[awstats/el5/master] - Fix for CVE-2010-4367 - Fix for CVE-2010-4369
Tim Jackson
timj at fedoraproject.org
Sun Dec 12 19:12:58 UTC 2010
commit 239cae2e45cebf7b2163bb2648c22e1d24f7e17d
Author: Tim Jackson <rpm at timj.co.uk>
Date: Sun Dec 12 19:10:24 2010 +0000
- Fix for CVE-2010-4367
- Fix for CVE-2010-4369
awstats-6.95-CVE-2010-4367.patch | 61 ++++++++++++++++++++++++++++++++++++++
awstats-6.95-CVE-2010-4369.patch | 29 ++++++++++++++++++
awstats.spec | 10 +++++-
3 files changed, 99 insertions(+), 1 deletions(-)
---
diff --git a/awstats-6.95-CVE-2010-4367.patch b/awstats-6.95-CVE-2010-4367.patch
new file mode 100644
index 0000000..07b90f1
--- /dev/null
+++ b/awstats-6.95-CVE-2010-4367.patch
@@ -0,0 +1,61 @@
+This patch rolls up the relevant changes from
+http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.958&r2=1.962
+--- wwwroot/cgi-bin/awstats.pl 2009-10-10 13:36:38.000000000 +0100
++++ wwwroot/cgi-bin/awstats.pl 2010-12-12 17:43:14.796804380 +0000
+@@ -1716,27 +1716,28 @@
+ # Other possible directories : "/usr/local/etc/awstats", "/etc"
+ # FHS standard, Suse package : "/etc/opt/awstats"
+ my $configdir = shift;
+- my @PossibleConfigDir = ();
++ my @PossibleConfigDir = (
++ "$DIR",
++ "/etc/awstats",
++ "/usr/local/etc/awstats", "/etc",
++ "/etc/opt/awstats"
++ );
+
+ if ($configdir) {
++ # Check if configdir is outside default values.
++ my $outsidedefaultvalue=1;
++ foreach (@PossibleConfigDir) {
++ if ($_ eq $configdir) { $outsidedefaultvalue=0; last; }
++ }
+
+-# If from CGI, overwriting of configdir is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
+-#if ($ENV{'GATEWAY_INTERFACE'} && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
+-#{
+-# error("Sorry, to allow overwriting of configdir parameter from an AWStats CGI usage, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1");
+-#}
+-#else
+-#{
+- @PossibleConfigDir = ("$configdir");
++ # If from CGI, overwriting of configdir with a value that differs from a defautl value
++ # is only possible if AWSTATS_ENABLE_CONFIG_DIR defined
++ if ($ENV{'GATEWAY_INTERFACE'} && $outsidedefaultvalue && ! $ENV{"AWSTATS_ENABLE_CONFIG_DIR"})
++ {
++ error("Sorry, to allow overwriting of configdir parameter, from an AWStats CGI page, with a non default value, environment variable AWSTATS_ENABLE_CONFIG_DIR must be set to 1. For example, by adding the line 'SetEnv AWSTATS_ENABLE_CONFIG_DIR 1' in your Apache config file or into a .htaccess file.");
++ }
+
+- #}
+- }
+- else {
+- @PossibleConfigDir = (
+- "$DIR", "/etc/awstats",
+- "/usr/local/etc/awstats", "/etc",
+- "/etc/opt/awstats"
+- );
++ @PossibleConfigDir = ("$configdir");
+ }
+
+ # Open config file
+@@ -9629,6 +9630,10 @@
+ }
+ if ( $QueryString =~ /configdir=([^&]+)/i ) {
+ $DirConfig = &Sanitize("$1");
++ $DirConfig =~ s/\\{2,}/\\/g; # This is to clean Remote URL
++ $DirConfig =~ s/\/{2,}/\//g; # This is to clean Remote URL
++ $DirConfig =~ s/\\{2,}/\\/g; # This is to clean Remote URL
++ $DirConfig =~ s/\/{2,}/\//g; # This is to clean Remote URL
+ }
+
+ # All filters
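Review bot: The four substitutions added after `$DirConfig = &Sanitize("$1");` in the second inner hunk are the same two statements written twice; with `{2,}` and `/g`, one pass already collapses every run of `/` or `\`, so the second pair is a no-op and can be dropped. The comment "This is to clean Remote URL" does not say what is being prevented; presumably the aim is to stop configdir from starting with `\\` or `//`, and I would say that explicitly, e.g. `# Collapse repeated path separators so configdir cannot begin with \\ or //`. In the first inner hunk the default-directory test is an exact `$_ eq $configdir`, so under CGI a default directory spelled with a trailing slash is treated as non-default and rejected unless AWSTATS_ENABLE_CONFIG_DIR is set. That fails closed, but it deserves a one-line comment next to `$outsidedefaultvalue`. Both enclosing subs begin and end outside the hunk.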
diff --git a/awstats-6.95-CVE-2010-4369.patch b/awstats-6.95-CVE-2010-4369.patch
new file mode 100644
index 0000000..409501f
--- /dev/null
+++ b/awstats-6.95-CVE-2010-4369.patch
@@ -0,0 +1,29 @@
+--- wwwroot/cgi-bin/awstats.pl 2010/08/04 13:19:55 1.966
++++ wwwroot/cgi-bin/awstats.pl 2010/08/04 13:37:04 1.967
+@@ -3065,10 +3065,10 @@
+ my ( $pluginfile, $pluginparam ) = split( /\s+/, $plugininfo, 2 );
+ $pluginparam ||=
+ ""; # If split has only on part, pluginparam is not initialized
+- $pluginfile =~ s/\.pm$//i;
++ $pluginfile =~ s/\.pm$//i;
+ $pluginfile =~ /([^\/\\]+)$/;
+- my $pluginname = $1; # pluginname is pluginfile without any path
+- # Check if plugin is not disabled
++ $pluginfile = Sanitize($1); # pluginfile is cleaned from any path for security reasons and from .pm
++ my $pluginname = $pluginfile;
+ if ( $NoLoadPlugin{$pluginname} && $NoLoadPlugin{$pluginname} > 0 ) {
+ if ($Debug) {
+ debug(
+@@ -7826,10 +7826,10 @@
+ my $stringtoclean = shift;
+ my $full = shift || 0;
+ if ($full) {
+- $stringtoclean =~ s/[^\w]//g;
++ $stringtoclean =~ s/[^\w\d]//g;
+ }
+ else {
+- $stringtoclean =~ s/[^\w\-\\\/\.:\s]//g;
++ $stringtoclean =~ s/[^\w\d\-\\\/\.:\s]//g;
+ }
+ return $stringtoclean;
+ }
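Review bot: In the first inner hunk, `$pluginfile =~ /([^\/\\]+)$/;` is not checked before `$1` is passed to `Sanitize`, so when the match fails (for example an empty name), `$1` may still hold the capture from an earlier successful match and that stale value becomes the plugin name. I would make the assignment conditional, `if ( $pluginfile =~ /([^\/\\]+)$/ ) { $pluginfile = Sanitize($1); }`, and skip the plugin entry in the failure branch; how to skip depends on the surrounding code, which lies outside the hunk. In the `Sanitize` hunk, `\d` is already covered by `\w`, so `[^\w\d]` and `[^\w\d\-\\\/\.:\s]` filter exactly what the old classes did. The protective change here is the new `Sanitize($1)` call on the plugin name, and a comment on `Sanitize` should say so rather than imply the character class was tightened.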
diff --git a/awstats.spec b/awstats.spec
index 1c914c6..1153a17 100644
--- a/awstats.spec
+++ b/awstats.spec
@@ -1,6 +1,6 @@
Name: awstats
Version: 6.95
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Advanced Web Statistics
License: GPLv2
Group: Applications/Internet
@@ -8,6 +8,8 @@ URL: http://awstats.sourceforge.net
Source0: http://dl.sf.net/awstats/awstats-%{version}.tar.gz
Source1: awstats.README.SELinux
Source2: awstats.README.Fedora
+Patch0: awstats-6.95-CVE-2010-4367.patch
+Patch1: awstats-6.95-CVE-2010-4369.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -46,6 +48,8 @@ This package adds SELinux enforcement to AWstats.
%prep
%setup -q
+%patch0
+%patch1
# Fix style sheets.
perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
# Fix some bad file permissions here for convenience.
@@ -203,6 +207,10 @@ fi
%changelog
+* Sun Dec 12 2010 Tim Jackson <rpm at timj.co.uk> - 6.95-2
+- Fix for CVE-2010-4367
+- Fix for CVE-2010-4369
+
* Thu Nov 26 2009 Tim Jackson <rpm at timj.co.uk> - 6.95-1
- Update to version 6.95 (security fix)