From: Vincent Bernat Date: Thu, 25 Dec 2008 10:38:13 +0000 (+0100) Subject: Imported Debian patch 0.2~alpha-4 X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=0682ba561c9e444ed77692718d75f0226401cce8;p=roundcube.git Imported Debian patch 0.2~alpha-4 --- diff --git a/debian/changelog b/debian/changelog index 4f0290e..b97f2f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +roundcube (0.2~alpha-4) experimental; urgency=low + + * Add missing ${misc:Depends} to make Lintian happy. + * Add description to each patch. + * Execute cron job only if the directory to clean exists. + * Reload web server configuration instead of restart, thanks to a patch + from Tiago Bortoletto Vaz. Closes: #508633. + * Fix a vulnerability in quota image generation. This fixes + CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596. + * Add missing dependency on php5-gd, used for quota bar. + * For roundcube-pgsql, depends on postgresql-client only. This package + is provided by the currently supported real package. + + -- Vincent Bernat Thu, 25 Dec 2008 11:38:13 +0100 + roundcube (0.2~alpha-3) experimental; urgency=high [ Vincent Bernat ] diff --git a/debian/control b/debian/control index e1057b2..a510c79 100644 --- a/debian/control +++ b/debian/control 
@@ -11,7 +11,7 @@ Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/roundcube Package: roundcube-core Architecture: all -Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1 +Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1 Replaces: roundcube Conflicts: roundcube (<< 0.1~rc2-2) Description: skinnable AJAX based webmail solution for IMAP servers @@ -27,7 +27,7 @@ Description: skinnable AJAX based webmail solution for IMAP servers Package: roundcube Architecture: all -Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}) +Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}), ${misc:Depends} Description: skinnable AJAX based webmail solution for IMAP servers RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality @@ -40,7 +40,7 @@ Description: skinnable AJAX based webmail solution for IMAP servers Package: roundcube-mysql Architecture: all -Depends: php5-mysql, mysql-client | virtual-mysql-client +Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends} Suggests: mysql-server Provides: roundcube-db Description: metapackage providing MySQL dependencies for RoundCube @@ -50,7 +50,7 @@ Description: metapackage providing MySQL dependencies for RoundCube Package: roundcube-pgsql Architecture: all -Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client +Depends: php5-pgsql, postgresql-client, ${misc:Depends} Suggests: postgresql-server Provides: roundcube-db Description: metapackage providing PostgreSQL dependencies for RoundCube 
@@ -60,7 +60,7 @@ Description: metapackage providing PostgreSQL dependencies for RoundCube Package: roundcube-sqlite Architecture: all -Depends: php5-sqlite, sqlite +Depends: php5-sqlite, sqlite, ${misc:Depends} Provides: roundcube-db Description: metapackage providing sqlite dependencies for RoundCube This package provides sqlite dependencies for RoundCube Webmail, a diff --git a/debian/control.in b/debian/control.in index 76e727a..22c0cfc 100644 --- a/debian/control.in +++ b/debian/control.in @@ -11,7 +11,7 @@ Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/roundcube Package: roundcube-core Architecture: all -Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1 +Depends: dbconfig-common, debconf | debconf-2.0, apache2 | lighttpd | httpd, php5, php5-mcrypt, php5-gd, roundcube-db, php-db, php-auth, php-net-smtp, php-net-socket, php-mail-mime (>= 1.5.0), ucf, tinymce (>= 3), ${misc:Depends}, libmagic1 Replaces: roundcube Conflicts: roundcube (<< 0.1~rc2-2) Description: skinnable AJAX based webmail solution for IMAP servers @@ -27,7 +27,7 @@ Description: skinnable AJAX based webmail solution for IMAP servers Package: roundcube Architecture: all -Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}) +Depends: roundcube-sqlite | roundcube-db, roundcube-core (= ${source:Version}), ${misc:Depends} Description: skinnable AJAX based webmail solution for IMAP servers RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality 
@@ -40,7 +40,7 @@ Description: skinnable AJAX based webmail solution for IMAP servers Package: roundcube-mysql Architecture: all -Depends: php5-mysql, mysql-client | virtual-mysql-client +Depends: php5-mysql, mysql-client | virtual-mysql-client, ${misc:Depends} Suggests: mysql-server Provides: roundcube-db Description: metapackage providing MySQL dependencies for RoundCube @@ -50,7 +50,7 @@ Description: metapackage providing MySQL dependencies for RoundCube Package: roundcube-pgsql Architecture: all -Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client +Depends: php5-pgsql, postgresql-client-8.1 | postgresql-client, ${misc:Depends} Suggests: postgresql-server Provides: roundcube-db Description: metapackage providing PostgreSQL dependencies for RoundCube @@ -60,7 +60,7 @@ Description: metapackage providing PostgreSQL dependencies for RoundCube Package: roundcube-sqlite Architecture: all -Depends: php5-sqlite, sqlite +Depends: php5-sqlite, sqlite, ${misc:Depends} Provides: roundcube-db Description: metapackage providing sqlite dependencies for RoundCube This package provides sqlite dependencies for RoundCube Webmail, a diff --git a/debian/patches/correct-magic-path.patch b/debian/patches/correct-magic-path.patch index e8e1b2e..de9330f 100644 --- a/debian/patches/correct-magic-path.patch +++ b/debian/patches/correct-magic-path.patch @@ -1,3 +1,5 @@ +On Debian, the magic file is in /usr/share/file/magic. + --- roundcube-0.1/config/main.inc.php.dist~ 2008-02-21 11:27:19.000000000 +0100 +++ roundcube-0.1/config/main.inc.php.dist 2008-03-06 14:04:53.000000000 +0100 @@ -277,7 +277,7 @@ diff --git a/debian/patches/correct_install_path.patch b/debian/patches/correct_install_path.patch index 1acfc5a..b8e6daa 100644 --- a/debian/patches/correct_install_path.patch +++ b/debian/patches/correct_install_path.patch @@ -1,3 +1,5 @@ +Install path is /var/lib/roundcube for Debian. Don't try to guess it. + 
--- a/program/include/iniset.php~ 2008-06-09 22:57:53.000000000 +0200 +++ a/program/include/iniset.php 2008-06-22 12:10:55.000000000 +0200 @@ -27,7 +27,7 @@ diff --git a/debian/patches/cve-2008-5620.patch b/debian/patches/cve-2008-5620.patch new file mode 100644 index 0000000..c1fdd23 --- /dev/null +++ b/debian/patches/cve-2008-5620.patch @@ -0,0 +1,45 @@ +Fix CVE-2008-5620 which was caused by insufficient input sanitizing for quota bar. + +diff --git a/bin/quotaimg.php b/bin/quotaimg.php +index 354f4eb..4e73c21 100644 +--- a/bin/quotaimg.php ++++ b/bin/quotaimg.php +@@ -18,10 +18,10 @@ + + */ + +-$used = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??'; +-$quota = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??'; +-$width = empty($_GET['w']) ? 100 : (int)$_GET['w']; +-$height = empty($_GET['h']) ? 14 : (int)$_GET['h']; ++$used = isset($_GET['u']) ? intval($_GET['u']) : '??'; ++$quota = isset($_GET['q']) ? intval($_GET['q']) : '??'; ++$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w'])); ++$height = empty($_GET['h']) ? 14 : min(50, intval($_GET['h'])); + + /** + * Quota display +@@ -159,7 +159,7 @@ function genQuota($used, $total, $width, $height) + } + + $quota_width = $quota / 100 * $width; +- imagefilledrectangle($im, $border, 0, $quota, $height-2*$border, $fill); ++ imagefilledrectangle($im, $border, 0, $quota_width, $height-2*$border, $fill); + + $string = $quota . '%'; + $mid = floor(($width-(strlen($string)*imagefontwidth($font)))/2)+1; +@@ -178,6 +178,12 @@ function genQuota($used, $total, $width, $height) + imagedestroy($im); + } + +-genQuota($used, $quota, $width, $height); ++if ($width > 1 && $height > 1) { ++ genQuota($used, $quota, $width, $height); ++} ++else { ++ header("HTTP/1.0 404 Not Found"); ++} ++ + exit; + ?> +\ No newline at end of file 
diff --git a/debian/patches/dbconfig-common_support.patch b/debian/patches/dbconfig-common_support.patch index a4be31d..f6f01c2 100644 --- a/debian/patches/dbconfig-common_support.patch +++ b/debian/patches/dbconfig-common_support.patch @@ -1,3 +1,5 @@ +The default db.inc.php is modified to adapt it to the use of dbconfig-common package. + --- roundcube_0.1~beta2.2/config/db.inc.php.dist 2006-03-20 23:08:51.000000000 +0100 +++ roundcube_0.1~beta2.2/config/db.inc.php.dist 2007-03-13 14:33:38.000000000 +0100 @@ -14,13 +14,20 @@ diff --git a/debian/patches/dont-use-preg-e-option.patch b/debian/patches/dont-use-preg-e-option.patch index 1179a86..718526b 100644 --- a/debian/patches/dont-use-preg-e-option.patch +++ b/debian/patches/dont-use-preg-e-option.patch @@ -1,3 +1,5 @@ +Fix a vulnerability due to the use of "e" option of preg_replace. + --- roundcube-0.2~alpha/program/lib/html2text.php 2008-04-12 15:54:45.000000000 +0200 +++ roundcube-0.2~alpha/program/lib/html2text.php 2008-12-13 14:21:44.000000000 +0100 @@ -99,6 +99,22 @@ diff --git a/debian/patches/fix_login.patch b/debian/patches/fix_login.patch index b731043..581deaf 100644 --- a/debian/patches/fix_login.patch +++ b/debian/patches/fix_login.patch @@ -1,3 +1,5 @@ +Fix login redirection. + --- a/program/include/rcmail.php~ 2008-06-07 21:33:07.000000000 +0200 +++ a/program/include/rcmail.php 2008-06-22 13:36:57.000000000 +0200 @@ -474,7 +474,7 @@ diff --git a/debian/patches/series b/debian/patches/series index b68113a..07f681f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ use-db-backend.patch correct-magic-path.patch fix_login.patch dont-use-preg-e-option.patch +cve-2008-5620.patch diff --git a/debian/patches/use-db-backend.patch b/debian/patches/use-db-backend.patch index a32a0f4..d76df6d 100644 --- a/debian/patches/use-db-backend.patch +++ b/debian/patches/use-db-backend.patch 
@@ -1,3 +1,5 @@ +Use db backend since mdb2 is not yet available in Debian. + --- roundcubemail-0.1-dep/config/db.inc.php.dist~ 2008-03-03 22:32:15.000000000 +0100 +++ roundcubemail-0.1-dep/config/db.inc.php.dist 2008-03-05 21:07:28.000000000 +0100 @@ -27,7 +27,7 @@ diff --git a/debian/patches/use_packaged_tinymce.patch b/debian/patches/use_packaged_tinymce.patch index 72643fc..290afb9 100644 --- a/debian/patches/use_packaged_tinymce.patch +++ b/debian/patches/use_packaged_tinymce.patch @@ -1,3 +1,5 @@ +Use tinymce from tinycme package instead of the shipped one. + Index: roundcube-0.1~rc2/program/steps/mail/sendmail.inc =================================================================== --- a/program/steps/mail/sendmail.inc~ 2008-04-30 10:21:42.000000000 +0200 diff --git a/debian/roundcube-core.cron.daily b/debian/roundcube-core.cron.daily index 0fe51fc..ec4bfd7 100644 --- a/debian/roundcube-core.cron.daily +++ b/debian/roundcube-core.cron.daily @@ -6,4 +6,6 @@ if [ -r /etc/default/roundcube-core ]; then . /etc/default/roundcube-core fi -find /var/lib/roundcube/temp -type f -mtime +$MAX_TMPFILE_LIFETIME -print0 | xargs -0 -r rm +if [ -d /var/lib/roundcube/temp ]; then + find /var/lib/roundcube/temp -type f -mtime +$MAX_TMPFILE_LIFETIME -print0 | xargs -0 -r rm +fi diff --git a/debian/roundcube-core.postinst b/debian/roundcube-core.postinst index 80a085a..5e7e0e2 100644 --- a/debian/roundcube-core.postinst +++ b/debian/roundcube-core.postinst @@ -151,10 +151,12 @@ EOF if [ "$res" = "true" ]; then for webserver in $restart; do webserver=${webserver%,} + # Redirection of 3 is needed because Debconf uses it and it might + # be inherited by webserver. See bug #446324. if [ -x /usr/sbin/invoke-rc.d ]; then - invoke-rc.d $webserver restart + invoke-rc.d $webserver reload 3>/dev/null || true else - /etc/init.d/$webserver restart + /etc/init.d/$webserver reload 3>/dev/null || true fi done fi 
diff --git a/debian/roundcube-core.postrm b/debian/roundcube-core.postrm index 1e0467b..6659a77 100644 --- a/debian/roundcube-core.postrm +++ b/debian/roundcube-core.postrm @@ -73,10 +73,12 @@ case "$1" in if [ "$res" = "true" ]; then for webserver in $restart; do webserver=${webserver%,} + # Redirection of 3 is needed because Debconf uses it and it might + # be inherited by webserver. See bug #446324. if [ -x /usr/sbin/invoke-rc.d ]; then - invoke-rc.d $webserver restart + invoke-rc.d $webserver reload 3>/dev/null || true else - /etc/init.d/$webserver restart + /etc/init.d/$webserver reload 3>/dev/null || true fi done fi
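Review bot: In debian/control.in, the roundcube-pgsql hunk (@@ -50,7 +50,7) still carries "postgresql-client-8.1 | postgresql-client" and only appends ${misc:Depends}, while the matching hunk in debian/control and the changelog entry ("depends on postgresql-client only") drop the versioned alternative. If debian/control is regenerated from control.in, the old dependency comes back. Change the control.in line to "Depends: php5-pgsql, postgresql-client, ${misc:Depends}" so the two files agree.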
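Review bot: In debian/patches/cve-2008-5620.patch, first hunk of bin/quotaimg.php (@@ -18,10 +18,10), min(300, intval($_GET['w'])) and min(50, intval($_GET['h'])) cap only the upper bound. Non-numeric and negative input still yields a width or height of 0 or below, and that is caught only by the "$width > 1 && $height > 1" test at the far end of the file. Enforce both bounds where the parameters are read so the limits live in one place. Two further points on the same hunk: $used and $quota are cast with intval() but get no range check, and switching to a bare isset() changes the result for an empty parameter (u= used to give '??' and now gives 0); say in the patch description whether that is intended.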
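Review bot: In debian/patches/cve-2008-5620.patch, genQuota hunk (@@ -159,7 +159,7), $quota_width = $quota / 100 * $width is passed straight to imagefilledrectangle() as the right-hand x coordinate, and nothing in the visible context caps $quota at 100. If usage can exceed the quota, the fill is requested past the image width. Either clamp with min(100, $quota) before computing $quota_width or add a comment pointing to where the cap is applied earlier in the function.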
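Review bot: In debian/patches/cve-2008-5620.patch, last hunk (@@ -178,6 +178,12), the rejection path answers out-of-range dimensions with header("HTTP/1.0 404 Not Found"). The script exists and it is the request parameters that are wrong, so 400 Bad Request describes the condition better and is easier to pick out in access logs when the script is being probed. The "> 1" threshold is the only lower bound on $width and $height and deserves a one-line comment explaining why 1 is rejected.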
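Review bot: In debian/patches/use_packaged_tinymce.patch, the added description line reads "Use tinymce from tinycme package"; the package name is misspelled and should be tinymce, matching the "tinymce (>= 3)" dependency in debian/control.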
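Review bot: In debian/roundcube-core.cron.daily, the new -d guard does not cover $MAX_TMPFILE_LIFETIME, which is expanded unquoted in "-mtime +$MAX_TMPFILE_LIFETIME". The visible context sets it only by sourcing /etc/default/roundcube-core when that file is readable; unless a default is assigned above the hunk, a missing or edited defaults file leaves find with "-mtime +" and the job fails on every run, so temporary files are never cleaned. Assign a default before the find call with the ${VAR:-default} form and quote the expansion.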
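Review bot: In debian/roundcube-core.postinst (@@ -151,10 +151,12), and in the identical hunk of debian/roundcube-core.postrm, "reload 3>/dev/null || true" discards the exit status, so a web server that fails to reload keeps serving the old configuration while the maintainer script reports success. Not aborting the install is reasonable, but print a warning to stderr when the reload fails instead of using a bare "|| true". The new comment explains the redirection of descriptor 3 and not the "|| true"; add a line for that too. $webserver is also expanded unquoted in both branches.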