rpms/awstats/F-9 awstats-6.8-CVE-2008-3714.patch, NONE, 1.1 awstats.spec, 1.23, 1.24

Aurelien Bompard abompard at fedoraproject.org
Sat Aug 23 06:00:34 UTC 2008


Author: abompard

Update of /cvs/pkgs/rpms/awstats/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20379/F-9

Modified Files:
	awstats.spec 
Added Files:
	awstats-6.8-CVE-2008-3714.patch 
Log Message:
* Sat Aug 23 2008 Aurelien Bompard <abompard at fedoraproject.org> 6.8-2
- Add upstream patch for CVE-2008-3714


awstats-6.8-CVE-2008-3714.patch:

--- NEW FILE awstats-6.8-CVE-2008-3714.patch ---
--- awstats.pl	2008/04/21 21:13:28	1.910
+++ awstats.pl	2008/07/27 17:44:11	1.912
@@ -6,7 +6,7 @@
 # line or a browser to read report results.
 # See AWStats documentation (in docs/ directory) for all setup instructions.
 #------------------------------------------------------------------------------
-# $Revision: 1.910 $ - $Author: eldy $ - $Date: 2008/04/21 21:13:28 $
+# $Revision: 1.912 $ - $Author: eldy $ - $Date: 2008/07/27 17:44:11 $
 require 5.005;
 
 #$|=1;
@@ -21,8 +21,8 @@
 # Defines
 #------------------------------------------------------------------------------
 use vars qw/ $REVISION $VERSION /;
-$REVISION='$Revision: 1.910 $'; $REVISION =~ /\s(.*)\s/; $REVISION=$1;
-$VERSION="6.8 (build $REVISION)";
+$REVISION='$Revision: 1.912 $'; $REVISION =~ /\s(.*)\s/; $REVISION=$1;
+$VERSION="6.9 (build $REVISION)";
 
 # ----- Constants -----
 use vars qw/
@@ -4406,6 +4406,7 @@
 sub DecodeEncodedString {
 	my $stringtodecode=shift;
 	$stringtodecode =~ tr/\+/ /s;
+	$stringtodecode =~ s/%22//g;
 	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
 	return $stringtodecode;
 }
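Review bot: The added `s/%22//g` on the line before the percent-decode is an input-side deny-list that catches only the encoded form of one character: a literal `"` that arrives unencoded is left alone, and `%27` (single quote) still decodes, so any single-quoted attribute context on the output side — none is visible from here — would remain injectable. It also silently drops characters from otherwise legitimate parameter values instead of escaping them where they are emitted. I would remove this line from the decoder and neutralise quotes at output time in CleanXSS instead, `$stringtoclean =~ s/"/&quot;/g;` followed by `$stringtoclean =~ s/'/&#39;/g;`, which covers both quote styles regardless of how the input was encoded.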
@@ -4458,9 +4459,12 @@
 #------------------------------------------------------------------------------
 sub CleanXSS {
 	my $stringtoclean=shift;
+	# To avoid html tags and javascript
 	$stringtoclean =~ s/</</g;
 	$stringtoclean =~ s/>/>/g;
 	$stringtoclean =~ s/|//g;
+	# To avoid onload="
+	$stringtoclean =~ s/onload//g;
 	return $stringtoclean;
 }
 
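Review bot: `s/onload//g` at the end of CleanXSS is a case-sensitive deny-list of a single token: `ONLOAD`, `onerror`, `onmouseover`, `onfocus` and `javascript:` URLs all pass through unchanged, and because the match is deleted rather than escaped a single pass turns `oonloadnload` back into `onload`. The durable fix is to make the attribute-quote characters inert so no handler attribute can be injected at all: replace that line with `$stringtoclean =~ s/"/&quot;/g;` and `$stringtoclean =~ s/'/&#39;/g;`, and change the comment `# To avoid onload="` to `# Escape quotes so injected text cannot close an HTML attribute`. Separately, the `<`, `>` and `|` substitutions on the preceding context lines appear in this rendering without their `&lt;`/`&gt;` replacement text and without the backslash on `|`, which would make them no-ops as shown; worth confirming the patch as committed matches upstream rev 1.912.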


Index: awstats.spec
===================================================================
RCS file: /cvs/pkgs/rpms/awstats/F-9/awstats.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- awstats.spec	21 Jul 2008 21:10:43 -0000	1.23
+++ awstats.spec	23 Aug 2008 06:00:04 -0000	1.24
@@ -1,12 +1,14 @@
 Name:       awstats
 Version:    6.8
-Release:    1%{?dist}
+Release:    2%{?dist}
 Summary:    Advanced Web Statistics
 License:    GPLv2
 Group:      Applications/Internet
 URL:        http://awstats.sourceforge.net
 Source0:    http://dl.sf.net/awstats/awstats-%{version}.tar.gz
 #Source0:    http://awstats.sourceforge.net/files/awstats-6.6.tar.gz
+# http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912&view=patch
+Patch0:     awstats-6.8-CVE-2008-3714.patch
 
 BuildArch:  noarch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
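Review bot: The upstream patch pulled in as the new `Patch0:` also carries the two `$REVISION`/`$VERSION` hunks, so once applied the CGI reports itself as `6.9 (build 1.912)` while the package stays at `Version: 6.8`, release 2; anyone comparing the footer of generated pages against the installed rpm will be misled. I would trim the patch to the `DecodeEncodedString` and `CleanXSS` hunks only, or explain in the spec comment why the version string is intentionally left at 6.9. The source URL comment above the `Patch0:` line is good for traceability; adding the CVE to it, `# CVE-2008-3714 fix, upstream awstats.pl rev 1.910 -> 1.912`, makes the link obvious without opening the patch.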
@@ -39,6 +41,9 @@
 
 %prep
 %setup -q
+pushd wwwroot/cgi-bin/
+%patch0 -p0 -b .CVE-2008-3714
+popd
 # Fix style sheets.
 perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
 # Fix some bad file permissions here for convenience.
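Review bot: `%patch0 -p0 -b .CVE-2008-3714` leaves `wwwroot/cgi-bin/awstats.pl.CVE-2008-3714` in the build tree; if the %install section (not shown here) copies `wwwroot/cgi-bin` with a glob or `cp -r`, that backup of the unpatched script ships alongside the fixed one, and in a cgi-bin directory it could be invoked as a CGI, re-exposing the original issue. Either drop `-b`, or remove the backup right after applying: `rm -f wwwroot/cgi-bin/awstats.pl.CVE-2008-3714`. The `pushd`/`popd` pair could go if the patch were regenerated with full paths and applied with `-p1`, but that is cosmetic.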
@@ -158,6 +163,9 @@
 
 
 %changelog
+* Sat Aug 23 2008 Aurelien Bompard <abompard at fedoraproject.org> 6.8-2
+- Add upstream patch for CVE-2008-3714
+
 * Mon Jul 21 2008 Aurelien Bompard <abompard at fedoraproject.org> 6.8-1
 - version 6.8
 



