[php-pecl-apc/el5/master] add patch for XSS vulnerability

Remi Collet remi at fedoraproject.org
Sat Sep 18 09:18:48 UTC 2010 

commit ef62db3383ce7626e08944316505c95b049671d1
Author: remi <fedora at famillecollet.com>
Date:   Sat Sep 18 11:18:41 2010 +0200

    add patch for XSS vulnerability

 apc-xss.patch     |   11 +++++++++++
 php-pecl-apc.spec |   18 +++++++++++++++---
 2 files changed, 26 insertions(+), 3 deletions(-)
---
diff --git a/apc-xss.patch b/apc-xss.patch
new file mode 100644
index 0000000..142f2ba
--- /dev/null
+++ b/apc-xss.patch
@@ -0,0 +1,11 @@
+--- pecl/apc/trunk/apc.php	2010/07/25 19:58:43	301548
++++ pecl/apc/trunk/apc.php	2010/08/05 09:10:58	301867
+@@ -991,7 +991,7 @@
+ 					echo
+ 						"<tr class=tr-$m>",
+ 						"<td class=td-0>",ucwords(preg_replace("/_/"," ",$k)),"</td>",
+-						"<td class=td-last>",(preg_match("/time/",$k) && $value!='None') ? date(DATE_FORMAT,$value) : $value,"</td>",
++						"<td class=td-last>",(preg_match("/time/",$k) && $value!='None') ? date(DATE_FORMAT,$value) : htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),"</td>",
+ 						"</tr>";
+ 					$m=1-$m;
+ 				}
diff --git a/php-pecl-apc.spec b/php-pecl-apc.spec
index 199212f..de12759 100644
--- a/php-pecl-apc.spec
+++ b/php-pecl-apc.spec
@@ -1,20 +1,26 @@
 %{!?__pecl: %{expand: %%global __pecl %{_bindir}/pecl}}
-%define php_extdir %(php-config --extension-dir 2>/dev/null || echo %{_libdir}/php4)                     
+%global php_extdir %(php-config --extension-dir 2>/dev/null || echo %{_libdir}/php4)                     
 %global php_zendabiver %((echo 0; php -i 2>/dev/null | sed -n 's/^PHP Extension => //p') | tail -1)
 %global php_version %((echo 0; php-config --version 2>/dev/null) | tail -1)
-%define pecl_name APC
+%global pecl_name APC
 
 Summary:       APC caches and optimizes PHP intermediate code
 Name:          php-pecl-apc
 Version:       3.0.19
-Release:       1%{?dist}
+Release:       2%{?dist}
 License:       PHP
 Group:         Development/Languages
 URL:           http://pecl.php.net/package/APC
 Source:        http://pecl.php.net/get/APC-%{version}.tgz
+
+# Upstream patch for CVE-2010-3294
+# http://svn.php.net/viewvc/pecl/apc/trunk/apc.php?r1=301548&r2=301867&view=patch
+Patch0:        apc-xss.patch
+
 BuildRoot:     %{_tmppath}/%{name}-%{version}-%{release}-root
 Conflicts:     php-mmcache php-eaccelerator
 BuildRequires: php-devel httpd-devel php-pear
+
 %if %{?php_zend_api}0
 # Require clean ABI/API versions if available (Fedora)
 Requires:      php(zend-abi) = %{php_zend_api}
@@ -40,6 +46,9 @@ intermediate code.
 %prep
 %setup -q -n %{pecl_name}-%{version}
 
+%patch0 -p3 -b .xss
+
+
 %build
 %{_bindir}/phpize
 %configure --enable-apc-mmap --with-apxs=%{_sbindir}/apxs --with-php-config=%{_bindir}/php-config
@@ -95,6 +104,9 @@ fi
 %{pecl_xmldir}/%{pecl_name}.xml
 
 %changelog
+* Sat Sep 18 2010 Remi Collet <fedora at famillecollet.com> - 3.0.19-2
+- add patch for CVE-2010-3294 (#634336)
+
 * Wed Jun 25 2008 Tim Jackson <rpm at timj.co.uk> - 3.0.19-1
 - Update to 3.0.19
 - Fix PHP Zend API/ABI dependencies to work on EL-4/5

More information about the scm-commits mailing list