[ocsinventory] fix CVE-2011-4024

Remi Collet remi at fedoraproject.org
Tue Oct 25 12:10:45 UTC 2011 

commit 4f2249b1a1ca949de8ca83bfbd730d30ea411e86
Author: remi <fedora at famillecollet.com>
Date:   Tue Oct 25 14:10:29 2011 +0200

    fix CVE-2011-4024

 .gitignore             |    1 +
 ocsinventory-xss.patch |   20 ++++++++++++++++++++
 ocsinventory.spec      |    8 +++++++-
 3 files changed, 28 insertions(+), 1 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 4ca0276..2832fab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+*spec~
 OCSNG_UNIX_SERVER-1.3.2.tar.gz
 /OCSNG_UNIX_SERVER-1.3.3.tar.gz
diff --git a/ocsinventory-xss.patch b/ocsinventory-xss.patch
new file mode 100644
index 0000000..042509b
--- /dev/null
+++ b/ocsinventory-xss.patch
@@ -0,0 +1,20 @@
+diff -up ocsreports/preferences.php.orig ocsreports/preferences.php
+--- ocsreports/preferences.php.orig	2010-11-23 09:35:19.000000000 +0100
++++ ocsreports/preferences.php	2011-10-22 09:43:24.000000000 +0200
+@@ -748,6 +748,7 @@ function ShowResults($req,$sortable=true
+ 			}*/			
+ 
+ 			foreach($tabChamps as $chmp) {// Affichage de toutes les valeurs r�sultats
++				$item[$chmp] = strip_tags($item[$chmp]);
+                 echo "<td align='center'>";
+                 $isLink = FALSE;
+ 				if($chmp==TAG_LBL)
+@@ -1594,7 +1595,7 @@ function textDecode( $txt ) {
+ 	for( $i=0; $i<UTF8_DEGREE; $i++ ) {
+ 		$txt = utf8_decode( $txt );
+ 	}
+-	return $txt;
++	return strip_tags($txt);
+ }
+ 
+ 
diff --git a/ocsinventory.spec b/ocsinventory.spec
index 1190686..5e6432b 100644
--- a/ocsinventory.spec
+++ b/ocsinventory.spec
@@ -12,7 +12,7 @@ Name:        ocsinventory
 Summary:     Open Computer and Software Inventory Next Generation
 
 Version:     1.3.3
-Release:     4%{?dist}
+Release:     5%{?dist}
 
 Group:       Applications/Internet
 License:     GPLv2
@@ -24,6 +24,8 @@ Source1:     ocsinventory-reports.conf
 
 # Upstream patch from Bzr
 Patch1:      %{name}-upstream.patch
+# Patch for CVE-2011-4024
+Patch2:      %{name}-xss.patch
 
 
 BuildArch:   noarch
@@ -133,6 +135,7 @@ navigateur favori.
 %setup -q -n %{tarname}-%{version}
 
 %patch1 -p0
+%patch2 -p0
 
 
 %build
@@ -281,6 +284,9 @@ fi
 
 
 %changelog
+* Tue Oct 25 2011 Remi Collet <Fedora at famillecollet.com> - 1.3.3-5
+- fix XSS vulnerabity (Bug #748072, CVE-2011-4024)
+
 * Tue Jul 19 2011 Petr Sabata <contyk at redhat.com> - 1.3.3-4
 - Perl mass rebuild

More information about the scm-commits mailing list