From 4a5cd3c062ac91687b13c3e600ef0677ddf81e16 Mon Sep 17 00:00:00 2001
From: Xin LI
Date: Wed, 17 Jun 2015 17:21:18 +0000
Subject: MFH: r389895 (requested by tato@)
Apply patch for CVE-2015-2775.
PR: ports/200562
Submitted by: Yasuhito FUTATSUKI
Approved by: ports-secteam@
---
 japanese/mailman/Makefile | 2 +-
 japanese/mailman/files/patch-CVE-2015-2775 | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 japanese/mailman/files/patch-CVE-2015-2775
diff --git a/japanese/mailman/Makefile b/japanese/mailman/Makefile
index e4279ad02bb7..3a989d5fa150 100644
--- a/japanese/mailman/Makefile
+++ b/japanese/mailman/Makefile
@@ -3,7 +3,7 @@
 PORTNAME= mailman
 PORTVERSION= 2.1.14.j7
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 1
 CATEGORIES= japanese mail
 MASTER_SITES= http://www.python.jp/doc/contrib/mailman/_static/ \
diff --git a/japanese/mailman/files/patch-CVE-2015-2775 b/japanese/mailman/files/patch-CVE-2015-2775
new file mode 100644
index 000000000000..e570e6fa9fc8
--- /dev/null
+++ b/japanese/mailman/files/patch-CVE-2015-2775
@@ -0,0 +1,15 @@
+--- Mailman/Utils.py.orig 2011-12-11 16:56:23.000000000 +0900
++++ Mailman/Utils.py 2015-06-01 13:25:26.000000000 +0900
+@@ -93,6 +93,12 @@
+ #
+ # The former two are for 2.1alpha3 and beyond, while the latter two are
+ # for all earlier versions.
++ #
++ # But first ensure the list name doesn't contain a path traversal
++ # attack.
++ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++ syslog('mischief', 'Hostile listname: %s', listname)
++ return False
+ basepath = Site.get_listpath(listname)
+ for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+ dbfile = os.path.join(basepath, 'config' + ext)
-- 
cgit v1.2.3
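Review bot: The check added to `Mailman/Utils.py` reads `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS`, and nothing in this commit shows that the 2.1.14.j7 tree defines that setting, or that `re` and `syslog` are already imported in that module. If the setting is missing, the lookup would raise AttributeError rather than reject the name, so please confirm it exists in this port's defaults or add its definition in the same patch file. The guard is also only as strict as the configured character class, so a site override that widens it would weaken the traversal protection; that deserves a comment next to the setting. Because `listname` is untrusted at this point, I would log it escaped, `syslog('mischief', 'Hostile listname: %r', listname)`, so that embedded control characters cannot forge lines in the mischief log. The enclosing function starts and ends outside the hunk, and the rendering has lost its indentation, so the placement of the `return False` could not be checked here.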