Am Mon, Jan 02, 2023 at 09:54:40AM +0100 schrieb Martin Ziemer:
> This patch updates getmail from 6.18.10 to 6.18.11.
>
> For the new shell quotes, which fixes a security hole, i changed the
> getmails-script from using /bin/sh to use bash.
>
> Tested on to amd64 systems.
>
Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/getmail/Makefile,v
retrieving revision 1.103
diff -u -p -u -p -r1.103 Makefile
--- Makefile 9 Dec 2022 14:29:52 -0000 1.103
+++ Makefile 2 Jan 2023 08:44:16 -0000
@@ -1,6 +1,6 @@
COMMENT= IMAP/POP3/SDPS mail retriever
-MODPY_EGG_VERSION= 6.18.10
+MODPY_EGG_VERSION= 6.18.11
GH_ACCOUNT= getmail6
GH_PROJECT= getmail6
GH_TAGNAME= v${MODPY_EGG_VERSION}
@@ -18,6 +18,8 @@ PERMIT_PACKAGE= Yes
MODULES= lang/python
MODPY_PYBUILD= setuptools
NO_TEST= Yes
+
+RUN_DEPENDS= shells/bash
EXDIR= ${PREFIX}/share/examples/getmail
Index: distinfo
===================================================================
RCS file: /cvs/ports/mail/getmail/distinfo,v
retrieving revision 1.82
diff -u -p -u -p -r1.82 distinfo
--- distinfo 9 Dec 2022 14:29:52 -0000 1.82
+++ distinfo 2 Jan 2023 08:44:16 -0000
@@ -1,2 +1,2 @@
-SHA256 (getmail6-6.18.10.tar.gz) = DlYXz6LMh8WyWWNPWfVyjfOyVoqSyqVkdn4lb3mGatY=
-SIZE (getmail6-6.18.10.tar.gz) = 205481
+SHA256 (getmail6-6.18.11.tar.gz) = SD5PJr0PYsie0tRHazhArKu32GjEDeC8mT7HuWQtlok=
+SIZE (getmail6-6.18.11.tar.gz) = 207051
Index: patches/patch-getmails
===================================================================
RCS file: /cvs/ports/mail/getmail/patches/patch-getmails,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 patch-getmails
--- patches/patch-getmails 9 Dec 2022 14:29:52 -0000 1.1
+++ patches/patch-getmails 2 Jan 2023 08:44:16 -0000
@@ -3,16 +3,22 @@
Index: getmails
--- getmails.orig
+++ getmails
-@@ -28,7 +28,7 @@ BASE1=${1##*/}
- [ "$BASE1" != "${BASE1#$2}" ] && return 0 || return 1
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/usr/bin/env bash
+ # vim:se tw=78 sts=4:
+ # Copyright (C) 2011-2017 Osamu Aoki <os...@debian.org>, GPL2+
+
+@@ -32,7 +32,7 @@ shellquote() {
+ printf '%s\n' "'${1//\'/\'\\\'\'}'"
}
UID_BY_ID=$(id -u)
-PID_GETMAILS=$(pgrep -U $UID_BY_ID '^getmails$')
-+PID_GETMAILS=$(pgrep -f -U $UID_BY_ID '^/bin/sh /usr/local/bin/getmails$')
++PID_GETMAILS=$(pgrep -f -U $UID_BY_ID '^bash /usr/local/bin/getmails$')
if [ "x$PID_GETMAILS" != "x$$" ]; then
echo "The getmails script is already running as PID=\"$PID_GETMAILS\"
." >&2
exit 1
-@@ -44,7 +44,7 @@ if [ -f $getmailrcdir/stop ]; then
+@@ -48,7 +48,7 @@ if [ -f $getmailrcdir/stop ]; then
echo "Do not run getmail ... (if not, remove $getmailrcdir/stop)" >&2
exit 1
fi
@@ -21,7 +27,7 @@ Index: getmails
# Address concerns raised by #863856
# emacs backup files: foo~ foo#
# vim backup files: foo~ foo.swp
-@@ -57,7 +57,8 @@ if $para ; then
+@@ -61,7 +61,8 @@ if $para ; then
! endwith "$file" '#' && \
! startswith "$file" 'oldmail-' && \
! endwith "$file" '.swp' && \
@@ -31,13 +37,13 @@ Index: getmails
$rcfiles --rcfile "$file" "$@" &
pids="$pids $!"
fi
-@@ -79,7 +80,8 @@ else
+@@ -83,7 +84,8 @@ else
! endwith "$file" '#' && \
! startswith "$file" 'oldmail-' && \
! endwith "$file" '.swp' && \
- ! endwith "$file" '.bak' ; then
+ ! endwith "$file" '.bak' && \
+ [ -f "$file" ]; then
- rcfiles="$rcfiles --rcfile \"$file\""
+ rcfiles="$rcfiles --rcfile $(shellquote "$file")"
fi
done
