[ocsinventory/f20] XSS security fix for CVE-2014-4722

Remi Collet remi at fedoraproject.org
Wed Jul 9 10:47:25 UTC 2014


commit 82ea03957a7e6de85b87f77df4151701e6893290
Author: Remi Collet <remi at fedoraproject.org>
Date:   Wed Jul 9 12:47:37 2014 +0200

    XSS security fix for CVE-2014-4722

 ocsinventory-CVE-2014-4722.patch |   15 +++++++++++++++
 ocsinventory.spec                |    9 ++++++++-
 2 files changed, 23 insertions(+), 1 deletions(-)
---
diff --git a/ocsinventory-CVE-2014-4722.patch b/ocsinventory-CVE-2014-4722.patch
new file mode 100644
index 0000000..c98b172
--- /dev/null
+++ b/ocsinventory-CVE-2014-4722.patch
@@ -0,0 +1,15 @@
+http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/834
+
+=== modified file 'require/function_table_html.php'
+--- ocsreports/require/function_table_html.php	2012-10-31 15:26:41 +0000
++++ ocsreports/require/function_table_html.php	2014-06-19 16:05:03 +0000
+@@ -1429,7 +1429,7 @@
+ 							if ($key == "STAT" or $key == "SUP" or $key == "CHECK"){
+ 								$key2 = "NULL";
+ 							}else{
+-								$data[$i][$num_col]=$value_of_field;
++								$data[$i][$num_col]=htmlspecialchars($value_of_field, ENT_QUOTES);
+ 								$affich="KO";
+ 							}
+ 						}
+
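Review bot: The new `htmlspecialchars()` call on the `+` line omits the charset argument, so the encoding it escapes under is whatever the running PHP defaults to (ISO-8859-1 before 5.4, UTF-8 from 5.4 on) rather than what ocsreports actually emits; pass it explicitly, `$data[$i][$num_col]=htmlspecialchars($value_of_field, ENT_QUOTES, 'UTF-8');`, so a charset mismatch cannot leave malformed multibyte sequences unescaped or, on PHP 5.4+, silently turn an invalid UTF-8 value into an empty cell. `ENT_QUOTES` is the right flag here since the value may land in a quoted attribute, not only in element text. The escaping is applied where `$data` is populated rather than at the point of output, so any later consumer of `$data` that is not HTML (an export, a sort or comparison) would see entity-encoded text and any consumer that escapes again would double-encode; that is inferred and worth confirming against the callers. The enclosing function starts and ends outside this hunk.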
diff --git a/ocsinventory.spec b/ocsinventory.spec
index df50762..d90cf1c 100644
--- a/ocsinventory.spec
+++ b/ocsinventory.spec
@@ -8,7 +8,7 @@ Name:        ocsinventory
 Summary:     Open Computer and Software Inventory Next Generation
 
 Version:     2.0.5
-Release:     7%{?dist}
+Release:     8%{?dist}
 
 Group:       Applications/Internet
 License:     GPLv2
@@ -21,6 +21,9 @@ Source1:     ocsinventory-reports.conf
 # Fix for httpd 2.4 (for new authz_core)
 Patch0:      ocsng-httpd24.patch
 
+# Security fix
+Patch1:      %{name}-CVE-2014-4722.patch
+
 BuildArch:   noarch
 BuildRoot:   %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: perl(ExtUtils::MakeMaker)
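Review bot: The `# Security fix` comment above the new `Patch1:` line should carry the CVE id and the upstream origin so the patch's provenance is visible in the spec itself, e.g. `# Security fix for CVE-2014-4722, backport of upstream ocsreports stable-2.0 revision 834`. The Launchpad URL currently lives only in the patch header, and the spec is where a maintainer checks whether a patch is still needed after the next version bump.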
@@ -123,6 +126,7 @@ navigateur favori.
 %setup -q -n %{tarname}-%{version}
 
 %patch0 -p0
+%patch1 -p0
 
 chmod -x binutils/ocs-errors
 
@@ -306,6 +310,9 @@ fi
 
 
 %changelog
+* Wed Jul 09 2014 Remi Collet <remi at fedoraproject.org> - 2.0.5-8
+- XSS security fix for CVE-2014-4722
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.0.5-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 

