[ganglia/f16] Backport of security fix http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=333

georgiou georgiou at fedoraproject.org
Sun Jul 15 19:50:04 UTC 2012


commit b5aeb719d4af0a8ad4c7533ed30ffc74621fe138
Author: Kostas Georgiou <k.georgiou at atreides.org.uk>
Date:   Sun Jul 15 14:37:08 2012 +0100

    Backport of security fix http://bugzilla.ganglia.info/cgi-bin/bugzilla/show_bug.cgi?id=333

 ganglia.spec               |    7 ++++++-
 graph-remoteexec-fix.patch |   12 ++++++++++++
 2 files changed, 18 insertions(+), 1 deletions(-)
---
diff --git a/ganglia.spec b/ganglia.spec
index 01ed120..f7b591d 100644
--- a/ganglia.spec
+++ b/ganglia.spec
@@ -1,6 +1,6 @@
 Name:               ganglia
 Version:            3.1.7
-Release:            4%{?svnrev:.r%{svnrev}}%{?dist}
+Release:            5%{?svnrev:.r%{svnrev}}%{?dist}
 Summary:            Ganglia Distributed Monitoring System
 
 Group:              Applications/Internet
@@ -11,6 +11,7 @@ Source0:            http://dl.sourceforge.net/sourceforge/%{name}/%{name}-%{vers
 Patch0:             diskusage-pcre.patch
 Patch1:             setuserid-fix.patch
 Patch2:             diskmetrics.patch
+Patch3:             graph-remoteexec-fix.patch
 Buildroot:          %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:      rrdtool-devel, apr-devel >= 1
@@ -94,6 +95,7 @@ programmers can use to build scalable cluster or grid applications
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 ## Hey, those shouldn't be executable...
 chmod -x lib/*.{h,x}
 
@@ -279,6 +281,9 @@ fi
 %{_datadir}/%{name}
 
 %changelog
+* Sun Jul 15 2012 Kostas Georgiou <georgiou at fedoraproject.org> - 3.1.7-5
+- Backpor of security patch for gangliabz#333
+
 * Tue Jun 14 2011 Kostas Georgiou <georgiou at fedoraproject.org> - 3.1.7-4
 - Fix buffer overflow in moddisk.so #689483
 
diff --git a/graph-remoteexec-fix.patch b/graph-remoteexec-fix.patch
new file mode 100644
index 0000000..7c8ffe0
--- /dev/null
+++ b/graph-remoteexec-fix.patch
@@ -0,0 +1,12 @@
+diff -u a/web/graph.php-orig b/web/graph.php
+--- a/web/graph.php-orig	2012-07-15 13:56:07.004566423 +0100
++++ b/web/graph.php	2012-07-15 13:56:17.082752514 +0100
+@@ -122,7 +122,7 @@
+ 
+ $graph_file = "$graphdir/$graph.php";
+ 
+-if ( is_readable($graph_file) ) {
++if ( is_readable($graph_file) and realpath($graphdir) === dirname(realpath($graph_file)) ) {
+     include_once($graph_file);
+ 
+     $graph_function = "graph_${graph}";
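Review bot: The new `realpath()` comparison on the `if` line constrains only which file gets included; `$graph` itself is still unvalidated when it is interpolated into `$graph_function = "graph_${graph}";` two lines later. How that name is used afterwards lies outside the hunk. Checking the value once, before `$graph_file` is built, would cover both uses, for example by adding `preg_match('/^[A-Za-z0-9_]+$/', $graph) and` at the front of the condition, with the character class adjusted to the report names actually shipped. The condition also deserves a short comment so a later rebase does not drop it, such as `// only include report scripts that resolve to a file directly inside $graphdir (gangliabz#333)`.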

