author | Ian Delaney <idella4@gentoo.org> | 2013-06-28 02:53:04 +0000 |
---|---|---|
committer | Ian Delaney <idella4@gentoo.org> | 2013-06-28 02:53:04 +0000 |
commit | d5bcfeced6badd412a8443fd9e62d42a6224da33 (patch) | |
tree | 033f620b055de5731f0bacae65da9c63a240fbcc /dev-util/reviewboard | |
parent | Fix redundant slashes in header-wrapping include paths, bug #475046. Thanks t... (diff) | |
Sec patch applied, revbumped
Package-Manager: portage-2.1.11.63/cvs/Linux x86_64
Manifest-Sign-Key: 0xB8072B0D
Diffstat (limited to 'dev-util/reviewboard')
-rw-r--r-- | dev-util/reviewboard/ChangeLog | 8 | ||||
-rw-r--r-- | dev-util/reviewboard/Manifest | 10 | ||||
-rw-r--r-- | dev-util/reviewboard/files/CVE-2013-2209-sec.patch | 74 | ||||
-rw-r--r-- | dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild | 117 |
4 files changed, 204 insertions, 5 deletions
diff --git a/dev-util/reviewboard/ChangeLog b/dev-util/reviewboard/ChangeLog index 34a75af24c48..40e34692b779 100644 --- a/dev-util/reviewboard/ChangeLog +++ b/dev-util/reviewboard/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for dev-util/reviewboard # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-util/reviewboard/ChangeLog,v 1.1 2013/06/16 16:02:06 idella4 Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-util/reviewboard/ChangeLog,v 1.2 2013/06/28 02:52:33 idella4 Exp $ + +*reviewboard-1.7.7.1-r1 (28 Jun 2013) + + 28 Jun 2013; Ian Delaney <idella4@gentoo.org> +files/CVE-2013-2209-sec.patch, + +reviewboard-1.7.7.1-r1.ebuild, reviewboard-1.7.7.1.ebuild: + Sec patch applied, revbumped *reviewboard-1.7.7.1 (16 Jun 2013) diff --git a/dev-util/reviewboard/Manifest b/dev-util/reviewboard/Manifest index b26238db48d1..a6438c7e6081 100644 --- a/dev-util/reviewboard/Manifest +++ b/dev-util/reviewboard/Manifest 
@@ -1,15 +1,17 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX CVE-2013-2209-sec.patch 3367 SHA256 18ae4b1f4af8c8872497b8efdcf304d13bcb2192d2c2857a293dd32edaf0d0d0 SHA512 e12d36ee960134f3233647e6cc3e9f7c134282e88259c920e346823e578e29bcc21062c417e12c0f13c3c1cc4310e8e18ce6be740dfaa2219c335c2e28e832a6 WHIRLPOOL fe391e1f110973c9cf81442454e33c1cc5086b5f93389315aebc4f478220202149d314e0d6b07d7f43537b1b69f81b957800b98df9fc1587623bbae068403279 AUX docs.patch 2031 SHA256 b013c83c282756b78adc128b2e2a26914eb3b64f3940e0091cc0cff54d618e5f SHA512 3a99f5cb314e8a315325c02bc3f5fa8c700baf958564dc46c64d4715229cadef5512014409b3647c8adf7fc20c29c2de0fd1f1ff58867c719d70b16fcf3cf2dd WHIRLPOOL 433ff7949062eda6bf8d0c5d5a6967b78b00a806082775e528f5cb9a3c3e76a22f30bb32f7ba991df28275722eb6d69832a3e8ca62844b8d8150dbfd7928b8c8 DIST ReviewBoard-1.7.7.1.tar.gz 2946656 SHA256 4e3306cd55e572179cdd1157e50a3e3bb4b0b8847bc14d0bafdb7fd7fe696208 SHA512 3896be4ee0dcd6817f21e326ef4a55ed04d1101939971c92f88d8e3501b8133a793816bd94c93475fb59528a4c37f1c405691a98bf896bc0df3fc0c8c08df02a WHIRLPOOL b288af9765a6df271ffc1e51f9fadca91f604a5166dd6f44a7c28c3ecea8e63676d96e5a84f5e1a18331fdab2cbb799dbb3d33ac28e9bd37c7af66fed17070ac +EBUILD reviewboard-1.7.7.1-r1.ebuild 3808 SHA256 e64a2a78677cab7d89394388dee39f6974bf5423bc2834d16b6c1afd546b5c49 SHA512 e0eebefe73976832d8e484dbf158e18f2a0ab67df7dc4337d9bcd2d8e1af049ad94796ca87138209be89ca9fce763ad80edb797c4f5804a3b9e231514d469a24 WHIRLPOOL d7ab90d091ec96d3764e8da4e894a27426fd2c30864b904258b17d8bf2c3b4023fcab95248de8dbc71313aff02cd3eee9e8a4b7e1fc3348b404adceea47da69a EBUILD reviewboard-1.7.7.1.ebuild 3765 SHA256 8f4be71279b6c85c48dd82c29dc84abf2f60c1963a5b4dac94b4889b86f6efaf SHA512 a2727ca06c0eb82c745ec5e3990ac93fc2e4d5d1798ddfad9f7712a82bae5c33690f58dc52d2815dc21b5ecc89cbcdaa9c4a303552ff8425c699646768896db8 WHIRLPOOL 21c47afc9ee97c8d43574fd02f49a9a3b0e6326bfdaa4dc95e1306ec8482dd6615e389523cad6b99af69c916d26ab2b822cb658b9a7cce7ab1e6a9fa4c46868c -MISC ChangeLog 438 
SHA256 3ed21bb5120c2d5425f4498f374be11dc3af1583cc6215b947c5d980ae0fdd32 SHA512 a2ea55fda1826c5a7aab88a1f6fc0757174016c7f1b4203c1b23de7920e44b65d768fc801d0631bb2ccf6a87979752ec3035ae2e6f9f53e44a41067f47197bf8 WHIRLPOOL e7146d984105224951740b51167490aaee8275e2f2eaab90d76f75110972d08efd669aefd892253c1689c4225b28be9e5ce52622d027e19da023beba66eda957 +MISC ChangeLog 651 SHA256 f9b373d51748513384d5890fa35cb106e5084443d0493a1b74116cdeb32ae00f SHA512 efeffc469d9d4565adb087529adfb52d1c41c4390a5a8cfa52bed6ff1d888c7ae0ecc1adfedea74dad56f8fa84a5475146965f65c0ba78113f3f8112d1f6581d WHIRLPOOL 8a7643fd9ae7f6650c6724f015b4ba89462cfcf3cc3134275589368d7f4b01a2fa7a7beb735f755e054a18631aa2c6601c64b7bf4554dace6d74722d307bb774 MISC metadata.xml 412 SHA256 2781c5d2f9500d5d74e7c740d5ac3187b3ae9d7758afd1f5574e8e37075db16c SHA512 aa08361eb0976b2da686be94c22be013a320f4eeee38d1337a38409dc04f8dddf5af65aa3a6885100e007f43af36d692546f00aabdfc1d20a95c2f4dfa471c7f WHIRLPOOL 6a38977a12bdfffa285472cc2395b06443860ee86881f86e4f5134471d53ecf7729d09d49c1bf732820d7ec7d4f373060b32fd535b0501e00f178c0f390bd0a0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iEYEAREIAAYFAlG94YoACgkQso7CE7gHKw2kHACgwa2amMvWC6ehF40oCMvbd7Aa -A90AoKQFwdbWZ7s7njjXSUxlRX1YGnjn -=YX4h +iEYEAREIAAYFAlHM+noACgkQso7CE7gHKw3KdgCfQjfsaxR5hWxWAaNwFcKOr0Kb +Ys4AniHUihOzKI0OBQZ0nI/4sI6RRL8e +=Ux82 -----END PGP SIGNATURE----- diff --git a/dev-util/reviewboard/files/CVE-2013-2209-sec.patch b/dev-util/reviewboard/files/CVE-2013-2209-sec.patch new file mode 100644 index 000000000000..1b41c3c6f0d2 --- /dev/null +++ b/dev-util/reviewboard/files/CVE-2013-2209-sec.patch 
@@ -0,0 +1,74 @@ +From 4aaacbb1e628a80803ba1a55703db38fccdf7dbf Mon Sep 17 00:00:00 2001 +From: Christian Hammond <chipx86@chipx86.com> +Date: Fri, 21 Jun 2013 23:33:16 -0700 +Subject: [PATCH] Fix an XSS vulnerability in the reviews dropdown. + +The reviews dropdown had a bad vulnerability where it would assume the +user's full name is valid HTML. This allowed the user to craft a script +tag that would be executed every time the name appeared in the dropdown. + +This vulnerability exists in 1.6.x, 1.7.x, and the in-development 1.8. +There are no known attacks in the wild. + +This was reported by Craig Young at Tripwire. +#--- +# reviewboard/htdocs/media/rb/js/reviews.js | 6 ++++-- +# 1 file changed, 4 insertions(+), 2 deletions(-) + +#diff --git a/reviewboard/htdocs/media/rb/js/reviews.js b/reviewboard/htdocs/media/rb/js/reviews.js +#index 6340744..035872f 100644 +#--- a/reviewboard/htdocs/media/rb/js/reviews.js +#+++ b/reviewboard/htdocs/media/rb/js/reviews.js +#@@ -352,10 +352,12 @@ $.fn.reviewsAutoComplete = function(options) { +# $(this) +# .autocomplete({ +# formatItem: function(data) { +#- var s = data[options.nameKey]; +#+ var s = data[options.nameKey], +#+ desc; +# +# if (options.descKey) { +#- s += " <span>(" + data[options.descKey] + ")</span>"; +#+ desc = $('<div/>').text(data[options.descKey]).html(); +#+ s += " <span>(" + desc + ")</span>"; +# } +# + # return s; +#-- +#1.8.1.6 +diff -ur ReviewBoard-1.7.7.1.orig/reviewboard/htdocs/static/rb/js/reviews.js ReviewBoard-1.7.7.1/reviewboard/htdocs/static/rb/js/reviews.js +--- reviewboard/htdocs/static/rb/js/reviews.js 2013-04-22 04:40:30.000000000 +0800 ++++ reviewboard/htdocs/static/rb/js/reviews.js 2013-06-28 10:38:29.514298074 +0800 +@@ -257,10 +257,12 @@ + $(this) + .rbautocomplete({ + formatItem: function(data) { +- var s = data[options.nameKey]; ++ var s = data[options.nameKey], ++ desc; + + if (options.descKey && data[options.descKey]) { +- s += " <span>(" + data[options.descKey] + ")</span>"; ++ desc 
= $('<div/>').text(data[options.descKey]).html(); ++ s += " <span>(" + desc + ")</span>"; + } + + return s; +diff -ur ReviewBoard-1.7.7.1.orig/reviewboard/static/rb/js/reviews.js ReviewBoard-1.7.7.1/reviewboard/static/rb/js/reviews.js +--- reviewboard/static/rb/js/reviews.js 2013-04-22 04:40:29.000000000 +0800 ++++ reviewboard/static/rb/js/reviews.js 2013-06-28 10:40:09.922290974 +0800 +@@ -257,10 +257,12 @@ + $(this) + .rbautocomplete({ + formatItem: function(data) { +- var s = data[options.nameKey]; ++ var s = data[options.nameKey], ++ desc; + + if (options.descKey && data[options.descKey]) { +- s += " <span>(" + data[options.descKey] + ")</span>"; ++ desc = $('<div/>').text(data[options.descKey]).html(); ++ s += " <span>(" + desc + ")</span>"; + } + + return s; diff --git a/dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild b/dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild new file mode 100644 index 000000000000..f8ae2788db2e --- /dev/null +++ b/dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild 
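Review bot: Only the description half of the dropdown entry is HTML-escaped by the new formatItem; `var s = data[options.nameKey],` is still concatenated into the markup unescaped in both patched copies of reviews.js, so if the value behind nameKey can carry user-supplied text the same injection path remains. A symmetric fix is `var s = $('<div/>').text(data[options.nameKey]).html(),` in place of the first added line of each inner hunk. Whether nameKey is ever user-controlled is not visible from this hunk and should be confirmed against the callers of rbautocomplete before relying on the narrower fix. The `#`-prefixed upstream header block at the top of the file is inert for patch(1), but a one-line note saying it is kept for provenance would spare the next maintainer from wondering whether it was meant to apply.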
@@ -0,0 +1,117 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-util/reviewboard/reviewboard-1.7.7.1-r1.ebuild,v 1.1 2013/06/28 02:52:33 idella4 Exp $
+
+EAPI=5
+PYTHON_COMPAT=( python{2_6,2_7} )
+
+inherit distutils-r1
+
+MY_PN="ReviewBoard"
+DESCRIPTION="A web-based code review tool that offers developers an easy way to handle code reviews"
+HOMEPAGE="http://www.reviewboard.org/"
+SRC_URI="http://downloads.reviewboard.org/releases/${MY_PN}/1.7/${MY_PN}-${PV}.tar.gz"
+KEYWORDS="~amd64 ~x86"
+IUSE="codebase doc manual rnotes test"
+
+LICENSE="MIT"
+SLOT="0"
+S=${WORKDIR}/${MY_PN}-${PV}
+
+RDEPEND=">=dev-python/django-1.4.3[${PYTHON_USEDEP}]
+ <dev-python/django-1.5[${PYTHON_USEDEP}]
+ >=dev-python/django-evolution-0.6.7[${PYTHON_USEDEP}]
+ >=dev-python/django-pipeline-1.2.24[${PYTHON_USEDEP}]
+ >=dev-python/Djblets-0.7.7[${PYTHON_USEDEP}]
+ >=dev-python/pygments-1.5[${PYTHON_USEDEP}]
+ dev-python/docutils[${PYTHON_USEDEP}]
+ >=dev-python/markdown-2.2.1[${PYTHON_USEDEP}]
+ >=dev-python/paramiko-1.7.6[${PYTHON_USEDEP}]
+ >=dev-python/mimeparse-0.1.3[${PYTHON_USEDEP}]
+ dev-python/python-dateutil[${PYTHON_USEDEP}]
+ dev-python/python-memcached[${PYTHON_USEDEP}]
+ dev-python/pytz[${PYTHON_USEDEP}]
+ dev-python/recaptcha-client[${PYTHON_USEDEP}]"
+DEPEND="${RDEPEND}
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ test? ( dev-python/nose[${PYTHON_USEDEP}] )
+ doc? ( dev-python/sphinx[${PYTHON_USEDEP}] )"
+
+REQUIRED_USE="doc? ( || ( codebase manual rnotes ) )"
+# Tests mostly access the inet and when run mostly fail
+RESTRICT=test
+
+PATCHES=( "${FILESDIR}"/docs.patch
+ "${FILESDIR}"/CVE-2013-2209-sec.patch )
+
+python_prepare_all() {
+ # Higher versions do not support python-2.5, while reviewboard upstream
+ # still does. We do not support python-2.5 for this package as it will
+ # prevent downgrades for some of our dependencies.
+ sed -i setup.py \
+ -e "s/python-dateutil==1.5/python-dateutil/" \
+ -e "s/django-pipeline>=1.2.24,<1.3/django-pipeline>=1.2.24/" || die
+
+ distutils-r1_python_prepare_all
+}
+
+python_compile_all() {
+ # See http://code.google.com/p/reviewboard/issues/ #3009
+ # until build of manual can find and use ROOT_URLCONF, only possible build path for manual
+ # requires sacrificing the resources section, all of which call on ROOT_URLCONF
+ local msg="Generating docs for"
+ if use doc; then
+ if use manual; then
+ rm -rf docs/manual/webapi//2.0/resources/ || die
+ einfo;einfo "$msg manual"
+ DJANGO_SETTINGS_MODULE="django.conf" emake -C docs/manual html
+ fi
+ if use codebase; then
+ pushd docs/codebase &> /dev/null
+ ln -sf ../../contrib/internal/conf/settings_local.py .
+ popd &> /dev/null
+ einfo;einfo "$msg codebase"
+ emake -C docs/codebase html
+ fi
+
+ if use rnotes; then
+ einfo;einfo "$msg release notes"
+ emake -C docs/releasenotes html
+ fi
+ fi
+}
+
+python_test() {
+ pushd ${PN} > /dev/null
+ ln -sf contrib/internal/conf/settings_local.py .
+ "${PYTHON}" manage.py test || die
+}
+
+python_install_all() {
+ if use doc; then
+ if use manual; then
+ insinto /usr/share/doc/${PF}/manual
+ doins -r docs/manual/_build/html/
+ fi
+ if use codebase; then
+ insinto /usr/share/doc/${PF}/codebase
+ doins -r docs/codebase/_build/html/
+ fi
+ if use rnotes; then
+ insinto /usr/share/doc/${PF}/release_notes
+ doins -r docs/releasenotes/_build/html/
+ fi
+ fi
+ distutils-r1_python_install_all
+}
+
+pkg_postinst() {
+ elog "You must install any VCS tool you wish ${PN} to support."
+ elog "dev-util/cvs, dev-vcs/git, dev-vcs/mercurial or dev-util/subversion."
+ elog
+ elog "Enable the mysql, postgres or sqlite USEflag on dev-python/django"
+ elog "to use the corresponding database backend."
+ elog
+ elog "For speed and responsiveness, consider installing net-misc/memcached"
+ elog "and dev-python/python-memcached"
+} |
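Review bot: `pushd ${PN} > /dev/null` in python_test and `pushd docs/codebase &> /dev/null` in python_compile_all are unchecked, and the python_test one is never balanced by a popd, so a failed directory change would run the following `ln -sf` and `manage.py test` in the wrong directory without any error. Gentoo convention is `pushd "${PN}" > /dev/null || die` paired with `popd > /dev/null || die`, and the two `ln -sf ... settings_local.py .` calls should likewise carry `|| die`. With RESTRICT=test in place the python_test path only matters when tests are force-enabled, but the codebase branch of python_compile_all runs on every build with USE=codebase, so that one is worth fixing in this revbump. The new ebuild is otherwise a copy of reviewboard-1.7.7.1.ebuild plus the PATCHES entry, as the commit message states.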