[mono/el6] Patch for CVE-2012-3382 (bz 839979)

leigh123linux leigh123linux at fedoraproject.org
Fri Jul 13 12:01:07 UTC 2012


commit b81991956468c04114d7d1f6ac0c2a0906eb1f10
Author: leigh123linux <leigh123linux at googlemail.com>
Date:   Fri Jul 13 13:00:56 2012 +0100

    Patch for CVE-2012-3382 (bz 839979)

 CVE-2012-3382.patch |   11 +++++++++++
 mono.spec           |    7 ++++++-
 2 files changed, 17 insertions(+), 1 deletions(-)
---
diff --git a/CVE-2012-3382.patch b/CVE-2012-3382.patch
new file mode 100644
index 0000000..949a97d
--- /dev/null
+++ b/CVE-2012-3382.patch
@@ -0,0 +1,11 @@
+--- mono-2.4.3.1/mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs.orig	2009-10-26 20:44:24.000000000 +0000
++++ mono-2.4.3.1/mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs	2012-07-13 12:54:42.628807327 +0100
+@@ -42,7 +42,7 @@ namespace System.Web
+ 				
+ 			throw new HttpException (403,
+ 						 "This type of page is not served.",
+-						 req != null ? req.Path : null,
++						 req != null ? HttpUtility.HtmlEncode (req.Path) : null,
+ 						 description);
+ 		}
+ 
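Review bot: Only the `req.Path` argument of the 403 `HttpException` call is passed through `HttpUtility.HtmlEncode`; the next argument, `description`, is built outside the visible hunk. It is worth confirming that `description` carries no request-derived text, since it appears to go into the same error response. Encoding at this one call site also leaves any other handler that passes request data to `HttpException` unchanged, which may be fine but cannot be judged from here. Separately, the patch file has no header, so a short comment block above its first `---` line naming CVE-2012-3382, bz 839979 and the upstream commit it was taken from would save the next packager from reconstructing that from the spec changelog.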
diff --git a/mono.spec b/mono.spec
index 5de5967..fca9616 100644
--- a/mono.spec
+++ b/mono.spec
@@ -2,7 +2,7 @@
 
 Name:           mono
 Version:        2.4.3.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A .NET runtime environment
 
 Group:          Development/Languages
@@ -52,6 +52,7 @@ Patch4: mono-2.0-monoservice.patch
 Patch5: mono-2.0-metadata-makefile.patch
 Patch6: mono-242-libgdiplusconfig.patch
 Patch7: mono-22-libdir.patch
+Patch8: CVE-2012-3382.patch
 
 %description
 The Mono runtime implements a JIT engine for the ECMA CLI
@@ -306,6 +307,7 @@ mono-moonlight are all the parts required for moonlight compilation
 %patch6 -p1 -F 2 -b .libgdiplus
 sed -i -e 's!@libdir@!%{_libdir}!' %{PATCH7}
 %patch7 -p1 -b .libdir-22
+%patch8 -p1 -b .CVE-2012-3382
 sed -i -e 's!%{_libdir}!@libdir@!' %{PATCH7}
 sed -i -e 's!@prefix@/lib/!%{_libdir}/!' data/mono.web.pc.in
 sed -i -e 's!@prefix@/lib/!%{_libdir}/!' data/system.web.extensions_1.0.pc.in
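Review bot: `%patch8` is placed between `%patch7` and the `sed` that restores `%{PATCH7}`, which splits the substitute/apply/restore sequence for the libdir patch. Moving `%patch8 -p1 -b .CVE-2012-3382` to just after `sed -i -e 's!%{_libdir}!@libdir@!' %{PATCH7}` keeps that sequence together and makes the patch order easier to audit. The result should presumably be the same either way, since the CVE patch touches only `HttpForbiddenHandler.cs`.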
@@ -752,6 +754,9 @@ install -m 755 %{SOURCE3} %{buildroot}%{_bindir}/
 %{_libdir}/pkgconfig/monodoc.pc
 
 %changelog
+* Fri Jul 13 2012 Leigh Scott <leigh123linux at googlemail.com> - 2.4.3.1-4
+- Patch for CVE-2012-3382 (bz 839979)
+
 * Mon Jun 27 2010 Leigh Scott <leigh123linux at googlemail.com> - 2.4.3.1-3
 - rebuild against mono-core
 

