286,11 +1286,11 @@
+ while( list($key,$value) = each($_GET) ) {
+ if( is_array($value) ) {
+ foreach ( $value as $k => $v ) {
+- $urlarg .= '&amp;'.$key.'%5B'.$k.'%5D='.urlencode($v);
++ $urlarg .= '&amp;'.urlencode($key).'%5B'.$k.'%5D='.urlencode($v);
+ }
+ }
+ else {
+- $urlarg .= '&amp;'.$key.'='.urlencode($value);
++ $urlarg .= '&amp;'.urlencode($key).'='.urlencode($value);
+ }
+ }
+
+@@ -1301,11 +1301,11 @@
+ while( list($key,$value) = each($_POST) ) {
+ if( is_array($value) ) {
+ foreach ( $value as $k => $v ) {
+- $urlarg .= '&amp;'.$key.'%5B'.$k.'%5D='.urlencode($v);
++ $urlarg .= '&amp;'.htmlentities($key).'%5B'.$k.'%5D='.htmlentities($v);
+ }
+ }
+ else {
+- $urlarg .= '&amp;'.$key.'='.urlencode($value);
++ $urlarg .= '&amp;'.htmlentities($key).'='.htmlentities($value);
+ }
+ }
+
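Review bot: The inner array key `$k` is still concatenated without encoding in both array branches (`'%5B'.$k.'%5D='`), and it comes from the request just as `$key` does, so those branches remain injectable after this patch. The `$_POST` loop also swaps `urlencode()` for `htmlentities()`, which does not percent-encode `&`, `=`, `#`, `%` or spaces and leaves single quotes alone unless `ENT_QUOTES` is passed. A POST value can therefore still change the structure of the generated query string and, depending on how `$urlarg` is quoted where it is emitted (not visible here), possibly the surrounding markup. Using one form in both loops would close this: `$urlarg .= '&amp;'.urlencode($key).'%5B'.urlencode($k).'%5D='.urlencode($v);` for the array case and `$urlarg .= '&amp;'.urlencode($key).'='.urlencode($value);` for the scalar case. The enclosing function starts and ends outside the patched context.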
diff --git a/dev-php/jpgraph/jpgraph-3.0.7.ebuild b/dev-php/jpgraph/jpgraph-3.0.7-r1.ebuild
index 56cc07980d29..9919f7eb2d09 100644
--- a/dev-php/jpgraph/jpgraph-3.0.7.ebuild
+++ b/dev-php/jpgraph/jpgraph-3.0.7-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/jpgraph/jpgraph-3.0.7.ebuild,v 1.2 2012/01/28 14:04:18 mabi Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/jpgraph/jpgraph-3.0.7-r1.ebuild,v 1.1 2012/06/11 15:12:54 mabi Exp $
EAPI="4"
@@ -13,7 +13,7 @@ HOMEPAGE="http://www.aditus.nu/jpgraph/"
SRC_URI="http://hem.bredband.net/jpgraph2/${P}.tar.bz2"
LICENSE="QPL-1.0"
SLOT="0"
-IUSE="truetype"
+IUSE="truetype +examples"
DEPEND=""
RDEPEND="truetype? ( media-fonts/corefonts )
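Review bot: `+examples` puts the example scripts into the default install on a revision whose stated purpose is a security fix; the removal added in src_install runs only when the flag is explicitly disabled. Demonstration scripts are usually not written defensively, so opt-in is the least-privilege default: `IUSE="truetype examples"`. If default-on is deliberate (presumably to match what the previous revision installed), a short comment next to IUSE stating that reason would keep a later reader from treating it as an oversight.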
@@ -40,6 +40,10 @@ pkg_setup() {
fi
}
+src_prepare() {
+ epatch "${FILESDIR}/cve-2009-4422.patch"
+}
+
src_install() {
# some patches to adapt the config to Gentoo
einfo "Patching jpg-config.inc.php"
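Review bot: `src_prepare()` has no comment linking the patch to its advisory, so a later version bump gives no hint about when the patch can be dropped. A line above the call such as `# CVE-2009-4422 (bug #303745): encode request keys in generated URL arguments` would record that. `epatch` also needs `eutils` to be inherited, which cannot be confirmed here because the `inherit` line lies outside this hunk.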
@@ -66,14 +70,16 @@ src_install() {
# patch 4:
# disable READ_CACHE in jpgraph
-
sed -i "s|^define('READ_CACHE',true);|define('READ_CACHE',false);|" src/jpg-config.inc.php \
|| die "sed failed in patch 4"
# install php files
einfo "Building list of files to install"
insinto "/usr/share/php/${PN}"
- doins -r src/
+ doins -r src/*
+
+ # remove unwanted examples
+ use examples || rm -rf "${D}/usr/share/php/${PN}/Examples"
# install documentation
einfo "Installing documentation"
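Review bot: The `rm -rf` on the `Examples` line cannot fail visibly. If the directory under `src/` has a different name (case included) or moves in a later release, `USE=-examples` still installs the examples and nothing reports it. Removing the directory from the work tree before `doins`, with a check, keeps the files out of the image and makes the flag verifiable: `use examples || { [[ -d src/Examples ]] || die "Examples dir not found"; rm -rf src/Examples; }`. src_install continues outside this hunk.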