[smokeping] Add patch to fix CVE-2012-0790 (#783584)
terjeros
terjeros at fedoraproject.org
Sun Jan 22 14:52:50 UTC 2012
commit f913bd6aeb0effb0e138be4206064412f5e32915
Author: Terje Røsten <terje.rosten at ntnu.no>
Date: Sun Jan 22 15:52:46 2012 +0100
Add patch to fix CVE-2012-0790 (#783584)
smokeping-2.4.2-cve-2012-0790.patch | 68 +++++++++++++++++++++++++++++++++++
smokeping.spec | 7 +++-
2 files changed, 74 insertions(+), 1 deletions(-)
---
diff --git a/smokeping-2.4.2-cve-2012-0790.patch b/smokeping-2.4.2-cve-2012-0790.patch
new file mode 100644
index 0000000..5923a70
--- /dev/null
+++ b/smokeping-2.4.2-cve-2012-0790.patch
@@ -0,0 +1,68 @@
+--- smokeping-2.6.6/lib/Smokeping.pm 2011-11-12 04:00:24.000000000 -0700
++++ smokeping-2.6.6/lib/Smokeping.pm 2012-01-11 01:48:43.000000000 -0700
+@@ -168,8 +168,10 @@ sub cgiurl {
+ sub hierarchy ($){
+ my $q = shift;
+ my $hierarchy = '';
++ my $h = $q->param('hierarchy');
+ if ($q->param('hierarchy')){
+- $hierarchy = 'hierarchy='.$q->param('hierarchy').';';
++ $h =~ s/[<>&%]/./g;
++ $hierarchy = 'hierarchy='.$h.';';
+ };
+ return $hierarchy;
+ }
+@@ -210,6 +212,7 @@ sub update_dynaddr ($$){
+ my $address = $ENV{REMOTE_ADDR};
+ my $targetptr = $cfg->{Targets};
+ foreach my $step (@target){
++ $step =~ s/[<>&%]/./g;
+ return "Error: Unknown target $step"
+ unless defined $targetptr->{$step};
+ $targetptr = $targetptr->{$step};
+@@ -1044,7 +1047,7 @@ sub get_detail ($$$$;$){
+ my $tree = shift;
+ my $open = shift;
+ my $mode = shift || $q->param('displaymode') || 's';
+-
++ $mode =~ s/[<>&%]/./g;
+ my $phys_tree = $tree;
+ my $phys_open = $open;
+ if ($tree->{__tree_link}){
+@@ -1443,13 +1446,15 @@ sub get_detail ($$$$;$){
+ } elsif ($mode eq 's') { # classic mode
+ $startstr =~ s/\s/%20/g;
+ $endstr =~ s/\s/%20/g;
++ my $t = $q->param('target');
++ $t =~ s/[<>&%]/./g;
+ for my $slave (@slaves){
+ my $s = $slave ? "~$slave" : "";
+ $page .= "<div>";
+ # $page .= (time-$timer_start)."<br/>";
+ # $page .= join " ",map {"'$_'"} @task;
+ $page .= "<br/>";
+- $page .= ( qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$q->param('target').$s.'">'
++ $page .= ( qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$t.$s.'">'
+ . qq{<IMG BORDER="0" SRC="${imghref}${s}_${end}_${start}.png">}."</a>" ); #"
+ $page .= "</div>";
+ }
+@@ -1593,8 +1598,10 @@ sub display_webpage($$){
+ my $cfg = shift;
+ my $q = shift;
+ my $targ = '';
+- if ( $q->param('target') and $q->param('target') !~ /\.\./ and $q->param('target') =~ /(\S+)/){
++ my $t = $q->param('target');
++ if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){
+ $targ = $1;
++ $targ =~ s/[<>;%]/./g;
+ }
+ my ($path,$slave) = split(/~/,$targ);
+ if ($slave and $slave =~ /(\S+)/){
+@@ -1603,6 +1610,7 @@ sub display_webpage($$){
+ $slave = $1;
+ }
+ my $hierarchy = $q->param('hierarchy');
++ $hierarchy =~ s/[<>;%]/./g;
+ die "ERROR: unknown hierarchy $hierarchy\n"
+ if $hierarchy and not $cfg->{Presentation}{hierarchies}{$hierarchy};
+ my $open = [ (split /\./,$path||'') ];
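Review bot: The sanitizer character classes disagree between sites — `[<>&%]` in `hierarchy`, `update_dynaddr` and `get_detail` versus `[<>;%]` in `display_webpage` — so `;`, which this code itself uses as the query-string separator in the links it builds (`displaymode=n;start=...`), survives `hierarchy()` and the `target=` link in `get_detail`, while `&` survives in `display_webpage`; one shared class should be used at every site. The substitutions `$t =~ s/[<>&%]/./g;` in the classic-mode branch of `get_detail` and `$hierarchy =~ s/[<>;%]/./g;` in `display_webpage` run on values that are undef whenever the parameter is absent, which emits an "uninitialized value" warning if Smokeping.pm runs under `use warnings` (not visible here); default them first with `$t = '' unless defined $t;`. Replacing a short blacklist with `.` is also weaker than escaping at the point of output: `$t` is interpolated into an `href` attribute in `get_detail` and neither class removes the quote characters that delimit that attribute, so `escapeHTML` on the attribute value (if `$q` is a CGI.pm object) or an allowlist of the characters a target/hierarchy name may legitimately contain would be more robust — confirm the allowed name charset against the config parser before narrowing it. A small shared helper that defaults undef to `''` and applies one class at every site would address the first two points together (sketched below); the enclosing subs start and end outside the quoted hunks.
```perl
# Constructed helper: one sanitizer for every CGI parameter that is echoed
# into a link or used as a tree key.  Undef becomes '' so callers can
# substitute on the result without an "uninitialized value" warning.
sub _clean_param {
    my $v = shift;
    return '' unless defined $v;
    $v =~ s/[<>&;%"']/./g;
    return $v;
}
# … unchanged: each `s/[<>&%]/./g` and `s/[<>;%]/./g` site becomes `$x = _clean_param($x);` …
```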
diff --git a/smokeping.spec b/smokeping.spec
index 31b8994..04dd087 100644
--- a/smokeping.spec
+++ b/smokeping.spec
@@ -7,7 +7,7 @@
Summary: Latency Logging and Graphing System
Name: smokeping
Version: 2.4.2
-Release: 15%{?dist}
+Release: 16%{?dist}
License: GPLv2+
Group: Applications/Internet
URL: http://oss.oetiker.ch/smokeping/
@@ -24,6 +24,7 @@ Patch2: smokeping-2.4.2-tr.patch
Patch3: smokeping-2.3.5-silence.patch
Patch4: smokeping-2.4.2-jsonrpc-strict.patch
Patch5: smokeping-2.4.2-scriptname.patch
+Patch6: smokeping-2.4.2-cve-2012-0790.patch
BuildRequires: glibc-common
BuildRequires: systemd-units
Requires: perl >= 5.6.1
@@ -53,6 +54,7 @@ which presents the graphs.
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
%{__install} -p -m 0644 %{SOURCE5} .
iconv -f ISO-8859-1 -t utf-8 -o CHANGES.utf8 CHANGES
@@ -151,6 +153,9 @@ fi
%attr(0755, apache, root) %{_localstatedir}/lib/%{name}/images
%changelog
+* Sun Jan 22 2012 Terje Rosten <terje.rosten at ntnu.no> - 2.4.2-16
+- Add patch to fix CVE-2012-0790 (#783584)
+
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.2-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
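Review bot: The patch applied by the new `%patch6 -p1` line carries headers for `smokeping-2.6.6/lib/Smokeping.pm` while this spec builds `Version: 2.4.2`, so its hunk line numbers and the `get_detail`/`display_webpage` context come from a later release; `-p1` strips the version directory, but the hunks will apply only with offset or fuzz, if at all, and the build log should be checked for rejected hunks. Regenerating the patch against the 2.4.2 tree would make it apply cleanly and make the `%patch6 -p1` line self-evidently correct.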