[phpldapadmin/el4] fix #748539 (CVE-2011-4075)
Dmitry Butskoy
buc at fedoraproject.org
Wed Oct 26 14:39:50 UTC 2011
commit 3d1caf0c56ac4b3873e83d479cc46fdbc65b4ed4
Author: Dmitry Butskoy <Dmitry at Butskoy.name>
Date: Wed Oct 26 18:39:14 2011 +0400
fix #748539 (CVE-2011-4075)
.gitignore | 1 +
...nfig.patch => phpldapadmin-0.9.8.5-config.patch | 18 +++++++++---------
phpldapadmin-0.9.8.5-masort.patch | 14 ++++++++++++++
phpldapadmin.spec | 10 ++++++++--
sources | 2 +-
5 files changed, 33 insertions(+), 12 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 69aaf01..db22521 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
phpldapadmin-0.9.7.1.tar.gz
+/phpldapadmin-0.9.8.5.tar.gz
diff --git a/phpldapadmin-0.9.7.2-config.patch b/phpldapadmin-0.9.8.5-config.patch
similarity index 82%
rename from phpldapadmin-0.9.7.2-config.patch
rename to phpldapadmin-0.9.8.5-config.patch
index ec5b1e2..161dbfb 100644
--- a/phpldapadmin-0.9.7.2-config.patch
+++ b/phpldapadmin-0.9.8.5-config.patch
@@ -1,7 +1,7 @@
-diff -Nrbu phpldapadmin-0.9.7.2/config/config.php phpldapadmin-0.9.7.2-OK/config/config.php
---- phpldapadmin-0.9.7.2/config/config.php 2005-11-15 19:29:18.000000000 +0300
-+++ phpldapadmin-0.9.7.2-OK/config/config.php 2005-11-15 19:29:06.000000000 +0300
-@@ -34,6 +34,9 @@
+diff -Nrbu phpldapadmin-0.9.8.5/config/config.php phpldapadmin-0.9.8.5-OK/config/config.php
+--- phpldapadmin-0.9.8.5/config/config.php 2011-10-26 18:29:01.000000000 +0400
++++ phpldapadmin-0.9.8.5-OK/config/config.php 2011-10-26 18:31:00.000000000 +0400
+@@ -39,6 +39,9 @@
/* Useful important configuration overrides */
/*********************************************/
@@ -9,9 +9,9 @@ diff -Nrbu phpldapadmin-0.9.7.2/config/config.php phpldapadmin-0.9.7.2-OK/config
+# $config->custom->appearance['show_clear_password'] = true;
+
/* If you are asked to put pla in debug mode, this is how you do it: */
- # $config->custom->debug['level'] = 2;
+ # $config->custom->debug['level'] = 255;
# $config->custom->debug['syslog'] = true;
-@@ -64,7 +67,7 @@
+@@ -69,7 +72,7 @@
/* A convenient name that will appear in the tree viewer and throughout
phpLDAPadmin to identify this LDAP server to users. */
@@ -20,7 +20,7 @@ diff -Nrbu phpldapadmin-0.9.7.2/config/config.php phpldapadmin-0.9.7.2-OK/config
/* Examples:
'ldap.example.com',
-@@ -93,6 +96,7 @@
+@@ -98,6 +101,7 @@
encrypted using blowfish and the secret your specify above as
session['blowfish']. */
// $ldapservers->SetValue($i,'server','auth_type','cookie');
@@ -28,7 +28,7 @@ diff -Nrbu phpldapadmin-0.9.7.2/config/config.php phpldapadmin-0.9.7.2-OK/config
/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
'cookie' or 'session' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS BLANK. If
-@@ -118,6 +122,7 @@
+@@ -123,6 +127,7 @@
/* Default password hashing algorithm. One of md5, ssha, sha, md5crpyt, smd5,
blowfish, crypt or leave blank for now default algorithm. */
// $ldapservers->SetValue($i,'appearance','password_hash','md5');
@@ -36,7 +36,7 @@ diff -Nrbu phpldapadmin-0.9.7.2/config/config.php phpldapadmin-0.9.7.2-OK/config
/* If you specified 'cookie' or 'session' as the auth_type above, you can
optionally specify here an attribute to use when logging in. If you enter
-@@ -129,6 +134,7 @@
+@@ -134,6 +139,7 @@
specify 'string', in which case you can provide a string to use for logging
users in. See 'login_string' directly below. */
// $ldapservers->SetValue($i,'login','attr','dn');
diff --git a/phpldapadmin-0.9.8.5-masort.patch b/phpldapadmin-0.9.8.5-masort.patch
new file mode 100644
index 0000000..684a3ec
--- /dev/null
+++ b/phpldapadmin-0.9.8.5-masort.patch
@@ -0,0 +1,14 @@
+diff -Nrbu phpldapadmin-0.9.8.5/lib/functions.php phpldapadmin-0.9.8.5-OK/lib/functions.php
+--- phpldapadmin-0.9.8.5/lib/functions.php 2008-11-28 17:21:37.000000000 +0300
++++ phpldapadmin-0.9.8.5-OK/lib/functions.php 2011-10-26 18:33:47.000000000 +0400
+@@ -2563,6 +2563,10 @@
+ if (DEBUG_ENABLED)
+ debug_log('masort(): Entered with (%s,%s,%s)',1,$data,$sortby,$rev);
+
++ # if the array to sort is null or empty, or if we have some nasty chars
++ if (! preg_match('/^[a-zA-Z0-9_]+(\([a-zA-Z0-9_,]*\))?$/',$sortby) || ! $data)
++ return;
++
+ static $sort_funcs = array();
+
+ if (empty($sort_funcs[$sortby])) {
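Review bot: The allowlist on the added line `if (! preg_match('/^[a-zA-Z0-9_]+(\([a-zA-Z0-9_,]*\))?$/',$sortby) || ! $data)` anchors with `$` but carries no `D` modifier, so PCRE also accepts a `$sortby` that ends in one trailing newline, which is looser than the character class suggests. For a value that presumably ends up in generated code (the hunk does not show the later use, only that this is the CVE-2011-4075 fix), the anchor should be strict: `'/^[a-zA-Z0-9_]+(\([a-zA-Z0-9_,]*\))?$/D'`, or `\z` in place of `$`. The bare `return;` is also silent, so a rejected sort key leaves the data unsorted with no trace; since the function already logs under `DEBUG_ENABLED` two lines above, a matching `debug_log('masort(): Rejected sortby (%s)',1,$sortby);` before the return would make the rejection visible in the same log. masort() begins and ends outside this hunk, so how `$sortby` is consumed after the check cannot be confirmed here.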
diff --git a/phpldapadmin.spec b/phpldapadmin.spec
index 3b2f8b1..4908968 100644
--- a/phpldapadmin.spec
+++ b/phpldapadmin.spec
@@ -1,13 +1,14 @@
Name: phpldapadmin
Summary: Web-based tool for managing LDAP servers
-Version: 0.9.8.3
+Version: 0.9.8.5
Release: 1%{?dist}
Group: Applications/Internet
License: GPL
URL: http://phpldapadmin.sourceforge.net
Source: http://dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-%{version}.tar.gz
Patch1: phpldapadmin-0.9.7.1-namingcontexts.patch
-Patch2: phpldapadmin-0.9.7.2-config.patch
+Patch2: phpldapadmin-0.9.8.5-config.patch
+Patch3: phpldapadmin-0.9.8.5-masort.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -39,6 +40,7 @@ cp config/config.php.example config/config.php
%patch1 -p1
%patch2 -p1
+%patch3 -p1
%build
@@ -112,6 +114,10 @@ fi
%changelog
+* Wed Oct 26 2011 Dmitry Butskoy <Dmitry at Butskoy.name> - 0.9.8.5-1
+- fix #748539 (CVE-2011-4075)
+- update to 0.9.8.5
+
* Mon May 15 2006 Dmitry Butskoy <Dmitry at Butskoy.name> - 0.9.8.3-1
- update to 0.9.8.3
diff --git a/sources b/sources
index 3211b84..68e7038 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1bb495a36cee3582dc0957880118d3ec phpldapadmin-0.9.8.3.tar.gz
+a323d6815e5a560c5cd03614d33d7e8d phpldapadmin-0.9.8.5.tar.gz