- update to version 3.6.7

- CVE-2011-3657
- CVE-2011-3667

Summary
=======

The following security issues have been discovered in Bugzilla:

* When viewing tabular or graphical reports as well as new charts,
  an XSS vulnerability is possible in debug mode.

* The User.offer_account_by_email WebService method lets you create
  a new user account even if the active authentication method forbids
  users to create an account.

* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
  lead to the creation of unwanted bug reports and attachments.

All affected installations are encouraged to upgrade as soon as possible.

Full Release Notes:
http://www.bugzilla.org/security/3.4.12/

Approved by:	skv@ (explicit)

devel/bugzilla/Makefile

@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	bugzilla
-PORTVERSION=	4.0.2
-PORTREVISION=	1
+PORTVERSION=	4.0.3
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived
@@ -130,7 +129,7 @@ RUN_DEPENDS+=	p5-JSON-RPC>=0:${PORTSDIR}/devel/p5-JSON-RPC \
 
 .ifdef WITH_MODPERL2
 RUN_DEPENDS+=	${SITE_PERL}/${PERL_ARCH}/mod_perl2.pm:${PORTSDIR}/www/mod_perl2 \
-		${SITE_PERL}/Apache/DBI.pm:${PORTSDIR}/www/p5-Apache-DBI-mp2
+		${SITE_PERL}/Apache/DBI.pm:${PORTSDIR}/www/p5-Apache-DBI
 .endif
 
 .ifdef WITH_GRAPHVIZ
@@ -163,12 +162,13 @@ post-patch:
 	@${PERL} -pi -e 's/(default =>.+|Default is )mysql/$$1Pg/' \
 		${WRKSRC}/Bugzilla/Install/Localconfig.pm
 .endif
-	@${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \
-		-or -name ".bzr*" -or -name "README.docs" \) | ${XARGS} ${RM} -rf
 	@${FIND} ${WRKSRC} -type f -exec ${REINPLACE_CMD} -i '' \
 		-e 's!/usr/lib/sendmail!/usr/sbin/sendmail!g; s=/usr/bin/perl=${PERL}=g' {} \+
 	@${FIND} ${WRKSRC}/docs -type f | \
 		${XARGS} ${REINPLACE_CMD} -i '' -e "s!/var/www/html/bugzilla!${WWWDIR}!"
+	@${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \
+		-or -name "*.bak" -or -name ".bzr*" -or -name "README.docs" \) \
+		| ${XARGS} ${RM} -rf
 
 do-install:	.SILENT
 	${MKDIR} ${WWWDIR}
@@ -183,15 +183,14 @@ do-install:	.SILENT
 	${MKDIR} ${DOCSDIR}
 	(cd ${WRKSRC}/docs/ && ${COPYTREE_SHARE} . ${DOCSDIR}/)
 .endif
+# This are empty directories but they are needed,
+# else ckecksetup.pl will fail!
+	${MKDIR} ${WWWDIR}/contrib ${WWWDIR}/lib ${WWWDIR}/t ${WWWDIR}/xt
 .ifdef WITH_CONTRIB
-	${MKDIR} ${WWWDIR}/contrib
 	@cd ${WRKSRC}/contrib && \
 		${FIND} . -type d -exec ${MKDIR} "${WWWDIR}/contrib/{}" \; && \
 		${FIND} . -type f -exec ${INSTALL_DATA} "{}" "${WWWDIR}/contrib/{}" \;
 .endif
-# This are empty directories but they are needed,
-# else ckecksetup.pl will fail!
-	${MKDIR} ${WWWDIR}/lib ${WWWDIR}/t ${WWWDIR}/xt
 .if !defined(BATCH)
 	@${ECHO_MSG}
 	@${CAT} ${PKGMESSAGE}

devel/bugzilla/distinfo

@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.0.2.tar.gz) = 9513d53f75aaf7dc6efc4b145c09d95d8148b976cd71a2cda3a1093a2183bd77
-SIZE (bugzilla/bugzilla-4.0.2.tar.gz) = 2987667
+SHA256 (bugzilla/bugzilla-4.0.3.tar.gz) = 0b24b5b44f9f14dd127f86bb2e560ac99e1dfba258bc0d8677968a9f3633435c
+SIZE (bugzilla/bugzilla-4.0.3.tar.gz) = 2991669

