rpms/moodle/FC-4 moodle-1.5.3-SA18267.patch, NONE, 1.1 moodle.spec, 1.2, 1.3

Ignacio Vazquez-Abrams (ivazquez) fedora-extras-commits at redhat.com
Tue Jan 10 00:00:32 UTC 2006


Author: ivazquez

Update of /cvs/extras/rpms/moodle/FC-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19761/FC-4

Modified Files:
	moodle.spec 
Added Files:
	moodle-1.5.3-SA18267.patch 
Log Message:
Add security patch for adodb (SA18267)

moodle-1.5.3-SA18267.patch:

--- NEW FILE moodle-1.5.3-SA18267.patch ---
diff -urN moodle/lib/adodb/server.php moodle.adodb/lib/adodb/server.php
--- moodle/lib/adodb/server.php	2005-11-10 21:05:24.000000000 -0500
+++ moodle.adodb/lib/adodb/server.php	2006-01-03 21:07:46.000000000 -0500
@@ -1,98 +1,10 @@
 <?php
 
-/** 
- * @version V4.66 28 Sept 2005 (c) 2000-2005 John Lim (jlim at natsoft.com.my). All rights reserved.
- * Released under both BSD license and Lesser GPL library license. 
-  Whenever there is any discrepancy between the two licenses, 
-  the BSD license will take precedence. 
- */
- 
-/* Documentation on usage is at http://php.weblogs.com/adodb_csv
- *
- * Legal query string parameters:
- * 
- * sql = holds sql string
- * nrows = number of rows to return 
- * offset = skip offset rows of data
- * fetch = $ADODB_FETCH_MODE
- * 
- * example:
- *
- * http://localhost/php/server.php?select+*+from+table&nrows=10&offset=2
- */
+require_once('../../config.php');
+require_once('../weblib.php');
 
-
-/* 
- * Define the IP address you want to accept requests from 
- * as a security measure. If blank we accept anyone promisciously!
- */
-$ACCEPTIP = '';
-
-/*
- * Connection parameters
- */
-$driver = 'mysql';
-$host = 'localhost'; // DSN for odbc
-$uid = 'root';
-$pwd = '';
-$database = 'test';
-
-/*============================ DO NOT MODIFY BELOW HERE =================================*/
-// $sep must match csv2rs() in adodb.inc.php
-$sep = ' :::: ';
-
-include('./adodb.inc.php');
-include_once(ADODB_DIR.'/adodb-csvlib.inc.php');
-
-function err($s)
-{
-	die('**** '.$s.' ');
-}
-
-// undo stupid magic quotes
-function undomq(&$m) 
-{
-	if (get_magic_quotes_gpc()) {
-		// undo the damage
-		$m = str_replace('\\\\','\\',$m);
-		$m = str_replace('\"','"',$m);
-		$m = str_replace('\\\'','\'',$m);
-		
-	}
-	return $m;
-}
-
-///////////////////////////////////////// DEFINITIONS
-
-
-$remote = $_SERVER["REMOTE_ADDR"]; 
- 
-if (empty($_REQUEST['sql'])) err('No SQL');
-
-if (!empty($ACCEPTIP))
- if ($remote != '127.0.0.1' && $remote != $ACCEPTIP) 
- 	err("Unauthorised client: '$remote'");
-
-
-$conn = &ADONewConnection($driver);
-
-if (!$conn->Connect($host,$uid,$pwd,$database)) err($conn->ErrorNo(). $sep . $conn->ErrorMsg());
-$sql = undomq($_REQUEST['sql']);
-
-if (isset($_REQUEST['fetch']))
-	$ADODB_FETCH_MODE = $_REQUEST['fetch'];
-	
-if (isset($_REQUEST['nrows'])) {
-	$nrows = $_REQUEST['nrows'];
-	$offset = isset($_REQUEST['offset']) ? $_REQUEST['offset'] : -1;
-	$rs = $conn->SelectLimit($sql,$nrows,$offset);
-} else 
-	$rs = $conn->Execute($sql);
-if ($rs){ 
-	//$rs->timeToLive = 1;
-	echo _rs2serialize($rs,$conn,$sql);
-	$rs->Close();
-} else
-	err($conn->ErrorNo(). $sep .$conn->ErrorMsg());
+add_to_log(0, 'adodb', 'intrusion attempt', 'lib/adodb/server.php');
+trigger_error('SECURITY WARNING: intrusion attempt against lib/adodb/server.php from ' . getremoteaddr());
+error('SECURITY WARNING: logged intrusion attempt against lib/adodb/server.php');
 
