CPG 1.4.20 manual patch?
 


Started by lamama, February 06, 2009, 05:10:09 AM


lamama

Any chance to get a manual patch for the recent security issue?

My CPG is not 'out of the box' and to re-mod everything would cost me more time than I have available at the moment...  :-\


Chianuk


Chianuk

Copy the translation file for your language from the lang directory of the 1.4.20 release to your lang directory if your file is not modified. The English file is fixed.
Copy others translation files it is necessary.

Chianuk

Sorry for bad English...
Copy other translation files if necessary.

Makc666

========================
MAKE A BACK UP OF YOUR GALLERY
TRY TO PATCH FIRST TIME IN A TEMPORARY FOLDER

========================
Step 0.
All steps were made under FreeBSD.
You can read about patch here:
http://www.phpbb.com/support/documents.php?mode=install#upgradeSTABLE_patch

========================
Step 1.
How did I make the patch file?
I unpacked cpg1.4.19.zip and cpg1.4.20.zip to the cpg1419 and cpg1420 folders.
Then I removed the dirs
/cpg1419/lang/
/cpg1420/lang/
/cpg1419/docs/
/cpg1420/docs/
and some other docs files from root (CHANGELOG, COPYING, README.txt)
before patching, as those files can be replaced without any harm and I don't recommend them to be patched.

========================
Step 2.
Second, I ran this in the directory where the cpg1419 and cpg1420 folders are:
diff -crbBN cpg1419 cpg1420 >cpg-1.4.19_to_1.4.20.patch

and get file: cpg-1.4.19_to_1.4.20.patch

========================
IMPORTANT!
Open file cpg-1.4.19_to_1.4.20.patch
And delete all lines:
\ No newline at end of file

========================
Step 3.
Then I made a copy of gallery folder which I was going to patch
cp -R coppermine coppermine-old-cpg1419

P.S. If you keep the "albums" folder inside the "coppermine" folder, for example "/coppermine/albums/",
you can move the "albums" folder to some safe place before making a copy of the "coppermine" folder.

========================
Step 4.
Also you must have these files in your coppermine directory.
/coppermine/install.php
/coppermine/update.php
/coppermine/upgrade-1.0-to-1.2.php

I do this to avoid a lot of patch errors.

You can take them from cpg1.4.19.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.4.19.zip?download

========================
Step 5.
Put your patch file into:
/coppermine/cpg-1.4.19_to_1.4.20.patch

========================
Step 6.
Run in /coppermine/ folder
patch -cl -d ./ -p1 < ./cpg-1.4.19_to_1.4.20.patch

You will see all results on your screen.
So make your Scroll Buffer big enough.
It will be a lot of lines, better make it about 5000.
From 1.4.19 to 1.4.20 I have around 1321 lines.

========================
Step 7.
Update your
/coppermine/lang/
/coppermine/docs/
dirs with necessary files.
For example I use only Eng, Ger, Rus.

Get them in cpg1.4.20.zip:
http://prdownloads.sourceforge.net/coppermine/cpg1.4.20.zip?download

###########################
###!!! READ THIS ONE !!!###
###!!!   IMPORTANT   !!!###
###########################
During patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
and
--> Hunk #1 failed at 1.

Example below.
Word "succeeded" means that there were no problems with patching of that part of code.
Word "failed" means there were some problems.

If you see "failed" for some file, you have to open file with name "FILENAME_WITH_ERROR.rej"
(below for example it is "zipdownload.php.rej")
and look what the patch couldn't change and fix that manually.

The word "done" means that patch went through the whole "cpg-1.4.19_to_1.4.20.patch" file.

After all such fixes you will have to delete all *.rej and *.orig files from coppermine directory and subdirs!

###########################
###### EXAMPLE START ######
###########################

--------------------------
|diff -crbBN cpg132/xp_publish.php cpg133/xp_publish.php
|*** cpg132/xp_publish.php      Sat Jul 24 17:03:00 2004
|--- cpg133/xp_publish.php      Tue Apr 19 05:17:00 2005
--------------------------
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hunk #3 succeeded at 216.
Hunk #4 succeeded at 333.
Hunk #5 succeeded at 571.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|diff -crbBN cpg132/zipdownload.php cpg133/zipdownload.php
|*** cpg132/zipdownload.php     Sat Jul 24 17:03:00 2004
|--- cpg133/zipdownload.php     Tue Apr 19 05:17:00 2005
--------------------------
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done

###########################
###### EXAMPLE END ########
###########################

========================
Step 8.

If the file install.php exists in the root directory, delete it. When performing an upgrade, it is not needed.

Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php).
This will update your coppermine install by making all necessary changes in the database.

Taken from:
3.5 Upgrading from cpg1.4.0 or better to version cpg1.4.20
http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#14

========================
That's it!
(c) Makc666 :)

makc666@newmail.ru
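
Added example, not part of Makc666's post: a small POSIX shell helper that reads a saved copy of the Step 6 output and lists the files with failed hunks, then finds the *.rej and *.orig files that have to be deleted afterwards. The function names are this example's own, the sample log is copied from the example output in the post, and the uppercase `FAILED` form is the wording GNU patch prints.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a saved patch log
# and list the reject/backup files that patch leaves in the gallery tree.

# Sample log: lines from the example output in the post, embedded for offline use.
sample_log() {
cat <<'EOF'
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hmm...  The next patch looks like a new-style context diff to me...
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done
EOF
}

# failed_files LOGFILE
# Prints "<file> <failed hunk numbers>" for every file with a failed hunk.
# Accepts the "Patching file ... failed" wording shown in the post and
# GNU patch's "patching file ... FAILED" wording.
failed_files() {
    awk '
        /^[Pp]atching file / { file = $3 }
        /^Hunk #[0-9]+ (failed|FAILED) at / {
            n = substr($2, 2)                       # "#1" -> "1"
            if (file in hunks) hunks[file] = hunks[file] "," n
            else { order[++count] = file; hunks[file] = n }
        }
        END { for (i = 1; i <= count; i++) print order[i], hunks[order[i]] }
    ' "$1"
}

# leftovers DIR
# Lists *.rej and *.orig files under DIR. The post says to delete them once
# every rejected hunk is merged by hand; left in a web-served directory they
# are typically returned as plain text to anyone who requests them.
leftovers() {
    find "$1" -type f \( -name '*.rej' -o -name '*.orig' \) | sort
}

# Demo on the embedded log.
log=$(mktemp)
sample_log > "$log"
failed_files "$log"
rm -f "$log"
```

To use it on a real run, save the Step 6 output by appending `2>&1 | tee patch.log` to the patch command instead of relying on the scroll buffer, then call `failed_files patch.log` and, after merging the rejects, `leftovers .` from the coppermine directory.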

lamama

ehmmm...

I was hoping to find/replace just a few lines of code to close that recent security hole.  :o
And leave the rest as it is until 1.5 is at least at beta stage...

Makc666

Quote from: lamama on February 07, 2009, 04:44:30 PM
ehmmm...

I was hoping to find/replace just a few lines of code to close that recent security hole.  :o
And leave the rest as it is until 1.5 is at least at beta stage...

You can open the patch file I attached and change only important lines of code.
In other words, for example, don't touch files "headers".

There are some utilities for UNIX and also for Windows which can apply a patch file to your files.

RadioErewan

Quote from: lamama on February 06, 2009, 05:10:09 AM
Any chance to get a manual patch for the recent security issue?

My CPG is not 'out of the box' and to re-mod everything would cost me more time than I have available at the moment...  :-\


If I understand the vulnerability description, you have to replace /include/init.inc.php only (to patch the vulnerability only).

Regards

georgeandjacks

Quote from: RadioErewan on February 10, 2009, 11:03:52 PM
If I understand the vulnerability description, you have to replace /include/init.inc.php only (to patch the vulnerability only).

Regards

Any way we could get a confirmation on this?

I also do not have an out of the box installation and do not have the time to go back and re-mod everything at this time.

Thanks in advance.

Abbas Ali

Quote from: georgeandjacks on February 12, 2009, 05:50:44 AM
Any way we could get a confirmation on this?

Confirmed. But always recommended to do a full update.
Chief Geek at Ranium Systems