[ocsinventory] fix CVE-2011-4024
Remi Collet
remi at fedoraproject.org
Tue Oct 25 12:10:45 UTC 2011
commit 4f2249b1a1ca949de8ca83bfbd730d30ea411e86
Author: remi <fedora at famillecollet.com>
Date: Tue Oct 25 14:10:29 2011 +0200
fix CVE-2011-4024
.gitignore | 1 +
ocsinventory-xss.patch | 20 ++++++++++++++++++++
ocsinventory.spec | 8 +++++++-
3 files changed, 28 insertions(+), 1 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 4ca0276..2832fab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+*spec~
OCSNG_UNIX_SERVER-1.3.2.tar.gz
/OCSNG_UNIX_SERVER-1.3.3.tar.gz
diff --git a/ocsinventory-xss.patch b/ocsinventory-xss.patch
new file mode 100644
index 0000000..042509b
--- /dev/null
+++ b/ocsinventory-xss.patch
@@ -0,0 +1,20 @@
+diff -up ocsreports/preferences.php.orig ocsreports/preferences.php
+--- ocsreports/preferences.php.orig 2010-11-23 09:35:19.000000000 +0100
++++ ocsreports/preferences.php 2011-10-22 09:43:24.000000000 +0200
+@@ -748,6 +748,7 @@ function ShowResults($req,$sortable=true
+ }*/
+
+ foreach($tabChamps as $chmp) {// Affichage de toutes les valeurs r�sultats
++ $item[$chmp] = strip_tags($item[$chmp]);
+ echo "<td align='center'>";
+ $isLink = FALSE;
+ if($chmp==TAG_LBL)
+@@ -1594,7 +1595,7 @@ function textDecode( $txt ) {
+ for( $i=0; $i<UTF8_DEGREE; $i++ ) {
+ $txt = utf8_decode( $txt );
+ }
+- return $txt;
++ return strip_tags($txt);
+ }
+
+
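Review bot: strip_tags() in `+ $item[$chmp] = strip_tags($item[$chmp]);` and in textDecode's `+ return strip_tags($txt);` is not an HTML output encoder: it drops tag-shaped text but leaves quotes and ampersands untouched, so a value later printed inside an attribute is still not neutralised, and it also silently destroys legitimate data that happens to contain `<`. The defensive fix is to escape at the point of output, e.g. `echo htmlspecialchars($item[$chmp], ENT_QUOTES, 'UTF-8')` where the cell value is actually echoed; that echo lies outside this hunk, as do the bodies of ShowResults (which starts before the hunk) and textDecode. Changing textDecode's return value also affects every caller of textDecode, including any that does not emit HTML — presumably only HTML callers exist, but that cannot be confirmed from here. Since this hunk is a patch file being added, the code under review is the inner `+` side quoted above.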
diff --git a/ocsinventory.spec b/ocsinventory.spec
index 1190686..5e6432b 100644
--- a/ocsinventory.spec
+++ b/ocsinventory.spec
@@ -12,7 +12,7 @@ Name: ocsinventory
Summary: Open Computer and Software Inventory Next Generation
Version: 1.3.3
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Applications/Internet
License: GPLv2
@@ -24,6 +24,8 @@ Source1: ocsinventory-reports.conf
# Upstream patch from Bzr
Patch1: %{name}-upstream.patch
+# Patch for CVE-2011-4024
+Patch2: %{name}-xss.patch
BuildArch: noarch
@@ -133,6 +135,7 @@ navigateur favori.
%setup -q -n %{tarname}-%{version}
%patch1 -p0
+%patch2 -p0
%build
@@ -281,6 +284,9 @@ fi
%changelog
+* Tue Oct 25 2011 Remi Collet <Fedora at famillecollet.com> - 1.3.3-5
+- fix XSS vulnerabity (Bug #748072, CVE-2011-4024)
+
* Tue Jul 19 2011 Petr Sabata <contyk at redhat.com> - 1.3.3-4
- Perl mass rebuild
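Review bot: The new changelog line `+- fix XSS vulnerabity (Bug #748072, CVE-2011-4024)` misspells "vulnerability"; suggest `- fix XSS vulnerability (Bug #748072, CVE-2011-4024)`. The Patch2 comment `# Patch for CVE-2011-4024` could carry the same bug reference so the spec header and changelog agree on where the fix is tracked.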