 ?>
\ No newline at end of file
diff -urN moodle/lib/adodb/tests/benchmark.php moodle.adodb/lib/adodb/tests/benchmark.php
--- moodle/lib/adodb/tests/benchmark.php	2005-11-10 21:05:25.000000000 -0500
+++ moodle.adodb/lib/adodb/tests/benchmark.php	1969-12-31 19:00:00.000000000 -0500
@@ -1,84 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
-
-<html>
-<head>
-	<title>ADODB Benchmarks</title>
-</head> 
-
-<body>
-<?php 
-/*
-V4.66 28 Sept 2005  (c) 2000-2005 John Lim (jlim at natsoft.com.my). All rights reserved.
-  Released under both BSD license and Lesser GPL library license. 
-  Whenever there is any discrepancy between the two licenses, 
-  the BSD license will take precedence.
-  
-  Benchmark code to test the speed to the ADODB library with different databases.
-  This is a simplistic benchmark to be used as the basis for further testing.
-  It should not be used as proof of the superiority of one database over the other.
-*/ 
- 
-$testmssql = true;
-//$testvfp = true;
-$testoracle = true;
-$testado = true; 
-$testibase = true;
-$testaccess = true;
-$testmysql = true;
-$testsqlite = true;;
-
-set_time_limit(240); // increase timeout
-
-include("../tohtml.inc.php");
-include("../adodb.inc.php");
-
-function testdb(&$db,$createtab="create table ADOXYZ (id int, firstname char(24), lastname char(24), created date)")
-{
-GLOBAL $ADODB_version,$ADODB_FETCH_MODE;
-
-	adodb_backtrace();
-	
-	$max = 100;
-	$sql = 'select * from ADOXYZ';
-	$ADODB_FETCH_MODE = ADODB_FETCH_NUM;
-	
-	//print "<h3>ADODB Version: $ADODB_version Host: <i>$db->host</i> &nbsp; Database: <i>$db->database</i></h3>";
-	
-	// perform query once to cache results so we are only testing throughput 
-	$rs = $db->Execute($sql);
-	if (!$rs){
-		print "Error in recordset<p>";
-		return;
-	}	
-	$arr = $rs->GetArray();
-	//$db->debug = true;
-	global $ADODB_COUNTRECS;
-	$ADODB_COUNTRECS = false;
-	$start = microtime();
-	for ($i=0; $i < $max; $i++) {
-		$rs =& $db->Execute($sql);	
-		$arr =& $rs->GetArray();
-	   //		 print $arr[0][1];
-	}
-	$end =  microtime();
-	$start = explode(' ',$start);
-	$end = explode(' ',$end);
-	
-	//print_r($start);
-	//print_r($end);
-	
-	  //  print_r($arr);
-	$total = $end[0]+trim($end[1]) - $start[0]-trim($start[1]);
-	printf ("<p>seconds = %8.2f for %d iterations each with %d records</p>",$total,$max, sizeof($arr));
-	flush();
-
-
-		//$db->Close();
-}
-include("testdatabases.inc.php");
-
-?>
-
-
-</body>
-</html>
diff -urN moodle/lib/adodb/tests/client.php moodle.adodb/lib/adodb/tests/client.php
--- moodle/lib/adodb/tests/client.php	2004-07-12 23:13:35.000000000 -0400
+++ moodle.adodb/lib/adodb/tests/client.php	1969-12-31 19:00:00.000000000 -0500
[...3782 lines suppressed...]
-			print "<p>Random session destroy</p>";
-			session_destroy();
-		}