devel/bugzilla/files/patch-Bugzilla__Install__Requirements.pm

@@ -1,14 +0,0 @@
---- ./Bugzilla/Install/Requirements.pm.orig	2011-08-05 04:25:35.000000000 +0200
-+++ ./Bugzilla/Install/Requirements.pm	2011-08-16 08:55:28.000000000 +0200
-@@ -698,8 +698,9 @@
-     # show "ok" or "not found".
-     if (exists $params->{found}) {
-         my $found_string;
--        # We do a string compare in case it's non-numeric.
--        if ($found and $found eq "-1") {
-+        # We do a string compare in case it's non-numeric. We make sure
-+        # it's not a version object as negative versions are forbidden.
-+        if ($found && !ref($found) && $found eq '-1') {
-             $found_string = install_string('module_not_found');
-         }
-         elsif ($found) {

devel/bugzilla/files/patch-Bugzilla__WebService__Server__JSONRPC.pm

@@ -0,0 +1,33 @@
+Bug-Id:  706753
+Summary: Bugzilla will not work with newest version of 
+         JSON::RPC 1.01 due to non-backward compatibility
+URL:     https://bugzilla.mozilla.org/show_bug.cgi?id=706753
+
+
+Index: Bugzilla/WebService/Server/JSONRPC.pm
+===================================================================
+RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/WebService/Server/JSONRPC.pm,v
+retrieving revision 1.18
+diff -p -u -r1.18 JSONRPC.pm
+--- Bugzilla/WebService/Server/JSONRPC.pm	14 Feb 2011 20:18:51 -0000	1.18
++++ Bugzilla/WebService/Server/JSONRPC.pm	5 Jan 2012 00:04:31 -0000
+@@ -22,7 +22,18 @@
+ package Bugzilla::WebService::Server::JSONRPC;
+ 
+ use strict;
+-use base qw(JSON::RPC::Server::CGI Bugzilla::WebService::Server);
++use Bugzilla::WebService::Server;
++BEGIN {
++    our @ISA = qw(Bugzilla::WebService::Server);
++
++    if (eval { require JSON::RPC::Server::CGI }) {
++        unshift(@ISA, 'JSON::RPC::Server::CGI');
++    }
++    else {
++        require JSON::RPC::Legacy::Server::CGI;
++        unshift(@ISA, 'JSON::RPC::Legacy::Server::CGI');
++    }
++}
+ 
+ use Bugzilla::Error;
+ use Bugzilla::WebService::Constants;

devel/bugzilla/pkg-plist

@@ -974,7 +974,7 @@
 @dirrm %%WWWDIR%%/images
 %%CONTRIB%%@dirrm %%WWWDIR%%/contrib/cmdline
 %%CONTRIB%%@dirrm %%WWWDIR%%/contrib/bugzilla-submit
-%%CONTRIB%%@dirrmtry %%WWWDIR%%/contrib
+@dirrmtry %%WWWDIR%%/contrib
 @dirrm %%WWWDIR%%/Bugzilla/Whine
 @dirrm %%WWWDIR%%/Bugzilla/WebService/Server
 @dirrm %%WWWDIR%%/Bugzilla/WebService
@@ -1034,3 +1034,4 @@
 @exec mkdir -p %D/%%WWWDIR%%/xt
 @exec mkdir -p %D/%%WWWDIR%%/t
 @exec mkdir -p %D/%%WWWDIR%%/lib
+@exec mkdir -p %D/%%WWWDIR%%/contrib

devel/bugzilla3/Makefile

@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	bugzilla
-PORTVERSION=	3.6.6
+PORTVERSION=	3.6.7
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived
@@ -128,7 +128,7 @@ RUN_DEPENDS+=	p5-JSON-RPC>=0:${PORTSDIR}/devel/p5-JSON-RPC
 
 .ifdef WITH_MODPERL2
 RUN_DEPENDS+=	${SITE_PERL}/${PERL_ARCH}/mod_perl2.pm:${PORTSDIR}/www/mod_perl2 \
-		${SITE_PERL}/Apache/DBI.pm:${PORTSDIR}/www/p5-Apache-DBI-mp2
+		${SITE_PERL}/Apache/DBI.pm:${PORTSDIR}/www/p5-Apache-DBI
 .endif
 
 .ifdef WITH_GRAPHVIZ
@@ -161,12 +161,13 @@ post-patch:
 	@${PERL} -pi -e 's/(default =>.+|Default is )mysql/$$1Pg/' \
 		${WRKSRC}/Bugzilla/Install/Localconfig.pm
 .endif
-	@${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \
-		-or -name ".bzr*" -or -name "README.docs" \) | ${XARGS} ${RM} -rf
 	@${FIND} ${WRKSRC} -type f -exec ${REINPLACE_CMD} -i '' \
 		-e 's!/usr/lib/sendmail!/usr/sbin/sendmail!g; s=/usr/bin/perl=${PERL}=g' {} \+
 	@${FIND} ${WRKSRC}/docs -type f | \
 		${XARGS} ${REINPLACE_CMD} -i '' -e "s!/var/www/html/bugzilla!${WWWDIR}!"
+	@${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \
+		-or -name "*.bak" -or -name ".bzr*" -or -name "README.docs" \) \
+		| ${XARGS} ${RM} -rf
 
