[WebCalendar/f15] * Tue Oct 11 2011 Patrick Monnerat <pm at datasphere.ch> 1.2.3-5 - Patch "cve2011_3814" to fix CVE-2011
Patrick Monnerat
monnerat at fedoraproject.org
Tue Oct 11 14:46:43 UTC 2011
commit 8db1bd451d4f67fed978c1b2cc8becfbe6838b4d
Author: Patrick Monnerat <pm at datasphere.ch>
Date: Tue Oct 11 16:45:40 2011 +0200
* Tue Oct 11 2011 Patrick Monnerat <pm at datasphere.ch> 1.2.3-5
- Patch "cve2011_3814" to fix CVE-2011-3814 vulnerability.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3814
- Patch "canadd" to fix event addition control.
https://sourceforge.net/tracker/?func=detail&aid=3304491&group_id=3870&atid=303870
WebCalendar-1.2.3-canadd.patch | 77 ++++++++++++++++++++
WebCalendar-1.2.3-cve2011_3814.patch | 133 ++++++++++++++++++++++++++++++++++
WebCalendar.spec | 12 +++-
sources | 2 -
4 files changed, 221 insertions(+), 3 deletions(-)
---
diff --git a/WebCalendar-1.2.3-canadd.patch b/WebCalendar-1.2.3-canadd.patch
new file mode 100644
index 0000000..e101e22
--- /dev/null
+++ b/WebCalendar-1.2.3-canadd.patch
@@ -0,0 +1,77 @@
+diff -Naur WebCalendar-1.2.3.orig/edit_entry_handler.php WebCalendar-1.2.3.new/edit_entry_handler.php
+--- WebCalendar-1.2.3.orig/edit_entry_handler.php 2011-05-18 18:56:48.202071518 +0200
++++ WebCalendar-1.2.3.new/edit_entry_handler.php 2011-05-18 18:58:25.697834637 +0200
+@@ -290,9 +290,23 @@
+ // Value may be needed later for recreating event.
+ $user = getPostValue ( 'user' );
+ $old_create_by = ( empty ( $user ) ? '' : $user );
+-if ( empty ( $id ) )
++if (empty($id)) {
+ // New event...
+- $can_edit = true;
++ $can_edit = (!empty($readonly) && $readonly != 'Y');
++
++ if (access_is_enabled())
++ $can_edit = access_can_access_function(ACCESS_EVENT_EDIT, $user);
++
++ if ($login == '__public__')
++ $can_edit = access_is_enabled()? $can_edit: $PUBLIC_ACCESS_CAN_ADD == 'Y';
++
++ if (!$is_admin && !$is_assistant && !$is_nonuser_admin) {
++ if ($is_nonuser)
++ $can_edit = false;
++ else if (!empty($user) && $user != $login && $user != '__public__')
++ $can_edit = false;
++ }
++}
+ else {
+ // Event owner or assistant?
+ $res = dbi_execute ( 'SELECT cal_create_by FROM webcal_entry WHERE cal_id = ?',
+diff -Naur WebCalendar-1.2.3.orig/includes/classes/WebCalendar.class WebCalendar-1.2.3.new/includes/classes/WebCalendar.class
+--- WebCalendar-1.2.3.orig/includes/classes/WebCalendar.class 2011-05-18 18:56:48.266070052 +0200
++++ WebCalendar-1.2.3.new/includes/classes/WebCalendar.class 2011-05-18 18:59:11.628780770 +0200
+@@ -142,9 +142,9 @@
+ * @access private
+ */
+ function _initInitSecondPhase () {
+- global $ALLOW_VIEW_OTHER, $can_add, $can_add, $cat_id, $CATEGORIES_ENABLED,
++ global $ALLOW_VIEW_OTHER, $can_add, $cat_id, $CATEGORIES_ENABLED,
+ $CATEGORY_VIEW, $caturl, $date, $DMW, $friendly, $override, $fullname, $GROUPS_ENABLED,
+- $hour, $id, $is_admin, $is_assistant, $is_nonuser, $login, $minute, $month,
++ $hour, $id, $is_admin, $is_assistant, $is_nonuser, $is_nonuser_admin, $login, $minute, $month,
+ $NONUSER_ENABLED, $nonusers, $ovrd, $PUBLIC_ACCESS, $PUBLIC_ACCESS_CAN_ADD,
+ $PUBLIC_ACCESS_FULLNAME, $PUBLIC_ACCESS_OTHERS, $readonly, $u_url, $user,
+ $user_fullname, $USER_SEES_ONLY_HIS_GROUPS, $userlist, $valid_user, $year;
+@@ -203,8 +203,12 @@
+ if ( $PUBLIC_ACCESS_OTHERS != 'Y' )
+ $user = ''; // Security precaution.
+ }
+- if ( $is_nonuser )
+- $can_add = false;
++ if (!$is_admin && !$is_assistant && !$is_nonuser_admin) {
++ if ($is_nonuser)
++ $can_add = false;
++ else if (!empty($user) && $user != $login && $user != '__public__')
++ $can_add = false;
++ }
+
+ if ( $GROUPS_ENABLED == 'Y' && $USER_SEES_ONLY_HIS_GROUPS == 'Y' && ! $is_admin ) {
+ $userlist = get_my_users ();
+diff -Naur WebCalendar-1.2.3.orig/includes/menu/index.php WebCalendar-1.2.3.new/includes/menu/index.php
+--- WebCalendar-1.2.3.orig/includes/menu/index.php 2011-05-18 18:56:48.290069502 +0200
++++ WebCalendar-1.2.3.new/includes/menu/index.php 2011-05-18 18:59:34.756250102 +0200
+@@ -29,8 +29,12 @@
+ if ( $login == '__public__' )
+ $can_add = ( access_is_enabled () ? $can_add : $PUBLIC_ACCESS_CAN_ADD == 'Y' );
+
+-if ( $is_nonuser )
+- $can_add = false;
++if (!$is_admin && !$is_assistant && !$is_nonuser_admin) {
++ if ($is_nonuser)
++ $can_add = false;
++ else if (!empty($user) && $user != $login && $user != '__public__')
++ $can_add = false;
++}
+
+ $export_url = $import_url = $new_entry_url = $new_task_url = '';
+ $search_url = $select_user_url = $unapproved_url = '';
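Review bot: The same authorization block — `if (!$is_admin && !$is_assistant && !$is_nonuser_admin) { if ($is_nonuser) ... else if (!empty($user) && $user != $login && $user != '__public__') ... }` — is pasted into edit_entry_handler.php, WebCalendar.class and includes/menu/index.php; a single helper returning the boolean, kept next to the other access checks, would stop the three copies drifting the next time a role is added. In edit_entry_handler.php `$user` is the raw POST value read just above the change, so the comparison against `$login` is what keeps a non-privileged user from creating an event in someone else's calendar and deserves a comment such as `// $user comes from POST: non-admins may only add to their own or the public calendar.` The new `$can_edit = (!empty($readonly) && $readonly != 'Y');` treats an unset `$readonly` as read-only, which is fail-closed but reads like a typo without a one-line comment saying so. `$is_nonuser_admin` is added to the `global` list only in WebCalendar.class; whether it is in scope in the other two files is not visible here, though an unset value makes the outer condition true and so runs the restrictive branch.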
diff --git a/WebCalendar-1.2.3-cve2011_3814.patch b/WebCalendar-1.2.3-cve2011_3814.patch
new file mode 100644
index 0000000..781751f
--- /dev/null
+++ b/WebCalendar-1.2.3-cve2011_3814.patch
@@ -0,0 +1,133 @@
+diff -Naur WebCalendar-1.2.3.orig/includes/classes/hKit/hcal.profile.php WebCalendar-1.2.3.new/includes/classes/hKit/hcal.profile.php
+--- WebCalendar-1.2.3.orig/includes/classes/hKit/hcal.profile.php 2007-08-06 04:28:33.000000000 +0200
++++ WebCalendar-1.2.3.new/includes/classes/hKit/hcal.profile.php 2011-09-27 18:27:59.000000000 +0200
+@@ -2,6 +2,9 @@
+ // hcal profile for hkit
+ // hacked together by Ray Jones 06/26/2006
+
++ if (!isset($this)) // Prevent CVE-2011-3814.
++ die();
++
+ $this->root_class = 'vevent';
+
+ $this->classes = array (
+@@ -57,4 +60,4 @@
+ $vevent = array_change_key_case($vevent, CASE_UPPER);
+ }
+
+-?>
+\ No newline at end of file
++?>
+diff -Naur WebCalendar-1.2.3.orig/includes/common_admin_pref.php WebCalendar-1.2.3.new/includes/common_admin_pref.php
+--- WebCalendar-1.2.3.orig/includes/common_admin_pref.php 2007-07-28 21:21:57.000000000 +0200
++++ WebCalendar-1.2.3.new/includes/common_admin_pref.php 2011-09-28 12:01:05.782652146 +0200
+@@ -2,6 +2,7 @@
+ /* Consolidating parts of admin.php and pref.php.
+ * $Id: common_admin_pref.php,v 1.4 2007/07/28 19:21:57 bbannon Exp $
+ */
++function_exists('translate') or die('You cannot access this file directly!');
+ // .
+ // Force the CSS cache to clear by incrementing webcalendar_csscache cookie.
+ $webcalendar_csscache = 1;
+@@ -334,4 +335,4 @@
+ load_user_preferences ();
+ }
+
+-?>
+\ No newline at end of file
++?>
+diff -Naur WebCalendar-1.2.3.orig/includes/date_formats.php WebCalendar-1.2.3.new/includes/date_formats.php
+--- WebCalendar-1.2.3.orig/includes/date_formats.php 2007-08-06 04:28:32.000000000 +0200
++++ WebCalendar-1.2.3.new/includes/date_formats.php 2011-09-28 11:53:54.070565909 +0200
+@@ -22,6 +22,7 @@
+ // .
+ // This will force $LANGUAGE to the current value
+ // and eliminate having to double click the 'SAVE' button.
++function_exists('reset_language') or die('You cannot access this file directly!');
+ reset_language ( get_pref_setting ( $login, 'LANGUAGE' ) );
+ define_languages (); // Load the language list.
+ reset ( $languages );
+diff -Naur WebCalendar-1.2.3.orig/includes/help_list.php WebCalendar-1.2.3.new/includes/help_list.php
+--- WebCalendar-1.2.3.orig/includes/help_list.php 2008-02-12 20:08:52.000000000 +0100
++++ WebCalendar-1.2.3.new/includes/help_list.php 2011-09-28 11:46:35.152005220 +0200
+@@ -5,7 +5,7 @@
+ * This should make it easier to add new help screens without having to
+ * touch each file every time.
+ */
+-defined ( '_ISVALID' ) or ( 'You cannot access this file directly!' );
++defined ( '_ISVALID' ) or die( 'You cannot access this file directly!' );
+ // DO NOT DELETE translate ( 'Index' ) translate ( 'Documentation' )
+ $help_list = array ();
+ $help_list['Index'] = 'help_index.php';
+diff -Naur WebCalendar-1.2.3.orig/includes/js/visible.php WebCalendar-1.2.3.new/includes/js/visible.php
+--- WebCalendar-1.2.3.orig/includes/js/visible.php 2008-01-28 21:17:08.000000000 +0100
++++ WebCalendar-1.2.3.new/includes/js/visible.php 2011-09-28 15:07:17.027310063 +0200
+@@ -183,7 +183,12 @@
+ colorCell.style.backgroundColor = "#000000";
+ input.select ();
+ input.focus ();
+- alert ( '<?php etranslate ( 'Invalid Color', true ) ?>');
++ alert ( '<?php
++ $m = 'Invalid Color';
++ if (function_exists('etranslate')) // Prevent CVE-2011-3814.
++ etranslate($m, true);
++ else
++ echo $m; ?>');
+ } else {
+ colorCell.style.backgroundColor = color;
+ }
+diff -Naur WebCalendar-1.2.3.orig/ws/login.php WebCalendar-1.2.3.new/ws/login.php
+--- WebCalendar-1.2.3.orig/ws/login.php 2011-09-27 18:26:28.000000000 +0200
++++ WebCalendar-1.2.3.new/ws/login.php 2011-09-27 19:14:07.000000000 +0200
+@@ -9,15 +9,13 @@
+ // relative to current working directory.
+ define ( '__WC_INCLUDEDIR', '../includes' );
+
+-include __WC_INCLUDEDIR . '/translate.php';
++foreach (array('config', 'dbi4php', 'formvars', 'functions', 'translate') as $i)
++ include_once __WC_INCLUDEDIR . '/' . $i . '.php';
++
+ require_once __WC_INCLUDEDIR . '/classes/WebCalendar.class';
+
+ $WebCalendar = new WebCalendar(__FILE__);
+
+-include __WC_INCLUDEDIR . '/config.php';
+-include __WC_INCLUDEDIR . '/dbi4php.php';
+-include __WC_INCLUDEDIR . '/functions.php';
+-
+ $WebCalendar->initializeFirstPhase ();
+
+ include __WC_INCLUDEDIR . '/' .$user_inc;
+diff -Naur WebCalendar-1.2.3.orig/ws/ws.php WebCalendar-1.2.3.new/ws/ws.php
+--- WebCalendar-1.2.3.orig/ws/ws.php 2011-09-27 18:26:28.000000000 +0200
++++ WebCalendar-1.2.3.new/ws/ws.php 2011-09-27 19:08:04.000000000 +0200
+@@ -19,23 +19,17 @@
+ // relative to current working directory.
+ define ( '__WC_INCLUDEDIR', '../includes' );
+
+- include_once __WC_INCLUDEDIR . '/translate.php';
+- require_once __WC_INCLUDEDIR . '/classes/WebCalendar.class';
+- require_once __WC_INCLUDEDIR . '/classes/Event.class';
+- require_once __WC_INCLUDEDIR . '/classes/RptEvent.class';
++ foreach(array('access', 'config', 'dbi4php', 'formvars', 'functions',
++ 'site_extras', 'translate', 'validate') as $i)
++ include_once __WC_INCLUDEDIR . '/' . $i . '.php';
+
+- $WebCalendar = new WebCalendar(__FILE__);
+-
+- include_once __WC_INCLUDEDIR . '/config.php';
+- include_once __WC_INCLUDEDIR . '/dbi4php.php';
+- include_once __WC_INCLUDEDIR . '/access.php';
+- include_once __WC_INCLUDEDIR . '/functions.php';
++ foreach(array('WebCalendar', 'Event', 'RptEvent') as $i)
++ include_once __WC_INCLUDEDIR . '/classes/' . $i . '.class';
+
++ $WebCalendar = new WebCalendar(__FILE__);
+ $WebCalendar->initializeFirstPhase ();
+
+ include_once __WC_INCLUDEDIR . '/' . $user_inc;
+- include_once __WC_INCLUDEDIR . '/validate.php';
+- include_once __WC_INCLUDEDIR . '/site_extras.php';
+
+ $WebCalendar->initializeSecondPhase ();
+
diff --git a/WebCalendar.spec b/WebCalendar.spec
index 96c18e8..d265ca1 100644
--- a/WebCalendar.spec
+++ b/WebCalendar.spec
@@ -20,7 +20,7 @@
Name: WebCalendar
Summary: Single/multi-user web-based calendar application
Version: 1.2.3
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2
Group: Applications/Internet
Source0: WebCalendar-%{version}-clean.tar.gz
@@ -44,6 +44,8 @@ Patch13: WebCalendar-1.2.3-nonuser.patch
Patch14: WebCalendar-1.2.3-usercase.patch
Patch15: WebCalendar-1.2.3-authsettings.patch
Patch16: WebCalendar-1.2.3-etp.patch
+Patch17: WebCalendar-1.2.3-canadd.patch
+Patch18: WebCalendar-1.2.3-cve2011_3814.patch
URL: http://www.k5n.us/webcalendar.php
Requires: webserver
Requires: php >= 4.1.0
@@ -113,6 +115,8 @@ rm -rf includes/classes/captcha
%patch14 -p 1
%patch15 -p 1
%patch16 -p 1
+%patch17 -p 1
+%patch18 -p 1
#-------------------------------------------------------------------------------
@@ -258,6 +262,12 @@ rm -rf "${RPM_BUILD_ROOT}"
%changelog
#-------------------------------------------------------------------------------
+* Tue Oct 11 2011 Patrick Monnerat <pm at datasphere.ch> 1.2.3-5
+- Patch "cve2011_3814" to fix CVE-2011-3814 vulnerability.
+ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3814
+- Patch "canadd" to fix event addition control.
+ https://sourceforge.net/tracker/?func=detail&aid=3304491&group_id=3870&atid=303870
+
* Fri Apr 15 2011 Patrick Monnerat <pm at datasphere.ch> 1.2.3-4
- Patch "nonuser" to fix handling of non-user calendars.
https://sourceforge.net/tracker/?func=detail&aid=3287576&group_id=3870&atid=303870
diff --git a/sources b/sources
index 318f279..4b3e3f8 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,3 @@
24abd68064ecf044bfabff0e4aa4f43a WebCalendar-1.2.3-clean.tar.gz
c746b936b582c04f69b6052c8c4be2f8 WebCalendar-1.2.0-newmenuicons.tar.gz
ef48b67a09af50404167c66856cc724d WebCalendarUserManual-0.9.43.tar.gz
-d10cef8fbd0e4a4acae2d393122da07b WebCalendar-http.conf
-9d4d438b872f288a152a28fe63857127 WebCalendar-taglang.php