[drupal7] CVE-2012-2922.

Jon Ciesla limb at fedoraproject.org
Thu May 24 12:45:46 UTC 2012


commit 295f409fe029c73521ec0e952e092f575680da34
Author: Jon Ciesla <limburgher at gmail.com>
Date:   Thu May 24 07:45:33 2012 -0500

    CVE-2012-2922.

 drupal-7.14-CVE-2012-2922.patch |   10 ++++++++++
 drupal7.spec                    |    7 ++++++-
 2 files changed, 16 insertions(+), 1 deletions(-)
---
diff --git a/drupal-7.14-CVE-2012-2922.patch b/drupal-7.14-CVE-2012-2922.patch
new file mode 100644
index 0000000..a5101e7
--- /dev/null
+++ b/drupal-7.14-CVE-2012-2922.patch
@@ -0,0 +1,10 @@
+--- includes/bootstrap.inc~	2012-05-02 17:10:42.000000000 -0500
++++ includes/bootstrap.inc	2012-05-24 07:42:06.465246724 -0500
+@@ -2729,6 +2729,7 @@
+   // Under certain conditions Apache's RewriteRule directive prepends the value
+   // assigned to $_GET['q'] with a slash. Moreover we can always have a trailing
+   // slash in place, hence we need to normalize $_GET['q'].
++  if(is_array($path)) { die(); }
+   $path = trim($path, '/');
+ 
+   return $path;
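Review bot: The added guard `if(is_array($path)) { die(); }` aborts the request with an empty body and, because die() without an argument exits with status 0 and no header has been sent, the client sees a blank page under a 200 response; that neither tells the caller what was rejected nor leaves anything distinctive in the web-server log for anyone watching for this probe. Since the surrounding comment says the value comes from $_GET['q'], a gentler handling is to neutralise a non-string before the trim, `if (!is_string($path)) { $path = ''; }`, which presumably lands the request on the front page like an absent q would, or at least to send an explicit status before exiting, `header('HTTP/1.1 400 Bad Request'); exit;`. Testing is_string rather than is_array states the precondition trim() actually needs, and the Drupal coding standard writes the keyword as `if (` with a space. The enclosing function (request_path(), judging by the context lines) begins outside the hunk, so the earlier assignment to $path is not visible here.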
diff --git a/drupal7.spec b/drupal7.spec
index 1d45f0a..3a48dcc 100644
--- a/drupal7.spec
+++ b/drupal7.spec
@@ -1,7 +1,7 @@
 %define drupaldir %{_datadir}/drupal7
 Name: drupal7
 Version:  7.14
-Release:  1%{?dist}
+Release:  2%{?dist}
 Summary: An open-source content-management platform
 
 Group: Applications/Publishing
@@ -13,6 +13,7 @@ Source2: %{name}-README.fedora
 Source3: %{name}-cron
 Source4: %{name}-files-migrator.sh
 Patch0:  %{name}-7.4-scripts-noshebang.patch
+Patch1:  drupal-7.14-CVE-2012-2922.patch
 
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -29,6 +30,7 @@ configurable, skinnable, and secure.
 %setup -q -n drupal-%{version}
 
 %patch0 -p1
+%patch1 -p0
 
 chmod -x scripts/drupal.sh
 chmod -x scripts/password-hash.sh
@@ -86,6 +88,9 @@ rm -rf %{buildroot}
 %dir %attr(775,root,apache) %{_localstatedir}/lib/%{name}/files/default/
 
 %changelog
+* Thu May 24 2012 Jon Ciesla <limburgher at gmail.com> - 7.14-2
+- Patch for CVE-2012-2922, BZ 824631, BZ 824632.
+
 * Thu May  3 2012 Paul W. Frields <stickster at gmail.com> - 7.14-1
 - New upstream. (#818538)
 