 do-install:	.SILENT
 	${MKDIR} ${WWWDIR}
@@ -181,15 +182,14 @@ do-install:	.SILENT
 	${MKDIR} ${DOCSDIR}
 	(cd ${WRKSRC}/docs/ && ${COPYTREE_SHARE} . ${DOCSDIR}/)
 .endif
+# This are empty directories but they are needed,
+# else ckecksetup.pl does not work as expected!
+	${MKDIR} ${WWWDIR}/contrib ${WWWDIR}/lib ${WWWDIR}/t
 .ifdef WITH_CONTRIB
-	${MKDIR} ${WWWDIR}/contrib
 	@cd ${WRKSRC}/contrib && \
 		${FIND} . -type d -exec ${MKDIR} "${WWWDIR}/contrib/{}" \; && \
 		${FIND} . -type f -exec ${INSTALL_DATA} "{}" "${WWWDIR}/contrib/{}" \;
 .endif
-# This are empty directories but they are needed,
-# else ckecksetup.pl does not work as expected!
-	${MKDIR} ${WWWDIR}/lib ${WWWDIR}/t
 .if !defined(BATCH)
 	@${ECHO_MSG}
 	@${CAT} ${PKGMESSAGE}

devel/bugzilla3/distinfo

@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-3.6.6.tar.gz) = 76f0fac1bc2c1bb498868728bd64a90081ff848db96a75e9a2fc9bbe9942e546
-SIZE (bugzilla/bugzilla-3.6.6.tar.gz) = 2528601
+SHA256 (bugzilla/bugzilla-3.6.7.tar.gz) = bc4983b0b136a712e37414045383c0735bf23412d290141e1dc60c7a45d9cd11
+SIZE (bugzilla/bugzilla-3.6.7.tar.gz) = 2638159

devel/bugzilla3/files/patch-Bugzilla__WebService__Server__JSONRPC.pm

@@ -0,0 +1,33 @@
+Bug-Id:  706753
+Summary: Bugzilla will not work with newest version of 
+         JSON::RPC 1.01 due to non-backward compatibility
+URL:     https://bugzilla.mozilla.org/show_bug.cgi?id=706753
+
+
+Index: Bugzilla/WebService/Server/JSONRPC.pm
+===================================================================
+RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/WebService/Server/JSONRPC.pm,v
+retrieving revision 1.18
+diff -p -u -r1.18 JSONRPC.pm
+--- Bugzilla/WebService/Server/JSONRPC.pm	14 Feb 2011 20:18:51 -0000	1.18
++++ Bugzilla/WebService/Server/JSONRPC.pm	5 Jan 2012 00:04:31 -0000
+@@ -22,7 +22,18 @@
+ package Bugzilla::WebService::Server::JSONRPC;
+ 
+ use strict;
+-use base qw(JSON::RPC::Server::CGI Bugzilla::WebService::Server);
++use Bugzilla::WebService::Server;
++BEGIN {
++    our @ISA = qw(Bugzilla::WebService::Server);
++
++    if (eval { require JSON::RPC::Server::CGI }) {
++        unshift(@ISA, 'JSON::RPC::Server::CGI');
++    }
++    else {
++        require JSON::RPC::Legacy::Server::CGI;
++        unshift(@ISA, 'JSON::RPC::Legacy::Server::CGI');
++    }
++}
+ 
+ use Bugzilla::Error;
+ use Bugzilla::WebService::Constants;

devel/bugzilla3/pkg-plist

@@ -791,7 +791,7 @@
 @dirrm %%WWWDIR%%/images
 %%CONTRIB%%@dirrm %%WWWDIR%%/contrib/cmdline
 %%CONTRIB%%@dirrm %%WWWDIR%%/contrib/bugzilla-submit
-%%CONTRIB%%@dirrmtry %%WWWDIR%%/contrib
+@dirrmtry %%WWWDIR%%/contrib
 @dirrm %%WWWDIR%%/Bugzilla/Whine
 @dirrm %%WWWDIR%%/Bugzilla/WebService/Server
 @dirrm %%WWWDIR%%/Bugzilla/WebService
@@ -850,3 +850,4 @@
 %%PORTDOCS%%@dirrm %%DOCSDIR%%
 @exec mkdir -p %D/%%WWWDIR%%/t
 @exec mkdir -p %D/%%WWWDIR%%/lib
+@exec mkdir -p %D/%%WWWDIR%%/contrib