authorIan Delaney <idella4@gentoo.org>2013-06-28 02:52:33 +0000
committerIan Delaney <idella4@gentoo.org>2013-06-28 02:52:33 +0000
commitef0c61b693ef466ee6a518319b3191aa9315afbc (patch)
tree8b975f97f1084096d52643c7dcb649d22647aeca /dev-util
parentFix redundant slashes in header-wrapping include paths, bug #475046. Thanks t... (diff)
Security patch for CVE-2013-2209 (XSS in the reviews dropdown) applied; revision bumped to -r1
(Portage version: 2.1.11.63/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'dev-util')
-rw-r--r--dev-util/reviewboard/ChangeLog8
-rw-r--r--dev-util/reviewboard/files/CVE-2013-2209-sec.patch74
-rw-r--r--dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild117
3 files changed, 198 insertions, 1 deletions
diff --git a/dev-util/reviewboard/ChangeLog b/dev-util/reviewboard/ChangeLog
index 34a75af24c48..40e34692b779 100644
--- a/dev-util/reviewboard/ChangeLog
+++ b/dev-util/reviewboard/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for dev-util/reviewboard
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-util/reviewboard/ChangeLog,v 1.1 2013/06/16 16:02:06 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-util/reviewboard/ChangeLog,v 1.2 2013/06/28 02:52:33 idella4 Exp $
+
+*reviewboard-1.7.7.1-r1 (28 Jun 2013)
+
+ 28 Jun 2013; Ian Delaney <idella4@gentoo.org> +files/CVE-2013-2209-sec.patch,
+ +reviewboard-1.7.7.1-r1.ebuild, reviewboard-1.7.7.1.ebuild:
+ Sec patch applied, revbumped
*reviewboard-1.7.7.1 (16 Jun 2013)
diff --git a/dev-util/reviewboard/files/CVE-2013-2209-sec.patch b/dev-util/reviewboard/files/CVE-2013-2209-sec.patch
new file mode 100644
index 000000000000..1b41c3c6f0d2
--- /dev/null
+++ b/dev-util/reviewboard/files/CVE-2013-2209-sec.patch
@@ -0,0 +1,74 @@
+From 4aaacbb1e628a80803ba1a55703db38fccdf7dbf Mon Sep 17 00:00:00 2001
+From: Christian Hammond <chipx86@chipx86.com>
+Date: Fri, 21 Jun 2013 23:33:16 -0700
+Subject: [PATCH] Fix an XSS vulnerability in the reviews dropdown.
+
+The reviews dropdown had a bad vulnerability where it would assume the
+user's full name is valid HTML. This allowed the user to craft a script
+tag that would be executed every time the name appeared in the dropdown.
+
+This vulnerability exists in 1.6.x, 1.7.x, and the in-development 1.8.
+There are no known attacks in the wild.
+
+This was reported by Craig Young at Tripwire.
+#---
+# reviewboard/htdocs/media/rb/js/reviews.js | 6 ++++--
+# 1 file changed, 4 insertions(+), 2 deletions(-)
+
+#diff --git a/reviewboard/htdocs/media/rb/js/reviews.js b/reviewboard/htdocs/media/rb/js/reviews.js
+#index 6340744..035872f 100644
+#--- a/reviewboard/htdocs/media/rb/js/reviews.js
+#+++ b/reviewboard/htdocs/media/rb/js/reviews.js
+#@@ -352,10 +352,12 @@ $.fn.reviewsAutoComplete = function(options) {
+# $(this)
+# .autocomplete({
+# formatItem: function(data) {
+#- var s = data[options.nameKey];
+#+ var s = data[options.nameKey],
+#+ desc;
+#
+# if (options.descKey) {
+#- s += " <span>(" + data[options.descKey] + ")</span>";
+#+ desc = $('<div/>').text(data[options.descKey]).html();
+#+ s += " <span>(" + desc + ")</span>";
+# }
+#
+ # return s;
+#--
+#1.8.1.6
+diff -ur ReviewBoard-1.7.7.1.orig/reviewboard/htdocs/static/rb/js/reviews.js ReviewBoard-1.7.7.1/reviewboard/htdocs/static/rb/js/reviews.js
+--- reviewboard/htdocs/static/rb/js/reviews.js 2013-04-22 04:40:30.000000000 +0800
++++ reviewboard/htdocs/static/rb/js/reviews.js 2013-06-28 10:38:29.514298074 +0800
+@@ -257,10 +257,12 @@
+ $(this)
+ .rbautocomplete({
+ formatItem: function(data) {
+- var s = data[options.nameKey];
++ var s = data[options.nameKey],
++ desc;
+
+ if (options.descKey && data[options.descKey]) {
+- s += " <span>(" + data[options.descKey] + ")</span>";
++ desc = $('<div/>').text(data[options.descKey]).html();
++ s += " <span>(" + desc + ")</span>";
+ }
+
+ return s;
+diff -ur ReviewBoard-1.7.7.1.orig/reviewboard/static/rb/js/reviews.js ReviewBoard-1.7.7.1/reviewboard/static/rb/js/reviews.js
+--- reviewboard/static/rb/js/reviews.js 2013-04-22 04:40:29.000000000 +0800
++++ reviewboard/static/rb/js/reviews.js 2013-06-28 10:40:09.922290974 +0800
+@@ -257,10 +257,12 @@
+ $(this)
+ .rbautocomplete({
+ formatItem: function(data) {
+- var s = data[options.nameKey];
++ var s = data[options.nameKey],
++ desc;
+
+ if (options.descKey && data[options.descKey]) {
+- s += " <span>(" + data[options.descKey] + ")</span>";
++ desc = $('<div/>').text(data[options.descKey]).html();
++ s += " <span>(" + desc + ")</span>";
+ }
+
+ return s;
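Review bot: The new lines HTML-encode only the description value; `var s = data[options.nameKey],` on the line above still concatenates the name key into markup unescaped, so the fix rests on that key always holding a value with a restricted character set (which this hunk cannot guarantee) rather than on the output being encoded. Treating it the same way, `var s = $('<div/>').text(data[options.nameKey]).html(),`, costs nothing and keeps the autocomplete item safe if nameKey is ever pointed at a free-form field. The leading block of `#`-prefixed lines reproduces the upstream hunk against `reviewboard/htdocs/media/rb/js/reviews.js`, a different path from the two files actually patched; patch(1) ignores text before the first file header so it is harmless, but a one-line comment such as `# Upstream commit 4aaacbb re-targeted at the 1.7.7.1 tarball paths; original hunk kept below for reference` would tell the next maintainer why it is there. Both formatItem callbacks are closures inside an rbautocomplete({...}) call that begins and ends outside the hunk.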
diff --git a/dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild b/dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild
new file mode 100644
index 000000000000..f8ae2788db2e
--- /dev/null
+++ b/dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild
@@ -0,0 +1,117 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild,v 1.1 2013/06/28 02:52:33 idella4 Exp $
+
+EAPI=5
+PYTHON_COMPAT=( python{2_6,2_7} )
+
+inherit distutils-r1
+
+MY_PN="ReviewBoard"
+DESCRIPTION="A web-based code review tool that offers developers an easy way to handle code reviews"
+HOMEPAGE="http://www.reviewboard.org/"
+SRC_URI="http://downloads.reviewboard.org/releases/${MY_PN}/1.7/${MY_PN}-${PV}.tar.gz"
+KEYWORDS="~amd64 ~x86"
+IUSE="codebase doc manual rnotes test"
+
+LICENSE="MIT"
+SLOT="0"
+S=${WORKDIR}/${MY_PN}-${PV}
+
+RDEPEND=">=dev-python/django-1.4.3[${PYTHON_USEDEP}]
+ <dev-python/django-1.5[${PYTHON_USEDEP}]
+ >=dev-python/django-evolution-0.6.7[${PYTHON_USEDEP}]
+ >=dev-python/django-pipeline-1.2.24[${PYTHON_USEDEP}]
+ >=dev-python/Djblets-0.7.7[${PYTHON_USEDEP}]
+ >=dev-python/pygments-1.5[${PYTHON_USEDEP}]
+ dev-python/docutils[${PYTHON_USEDEP}]
+ >=dev-python/markdown-2.2.1[${PYTHON_USEDEP}]
+ >=dev-python/paramiko-1.7.6[${PYTHON_USEDEP}]
+ >=dev-python/mimeparse-0.1.3[${PYTHON_USEDEP}]
+ dev-python/python-dateutil[${PYTHON_USEDEP}]
+ dev-python/python-memcached[${PYTHON_USEDEP}]
+ dev-python/pytz[${PYTHON_USEDEP}]
+ dev-python/recaptcha-client[${PYTHON_USEDEP}]"
+DEPEND="${RDEPEND}
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ test? ( dev-python/nose[${PYTHON_USEDEP}] )
+ doc? ( dev-python/sphinx[${PYTHON_USEDEP}] )"
+
+REQUIRED_USE="doc? ( || ( codebase manual rnotes ) )"
+# Tests mostly access the inet and when run mostly fail
+RESTRICT=test
+
+PATCHES=( "${FILESDIR}"/docs.patch
+ "${FILESDIR}"/CVE-2013-2209-sec.patch )
+
+python_prepare_all() {
+ # Higher versions do not support python-2.5, while reviewboard upstream
+ # still does. We do not support python-2.5 for this package as it will
+ # prevent downgrades for some of our dependencies.
+ sed -i setup.py \
+ -e "s/python-dateutil==1.5/python-dateutil/" \
+ -e "s/django-pipeline>=1.2.24,<1.3/django-pipeline>=1.2.24/" || die
+
+ distutils-r1_python_prepare_all
+}
+
+python_compile_all() {
+ # See http://code.google.com/p/reviewboard/issues/ #3009
+ # until build of manual can find and use ROOT_URLCONF, only possible build path for manual
+ # requires sacrificing the resources section, all of which call on ROOT_URLCONF
+ local msg="Generating docs for"
+ if use doc; then
+ if use manual; then
+ rm -rf docs/manual/webapi//2.0/resources/ || die
+ einfo;einfo "$msg manual"
+ DJANGO_SETTINGS_MODULE="django.conf" emake -C docs/manual html
+ fi
+ if use codebase; then
+ pushd docs/codebase &> /dev/null
+ ln -sf ../../contrib/internal/conf/settings_local.py .
+ popd &> /dev/null
+ einfo;einfo "$msg codebase"
+ emake -C docs/codebase html
+ fi
+
+ if use rnotes; then
+ einfo;einfo "$msg release notes"
+ emake -C docs/releasenotes html
+ fi
+ fi
+}
+
+python_test() {
+ pushd ${PN} > /dev/null
+ ln -sf contrib/internal/conf/settings_local.py .
+ "${PYTHON}" manage.py test || die
+}
+
+python_install_all() {
+ if use doc; then
+ if use manual; then
+ insinto /usr/share/doc/${PF}/manual
+ doins -r docs/manual/_build/html/
+ fi
+ if use codebase; then
+ insinto /usr/share/doc/${PF}/codebase
+ doins -r docs/codebase/_build/html/
+ fi
+ if use rnotes; then
+ insinto /usr/share/doc/${PF}/release_notes
+ doins -r docs/releasenotes/_build/html/
+ fi
+ fi
+ distutils-r1_python_install_all
+}
+
+pkg_postinst() {
+ elog "You must install any VCS tool you wish ${PN} to support."
+ elog "dev-util/cvs, dev-vcs/git, dev-vcs/mercurial or dev-util/subversion."
+ elog
+ elog "Enable the mysql, postgres or sqlite USEflag on dev-python/django"
+ elog "to use the corresponding database backend."
+ elog
+ elog "For speed and responsiveness, consider installing net-misc/memcached"
+ elog "and dev-python/python-memcached"
+}
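Review bot: pkg_postinst gives no upgrade guidance for the security fix it ships: the patch rewrites only the two unminified `reviews.js` sources, and nothing in python_compile_all or python_install_all regenerates any packaged JS, so if the 1.7 tarball also carries pipeline-built `*.min.js` bundles under htdocs/static (I cannot see the tarball from here) the bundle served with DEBUG off would still contain the vulnerable concatenation — verify that, or extend the patch to cover it. Likewise, if rb-site copies rather than symlinks static files into a site's htdocs, existing installs keep the old file until they are upgraded, so an `elog "Existing sites should run 'rb-site upgrade <site-dir>' to pick up the CVE-2013-2209 fix."` in pkg_postinst would help admins who installed before this revision. Separately, `pushd ${PN} > /dev/null` in python_test has no `|| die`, no quoting and no matching popd, so a failed cd would run manage.py from the wrong directory and a successful one leaves the cwd changed; `pushd "${PN}" > /dev/null || die` with a `popd > /dev/null || die` after the test fixes both, although RESTRICT=test means this path is not exercised today.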