[tinymce-spellchecker/el6] fix for CVE-2012-6112
Matthias Runge
mrunge at fedoraproject.org
Tue Jan 22 11:58:26 UTC 2013
commit 48b6db59e3d09e8f0b52186c253e356f5b37cac9
Author: Matthias Runge <mrunge at redhat.com>
Date: Tue Jan 22 12:58:08 2013 +0100
fix for CVE-2012-6112
tinymce-spellchecker-sec-issue-fix.patch | 12 ++++++++++++
tinymce-spellchecker.spec | 9 +++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
---
diff --git a/tinymce-spellchecker-sec-issue-fix.patch b/tinymce-spellchecker-sec-issue-fix.patch
new file mode 100644
index 0000000..56326b4
--- /dev/null
+++ b/tinymce-spellchecker-sec-issue-fix.patch
@@ -0,0 +1,12 @@
+diff -up spellchecker/classes/GoogleSpell.php.orig spellchecker/classes/GoogleSpell.php
+--- spellchecker/classes/GoogleSpell.php.orig 2013-01-22 12:19:27.656421749 +0100
++++ spellchecker/classes/GoogleSpell.php 2013-01-22 12:21:49.539886477 +0100
+@@ -51,6 +51,8 @@ class GoogleSpell extends SpellChecker {
+ }
+
+ function &_getMatches($lang, $str) {
++ $lang = preg_replace('/[^a-z\-]/i', '', $lang); // Sanitize, remove everything but a-z or -
++ $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str); // Sanitize, remove all control characters
+ $server = "www.google.com";
+ $port = 443;
+ $path = "/tbproxy/spell?lang=" . $lang . "&hl=en";
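Review bot: Deleting control characters from `$str` on the second added line with an empty replacement joins words that were separated only by a newline or tab (`foo\nbar` becomes `foobar`), so the spell request for multi-line text no longer describes the same words; replacing with a space keeps word boundaries while still removing CR/LF and the other control bytes: `$str = preg_replace('/[\x00-\x1F\x7F]/', ' ', $str); // Sanitize, neutralise control characters`. The `$lang` allowlist on the first added line is the right shape for a value that is concatenated straight into the request path, since nothing it leaves through can end the URL or start a new header line. How `$str` is placed into the request body is not visible here, so whether control-character removal alone is sufficient for it cannot be judged from this hunk; `_getMatches` continues past the shown lines. The patch touches only GoogleSpell.php, so if the plugin's other spellchecker backends accept the same `lang` or text parameters, it is worth confirming they apply an equivalent allowlist before using them.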
diff --git a/tinymce-spellchecker.spec b/tinymce-spellchecker.spec
index 3c4fd7b..46fd67b 100644
--- a/tinymce-spellchecker.spec
+++ b/tinymce-spellchecker.spec
@@ -2,14 +2,14 @@
Summary: TinyMCE spellchecker plugin
Name: tinymce-spellchecker
Version: 2.0.5
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Applications/Publishing
URL: http://wiki.moxiecode.com/index.php/TinyMCE:Plugins/spellchecker
License: LGPLv2+
Source0: http://cloud.github.com/downloads/tinymce/tinymce/tinymce_spellchecker_php_%{ver}.zip
+Patch0: tinymce-spellchecker-sec-issue-fix.patch
BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: tinymce >= 3.1.1
Requires: php >= 5.2.0
Requires: php-pspell
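Review bot: The added `Patch0:` line has no comment stating what the patch fixes or its upstream status, which packaging convention asks for so a later maintainer can tell when it may be dropped; add above it `# CVE-2012-6112: sanitize the lang and text parameters in classes/GoogleSpell.php` and record the upstream status once known. The `%patch0 -p1` applied in the next hunk is consistent with the `spellchecker/` prefix in the patch's file paths given `%setup -q -n spellchecker`.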
@@ -24,6 +24,8 @@ PSpell/ASpell or Google spellchecker.
%prep
%setup -q -n spellchecker
+%patch0 -p1
+
# Convert to utf-8
for file in changelog.txt; do
iconv -f ISO-8859-1 -t UTF-8 -o $file.new $file && \
@@ -66,6 +68,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Tue Jan 22 2013 Matthias Runge <mrunge at redhat.com> - 2.0.5-6
+- fix CVE-2012-6112
+
* Mon Dec 12 2011 Parag Nemade <pnemade AT fedoraproject DOT org> - 2.0.5-5
- Rebuild this package.