rpms/mono/F-12 mono-2.4.3.1-CVE-2010-1459.patch, NONE, 1.1 mono.spec, 1.142, 1.143

chkr chkr at fedoraproject.org
Thu Jun 24 20:50:38 UTC 2010


Author: chkr

Update of /cvs/pkgs/rpms/mono/F-12
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv15387

Modified Files:
	mono.spec 
Added Files:
	mono-2.4.3.1-CVE-2010-1459.patch 
Log Message:
* Thu Jun 24 2010 Christian Krause <chkr at fedoraproject.org> - 2.4.3.1-2
- Add upstream patch for CVE-2010-1459:
  http://anonsvn.mono-project.com/viewvc?view=revision&revision=156450


mono-2.4.3.1-CVE-2010-1459.patch:
 System.Web.Compilation/PageCompiler.cs         |    8 +++++---
 System.Web.Configuration/ChangeLog             |    9 ++++++++-
 System.Web.Configuration/PagesConfiguration.cs |    2 +-
 System.Web.UI/ChangeLog                        |    8 ++++++++
 System.Web.UI/Page.cs                          |    5 +++++
 System.Web.UI/PageParser.cs                    |   13 +++++++++++--
 6 files changed, 38 insertions(+), 7 deletions(-)

--- NEW FILE mono-2.4.3.1-CVE-2010-1459.patch ---
Index: branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/PageParser.cs
===================================================================
--- branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/PageParser.cs	(revision 156449)
+++ branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/PageParser.cs	(revision 156450)
@@ -45,7 +45,8 @@
 	public sealed class PageParser : TemplateControlParser
 	{
 		PagesEnableSessionState enableSessionState = PagesEnableSessionState.True;
-		bool enableViewStateMac = true;
+		bool enableViewStateMac;
+		bool enableViewStateMacSet;
 		bool smartNavigation;
 		bool haveTrace;
 		bool trace;
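Review bot: `bool enableViewStateMac;` now starts out false, which is only correct because every consumer is expected to gate on `enableViewStateMacSet` first; read on its own, the field says "MAC off by default", the exact behaviour this patch removes. A one-line comment should make the pairing explicit, e.g. `bool enableViewStateMac;    // meaningful only when enableViewStateMacSet is true; otherwise the PagesConfiguration default applies`. The `EnableViewStateMacSet` property added in the third hunk of this file deserves the same note on its getter, since it is the internal API other classes (PageCompiler) are meant to check before reading `EnableViewStateMac`.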
@@ -378,8 +379,12 @@
 			enable_event_validation = GetBool (atts, "EnableEventValidation", enable_event_validation);
 			maintainScrollPositionOnPostBack = GetBool (atts, "MaintainScrollPositionOnPostBack", maintainScrollPositionOnPostBack);
 #endif
+			if (atts.ContainsKey ("EnableViewStateMac")) {
+				enableViewStateMac = GetBool (atts, "EnableViewStateMac", enableViewStateMac);
+				enableViewStateMacSet = true;
+			}
+			
 			// Ignored by now
-			GetString (atts, "EnableViewStateMac", null);
 			GetString (atts, "SmartNavigation", null);
 
 			base.ProcessMainAttributes (atts);
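Review bot: The new `atts.ContainsKey ("EnableViewStateMac")` guard is what decides whether the directive overrides the configured default, so its key comparison must match how the directive attribute names are keyed; if `atts` is not a case-insensitive collection, an attribute written as `enableViewStateMac="false"` would be silently skipped and fall back to the configuration value, which is worth confirming against how the attribute dictionary is built. The lookup is also done twice (`ContainsKey`, then `GetBool`), a minor cost that a single lookup would avoid if the collection supports it. The `// Ignored by now` comment now covers only `SmartNavigation` and could say so. ProcessMainAttributes begins before this hunk.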
@@ -470,6 +475,10 @@
 		internal bool EnableViewStateMac {
 			get { return enableViewStateMac; }
 		}
+
+		internal bool EnableViewStateMacSet {
+			get { return enableViewStateMacSet; }
+		}
 		
 		internal bool SmartNavigation {
 			get { return smartNavigation; }
Index: branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/ChangeLog
===================================================================
--- branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/ChangeLog	(revision 156449)
+++ branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/ChangeLog	(revision 156450)
@@ -1,3 +1,11 @@
+2010-04-29  Marek Habersack  <mhabersack at novell.com>
+
+	* PageParser.cs, Page.cs: do not ignore the EnableViewStateMac
+	directive attribute. Fixes bug #592428
+	Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
+	Credits: Web Security Research Group (WSRG) of Hewlett Packard
+	(HP)
+
 2009-09-15  Marek Habersack  <mhabersack at novell.com>
 
 	* TemplateParser.cs: FindNamespaceInAssembly must catch
Index: branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/Page.cs
===================================================================
--- branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/Page.cs	(revision 156449)
+++ branches/mono-2-4-2/mcs/class/System.Web/System.Web.UI/Page.cs	(revision 156450)
@@ -192,11 +192,16 @@
 			asyncTimeout = ps.AsyncTimeout;
 			viewStateEncryptionMode = ps.ViewStateEncryptionMode;
 			_viewState = ps.EnableViewState;
+			_viewStateMac = ps.EnableViewStateMac;
 		} else {
 			asyncTimeout = TimeSpan.FromSeconds (DefaultAsyncTimeout);
 			viewStateEncryptionMode = ViewStateEncryptionMode.Auto;
 			_viewState = true;
 		}
+#else
+		PagesConfiguration ps = PagesConfiguration.GetInstance (HttpContext.Current);
+		if (ps != null)
+			_viewStateMac = ps.EnableViewStateMac;
 #endif
 	}
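Review bot: The `else` branch taken when `ps` is null initialises `asyncTimeout`, `viewStateEncryptionMode` and `_viewState` but not `_viewStateMac`, and the new `#else` path likewise leaves it untouched when `ps` is null, so in both cases the MAC setting silently depends on the field's initializer, which is not visible here. If that initializer is false, a page served without a pages configuration would still run with the MAC disabled, the condition this patch is meant to close; adding `_viewStateMac = true;` to the `else` branch, with an equivalent fallback in the `#else` path, keeps the runtime default aligned with the new `PagesConfiguration.EnableViewStateMac = true`. The enclosing method starts before the hunk.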
 
Index: branches/mono-2-4-2/mcs/class/System.Web/System.Web.Configuration/PagesConfiguration.cs
===================================================================
--- branches/mono-2-4-2/mcs/class/System.Web/System.Web.Configuration/PagesConfiguration.cs	(revision 156449)
+++ branches/mono-2-4-2/mcs/class/System.Web/System.Web.Configuration/PagesConfiguration.cs	(revision 156450)
@@ -38,7 +38,7 @@
 		internal bool Buffer = true;
 		internal PagesEnableSessionState EnableSessionState = PagesEnableSessionState.True;
 		internal bool EnableViewState = true;
-		internal bool EnableViewStateMac = false;
+		internal bool EnableViewStateMac = true;
 		internal bool SmartNavigation = false;
 		internal bool AutoEventWireup = true;
 		internal bool ValidateRequest = true;
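Review bot: `internal bool EnableViewStateMac = true;` is the value every Page falls back to when the directive is absent (Page.cs copies it into `_viewStateMac`), so the reason for the flip should sit next to the field rather than only in the ChangeLog: `internal bool EnableViewStateMac = true; // fallback for pages without an explicit directive; must stay true (CVE-2010-1459)`. The class header and whatever populates these fields from configuration are outside the hunk, so whether a configured value can still lower it is not visible here.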
Index: branches/mono-2-4-2/mcs/class/System.Web/System.Web.Configuration/ChangeLog
===================================================================
--- branches/mono-2-4-2/mcs/class/System.Web/System.Web.Configuration/ChangeLog	(revision 156449)
+++ branches/mono-2-4-2/mcs/class/System.Web/System.Web.Configuration/ChangeLog	(revision 156450)
@@ -1,3 +1,11 @@
+2010-04-29  Marek Habersack  <mhabersack at novell.com>
+
+	* PagesConfiguration.cs: make EnableViewStateMac default to
+	true. Fixes bug #592428 
+	Fixes cross-site scripting vulnerability (CVE: CVE-2010-1459)
+	Credits: Web Security Research Group (WSRG) of Hewlett Packard
+	(HP)
+
 2009-05-14  Marek Habersack  <mhabersack at novell.com>
 
 	* HandlerFactoryConfiguration.cs: if we're matching a default
@@ -943,4 +951,3 @@
 2002-06-03  Gonzalo Paniagua Javier <gonzalo at ximian.com>
 
 	* System.Web.Configuration/HttpCapabilitiesBase.cs: New file.
-
Index: branches/mono-2-4-2/mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs
===================================================================
--- branches/mono-2-4-2/mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs	(revision 156449)
+++ branches/mono-2-4-2/mcs/class/System.Web/System.Web.Compilation/PageCompiler.cs	(revision 156450)
@@ -314,11 +314,13 @@
 		
 		protected override void AddStatementsToInitMethod (CodeMemberMethod method)
 		{
+			ILocation directiveLocation = pageParser.DirectiveLocation;
+			CodeArgumentReferenceExpression ctrlVar = new CodeArgumentReferenceExpression("__ctrl");
+			
+			if (pageParser.EnableViewStateMacSet)
+				method.Statements.Add (AddLinePragma (CreatePropertyAssign (ctrlVar, "EnableViewStateMac", pageParser.EnableViewStateMac), directiveLocation));
 #if NET_2_0
 			AddStatementsFromDirective (method);
-			ILocation directiveLocation = pageParser.DirectiveLocation;
-
-			CodeArgumentReferenceExpression ctrlVar = new CodeArgumentReferenceExpression("__ctrl");
 			if (pageParser.Title != null)
 				method.Statements.Add (AddLinePragma (CreatePropertyAssign (ctrlVar, "Title", pageParser.Title), directiveLocation));
 
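Review bot: The `EnableViewStateMac` assignment is emitted only when `pageParser.EnableViewStateMacSet` is true, and the reason is not recorded; a comment above the `if` such as `// Emit the assignment only for an explicit @Page directive; otherwise Page reads the PagesConfiguration default at runtime` would stop the next reader from "simplifying" it into an unconditional assignment that would override the configured value. `CreatePropertyAssign` here receives a bool where the existing `Title` call passes a string — presumably an overload exists, but it is worth confirming that it emits a boolean primitive expression rather than a stringified value. The blank line added after `ctrlVar` carries trailing tabs. The rest of AddStatementsToInitMethod continues after the hunk.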


Index: mono.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mono/F-12/mono.spec,v
retrieving revision 1.142
retrieving revision 1.143
diff -u -p -r1.142 -r1.143
--- mono.spec	13 Jan 2010 22:16:02 -0000	1.142
+++ mono.spec	24 Jun 2010 20:50:38 -0000	1.143
@@ -2,7 +2,7 @@
 
 Name:           mono
 Version:        2.4.3.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A .NET runtime environment
 
 Group:          Development/Languages
@@ -52,6 +52,8 @@ Patch4: mono-2.0-monoservice.patch
 Patch5: mono-2.0-metadata-makefile.patch
 Patch6: mono-242-libgdiplusconfig.patch
 Patch7: mono-22-libdir.patch
+# http://anonsvn.mono-project.com/viewvc?view=revision&revision=156450
+Patch8: mono-2.4.3.1-CVE-2010-1459.patch
 
 %description
 The Mono runtime implements a JIT engine for the ECMA CLI
@@ -306,6 +308,7 @@ mono-moonlight are all the parts require
 %patch6 -p1 -F 2 -b .libgdiplus
 sed -i -e 's!@libdir@!%{_libdir}!' %{PATCH7}
 %patch7 -p1 -b .libdir-22
+%patch8 -p2 -F 3 -b .cve-2010-1459
 sed -i -e 's!%{_libdir}!@libdir@!' %{PATCH7}
 sed -i -e 's!@prefix@/lib/!%{_libdir}/!' data/mono.web.pc.in
 sed -i -e 's!@prefix@/lib/!%{_libdir}/!' data/system.web.extensions_1.0.pc.in
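Review bot: `%patch8 -p2 -F 3 -b .cve-2010-1459` applies a security fix with maximum fuzz, so a hunk that lands at a shifted location — the patch is taken from the mono-2-4-2 branch and applied to the 2.4.3.1 tarball — would be accepted silently instead of failing the build. If the patch applies at the default fuzz, drop `-F 3`; if it genuinely needs it, rebase the patch against 2.4.3.1 so a mismatch fails loudly rather than leaving the view-state check half-applied. The `-p2` strip is consistent with the `branches/mono-2-4-2/mcs/...` paths in the patch headers.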
@@ -752,6 +755,10 @@ install -m 755 %{SOURCE3} %{buildroot}%{
 %{_libdir}/pkgconfig/monodoc.pc
 
 %changelog
+* Thu Jun 24 2010 Christian Krause <chkr at fedoraproject.org> - 2.4.3.1-2
+- Add upstream patch for CVE-2010-1459:
+  http://anonsvn.mono-project.com/viewvc?view=revision&revision=156450
+
 * Wed Jan 13 2010 Christian Krause <chkr at fedoraproject.org> - 2.4.3.1-1
 - Update to 2.4.3.1
 


