dist-git conversion

#2781)

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: zoneminder
-# $Id$
-NAME := zoneminder
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

zoneminder-1.22.3-runlevel.patch

@@ -0,0 +1,10 @@
+--- scripts/zm.in.runlevel	2008-05-06 22:54:36.000000000 +0100
++++ scripts/zm.in	2008-05-06 23:01:35.000000000 +0100
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+ # description: ZoneMinder is the top Linux video camera security and surveillance solution. ZoneMinder is intended for use in single or multi-camera video security applications.Copyright: Philip Coombes, Corey DeLasaux 2003-2006
+-# chkconfig: 2345 99 00
++# chkconfig: - 99 00
+ # processname: zmpkg.pl
+ 
+ # Source function library.

zoneminder-1.22.3-security.patch

@@ -0,0 +1,143 @@
+diff -ru ZoneMinder-1.22.3/web/zm_export_funcs.php ZoneMinder-1.22.3-fix/web/zm_export_funcs.php
+--- ZoneMinder-1.22.3/web/zm_export_funcs.php	2006-03-27 16:01:33.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_export_funcs.php	2008-04-28 10:07:32.000000000 -0500
+@@ -314,7 +314,7 @@
+ 		{
+ 			$archive = "temp/".$export_root.".tar.gz";
+ 			@unlink( $archive );
+-			$command = "tar --create --gzip --file=$archive --files-from=$list_file";
++			$command = "tar --create --gzip --file=".escapeshellarg($archive)." --files-from=".escapeshellarg($list_file);
+ 			exec( $command, $output, $status );
+ 			if ( $status )
+ 			{
+@@ -329,7 +329,7 @@
+ 			$archive = "temp/zm_export.zip";
+ 			$archive = "temp/".$export_root.".zip";
+ 			@unlink( $archive );
+-			$command = "cat $list_file | zip -q $archive -@";
++			$command = "cat ".escapeshellarg($list_file)." | zip -q ".escapeshellarg($archive)." -@";
+ 			exec( $command, $output, $status );
+ 			if ( $status )
+ 			{
+diff -ru ZoneMinder-1.22.3/web/zm_funcs.php ZoneMinder-1.22.3-fix/web/zm_funcs.php
+--- ZoneMinder-1.22.3/web/zm_funcs.php	2006-11-09 04:51:10.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_funcs.php	2008-04-28 10:16:17.000000000 -0500
+@@ -724,20 +724,20 @@
+ 
+ function packageControl( $command )
+ {
+-	$string = ZM_PATH_BIN."/zmpkg.pl $command";
++	$string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+ 	$string .= " 2>/dev/null >&- <&- >/dev/null";
+ 	exec( $string );
+ }
+ 
+ function daemonControl( $command, $daemon=false, $args=false )
+ {
+-	$string = ZM_PATH_BIN."/zmdc.pl $command";
++	$string = ZM_PATH_BIN."/zmdc.pl ".escapeshellarg( $command );
+ 	if ( $daemon )
+ 	{
+-		$string .= " $daemon";
++		$string .= " ".escapeshellarg( $daemon );
+ 		if ( $args )
+ 		{
+-			$string .= " $args";
++			$string .= " ".escapeshellarg( $args );
+ 		}
+ 	}
+ 	$string .= " 2>/dev/null >&- <&- >/dev/null";
+@@ -893,9 +893,9 @@
+ 	$string = ZM_PATH_BIN."/zmdc.pl check";
+ 	if ( $daemon )
+ 	{
+-		$string .= " $daemon";
++		$string .= " ".escapeshellarg( $daemon );
+ 		if ( $args )
+-			$string .= " $args";
++			$string .= " ".escapeshellarg( $args );
+ 	}
+ 	$result = exec( $string );
+ 	return( preg_match( '/running/', $result ) );
+@@ -973,7 +973,7 @@
+ 		{
+ 			if ( ZM_WEB_SCALE_THUMBS )
+ 			{
+-				$command = ZM_PATH_NETPBM."/jpegtopnm -quiet -dct fast $image_path | ".ZM_PATH_NETPBM."/pnmscalefixed -quiet $fraction | ".ZM_PATH_NETPBM."/pnmtojpeg -quiet -dct=fast > $thumb_path";
++				$command = ZM_PATH_NETPBM."/jpegtopnm -quiet -dct fast ".escapeshellarg( $image_path )." | ".ZM_PATH_NETPBM."/pnmscalefixed -quiet ".escapeshellarg( $fraction )." | ".ZM_PATH_NETPBM."/pnmtojpeg -quiet -dct=fast > ".escapeshellarg( $thumb_path );
+ 				exec( $command );
+ 			}
+ 			else
+@@ -1040,7 +1040,7 @@
+ 		$command = ZM_PATH_BIN."/zmvideo.pl -e ".$event['Id']." -f ".$format." -r ".sprintf( "%.2f", ($rate/RATE_BASE) )." -s ".sprintf( "%.2f", ($scale/SCALE_BASE) );
+ 	if ( $overwrite )
+ 		$command .= " -o";
+-	$result = exec( $command, $output, $status );
++	$result = exec( escapeshellcmd( $command ), $output, $status );
+ 	return( $status?"":rtrim($result) );
+ }
+ 
+@@ -1062,7 +1062,7 @@
+ 
+ function executeFilter( $filter )
+ {
+-	$command = ZM_PATH_BIN."/zmfilter.pl --filter ".$filter;
++	$command = ZM_PATH_BIN."/zmfilter.pl --filter ".escapeshellarg( $filter );
+ 	$result = exec( $command, $output, $status );
+ 	$result = mysql_query( "delete from Filters where Name like '_TempFilter%'" );
+ 	if ( !$result )
+@@ -1882,13 +1882,7 @@
+     {
+         // Can't connect so use script
+     	$command = ZM_PATH_BIN."/zmx10.pl --command $status --key $key";
+-	    //$command .= " 2>/dev/null >&- <&- >/dev/null";
+-	    $result = exec( $string );
+-	    if ( preg_match( '/^'.$key.'\s+(.*)/', $result, $matches ) )
+-		    $status = $matches[1];
+-	    else
+-		    $status = "unknown";
+-        $x10_response = exec( escapeshellcmd( $x10_command ) );
++        $x10_response = exec( escapeshellcmd( $command ) );
+     }
+ 	if ( preg_match( '/^'.$key.'\s+(.*)/', $x10_response, $matches ) )
+ 		$status = $matches[1];
+diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_eventdetails.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_eventdetails.php
+--- ZoneMinder-1.22.3/web/zm_xhtml_view_eventdetails.php	2006-11-09 05:48:56.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_eventdetails.php	2008-04-28 10:07:32.000000000 -0500
+@@ -75,7 +75,7 @@
+ 				$fraction = sprintf( "%.2f", $scale/100 );
+ 			if ( file_exists( $image_path ) )
+ 			{
+-				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $image_path | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
++				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($image_path)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ 				exec( $command );
+ 			}
+ 		}
+diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_event.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_event.php
+--- ZoneMinder-1.22.3/web/zm_xhtml_view_event.php	2006-11-09 05:48:56.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_event.php	2008-04-28 10:07:32.000000000 -0500
+@@ -278,10 +278,9 @@
+ 		{
+ 			$anal_image = preg_replace( "/capture/", "analyse", $capt_image );
+ 			if ( file_exists( $anal_image ) )
+-				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $anal_image | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
++				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($anal_image)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ 			else
+-				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast $capt_image | ".ZM_PATH_NETPBM."/pnmscalefixed $fraction | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > $thumb_image";
+-			#exec( escapeshellcmd( $command ) );
++				$command = ZM_PATH_NETPBM."/jpegtopnm -dct fast ".escapeshellarg($capt_image)." | ".ZM_PATH_NETPBM."/pnmscalefixed ".escapeshellarg($fraction)." | ".ZM_PATH_NETPBM."/ppmtojpeg --dct=fast > ".escapeshellarg($thumb_image);
+ 			exec( $command );
+ 		}
+ 	}
+diff -ru ZoneMinder-1.22.3/web/zm_xhtml_view_video.php ZoneMinder-1.22.3-fix/web/zm_xhtml_view_video.php
+--- ZoneMinder-1.22.3/web/zm_xhtml_view_video.php	2006-11-09 05:48:56.000000000 -0600
++++ ZoneMinder-1.22.3-fix/web/zm_xhtml_view_video.php	2008-04-28 10:07:32.000000000 -0500
+@@ -102,7 +102,7 @@
+ 		$command = ZM_PATH_BIN."/zmvideo.pl -e ".$event['Id']." -f ".$video_format." -r ".sprintf( "%.2f", ($rate/RATE_BASE) )." -S ".$video_size;
+ 	if ( $overwrite )
+ 		$command .= " -o";
+-	$generated = exec( $command, $output, $status );
++	$generated = exec( escapeshellcmd( $command ), $output, $status );
+ }
+ 
+ $video_files = array();

