[drupal7] CVE-2012-2922.
Jon Ciesla
limb at fedoraproject.org
Thu May 24 12:45:46 UTC 2012
commit 295f409fe029c73521ec0e952e092f575680da34
Author: Jon Ciesla <limburgher at gmail.com>
Date: Thu May 24 07:45:33 2012 -0500
CVE-2012-2922.
drupal-7.14-CVE-2012-2922.patch | 10 ++++++++++
drupal7.spec | 7 ++++++-
2 files changed, 16 insertions(+), 1 deletions(-)
---
diff --git a/drupal-7.14-CVE-2012-2922.patch b/drupal-7.14-CVE-2012-2922.patch
new file mode 100644
index 0000000..a5101e7
--- /dev/null
+++ b/drupal-7.14-CVE-2012-2922.patch
@@ -0,0 +1,10 @@
+--- includes/bootstrap.inc~ 2012-05-02 17:10:42.000000000 -0500
++++ includes/bootstrap.inc 2012-05-24 07:42:06.465246724 -0500
+@@ -2729,6 +2729,7 @@
+ // Under certain conditions Apache's RewriteRule directive prepends the value
+ // assigned to $_GET['q'] with a slash. Moreover we can always have a trailing
+ // slash in place, hence we need to normalize $_GET['q'].
++ if(is_array($path)) { die(); }
+ $path = trim($path, '/');
+
+ return $path;
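Review bot: The added guard `if(is_array($path)) { die(); }` ends the request with an empty body and, as far as the hunk shows, no status line and no log entry, so a rejected array-valued path looks like a blank successful page to monitoring. An explicit client-error status would make these requests stand out in access logs, for example `if (is_array($path)) { header('HTTP/1.1 400 Bad Request'); exit; }`. The guard also has no comment explaining it; something like `// CVE-2012-2922: an array-valued q makes trim() emit a warning that can reveal the install path.` would stop a later cleanup from removing it. The enclosing function starts outside the hunk, so it is not visible here whether `$path` is used before this check.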
diff --git a/drupal7.spec b/drupal7.spec
index 1d45f0a..3a48dcc 100644
--- a/drupal7.spec
+++ b/drupal7.spec
@@ -1,7 +1,7 @@
%define drupaldir %{_datadir}/drupal7
Name: drupal7
Version: 7.14
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: An open-source content-management platform
Group: Applications/Publishing
@@ -13,6 +13,7 @@ Source2: %{name}-README.fedora
Source3: %{name}-cron
Source4: %{name}-files-migrator.sh
Patch0: %{name}-7.4-scripts-noshebang.patch
+Patch1: drupal-7.14-CVE-2012-2922.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
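Review bot: `Patch1` is added without a comment recording what it fixes or where the fix came from, so a later rebase to a new upstream version cannot tell when it is safe to drop. A line above it such as `# CVE-2012-2922 (BZ 824631, BZ 824632); drop once the upstream release contains the fix` would carry that information in the spec itself rather than only in the changelog. The file name is also spelled out as `drupal-7.14-...` while `Patch0` uses `%{name}-`; if that difference is intentional, the same comment is a good place to say so.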
@@ -29,6 +30,7 @@ configurable, skinnable, and secure.
%setup -q -n drupal-%{version}
%patch0 -p1
+%patch1 -p0
chmod -x scripts/drupal.sh
chmod -x scripts/password-hash.sh
@@ -86,6 +88,9 @@ rm -rf %{buildroot}
%dir %attr(775,root,apache) %{_localstatedir}/lib/%{name}/files/default/
%changelog
+* Thu May 24 2012 Jon Ciesla <limburgher at gmail.com> - 7.14-2
+- Patch for CVE-2012-2922, BZ 824631, BZ 824632.
+
* Thu May 3 2012 Paul W. Frields <stickster at gmail.com> - 7.14-1
- New upstream. (#818538)