[ikiwiki/f16] Add patch that should fix CVE-2012-0220.
Thomas Moschny
thm at fedoraproject.org
Sat May 19 16:17:48 UTC 2012
commit a4ded368842d6684963132101c741f2921f5ff54
Author: Thomas Moschny <thm at fedoraproject.org>
Date: Sat May 19 18:13:31 2012 +0200
Add patch that should fix CVE-2012-0220.
ikiwiki-3.20111106-meta.patch | 54 +++++++++++++++++++++++++++++++++++++++++
ikiwiki.spec | 7 ++++-
2 files changed, 60 insertions(+), 1 deletions(-)
---
diff --git a/ikiwiki-3.20111106-meta.patch b/ikiwiki-3.20111106-meta.patch
new file mode 100644
index 0000000..ed61370
--- /dev/null
+++ b/ikiwiki-3.20111106-meta.patch
@@ -0,0 +1,54 @@
+From: Thomas Moschny <thm at fedoraproject.org>
+Subject: [PATCH] t/cve-2012-0220
+
+Apply changes from these commits:
+
+commit fbfcea89f8e06426c73ab8ea369ca4cdc566db6f
+Author: Joey Hess <joey at kitenet.net>
+Date: Wed May 16 19:54:41 2012 -0400
+
+ meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl Benencia
+
+commit 18b0f2737b3f1478deff6e9c48217c6f22a576ea
+Author: Joey Hess <joey at kitenet.net>
+Date: Wed May 16 22:13:23 2012 -0400
+
+ ensure HTML::Entities is always loaded
+
+ (Worked ok in my tests w/o this, but not sure I tested every case,
+ and this is correct.)
+
+
+Signed-off-by: Thomas Moschny <thm at fedoraproject.org>
+
+---
+ IkiWiki/Plugin/meta.pm | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
+index 220fff9..38938ed 100644
+--- a/IkiWiki/Plugin/meta.pm
++++ b/IkiWiki/Plugin/meta.pm
+@@ -312,8 +312,9 @@ sub pagetemplate (@) {
+ $template->param(title_overridden => 1);
+ }
+
+- foreach my $field (qw{author authorurl}) {
+- $template->param($field => $pagestate{$page}{meta}{$field})
++ foreach my $field (qw{authorurl}) {
++ eval q{use HTML::Entities};
++ $template->param($field => HTML::Entities::encode_entities($pagestate{$page}{meta}{$field}))
+ if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
+ }
+
+@@ -324,7 +325,7 @@ sub pagetemplate (@) {
+ }
+ }
+
+- foreach my $field (qw{description}) {
++ foreach my $field (qw{description author}) {
+ eval q{use HTML::Entities};
+ $template->param($field => HTML::Entities::encode_numeric($pagestate{$page}{meta}{$field}))
+ if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
+--
+tg: (5fd076e..) t/cve-2012-0220 (depends on: master)
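Review bot: In the first meta.pm hunk of the embedded patch, `eval q{use HTML::Entities};` is never followed by a check of `$@`, so a failed load only surfaces as an undefined-subroutine error at the `HTML::Entities::encode_entities(...)` call on the next line. It is also re-evaluated inside a loop that now has a single element. Consider loading the module once before the loop and reporting `$@` if it fails. Separately, `authorurl` goes through `encode_entities` while `author` and `description` go through `encode_numeric`; a short comment explaining why the encoders differ would help the next reader. Entity encoding only prevents markup breakout, so it is worth confirming that the URL scheme of `authorurl` is validated where the value is stored, which these lines do not show.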
diff --git a/ikiwiki.spec b/ikiwiki.spec
index d5c7654..5b2a929 100644
--- a/ikiwiki.spec
+++ b/ikiwiki.spec
@@ -1,6 +1,6 @@
Name: ikiwiki
Version: 3.20111106
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: A wiki compiler
Group: Applications/Internet
@@ -10,6 +10,7 @@ License: GPLv2+ and BSD
URL: http://ikiwiki.info/
Source0: http://ftp.debian.org/debian/pool/main/i/%{name}/%{name}_%{version}.tar.gz
Patch0: ikiwiki-libexecdir.patch
+Patch1: ikiwiki-3.20111106-meta.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -64,6 +65,7 @@ array of plugins.
%prep
%setup0 -q -n %{name}
%patch0 -p1 -b .libexecdir
+%patch1 -p1
# goes into the -w3m subpackage
%{__cat} << \EOF > README.fedora
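Review bot: `%patch1 -p1` is applied without a backup suffix, unlike `%patch0 -p1 -b .libexecdir` directly above it. Adding a suffix such as `-b .meta` would keep the two invocations consistent and leave the original meta.pm in the build tree, which makes the security change easy to diff or regenerate later.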
@@ -140,6 +142,9 @@ meta-wrapper in this package.
%changelog
+* Thu May 17 2012 Thomas Moschny <thomas.moschny at gmx.de> - 3.20111106-2
+- Add patch that should fix CVE-2012-0220.
+
* Wed Nov 9 2011 Thomas Moschny <thomas.moschny at gmx.de> - 3.20111106-1
- Update to 3.20111106.
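Review bot: The new changelog entry says only that the patch "should fix" CVE-2012-0220 and does not say where the fix comes from. Naming the two upstream commits listed in the patch header (fbfcea89f8e0 and 18b0f2737b3f) would let someone reading the RPM changelog trace the backport. The entry is also dated Thu May 17 while the commit itself is dated May 19; aligning the two avoids confusion about when the fixed build was produced.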