-	}
-?>
\ No newline at end of file
diff -urN moodle/lib/adodb/tests/test-xmlschema.php moodle.adodb/lib/adodb/tests/test-xmlschema.php
--- moodle/lib/adodb/tests/test-xmlschema.php	2005-11-10 21:05:25.000000000 -0500
+++ moodle.adodb/lib/adodb/tests/test-xmlschema.php	1969-12-31 19:00:00.000000000 -0500
@@ -1,54 +0,0 @@
-<?PHP
-
-// V4.50 6 July 2004
-
-error_reporting(E_ALL);
-include_once( "../adodb.inc.php" );
-include_once( "../adodb-xmlschema.inc.php" );
-
-// To build the schema, start by creating a normal ADOdb connection:
-$db = ADONewConnection( 'mysql' );
-$db->Connect( 'localhost', 'root', '', 'schematest' );
-
-// To create a schema object and build the query array.
-$schema = new adoSchema( $db );
-
-// To upgrade an existing schema object, use the following 
-// To upgrade an existing database to the provided schema,
-// uncomment the following line:
-#$schema->upgradeSchema();
-
-print "<b>SQL to build xmlschema.xml</b>:\n<pre>";
-// Build the SQL array
-$sql = $schema->ParseSchema( "xmlschema.xml" );
-
-print_r( $sql );
-print "</pre>\n";
-
-// Execute the SQL on the database
-//$result = $schema->ExecuteSchema( $sql );
-
-// Finally, clean up after the XML parser
-// (PHP won't do this for you!)
-//$schema->Destroy();
-
-
-
-print "<b>SQL to build xmlschema-mssql.xml</b>:\n<pre>";
-
-$db2 = ADONewConnection('mssql');
-$db2->Connect('','adodb','natsoft','northwind') || die("Fail 2");
-
-$db2->Execute("drop table simple_table");
-
-$schema = new adoSchema( $db2 );
-$sql = $schema->ParseSchema( "xmlschema-mssql.xml" );
-
-print_r( $sql );
-print "</pre>\n";
-
-$db2->debug=1;
-
-foreach ($sql as $s)
-$db2->Execute($s);
-?>
\ No newline at end of file
diff -urN moodle/lib/adodb/tests/time.php moodle.adodb/lib/adodb/tests/time.php
--- moodle/lib/adodb/tests/time.php	2003-10-22 04:52:42.000000000 -0400
+++ moodle.adodb/lib/adodb/tests/time.php	1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-<?php
-
-include_once('../adodb-time.inc.php');
-//adodb_date_test();
-?>
-<?php 
-//require("adodb-time.inc.php"); 
-
-$datestring = "1963-12-04"; // string normally from mySQL 
-$stringArray = explode("-", $datestring);
-$date = adodb_mktime(0,0,0,$stringArray[1],$stringArray[2],$stringArray[0]); 
-
-$convertedDate = date("d-M-Y", $date); // converted string to UK style date
-
-echo( "Birthday: $convertedDate" ); //why is string returned as one day (3 not 4) less for this example??
-
-?>
\ No newline at end of file
diff -urN moodle/lib/adodb/tests/tmssql.php moodle.adodb/lib/adodb/tests/tmssql.php
--- moodle/lib/adodb/tests/tmssql.php	2005-11-10 21:05:25.000000000 -0500
+++ moodle.adodb/lib/adodb/tests/tmssql.php	2006-01-03 21:07:46.000000000 -0500
@@ -1,65 +1,10 @@
 <?php
-error_reporting(E_ALL);
-ini_set('mssql.datetimeconvert',0); 
 
