rpms/awstats/EL-5 awstats-6.7-CVE-2008-3714.patch, 1.1, 1.2 awstats.spec, 1.23, 1.24

Tim Jackson timj at fedoraproject.org
Sun Dec 7 18:40:46 UTC 2008


Author: timj

Update of /cvs/extras/rpms/awstats/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22932

Modified Files:
	awstats-6.7-CVE-2008-3714.patch awstats.spec 
Log Message:
Use Debian's patch for CVE-2008-3714 (#474396)
Sync spec with devel branch a bit


awstats-6.7-CVE-2008-3714.patch:

Index: awstats-6.7-CVE-2008-3714.patch
===================================================================
RCS file: /cvs/extras/rpms/awstats/EL-5/awstats-6.7-CVE-2008-3714.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- awstats-6.7-CVE-2008-3714.patch	23 Aug 2008 09:03:41 -0000	1.1
+++ awstats-6.7-CVE-2008-3714.patch	7 Dec 2008 18:40:14 -0000	1.2
@@ -1,27 +1,12 @@
-Adapted from:
-http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912
-
 diff -ur awstats-6.7/wwwroot/cgi-bin/awstats.pl awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl
 --- awstats-6.7/wwwroot/cgi-bin/awstats.pl	2007-07-07 12:00:06.000000000 +0100
-+++ awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl	2008-08-23 09:21:31.000000000 +0100
-@@ -4380,6 +4380,7 @@
- sub DecodeEncodedString {
++++ awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl	2008-12-06 15:01:44.000000000 +0000
+@@ -4381,6 +4381,7 @@
  	my $stringtodecode=shift;
  	$stringtodecode =~ tr/\+/ /s;
-+	$stringtodecode =~ s/%22//g;
  	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
++	$stringtodecode =~ s/["']//g;
  	return $stringtodecode;
  }
-@@ -4432,9 +4433,12 @@
- #------------------------------------------------------------------------------
- sub CleanXSS {
- 	my $stringtoclean=shift;
-+	# To avoid html tags and javascript
- 	$stringtoclean =~ s/</</g;
- 	$stringtoclean =~ s/>/>/g;
- 	$stringtoclean =~ s/|//g;
-+	# To avoid onload="
-+	$stringtoclean =~ s/onload//g;
- 	return $stringtoclean;
- }
  
+Only in awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin: awstats.pl.orig
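Review bot: The added `s/["']//g` in DecodeEncodedString has no comment, and the patch file lost its "Adapted from:" header, so nothing on the new side says what the substitution guards against or where the patch came from. I would add `# Strip quote characters after percent-decoding so a decoded value cannot close an HTML attribute (CVE-2008-3714)` above the substitution, and a header line at the top of the patch file such as `Taken from Debian's awstats package, see #474396`. Because the filter sits in the decoder rather than where values are written into HTML, it presumably only covers input that passes through this sub. The sub's opening line and its callers are outside the hunk, so that coverage should be confirmed against awstats.pl. The trailing `Only in ... awstats.pl.orig` line is `diff -r` output, not part of the change, and can be dropped from the patch.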


Index: awstats.spec
===================================================================
RCS file: /cvs/extras/rpms/awstats/EL-5/awstats.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- awstats.spec	24 Sep 2008 18:46:55 -0000	1.23
+++ awstats.spec	7 Dec 2008 18:40:14 -0000	1.24
@@ -9,7 +9,7 @@
 Source1:    awstats.README.SELinux
 Source2:    awstats.README.Fedora
 
-# Fix pb in xml output for history files
+# Fix XML output for history files
 # http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.892&r2=1.894&view=patch
 Patch0:     awstats-6.7-xmlhistory.patch
 
@@ -59,8 +59,8 @@
 # Fix some bad file permissions here for convenience.
 chmod -x tools/httpd_conf
 find tools/xslt -type f | xargs chmod -x
-# Remove \r in conf file (file written on MS Windows)
-perl -pi -e 's/\r//g' tools/httpd_conf tools/logresolvemerge.pl
+# Remove \r in various files
+perl -pi -e 's/\r//g' docs/COPYING.TXT docs/LICENSE.TXT docs/pad_awstats.xml docs/awstats_changelog.txt docs/styles.css tools/httpd_conf tools/logresolvemerge.pl tools/awstats_exportlib.pl tools/awstats_buildstaticpages.pl tools/maillogconvert.pl tools/urlaliasbuilder.pl wwwroot/cgi-bin/awredir.pl
 # SELinux README
 cp -a %{SOURCE1} README.SELinux
 cp -a %{SOURCE2} README.Fedora
@@ -126,11 +126,6 @@
 iconv -f iso-8859-1 -t utf-8 < docs/awstats_changelog.txt > docs/awstats_changelog.txt.utf8
 mv docs/awstats_changelog.txt.utf8 docs/awstats_changelog.txt
 
-# Fix EOLs
-%{__sed} -i 's/\r//' docs/pad_awstats.xml
-%{__sed} -i 's/\r//' docs/styles.css
-%{__sed} -i 's/\r//' docs/awstats_changelog.txt
-
 # Apache configuration
 install -p -m 644 tools/httpd_conf $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf
 perl -pi -e 's|/usr/local|%{_datadir}|g;s|Allow from all|Allow from 127.0.0.1|g' \
@@ -220,7 +215,8 @@
 
 
 %changelog
-* Wed Sep 24 2008 Tim Jackson <rpm at timj.co.uk> 6.7-4
+* Sat Dec 06 2008 Tim Jackson <rpm at timj.co.uk> 6.7-4
+- Use Debian's patch for CVE-2008-3714 (#474396)
 - Add README.Fedora file pointing people towards the -selinux subpackage
 
 * Sat Aug 23 2008 Tim Jackson <rpm at timj.co.uk> 6.7-3



