[ocsinventory/epel7] XSS security fix for CVE-2014-4722
Remi Collet
remi at fedoraproject.org
Wed Jul 9 10:36:12 UTC 2014
commit c4a7fbf460c2889748dd36fc34bf19846b990912
Author: Remi Collet <remi at fedoraproject.org>
Date: Wed Jul 9 12:36:24 2014 +0200
XSS security fix for CVE-2014-4722
ocsinventory-CVE-2014-4722.patch | 15 +++++++++++++++
ocsinventory.spec | 9 ++++++++-
ocsng-httpd24.patch | 4 ++--
3 files changed, 25 insertions(+), 3 deletions(-)
---
diff --git a/ocsinventory-CVE-2014-4722.patch b/ocsinventory-CVE-2014-4722.patch
new file mode 100644
index 0000000..c805b3b
--- /dev/null
+++ b/ocsinventory-CVE-2014-4722.patch
@@ -0,0 +1,15 @@
+http://bazaar.launchpad.net/~ocsinventory-dev/ocsinventory-ocsreports/stable-2.1/revision/882
+
+=== modified file 'require/function_table_html.php'
+--- ocsreports/require/function_table_html.php 2014-03-06 14:50:02 +0000
++++ ocsreports/require/function_table_html.php 2014-06-19 14:39:34 +0000
+@@ -1443,7 +1443,7 @@
+ if ($key == "STAT" or $key == "SUP" or $key == "CHECK"){
+ $key2 = "NULL";
+ }else{
+- $data[$i][$num_col]=$value_of_field;
++ $data[$i][$num_col]=htmlspecialchars($value_of_field, ENT_QUOTES);
+ $affich="KO";
+ }
+ }
+
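Review bot: The added call `htmlspecialchars($value_of_field, ENT_QUOTES)` in the embedded PHP hunk passes neither a charset nor ENT_SUBSTITUTE; under PHP 5.4, which EPEL7 targets, the default encoding is UTF-8 and an invalid byte sequence in an inventoried value makes htmlspecialchars return an empty string, so that cell is silently blanked instead of escaped. `htmlspecialchars($value_of_field, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps the escaping and replaces invalid sequences, assuming the report pages are served as UTF-8, which is worth confirming against the application's output encoding. As this is a backport of upstream revision 882, the adjustment belongs in the vendored patch or in a report upstream rather than in the spec. The enclosing `if` and the loop that fills `$data[$i][$num_col]` both start before and end after the embedded hunk.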
diff --git a/ocsinventory.spec b/ocsinventory.spec
index 50da662..7bc56de 100644
--- a/ocsinventory.spec
+++ b/ocsinventory.spec
@@ -17,7 +17,7 @@ Name: ocsinventory
Summary: Open Computer and Software Inventory Next Generation
Version: 2.1.1
-Release: 1%{?dist}
+Release: 3%{?dist}
Group: Applications/Internet
License: GPLv2
@@ -30,6 +30,9 @@ Source1: ocsinventory-reports.conf
# Fix for httpd 2.4 (for new authz_core)
Patch0: ocsng-httpd24.patch
+# Security fix
+Patch1: %{name}-CVE-2014-4722.patch
+
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: perl(ExtUtils::MakeMaker)
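Review bot: The new `# Security fix` comment above `Patch1` says less than the `Patch0` comment beside it, which names what its patch is for; the upstream reference lives only inside the patch file, so a spec reader has to open it. A one-line comment such as `# XSS security fix, CVE-2014-4722 (upstream ocsreports stable-2.1 rev 882)` keeps the spec self-describing. It may also help to record there that the patch's `---`/`+++` headers carry the `ocsreports/` prefix so `%patch1 -p0` applies from the tarball root, since the bzr header it was taken from names only `require/function_table_html.php`; that is inferred from the two headers and should be confirmed against the extracted source layout.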
@@ -139,6 +142,7 @@ navigateur favori.
%setup -q -n %{tarname}-%{version}
%patch0 -p0
+%patch1 -p0
chmod -x binutils/ocs-errors
@@ -308,6 +312,9 @@ fi
%changelog
+* Wed Jul 09 2014 Remi Collet <remi at fedoraproject.org> - 2.1.1-3
+- XSS security fix for CVE-2014-4722
+
* Thu May 22 2014 Remi Collet <remi at fedoraproject.org> - 2.1.1-1
- update to 2.1.1
diff --git a/ocsng-httpd24.patch b/ocsng-httpd24.patch
index 466b6e6..79b4536 100644
--- a/ocsng-httpd24.patch
+++ b/ocsng-httpd24.patch
@@ -30,7 +30,7 @@ diff -up etc/ocsinventory/ocsinventory-server.conf.orig etc/ocsinventory/ocsinve
# Which version of mod_perl we are using
# For mod_perl <= 1.999_21, replace VERSION_MP by 1
# For mod_perl > 1.999_21, replace VERSION_MP by 2
-@@ -285,13 +283,24 @@
+@@ -288,13 +286,24 @@
# "Virtual" directory for handling OCS Inventory NG agents communications
# Be careful, do not create such directory into your web server root document !
<Location /ocsinventory>
@@ -58,7 +58,7 @@ diff -up etc/ocsinventory/ocsinventory-server.conf.orig etc/ocsinventory/ocsinve
SetHandler perl-script
PerlHandler Apache::Ocsinventory
</Location>
-@@ -303,14 +312,22 @@
+@@ -306,14 +315,22 @@
SetHandler perl-script
PerlHandler "Apache::Ocsinventory::SOAP"