-function tmssql()
-{
-	print "<h3>mssql</h3>";
-	$db = mssql_connect('JAGUAR\vsdotnet','adodb','natsoft') or die('No Connection');
-	mssql_select_db('northwind',$db);
-	
-	$rs = mssql_query('select getdate() as date',$db);
-	$o = mssql_fetch_row($rs);
-	print_r($o);
-	mssql_free_result($rs);
-	
-	print "<p>Delete</p>"; flush();
-	$rs2 = mssql_query('delete from adoxyz',$db);
-	$p = mssql_num_rows($rs2);
-	mssql_free_result($rs2);
+require_once('../../../config.php');
+require_once('../../weblib.php');
 
-}
+add_to_log(0, 'adodb', 'intrusion attempt', 'lib/adodb/tests/tmssql.php');
+trigger_error('SECURITY WARNING: intrusion attempt against lib/tests/tmssql.php from ' . getremoteaddr());
+error('SECURITY WARNING: logged intrusion attempt against lib/adodb/tests/tmssql.php');
 
-function tpear()
-{
-include_once('DB.php');
-
-	print "<h3>PEAR</h3>";
-	$username = 'adodb';
-	$password = 'natsoft';
-	$hostname = 'JAGUAR\vsdotnet';
-	$databasename = 'northwind';
-	
-	$dsn = "mssql://$username:$password@$hostname/$databasename";
-	$conn = &DB::connect($dsn);
-	print "date=".$conn->GetOne('select getdate()')."<br>";
-	@$conn->query('create table tester (id integer)');
-	print "<p>Delete</p>"; flush();
-	$rs = $conn->query('delete from tester');
-	print "date=".$conn->GetOne('select getdate()')."<br>";
-}
-
-function tadodb()
-{
-include_once('../adodb.inc.php');
-
-	print "<h3>ADOdb</h3>";
-	$conn = NewADOConnection('mssql');
-	$conn->Connect('JAGUAR\vsdotnet','adodb','natsoft','northwind');
-//	$conn->debug=1;
-	print "date=".$conn->GetOne('select getdate()')."<br>";
-	$conn->Execute('create table tester (id integer)');
-	print "<p>Delete</p>"; flush();
-	$rs = $conn->Execute('delete from tester');
-	print "date=".$conn->GetOne('select getdate()')."<br>";
-}
-?>
-<a href=tmssql.php?do=tmssql>mssql</a>
-<a href=tmssql.php?do=tpear>pear</a>
-<a href=tmssql.php?do=tadodb>adodb</a>
-<?php
-if (!empty($_GET['do'])) {
-	$do = $_GET['do'];
-	$do();
-}
 ?>
\ No newline at end of file
diff -urN moodle/lib/adodb/tests/xmlschema.xml moodle.adodb/lib/adodb/tests/xmlschema.xml
--- moodle/lib/adodb/tests/xmlschema.xml	2005-11-10 21:05:25.000000000 -0500
+++ moodle.adodb/lib/adodb/tests/xmlschema.xml	1969-12-31 19:00:00.000000000 -0500
@@ -1,33 +0,0 @@
-<?xml version="1.0"?>
-<schema version="0.2">
-  <table name="mytable">
-    <field name="row1" type="I">
-      <descr>An integer row that's a primary key and autoincrements</descr>
-      <KEY/>
-      <AUTOINCREMENT/>
-    </field>
-    <field name="row2" type="C" size="16">
-      <descr>A 16 character varchar row that can't be null</descr>
-      <NOTNULL/>
-    </field>
-    <index name="myindex">
-      <col>row1</col>
-      <col>row2</col>
-    </index>
-  </table>
-  <sql>
-    <descr>SQL to be executed only on specific platforms</descr>
-    <query platform="postgres|postgres7">
-      insert into mytable ( row1, row2 ) values ( 12, 'postgres stuff' )
-    </query>
-    <query platform="mysql">
-      insert into mytable ( row1, row2 ) values ( 12, 'mysql stuff' )
-    </query>
-	<query platform="mssql">
-      insert into mytable ( row1, row2 ) values ( 12, 'Microsoft stuff' )
-    </query>
-  </sql>
-  <table name="obsoletetable">
-    <DROP/>
-  </table>
-</schema>
\ No newline at end of file


Index: moodle.spec
===================================================================
RCS file: /cvs/extras/rpms/moodle/FC-4/moodle.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- moodle.spec	12 Dec 2005 21:05:20 -0000	1.2
+++ moodle.spec	10 Jan 2006 00:00:32 -0000	1.3
@@ -9,7 +9,7 @@
 
 Name:           moodle
 Version:        1.5.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A Course Management System
 
 Group:          Applications/Publishing
@@ -24,6 +24,7 @@
 Source6:        moodle-README-rpm
 Patch0:         moodle-1.5.2-mimetex-linux.patch
 Patch1:         moodle-1.5.2-mimetex-fedora.patch
+Patch2:         moodle-1.5.3-SA18267.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 
@@ -628,6 +629,7 @@
 %setup -q -n %{name}
 %patch0 -p1 -b .mimetex-linux
 %patch1 -p1 -b .mimetex-fedora
+%patch2 -p1 -b .SA18267
 cp %{SOURCE6} README-rpm
 find $RPM_BUILD_DIR/%{name} -name \*.bak -exec rm {} \;
 find $RPM_BUILD_DIR/%{name} -type f -exec chmod a-x {} \;
@@ -692,6 +694,9 @@
 %endif
 
 %changelog
+* Mon Jan  9 2006 Ignacio Vazquez-Abrams <ivazquez at ivazquez.net> 1.5.3-2
+- Add security patch for adodb (SA18267)
+
 * Sat Dec 10 2005 Ignacio Vazquez-Abrams <ivazquez at ivazquez.net> 1.5.3-1
 - Update to 1.5.3
 - Split off spell check package due to lack of Text::Aspell




More information about the scm-commits mailing list