rpms/awstats/FC-4 awstats-6.5-CVE-2006-1945.patch, NONE, 1.1 .cvsignore, 1.6, 1.7 awstats.spec, 1.10, 1.11 sources, 1.9, 1.10

Sun May 7 23:40:34 UTC 2006

Author: abompard

Update of /cvs/extras/rpms/awstats/FC-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14808/FC-4

Modified Files:
	.cvsignore awstats.spec sources 
Added Files:
	awstats-6.5-CVE-2006-1945.patch 
Log Message:
revert to version 6.5 (build failed for FC-4 and 5 anyway) and backport the fix for the vulnerability

awstats-6.5-CVE-2006-1945.patch:

--- NEW FILE awstats-6.5-CVE-2006-1945.patch ---
diff -u -r1.860 -r1.861
--- wwwroot/cgi-bin/awstats.pl	9 Jan 2006 18:51:06 -0000	1.860
+++ wwwroot/cgi-bin/awstats.pl	22 Jan 2006 12:55:14 -0000	1.861
@@ -5542,7 +5542,7 @@
 	# No update but report by default when run from a browser
 	$UpdateStats=($QueryString=~/update=1/i?1:0);
 
-	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); }
+	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&DecodeEncodedString("$1"); }
 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
@@ -5591,7 +5591,7 @@
 	# Update with no report by default when run from command line
 	$UpdateStats=1;
 
-	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig="$1"; }
+	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize("$1"); }
 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
 	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1",1); }
 	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-4/.cvsignore,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- .cvsignore	7 May 2006 08:17:08 -0000	1.6
+++ .cvsignore	7 May 2006 23:40:34 -0000	1.7
@@ -1 +1 @@
-awstats-6.6.tar.gz
+awstats-6.5.tar.gz


Index: awstats.spec
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-4/awstats.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- awstats.spec	7 May 2006 08:17:08 -0000	1.10
+++ awstats.spec	7 May 2006 23:40:34 -0000	1.11
@@ -1,19 +1,19 @@
 Name:       awstats
-Version:    6.6
-Release:    0.1.beta%{?dist}
+Version:    6.5
+Release:    1%{?dist}
 Summary:    Advanced Web Statistics
 License:    GPL
 Group:      Applications/Internet
 URL:        http://awstats.sourceforge.net
-#Source0:    http://dl.sf.net/awstats/awstats-6.6.tar.gz
-Source0:    http://awstats.sourceforge.net/files/awstats-6.6.tar.gz
-Source1:    awstats.README.SELinux
+Source0:    http://dl.sf.net/awstats/awstats-6.5.tar.gz
+#Source0:   http://awstats.sourceforge.net/files/awstats-6.5.tar.gz
+Patch0:     awstats-6.5-CVE-2006-1945.patch
 BuildArch:  noarch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires:   httpd
 Requires:   perl
-Requires(post): perl, policycoreutils
-Requires(postun): /sbin/service, policycoreutils
+Requires(post): perl
+Requires(postun): /sbin/service
 
 %description
 Advanced Web Statistics is a powerful and featureful tool that generates
@@ -31,19 +31,20 @@
 With the default configuration, the statistics are available:
 http://localhost/awstats/awstats.pl
 
-
 %prep
 %setup -q
+# no backup or the orig file will be installed
+%patch0 -p0
+
 # Fix style sheets.
 perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
+
 # Fix some bad file permissions here for convenience.
 chmod -x tools/httpd_conf
 find tools/xslt -type f | xargs chmod -x
+
 # Remove \r in conf file (file written on MS Windows)
 perl -pi -e 's/\r//g' tools/httpd_conf
-# SELinux README
-cp -a %{SOURCE1} README.SELinux
-
 
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -81,7 +82,7 @@
 ### Commit permanent changes to default configuration
 install -p -m 644 wwwroot/cgi-bin/awstats.model.conf \
     $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf
-perl -pi -e '
+%{__perl} -pi -e '
                 s|^LogFile=.*$|LogFile="%{_localstatedir}/log/httpd/access_log"|;
                 s|^DirData=.*$|DirData="%{_localstatedir}/lib/awstats"|;
                 s|^DirCgi=.*$|DirCgi="/awstats"|;
@@ -92,17 +93,16 @@
                 s|^SaveDatabaseFilesWithPermissionsForEveryone=.*$|SaveDatabaseFilesWithPermissionsForEveryone=0|;
                 s|^SkipHosts=.*$|SkipHosts="127.0.0.1"|;
                 s|^Expires=.*$|Expires=3600|;
-            ' $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf
+        ' $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf
 install -p -m 644 $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.{model,localhost.localdomain}.conf 
 
