[awstats/el5/master] - Fix for CVE-2010-4367 - Fix for CVE-2010-4369

Tim Jackson timj at fedoraproject.org
Sun Dec 12 19:12:58 UTC 2010


commit 239cae2e45cebf7b2163bb2648c22e1d24f7e17d
Author: Tim Jackson <rpm at timj.co.uk>
Date:   Sun Dec 12 19:10:24 2010 +0000

    - Fix for CVE-2010-4367
    - Fix for CVE-2010-4369

 awstats-6.95-CVE-2010-4367.patch |   61 ++++++++++++++++++++++++++++++++++++++
 awstats-6.95-CVE-2010-4369.patch |   29 ++++++++++++++++++
 awstats.spec                     |   10 +++++-
 3 files changed, 99 insertions(+), 1 deletions(-)
---
diff --git a/awstats-6.95-CVE-2010-4367.patch b/awstats-6.95-CVE-2010-4367.patch
new file mode 100644
index 0000000..07b90f1
--- /dev/null
+++ b/awstats-6.95-CVE-2010-4367.patch
@@ -0,0 +1,61 @@
+This patch rolls up the relevant changes from
+http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.958&r2=1.962
+--- wwwroot/cgi-bin/awstats.pl	2009-10-10 13:36:38.000000000 +0100
++++ wwwroot/cgi-bin/awstats.pl	2010-12-12 17:43:14.796804380 +0000
+@@ -1716,27 +1716,28 @@
+ 	# Other possible directories :				"/usr/local/etc/awstats", "/etc"
+ 	# FHS standard, Suse package : 				"/etc/opt/awstats"
+ 	my $configdir         = shift;
+-	my @PossibleConfigDir = ();
++	my @PossibleConfigDir = (
++			"$DIR",
++			"/etc/awstats",
++			"/usr/local/etc/awstats", "/etc",
++			"/etc/opt/awstats"
++		); 
+ 
+ 	if ($configdir) {
++		# Check if configdir is outside default values.
++		my $outsidedefaultvalue=1;
++		foreach (@PossibleConfigDir) {
++			if ($_ eq $configdir) { $outsidedefaultvalue=0; last; }
++		}
+ 
+-# If from CGI, overwriting of configdir is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
+-#if ($ENV{'GATEWAY_INTERFACE'} && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
+-#{
+-#	error("Sorry, to allow overwriting of configdir parameter from an AWStats CGI usage, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1");
+-#}
+-#else
+-#{
+-		@PossibleConfigDir = ("$configdir");
++		# If from CGI, overwriting of configdir with a value that differs from a defautl value
++		# is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
++		if ($ENV{'GATEWAY_INTERFACE'} && $outsidedefaultvalue && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
++		{
++			error("Sorry, to allow overwriting of configdir parameter, from an AWStats CGI page, with a non default value, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1. For example, by adding the line 'SetEnv AWSTATS_ENABLE_CONFIG_DIR 1' in your Apache config file or into a .htaccess file.");
++		}
+ 
+-		#}
+-	}
+-	else {
+-		@PossibleConfigDir = (
+-			"$DIR",                   "/etc/awstats",
+-			"/usr/local/etc/awstats", "/etc",
+-			"/etc/opt/awstats"
+-		);
++		@PossibleConfigDir = ("$configdir");
+ 	}
+ 
+ 	# Open config file
+@@ -9629,6 +9630,10 @@
+ 	}
+ 	if ( $QueryString =~ /configdir=([^&]+)/i ) {
+ 		$DirConfig = &Sanitize("$1");
++		$DirConfig =~ s/\\{2,}/\\/g;	# This is to clean Remote URL
++		$DirConfig =~ s/\/{2,}/\//g;	# This is to clean Remote URL
++		$DirConfig =~ s/\\{2,}/\\/g;	# This is to clean Remote URL
++		$DirConfig =~ s/\/{2,}/\//g;	# This is to clean Remote URL
+ 	}
+ 
+ 	# All filters
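Review bot: The four substitutions added after `$DirConfig = &Sanitize("$1");` in the second inner hunk are two identical pairs; `s/\\{2,}/\\/g` and `s/\/{2,}/\//g` each collapse every run in a single pass, so the repeated pair does nothing and can be dropped. The comment `# This is to clean Remote URL` also does not say why the clean-up matters here: the new check in the first inner hunk compares `$configdir` to the default directories with `eq`, so a value that differs only by a trailing slash or a `.` segment counts as non-default and is refused under CGI unless AWSTATS_ENABLE_CONFIG_DIR is set. That fails closed, which is the safe direction, but it deserves a comment such as `# Exact string match on purpose: anything not literally a default dir requires AWSTATS_ENABLE_CONFIG_DIR`. The comment above the new `if` has a typo (`defautl`). Both enclosing subs start and end outside the inner hunks, so the rest of the config lookup is not visible here.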
diff --git a/awstats-6.95-CVE-2010-4369.patch b/awstats-6.95-CVE-2010-4369.patch
new file mode 100644
index 0000000..409501f
--- /dev/null
+++ b/awstats-6.95-CVE-2010-4369.patch
@@ -0,0 +1,29 @@
+--- wwwroot/cgi-bin/awstats.pl	2010/08/04 13:19:55	1.966
++++ wwwroot/cgi-bin/awstats.pl	2010/08/04 13:37:04	1.967
+@@ -3065,10 +3065,10 @@
+ 		my ( $pluginfile, $pluginparam ) = split( /\s+/, $plugininfo, 2 );
+ 		$pluginparam ||=
+ 		  "";    # If split has only on part, pluginparam is not initialized
+-		$pluginfile =~ s/\.pm$//i;
++        $pluginfile =~ s/\.pm$//i;
+ 		$pluginfile =~ /([^\/\\]+)$/;
+-		my $pluginname = $1;    # pluginname is pluginfile without any path
+-		                        # Check if plugin is not disabled
++		$pluginfile = Sanitize($1);     # pluginfile is cleaned from any path for security reasons and from .pm
++		my $pluginname = $pluginfile;
+ 		if ( $NoLoadPlugin{$pluginname} && $NoLoadPlugin{$pluginname} > 0 ) {
+ 			if ($Debug) {
+ 				debug(
+@@ -7826,10 +7826,10 @@
+ 	my $stringtoclean = shift;
+ 	my $full = shift || 0;
+ 	if ($full) {
+-		$stringtoclean =~ s/[^\w]//g;
++		$stringtoclean =~ s/[^\w\d]//g;
+ 	}
+ 	else {
+-		$stringtoclean =~ s/[^\w\-\\\/\.:\s]//g;
++		$stringtoclean =~ s/[^\w\d\-\\\/\.:\s]//g;
+ 	}
+ 	return $stringtoclean;
+ }
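Review bot: The match `$pluginfile =~ /([^\/\\]+)$/;` is not checked before `Sanitize($1)` reads its capture, so when the pattern fails (an empty name, or one ending in a path separator) `$1` still holds whatever an earlier successful match left behind. Make the assignment conditional, e.g. `if ( $pluginfile =~ /([^\/\\]+)$/ ) { $pluginfile = Sanitize($1); }`, and reject or skip the plugin entry otherwise; the surrounding code that would do that is outside the hunk. In the Sanitize hunk, `\d` is already covered by `\w`, so `[^\w\d]` and `[^\w\d\-\\\/\.:\s]` filter exactly what the old classes did. The path stripping therefore comes only from the regex above, since non-full mode still lets `/`, `\` and `.` through; a comment on Sanitize such as `# Not a path filter: non-full mode keeps / \ . and :` would stop callers relying on it for path safety.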
diff --git a/awstats.spec b/awstats.spec
index 1c914c6..1153a17 100644
--- a/awstats.spec
+++ b/awstats.spec
@@ -1,6 +1,6 @@
 Name:       awstats
 Version:    6.95
-Release:    1%{?dist}
+Release:    2%{?dist}
 Summary:    Advanced Web Statistics
 License:    GPLv2
 Group:      Applications/Internet
@@ -8,6 +8,8 @@ URL:        http://awstats.sourceforge.net
 Source0:    http://dl.sf.net/awstats/awstats-%{version}.tar.gz
 Source1:    awstats.README.SELinux
 Source2:    awstats.README.Fedora
+Patch0:     awstats-6.95-CVE-2010-4367.patch
+Patch1:     awstats-6.95-CVE-2010-4369.patch
 
 BuildArch:  noarch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -46,6 +48,8 @@ This package adds SELinux enforcement to AWstats.
 
 %prep
 %setup -q
+%patch0
+%patch1
 # Fix style sheets.
 perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
 # Fix some bad file permissions here for convenience.
@@ -203,6 +207,10 @@ fi
 
 
 %changelog
+* Sun Dec 12 2010 Tim Jackson <rpm at timj.co.uk> - 6.95-2
+- Fix for CVE-2010-4367
+- Fix for CVE-2010-4369
+
 * Thu Nov 26 2009 Tim Jackson <rpm at timj.co.uk> -  6.95-1
 - Update to version 6.95 (security fix)
 

