[Pkg-voip-commits] r7821 - in /destar/trunk/debian: changelog control copyright patches/00list patches/fixCVE-2008-6538.dpatch patches/fixCVE-2008-6539.dpatch rules
alerios at alioth.debian.org
Wed Nov 18 21:14:59 UTC 2009
Author: alerios
Date: Wed Nov 18 21:14:59 2009
New Revision: 7821
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=7821
Log:
Adding proposed fixes to CVE-2008-6538 and CVE-2008-6539
Added:
destar/trunk/debian/patches/fixCVE-2008-6538.dpatch (with props)
destar/trunk/debian/patches/fixCVE-2008-6539.dpatch (with props)
Modified:
destar/trunk/debian/changelog
destar/trunk/debian/control
destar/trunk/debian/copyright
destar/trunk/debian/patches/00list
destar/trunk/debian/rules
Modified: destar/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/destar/trunk/debian/changelog?rev=7821&op=diff
==============================================================================
--- destar/trunk/debian/changelog (original)
+++ destar/trunk/debian/changelog Wed Nov 18 21:14:59 2009
@@ -1,15 +1,29 @@
-destar (0.2.2-6) UNRELEASED; urgency=low
-
- [ Patrick Matthäi ]
- * Bumped Standards-Version to 3.8.0.
- * Added missing copyright notice.
- Thanks lintian.
-
- [ Kilian Krause ]
- * Remove -N from wget args in get-orig-source target as -O is already
- used.
-
- -- Kilian Krause <kilian at debian.org> Sat, 09 May 2009 23:30:33 +0200
+destar (0.2.2-6) UNRELEASED; urgency=high
+
+ * Acknoledge pending NMUs.
+ * Add fixes to CVE-2008-6538 and CVE-2008-6539 (Closes: #522123)
+
+ -- Alejandro Rios P. <alerios at debian.org> Tue, 17 Nov 2009 12:58:55 -0500
+
+destar (0.2.2-5.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix pending l10n issues. Debconf translations:
+ - Czech. Closes: #483303
+ - Russian. Closes: #497836
+ - Swedish. Closes: #500128
+ - Basque. Closes: #503071
+ - Italian. Closes: #503263
+
+ -- Christian Perrier <bubulle at debian.org> Sun, 26 Oct 2008 08:47:45 +0100
+
+destar (0.2.2-5.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * python25.dpatch. Fix syntax error. (Closes: #501207).
+ + Thanks to John Wright for the patch.
+
+ -- Barry deFreese <bdefreese at debian.org> Wed, 15 Oct 2008 14:53:24 -0400
destar (0.2.2-5) unstable; urgency=medium
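Review bot: The rewritten 0.2.2-6 entry drops the existing UNRELEASED items from Patrick Matthäi and Kilian Krause (Standards-Version bump, copyright notice, `-N` removal) instead of merging the NMU entries beneath them, so that work disappears from the changelog. Keep those items under their bracketed names and add the new ones alongside. "Acknoledge" should be "Acknowledge", and since urgency is raised to high the CVE line should say what changes for users, namely that IP-based auto-login is disabled and that pin/secret values are now filtered.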
Modified: destar/trunk/debian/control
URL: http://svn.debian.org/wsvn/pkg-voip/destar/trunk/debian/control?rev=7821&op=diff
==============================================================================
--- destar/trunk/debian/control (original)
+++ destar/trunk/debian/control Wed Nov 18 21:14:59 2009
@@ -2,10 +2,10 @@
Section: comm
Priority: optional
Maintainer: Debian VoIP Team <pkg-voip-maintainers at lists.alioth.debian.org>
-Uploaders: Alejandro Rios P. <alejandro.rios at avatar.com.co>, Mark Purcell <msp at debian.org>
+Uploaders: Santiago Ruano Rincón <santiago at debian.org>, Alejandro Rios P. <alejandro.rios at avatar.com.co>, Mark Purcell <msp at debian.org>
Build-Depends: debhelper (>= 5.0.37.2), dpatch, po-debconf
Build-Depends-Indep: python
-Standards-Version: 3.8.0
+Standards-Version: 3.7.2
Homepage: http://destar.berlios.de/
Vcs-Svn: svn://svn.debian.org/pkg-voip/destar/trunk/
Vcs-Browser: http://svn.debian.org/wsvn/pkg-voip/destar/?op=log
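Review bot: `Standards-Version` goes backwards here, from 3.8.0 to 3.7.2, undoing the bump that the changelog entry removed in this same revision had recorded. This looks like a stale copy of debian/control overwriting trunk rather than an intended change. Keep 3.8.0 and retain only the Uploaders addition.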
@@ -17,11 +17,11 @@
Conflicts: freepbx
XB-Python-Version: ${python:Versions}
Description: management interface for the Asterisk PBX
- A web-based interface to manage the Asterisk PBX. It provides a high-level
+ A web-based interface to manage the Asterisk PBX. It provides a high-level
abstraction of the Asterisk configuration.
.
DeStar runs as an independent daemon and it supports multiple
users (of multiple access levels).
.
- The design is very modular, and adding your own plug-ins requires just
+ The design is very modular, and adding your own plug-ins requires just
dropping a cfg_*.py file in the main scripts directory.
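Review bot: Both Description changes in this hunk replace a line with text that reads identically, so they appear to be whitespace-only edits. They are unrelated to the CVE fixes and make the security change harder to review. Drop them from this commit or submit them separately.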
Modified: destar/trunk/debian/copyright
URL: http://svn.debian.org/wsvn/pkg-voip/destar/trunk/debian/copyright?rev=7821&op=diff
==============================================================================
--- destar/trunk/debian/copyright (original)
+++ destar/trunk/debian/copyright Wed Nov 18 21:14:59 2009
@@ -3,6 +3,8 @@
based on the one maded by Tzafrir Cohen <tzafrir.cohen at xorcom.com>
It was downloaded from http://destar.berlios.de
+
+Copyright: GPL
Upstream Authors: Holger Schurig <holgerschurig using the domain gmx point de> and
Michael Schwartz <nynymike at users point berlios point de>
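Review bot: The added `Copyright: GPL` line names a licence where a copyright holder and year belong. The licence is already stated in the `License:` paragraph further down, so this line should be removed rather than added.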
@@ -13,17 +15,16 @@
Santiago Ruano Rincón <santiago at unicauca point edu point co>
Manuel Alejandro Ceron Estrada <ceronman at gmail point com>
-Copyright: (C) 2005 by Holger Schurig and contributors
License:
-This package may be redistributed under the terms of the GNU GPL, version
+This package may be redistributed under the terms of the GNU GPL, version
2.0, found on Debian systems in the file /usr/share/common-licenses/GPL
There are some exceptions:
* destar_cfg.py: this is a *DATA* file, althought it looks like source-code
-* part of the code in the medusa subdirectory
-* those cfg_*.py files that bear another name on top of their copyright notice
+* part of the code in the medusa subdirectory
+* those cfg_*.py files that bear another name on top of their copyright notice
have a different author. All of them are still distibuted under the terms
of the GPL as stated above, though.
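Review bot: This hunk deletes `Copyright: (C) 2005 by Holger Schurig and contributors`, the notice that the previous changelog entry recorded adding in response to lintian. With the `Copyright: GPL` line added above, the file no longer names a copyright holder. Restore the removed line. The remaining changes in this hunk replace lines with identical-looking text and look whitespace-only, so they can be left out of a security upload.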
Modified: destar/trunk/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/destar/trunk/debian/patches/00list?rev=7821&op=diff
==============================================================================
--- destar/trunk/debian/patches/00list (original)
+++ destar/trunk/debian/patches/00list Wed Nov 18 21:14:59 2009
@@ -4,3 +4,6 @@
example.dpatch
zaptel.dpatch
debug_prints.dpatch
+python25.dpatch
+fixCVE-2008-6538.dpatch
+fixCVE-2008-6539.dpatch
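Review bot: `python25.dpatch` is added to 00list, but the "Added:" list for this revision contains only the two fixCVE files. Confirm that python25.dpatch from the 0.2.2-5.1 NMU is already present in debian/patches/, otherwise dpatch will fail on the missing file before it reaches the CVE patches.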
Added: destar/trunk/debian/patches/fixCVE-2008-6538.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/destar/trunk/debian/patches/fixCVE-2008-6538.dpatch?rev=7821&op=file
==============================================================================
--- destar/trunk/debian/patches/fixCVE-2008-6538.dpatch (added)
+++ destar/trunk/debian/patches/fixCVE-2008-6538.dpatch Wed Nov 18 21:14:59 2009
@@ -1,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fixCVE-2008-6538.dpatch by Alejandro Rios P. <alerios at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6538
+
+ at DPATCH@
+diff -urNad destar-0.2.2~/Publisher.py destar-0.2.2/Publisher.py
+--- destar-0.2.2~/Publisher.py 2006-05-24 18:14:06.000000000 -0500
++++ destar-0.2.2/Publisher.py 2009-11-18 15:59:14.000000000 -0500
+@@ -77,7 +77,8 @@
+ user=None,
+ phone='',
+ language='en',
+- level=-1, # Try to auto-login, based on IP
++ #level=-1, # Try to auto-login, based on IP
++ level=0, # Don't auto-login, based on IP
+ ))
+
+ # level==-1 means we should auto-login
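Review bot: Changing the session default to `level=0` leaves the auto-login branch itself in place, as the trailing context line `# level==-1 means we should auto-login` shows, so IP-based login still runs if any other code path sets the level to -1. Either remove that branch in this patch or confirm that nothing else assigns -1. The commented-out `#level=-1` line can be dropped rather than kept, and the new comment "Don't auto-login, based on IP" would be clearer as "never auto-login based on IP".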
Propchange: destar/trunk/debian/patches/fixCVE-2008-6538.dpatch
------------------------------------------------------------------------------
svn:executable = *
Added: destar/trunk/debian/patches/fixCVE-2008-6539.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/destar/trunk/debian/patches/fixCVE-2008-6539.dpatch?rev=7821&op=file
==============================================================================
--- destar/trunk/debian/patches/fixCVE-2008-6539.dpatch (added)
+++ destar/trunk/debian/patches/fixCVE-2008-6539.dpatch Wed Nov 18 21:14:59 2009
@@ -1,0 +1,32 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fixCVE-2008-6539.dpatch by Alejandro Rios P. <alerios at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6539
+
+ at DPATCH@
+diff -urNad destar-0.2.2~/page_user_settings.ptl destar-0.2.2/page_user_settings.ptl
+--- destar-0.2.2~/page_user_settings.ptl 2007-01-15 18:46:08.000000000 -0500
++++ destar-0.2.2/page_user_settings.ptl 2009-11-18 16:10:11.000000000 -0500
+@@ -20,7 +20,7 @@
+
+ from Templates import *
+ from quixote.form2 import *
+-import backend, manager, configlets
++import backend, manager, configlets, re
+ import time,types
+
+ _q_parent = 'page_user'
+@@ -85,10 +85,10 @@
+ manager.setVar('VMBS/%s' % phone.pbx, phone.ext, form['vmbs'])
+ manager.setVar('VMU/%s' % phone.pbx, phone.ext, form['vmu'])
+
+- if form["pin"]:
++ if form["pin"] and re.search("[\"|)|\;|(]",form["pin"]) < 1::
+ phone.pin = form["pin"]
+ try:
+- if form["secret"]:
++ if form["secret"] and re.search("[\"|)|\;|(]",form["secret"]) < 1:
+ phone.secret = form["secret"]
+ except KeyError:
+ pass
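Review bot: The added pin check ends in `< 1::`, a doubled colon that is a Python syntax error, so page_user_settings.ptl will fail to parse with this patch applied; the secret line correctly has a single colon. Beyond that, `re.search(...) < 1` depends on ordering None or a match object against an integer; `not re.search(...)` states the intent directly. Inside a character class `|` is a literal, not alternation, so `[\"|)|\;|(]` rejects only the five characters `"`, `|`, `)`, `;` and `(`. An allowlist (for example digits only for the pin) would be easier to audit than this blocklist. In the lines shown, a rejected value is simply not assigned and no error is reported to the user, which should be surfaced in the form.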
Propchange: destar/trunk/debian/patches/fixCVE-2008-6539.dpatch
------------------------------------------------------------------------------
svn:executable = *
Modified: destar/trunk/debian/rules
URL: http://svn.debian.org/wsvn/pkg-voip/destar/trunk/debian/rules?rev=7821&op=diff
==============================================================================
--- destar/trunk/debian/rules (original)
+++ destar/trunk/debian/rules Wed Nov 18 21:14:59 2009
@@ -74,7 +74,7 @@
@@dh_testdir
@@[ -d ../tarballs/. ]||mkdir -p ../tarballs
@@echo Downloading $(FILENAME) from $(URL) ...
- @@wget -nv -T10 -t3 -O ../tarballs/$(FILENAME) $(URL)
+ @@wget -N -nv -T10 -t3 -O ../tarballs/$(FILENAME) $(URL)
binary: binary-indep
.PHONY: build clean binary-indep binary install configure patch unpatch
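Review bot: `-N` is re-added to the wget call next to `-O`, reverting the change that the changelog entry removed in this same revision described as "Remove -N from wget args in get-orig-source target as -O is already used". This looks like another unintended revert from a stale working copy. Keep the line without `-N`.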