 # Fix scripts
-perl -pi -e 's|/usr/local/awstats|%{_datadir}/awstats|g' \
+%{__perl} -pi -e 's|/usr/local/awstats|%{_datadir}/awstats|g' \
              $RPM_BUILD_ROOT%{_datadir}/%{name}/tools/{*.pl,httpd_conf}
 
 # Apache configuration
 install -p -m 644 tools/httpd_conf $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf
-perl -pi -e 's|/usr/local|%{_datadir}|g;s|Allow from all|Allow from 127.0.0.1|g' \
-             $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf
+%{__perl} -pi -e 's|/usr/local|%{_datadir}|g' $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf
 echo "# Additional Perl modules
 <IfModule mod_env.c>
     SetEnv PERL5LIB %{_datadir}/awstats/lib:%{_datadir}/awstats/plugins
@@ -115,7 +115,6 @@
 %clean
 rm -rf $RPM_BUILD_ROOT
 
-
 %post
 if [ $1 -eq 1 ]; then
   if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then
@@ -125,27 +124,11 @@
                       ' > %{_sysconfdir}/%{name}/%{name}.`hostname`.conf || :
   fi
 fi
-### SELinux support ###
-# Set SELinux file_context
-semanage fcontext -a -t httpd_sys_script_exec_t \
-    '%{_datadir}/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
-semanage fcontext -a -t httpd_sys_script_rw_t '%{_localstatedir}/lib/awstats(/.*)?' 2>/dev/null || :
-# Actually change the context
-chcon -R -t httpd_sys_script_exec_t %{_datadir}/awstats/wwwroot/cgi-bin || :
-chcon -R -t httpd_sys_script_rw_t %{_localstatedir}/lib/awstats || :
-
 
 %postun
 if [ $1 -ne 0 ]; then
   /sbin/service httpd condrestart >/dev/null 2>&1
 fi
-# SELinux support
-if [ $1 -eq 0 ]; then
-  semanage fcontext -d -t httpd_sys_script_exec_t \
-    '%{_datadir}/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
-  semanage fcontext -d -t httpd_sys_script_rw_t '%{_localstatedir}/lib/awstats(/.*)?' 2>/dev/null || :
-fi
-
 
 
 %files
@@ -161,7 +144,7 @@
 %{_datadir}/%{name}/wwwroot/cgi-bin
 # Different defattr to fix lots of files which should not be +x.
 %defattr(644,root,root,755)
-%doc README.TXT docs/* README.SELinux
+%doc README.TXT docs/*
 %{_datadir}/%{name}/lang
 %{_datadir}/%{name}/lib
 %{_datadir}/%{name}/plugins
@@ -170,19 +153,7 @@
 %{_datadir}/%{name}/wwwroot/icon
 %{_datadir}/%{name}/wwwroot/js
 
-
-
 %changelog
-* Sun May 07 2006 Aurelien Bompard <gauret[AT]free.fr> 6.6-0.1.beta
-- version 6.6 (beta), fixes CVE-2005-2732 (bug 190921, 190922, and 190923)
-
-* Sun Apr 09 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-3
-- SELinux support: use semanage to label the cgi and the database files
-- Only allow access from localhost by default (this app has a security history)
-
-* Thu Feb 23 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-2
-- rebuild for FC5
-
 * Wed Jan 11 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-1
 - version 6.5 final
 


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/awstats/FC-4/sources,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- sources	7 May 2006 08:17:08 -0000	1.9
+++ sources	7 May 2006 23:40:34 -0000	1.10
@@ -1 +1 @@
-c9b65c5a58011fdb4ec611feec17eee4  awstats-6.6.tar.gz
+aef00b2ff5c5413bd2a868299cabd69a  awstats-6.5.tar.gz


