author | Matthew Marlowe <mattm@gentoo.org> | 2014-06-25 20:44:16 +0000 |
---|---|---|
committer | Matthew Marlowe <mattm@gentoo.org> | 2014-06-25 20:44:16 +0000 |
commit | 08331f8230de826358bdcb7df4690f36f69040e8 (patch) | |
tree | 5ec5221f45c977e372e6ec2e9f4b33b005d75a8a /net-analyzer/zabbix | |
parent | Upstream has changed the zipfile again without re-versioning it. (diff) | |
download | gentoo-2-08331f8230de826358bdcb7df4690f36f69040e8.tar.gz gentoo-2-08331f8230de826358bdcb7df4690f36f69040e8.tar.bz2 gentoo-2-08331f8230de826358bdcb7df4690f36f69040e8.zip |
Upstream version bump with a patch for security bug 513814; cleanup for prior security bug 509898
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key 786037A7)
Diffstat (limited to 'net-analyzer/zabbix')
-rw-r--r-- | net-analyzer/zabbix/ChangeLog | 11 | ||||
-rw-r--r-- | net-analyzer/zabbix/files/2.2/patches/zbx8151.patch | 53 | ||||
-rw-r--r-- | net-analyzer/zabbix/zabbix-2.0.12-r1.ebuild (renamed from net-analyzer/zabbix/zabbix-2.0.11_rc1-r1.ebuild) | 5 | ||||
-rw-r--r-- | net-analyzer/zabbix/zabbix-2.2.4.ebuild (renamed from net-analyzer/zabbix/zabbix-2.2.3.ebuild) | 3 |
4 files changed, 68 insertions, 4 deletions
diff --git a/net-analyzer/zabbix/ChangeLog b/net-analyzer/zabbix/ChangeLog
index e80de79d8a77..e6001dee1e96 100644
--- a/net-analyzer/zabbix/ChangeLog
+++ b/net-analyzer/zabbix/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for net-analyzer/zabbix
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/zabbix/ChangeLog,v 1.162 2014/06/08 10:59:17 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/zabbix/ChangeLog,v 1.163 2014/06/25 20:44:16 mattm Exp $
+
+*zabbix-2.0.12-r1 (25 Jun 2014)
+*zabbix-2.2.4 (25 Jun 2014)
+
+ 25 Jun 2014; Matthew Marlowe <mattm@gentoo.org>
+ +files/2.2/patches/zbx8151.patch, +zabbix-2.0.12-r1.ebuild,
+ +zabbix-2.2.4.ebuild, -zabbix-2.0.11_rc1-r1.ebuild, -zabbix-2.2.3.ebuild:
+ Upstream version bump with patch for Security bug 513814, Cleanup for prior
+ security bug 509898
 
  08 Jun 2014; Agostino Sarubbo <ago@gentoo.org> zabbix-2.0.12.ebuild:
  Stable for x86, wrt bug #509898
diff --git a/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch b/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch
new file mode 100644
index 000000000000..076e10ab75a4
--- /dev/null
+++ b/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch
@@ -0,0 +1,53 @@
+Index: frontends/php/include/defines.inc.php
+===================================================================
+--- frontends/php/include/defines.inc.php (revision 46596)
++++ frontends/php/include/defines.inc.php (revision 46655)
+@@ -835,6 +835,14 @@
+ 
+ define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
+ 
++// XML import flags
++// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
++// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
++// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
++// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
++// so this flag is not needed here.
++define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
++
+ // API errors
+ define('ZBX_API_ERROR_INTERNAL', 111);
+ define('ZBX_API_ERROR_PARAMETERS', 100);
+Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
+===================================================================
+--- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596)
++++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655)
+@@ -32,7 +32,8 @@
+ */
+ public function read($string) {
+ libxml_use_internal_errors(true);
+- $result = simplexml_load_string($string);
++ libxml_disable_entity_loader(true);
++ $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
+ if (!$result) {
+ $errors = libxml_get_errors();
+ libxml_clear_errors();
+Index: frontends/php/include/classes/import/CXmlImport18.php
+===================================================================
+--- frontends/php/include/classes/import/CXmlImport18.php (revision 46596)
++++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655)
+@@ -390,12 +390,13 @@
+ return $array;
+ }
+ 
+- public static function import($file) {
++ public static function import($source) {
+ 
+ libxml_use_internal_errors(true);
++ libxml_disable_entity_loader(true);
+ 
+ $xml = new DOMDocument();
+- if (!$xml->loadXML($file)) {
++ if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
+ $text = '';
+ foreach (libxml_get_errors() as $error) {
+ switch ($error->level) {
diff --git a/net-analyzer/zabbix/zabbix-2.0.11_rc1-r1.ebuild b/net-analyzer/zabbix/zabbix-2.0.12-r1.ebuild
index 35a9735a3cd3..51a2260ac6ff 100644
--- a/net-analyzer/zabbix/zabbix-2.0.11_rc1-r1.ebuild
+++ b/net-analyzer/zabbix/zabbix-2.0.12-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/zabbix/zabbix-2.0.11_rc1-r1.ebuild,v 1.3 2014/02/16 07:08:51 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/zabbix/zabbix-2.0.12-r1.ebuild,v 1.1 2014/06/25 20:44:16 mattm Exp $
 
 EAPI="5"
 
@@ -16,7 +16,7 @@ SRC_URI="http://prdownloads.sourceforge.net/zabbix/${MY_P}.tar.gz"
 LICENSE="GPL-2"
 SLOT="0"
 WEBAPP_MANUAL_SLOT="yes"
-KEYWORDS="amd64 x86"
+KEYWORDS="~amd64 ~x86"
 IUSE="agent java curl frontend ipv6 jabber ldap mysql openipmi oracle postgres proxy server ssh snmp sqlite iodbc odbc static"
 
 COMMON_DEPEND="snmp? ( net-analyzer/net-snmp )
@@ -70,6 +70,7 @@ java_prepare() {
 
 src_prepare() {
 epatch "${FILESDIR}/2.0/patches/zbx282.patch"
+ epatch "${FILESDIR}/2.2/patches/zbx8151.patch"
 eautoreconf
 }
 
diff --git a/net-analyzer/zabbix/zabbix-2.2.3.ebuild b/net-analyzer/zabbix/zabbix-2.2.4.ebuild
index 93e8207c4e85..941a24f1b788 100644
--- a/net-analyzer/zabbix/zabbix-2.2.3.ebuild
+++ b/net-analyzer/zabbix/zabbix-2.2.4.ebuild
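Review bot: `libxml_disable_entity_loader(true)`, added in both `CXmlImportReader::read()` and `CXmlImport18::import()`, flips a process-wide libxml setting and is never switched back, so every later XML load in the same request (and, depending on the SAPI, possibly in later requests) inherits it. The function returns the previous value, so the hardening can be kept local to the import: `$prev = libxml_disable_entity_loader(true);` before the load and `libxml_disable_entity_loader($prev);` once `$result`/`$xml` has been checked. The direction of the fix is right and the new comment above `LIBXML_IMPORT_FLAGS` in defines.inc.php already explains why NONET alone is not enough on legacy libxml and why NOENT must not be passed. Both `read()` and `import()` continue past the end of this hunk, so the natural restore point after the `libxml_get_errors()` handling is not visible here.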
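Review bot: The added `epatch "${FILESDIR}/2.2/patches/zbx8151.patch"` in the 2.0.12-r1 ebuild's `src_prepare()` applies a patch stored under `files/2.2/` and generated against 2.2 source revisions (46596/46655) to the 2.0 branch, next to an existing patch taken from `files/2.0/`. epatch aborts the build if the context does not apply, so a silent miss is unlikely, but the cross-branch reuse deserves a one-line comment, e.g. `# XXE fix for bug 513814; patch is shared with the 2.2 ebuild`, so the next maintainer does not assume the file is misplaced.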
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/zabbix/zabbix-2.2.3.ebuild,v 1.1 2014/05/14 05:58:48 mattm Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/zabbix/zabbix-2.2.4.ebuild,v 1.1 2014/06/25 20:44:16 mattm Exp $
 
 EAPI="5"
 
@@ -67,6 +67,7 @@ java_prepare() {
 }
 
 src_prepare() {
+ epatch "${FILESDIR}/2.2/patches/zbx8151.patch"
 eautoreconf
 }
 