authorXin LI <delphij@FreeBSD.org>2015-06-17 17:21:18 +0000
committerXin LI <delphij@FreeBSD.org>2015-06-17 17:21:18 +0000
commit4a5cd3c062ac91687b13c3e600ef0677ddf81e16 (patch)
tree8d73d10da33618ab387fc83165b05ccfcd7c7563
parent99b4a774c3cff7c0a262ef54297cd59e13b0b3b3 (diff)
MFH: r389895 (requested by tato@)
Apply patch for CVE-2015-2775. PR: ports/200562 Submitted by: Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org> Approved by: ports-secteam@
Notes
Notes: svn path=/branches/2015Q2/; revision=389950
-rw-r--r--japanese/mailman/Makefile2
-rw-r--r--japanese/mailman/files/patch-CVE-2015-277515
2 files changed, 16 insertions, 1 deletions
diff --git a/japanese/mailman/Makefile b/japanese/mailman/Makefile
index e4279ad02bb7..3a989d5fa150 100644
--- a/japanese/mailman/Makefile
+++ b/japanese/mailman/Makefile
@@ -3,7 +3,7 @@
PORTNAME= mailman
PORTVERSION= 2.1.14.j7
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= japanese mail
MASTER_SITES= http://www.python.jp/doc/contrib/mailman/_static/ \
diff --git a/japanese/mailman/files/patch-CVE-2015-2775 b/japanese/mailman/files/patch-CVE-2015-2775
new file mode 100644
index 000000000000..e570e6fa9fc8
--- /dev/null
+++ b/japanese/mailman/files/patch-CVE-2015-2775
@@ -0,0 +1,15 @@
+--- Mailman/Utils.py.orig 2011-12-11 16:56:23.000000000 +0900
++++ Mailman/Utils.py 2015-06-01 13:25:26.000000000 +0900
+@@ -93,6 +93,12 @@
+ #
+ # The former two are for 2.1alpha3 and beyond, while the latter two are
+ # for all earlier versions.
++ #
++ # But first ensure the list name doesn't contain a path traversal
++ # attack.
++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++ syslog('mischief', 'Hostile listname: %s', listname)
++ return False
+ basepath = Site.get_listpath(listname)
+ for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+ dbfile = os.path.join(basepath, 'config' + ext)
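Review bot: The rejected name is written to the log verbatim by `syslog('mischief', 'Hostile listname: %s', listname)`, and by construction it contains characters outside the accepted set, so newlines or control bytes can reach the 'mischief' log and split or forge entries. Logging it escaped, `syslog('mischief', 'Hostile listname: %r', listname)`, keeps each event on one line. The guard is only as strict as the site-configurable `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS`, so the added comment could say so, e.g. `# NOTE: ACCEPTABLE_LISTNAME_CHARACTERS must never match '/'; this check is the path-traversal guard.` This patch file adds neither that setting nor an `import re`, so it presumably relies on the 2.1.14.j7 tree already providing both; that is not visible here and is worth confirming. The enclosing function starts and ends outside the hunk.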