rpms/awstats/EL-5 awstats-6.7-CVE-2008-3714.patch, NONE, 1.1 awstats.spec, 1.21, 1.22

Tim Jackson timj at fedoraproject.org
Sat Aug 23 09:04:12 UTC 2008


Author: timj

Update of /cvs/extras/rpms/awstats/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29442

Modified Files:
	awstats.spec 
Added Files:
	awstats-6.7-CVE-2008-3714.patch 
Log Message:
Fix CVE-2008-3714: cross-site scripting security issue (#459605)


awstats-6.7-CVE-2008-3714.patch:

--- NEW FILE awstats-6.7-CVE-2008-3714.patch ---
Adapted from:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912

diff -ur awstats-6.7/wwwroot/cgi-bin/awstats.pl awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl
--- awstats-6.7/wwwroot/cgi-bin/awstats.pl	2007-07-07 12:00:06.000000000 +0100
+++ awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl	2008-08-23 09:21:31.000000000 +0100
@@ -4380,6 +4380,7 @@
 sub DecodeEncodedString {
 	my $stringtodecode=shift;
 	$stringtodecode =~ tr/\+/ /s;
+	$stringtodecode =~ s/%22//g;
 	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
 	return $stringtodecode;
 }
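Review bot: Stripping `%22` inside DecodeEncodedString only removes the percent-encoded form of the double quote; a literal `"` in the query value is not touched here and CleanXSS (next hunk) does not encode quotes either, so the quote injection this patch targets is only partly closed. The decoder is also the wrong layer for the fix: it silently alters every decoded parameter, including legitimate values that happen to contain `%22`, while DecodeEncodedString should remain a faithful decoder. The durable mitigation is output encoding in CleanXSS, `$stringtoclean =~ s/&/&amp;/g;` first and then `$stringtoclean =~ s/"/&quot;/g;`, which covers both the encoded and literal forms at the point where the value reaches HTML.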
@@ -4432,9 +4433,12 @@
 #------------------------------------------------------------------------------
 sub CleanXSS {
 	my $stringtoclean=shift;
+	# To avoid html tags and javascript
 	$stringtoclean =~ s/</</g;
 	$stringtoclean =~ s/>/>/g;
 	$stringtoclean =~ s/|//g;
+	# To avoid onload="
+	$stringtoclean =~ s/onload//g;
 	return $stringtoclean;
 }
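Review bot: `$stringtoclean =~ s/onload//g;` is a case-sensitive denylist of one attribute name; HTML attribute names are case-insensitive and there are other event-handler attributes, so the line narrows the issue rather than closing it, and it also corrupts legitimate strings that contain that substring (a referrer path, for instance). The comment `# To avoid onload="` itself shows the real problem is the unescaped quote that lets an attribute be closed, and encoding `"` as `&quot;` handles that whole class without special-casing attribute names. Separately, the `<` and `>` substitutions appear in this rendering as `s/</</g` and `s/>/>/g`, which would be no-ops; presumably the mail archive collapsed the `&lt;`/`&gt;` entities on the replacement side, but that is worth confirming in the committed patch file.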
 


Index: awstats.spec
===================================================================
RCS file: /cvs/extras/rpms/awstats/EL-5/awstats.spec,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- awstats.spec	16 Mar 2008 10:35:47 -0000	1.21
+++ awstats.spec	23 Aug 2008 09:03:41 -0000	1.22
@@ -1,18 +1,19 @@
 Name:       awstats
 Version:    6.7
-Release:    2%{?dist}
+Release:    3%{?dist}
 Summary:    Advanced Web Statistics
 License:    GPLv2
 Group:      Applications/Internet
 URL:        http://awstats.sourceforge.net
 Source0:    http://dl.sf.net/awstats/awstats-%{version}.tar.gz
-#Source0:    http://awstats.sourceforge.net/files/awstats-6.6.tar.gz
 Source1:    awstats.README.SELinux
 
 # Fix pb in xml output for history files
 # http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.892&r2=1.894&view=patch
 Patch0:     awstats-6.7-xmlhistory.patch
 
+Patch1:     awstats-6.7-CVE-2008-3714.patch
+
 BuildArch:  noarch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: checkpolicy, selinux-policy-devel
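Review bot: The new `Patch1:` line carries no provenance comment, unlike `Patch0:` a few lines above, so a reader of the spec cannot tell what the patch fixes or where it came from without opening it. Suggest adding `# Fix CVE-2008-3714 (XSS, #459605), adapted from upstream awstats.pl r1.910-r1.912` above `Patch1:`, matching the existing comment style. The `%patch1 -p1` in the %prep hunk is consistent with the one-component path prefix in the patch headers.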
@@ -50,9 +51,8 @@
 
 %prep
 %setup -q
-# No backup or it will be installed
-#%%patch0 -p0 -b .xmlhistory
 %patch0 -p0
+%patch1 -p1
 # Fix style sheets.
 perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
 # Fix some bad file permissions here for convenience.
@@ -218,6 +218,9 @@
 
 
 %changelog
+* Sat Aug 23 2008 Tim Jackson <rpm at timj.co.uk> 6.7-3
+- Fix CVE-2008-3714: cross-site scripting security issue (#459605)
+
 * Sun Mar 16 2008 Tim Jackson <rpm at timj.co.uk> 6.7-2
 - awstats does not actually require httpd (#406901)
 - Fix cron script to be compatible with SELinux (#435101)



