rpms/awstats/FC-5 awstats-6.5-CVE-2006-1945.patch, NONE, 1.1 awstats.README.SELinux, NONE, 1.1 .cvsignore, 1.6, 1.7 awstats.spec, 1.12, 1.13 sources, 1.9, 1.10

Aurelien Bompard (abompard) fedora-extras-commits at redhat.com
Sun May 7 23:40:35 UTC 2006


Author: abompard

Update of /cvs/extras/rpms/awstats/FC-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14808/FC-5

Modified Files:
	.cvsignore awstats.spec sources 
Added Files:
	awstats-6.5-CVE-2006-1945.patch awstats.README.SELinux 
Log Message:
revert to version 6.5 (build failed for FC-4 and 5 anyway) and backport the fix for the vulnerability

awstats-6.5-CVE-2006-1945.patch:

--- NEW FILE awstats-6.5-CVE-2006-1945.patch ---
diff -u -r1.860 -r1.861
--- wwwroot/cgi-bin/awstats.pl	9 Jan 2006 18:51:06 -0000	1.860
+++ wwwroot/cgi-bin/awstats.pl	22 Jan 2006 12:55:14 -0000	1.861
@@ -5542,7 +5542,7 @@
 	# No update but report by default when run from a browser
 	$UpdateStats=($QueryString=~/update=1/i?1:0);
 
-	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); }
+	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&DecodeEncodedString("$1"); }
 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
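Review bot: `diricons` on the line directly below the changed one is still assigned from `DecodeEncodedString("$1")` with no `Sanitize` call, while `config`, `pluginmode` and `configdir` in the same block all go through it; if `$DirIcons` is only ever used as a URL prefix that is defensible, but a one-line comment saying so would save the next backporter from asking. Also note that `config` gets the one-argument `&Sanitize(...)` form whereas `pluginmode` uses `&Sanitize(..., 1)`; the neighbouring lines make that distinction deliberately, so it is worth confirming that the one-argument form is the one intended for a config name.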
@@ -5591,7 +5591,7 @@
 	# Update with no report by default when run from command line
 	$UpdateStats=1;
 
-	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig="$1"; }
+	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize("$1"); }
 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1",1); }
 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }
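Review bot: the command-line branch mirrors the browser branch consistently (no `DecodeEncodedString`, since the query string is not URL-encoded there), but as in the first hunk `diricons` is the only parameter in this block left without `Sanitize`. Since this is upstream r1.861 backported onto the 6.5 tarball, the `Sanitize` subroutine already present in 6.5 (the surrounding `pluginmode` and `configdir` lines call it) should be compared with the one the 6.6 fix was written against; the patch does not carry its body, so the fix is only as strong as the 6.5 definition.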


--- NEW FILE awstats.README.SELinux ---
==========================
SELinux support in AWStats
==========================


What is the problem?
--------------------

AWStats is a CGI script, and needs to be labelled correctly to be called
from Apache.
The files in ``/usr/share/awstats/wwwroot/cgi-bin`` need to have the
``httpd_sys_script_exec_t`` type, and the database files in
``/var/lib/awstats`` need to have the ``httpd_sys_script_rw_t`` type.


How do we solve it?
-------------------

You can change the type with the ``chcon`` command::

    chcon -R -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin
    chcon -R -t httpd_sys_script_rw_t /var/lib/awstats

But these modifications will be lost if the system is relabeled (you can
request a relabel with the system-config-security tool).

To make these changes permanent, this package sets the contexts by running
the following commands::

    semanage fcontext -a -t httpd_sys_script_exec_t \
        '/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
    semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?'
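
As an added example (not part of the awstats package or this README), the
POSIX shell script below checks both halves of the above: whether the
persistent ``semanage`` rules are present, and whether a directory currently
carries the expected type. The listings are passed in as text so it can be
exercised offline against captured or constructed output; the path and type
values are the ones from this README.

```shell
#!/bin/sh
# Added example, not part of the awstats package: check that the two AWStats
# paths from the README carry the expected SELinux types both persistently
# (in `semanage fcontext -l` output) and on disk (in `ls -dZ` output).
# The listings are passed in as text so the functions can be exercised
# against captured or constructed output on a host without SELinux.

# Expected mappings, taken from the README's semanage commands.
AWSTATS_CGI_PATH='/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
AWSTATS_CGI_TYPE='httpd_sys_script_exec_t'
AWSTATS_DB_PATH='/var/lib/awstats(/.*)?'
AWSTATS_DB_TYPE='httpd_sys_script_rw_t'

# awstats_fcontext_missing LISTING
# Print one "path -> type" line for each expected persistent rule that is
# absent from LISTING (the text of `semanage fcontext -l`).  Empty output
# means both rules survive a relabel; a chcon-only setup prints both.
awstats_fcontext_missing() {
    listing=$1
    for pair in "$AWSTATS_CGI_PATH|$AWSTATS_CGI_TYPE" \
                "$AWSTATS_DB_PATH|$AWSTATS_DB_TYPE"; do
        path=${pair%|*}
        type=${pair#*|}
        # -F: the path spec is itself a regex and must be matched literally
        if ! printf '%s\n' "$listing" | grep -F -- "$path" | grep -q -- ":$type:"; then
            printf '%s -> %s\n' "$path" "$type"
        fi
    done
}

# awstats_label_type LS_LINE
# Extract the SELinux type from one line of `ls -dZ` output.  The context
# field is located by its object_r role rather than by column position,
# because older and newer coreutils print the columns in a different order.
awstats_label_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# awstats_label_ok LS_LINE EXPECTED_TYPE -> exit 0 if the on-disk type matches
awstats_label_ok() {
    [ "$(awstats_label_type "$1")" = "$2" ]
}

# Live usage on an SELinux host (not executed here):
#   awstats_fcontext_missing "$(semanage fcontext -l)"
#   awstats_label_ok "$(ls -dZ /var/lib/awstats)" "$AWSTATS_DB_TYPE"
```

A non-empty result from ``awstats_fcontext_missing`` on a host where
``awstats_label_ok`` succeeds is exactly the chcon-only situation described
above: the labels are right today but will not survive a relabel.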


Please send your bug reports (if any ;) ) to https://bugzilla.redhat.com


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-5/.cvsignore,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- .cvsignore	7 May 2006 08:17:09 -0000	1.6
+++ .cvsignore	7 May 2006 23:40:34 -0000	1.7
@@ -1 +1 @@
-awstats-6.6.tar.gz
+awstats-6.5.tar.gz


Index: awstats.spec
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-5/awstats.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- awstats.spec	7 May 2006 08:17:09 -0000	1.12
+++ awstats.spec	7 May 2006 23:40:34 -0000	1.13
@@ -1,13 +1,14 @@
 Name:       awstats
-Version:    6.6
-Release:    0.1.beta%{?dist}
+Version:    6.5
+Release:    4%{?dist}
 Summary:    Advanced Web Statistics
 License:    GPL
 Group:      Applications/Internet
 URL:        http://awstats.sourceforge.net
-#Source0:    http://dl.sf.net/awstats/awstats-6.6.tar.gz
-Source0:    http://awstats.sourceforge.net/files/awstats-6.6.tar.gz
+Source0:    http://dl.sf.net/awstats/awstats-6.5.tar.gz
+#Source0:   http://awstats.sourceforge.net/files/awstats-6.5.tar.gz
 Source1:    awstats.README.SELinux
+Patch0:     awstats-6.5-CVE-2006-1945.patch
 BuildArch:  noarch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires:   httpd
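Review bot: Version drops from 6.6 to 6.5 while Release is bumped only within the 6.5 series, so 6.5-4 compares lower than 6.6-0.1.beta under RPM version ordering and would not be offered as an update to any host that installed the beta. The log message says the 6.6 build failed for FC-4 and FC-5, so this is presumably moot for the repository, but if the 6.6 package reached anyone an `Epoch` bump would be required for the CVE fix to actually get installed.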
@@ -34,6 +35,8 @@
 
 %prep
 %setup -q
+# no backup or the orig file will be installed
+%patch0 -p0
 # Fix style sheets.
 perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
 # Fix some bad file permissions here for convenience.
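Review bot: `-p0` matches the patch's bare `wwwroot/cgi-bin/awstats.pl` paths, so the application is correct. The comment above `%patch0` is terse; spelling out the cause makes it self-explanatory, e.g. `# no -b backup suffix: the .orig copy would end up installed alongside awstats.pl`.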
@@ -49,7 +52,7 @@
 rm -rf $RPM_BUILD_ROOT
 
 ### Create cron job
-%{__cat} <<EOF >awstats.cron
+cat <<EOF >awstats.cron
 #!/bin/bash
 
 if [ -f %{_localstatedir}/log/httpd/access_log ] ; then
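Review bot: replacing `%{__cat}` with `cat` is an unrelated cleanup inside a security backport and is not mentioned in the changelog; either leave it out of this commit or add a changelog line so that the diff between 6.5-3 and 6.5-4 reads as purely the CVE fix.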
@@ -173,8 +176,8 @@
 
 
 %changelog
-* Sun May 07 2006 Aurelien Bompard <gauret[AT]free.fr> 6.6-0.1.beta
-- version 6.6 (beta), fixes CVE-2005-2732 (bug 190921, 190922, and 190923)
+* Mon May 08 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-4
+- add patch to fix CVE-2006-1945 (bugs 190921, 190922 and 190923)
 
 * Sun Apr 09 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-3
 - SELinux support: use semanage to label the cgi and the database files
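Review bot: the removed entry credited bugs 190921, 190922 and 190923 to CVE-2005-2732, and the new entry credits the same three bugs to CVE-2006-1945; check which identifier the bug reports actually track and make the changelog, the `Patch0` file name and the log message agree. Separately, deleting the 6.6-0.1.beta entry rather than keeping it above the new one loses history; that is acceptable only because the 6.6 build never shipped, and a short line saying so would make the jump from 6.6 back to 6.5 self-explanatory.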


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-5/sources,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- sources	7 May 2006 08:17:09 -0000	1.9
+++ sources	7 May 2006 23:40:34 -0000	1.10
@@ -1 +1 @@
-c9b65c5a58011fdb4ec611feec17eee4  awstats-6.6.tar.gz
+aef00b2ff5c5413bd2a868299cabd69a  awstats-6.5.tar.gz