zoneminder.spec

@@ -5,7 +5,7 @@
 
 Name: 		zoneminder
 Version: 	1.22.3
-Release: 	12%{?dist}
+Release: 	14%{?dist}
 Summary:        A camera monitoring and analysis tool
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -18,8 +18,10 @@ Source2: 	zoneminder.conf
 Source3: 	redalert.wav
 Source4: 	README.Fedora
 Patch1: 	zoneminder-1.22.3-dbinstall.patch
+Patch2:		zoneminder-1.22.3-runlevel.patch
 Patch10: 	zoneminder-1.22.3-installfix.patch
 Patch11:	zoneminder-1.22.3-gcc43.patch
+Patch12:	zoneminder-1.22.3-security.patch
 
 Conflicts: 	zm <= 1.22.3
 
@@ -50,8 +52,10 @@ too much degradation of performance. This package includes cambozola.jar.
 %prep
 %setup -q -n ZoneMinder-%{version}
 %patch1 -p0 -b .dbinstall
+%patch2 -p0 -b .runlevel
 %patch10 -p0 -b .installfix
 %patch11 -p0 -b .gcc43
+%patch12 -p1 -b .security
 gunzip -c %{SOURCE1} | tar xf - cambozola-*/dist/cambozola.jar
 cp %{SOURCE4} README.Fedora
 
@@ -167,6 +171,12 @@ fi
 
 
 %changelog
+* Tue May  6 2008 Martin Ebourne <martin@zepler.org> - 1.22.3-14
+- Remove default runlevel, bz #441315
+
+* Wed Apr 30 2008 Martin Ebourne <martin@zepler.org> - 1.22.3-13
+- Patch for CVE-2008-1381
+
 * Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.22.3-12
 - Autorebuild for GCC 4.3