puiterwijk pushed to php-pear-Auth-OpenID (epel7). "Patch for CVE-2013-4701"

notifications at fedoraproject.org notifications at fedoraproject.org
Wed Apr 22 01:39:11 UTC 2015


>From b1c4f7a29ba3eb3ea514011d8c05bbfab1ce3a8d Mon Sep 17 00:00:00 2001
From: Kevin Fenzi <kevin at scrye.com>
Date: Fri, 23 Aug 2013 21:47:40 -0600
Subject: Patch for CVE-2013-4701


diff --git a/php-openid-2.2.2-cve-2013-4701.patch b/php-openid-2.2.2-cve-2013-4701.patch
new file mode 100644
index 0000000..8529d1b
--- /dev/null
+++ b/php-openid-2.2.2-cve-2013-4701.patch
@@ -0,0 +1,17 @@
+diff -Nur php-openid-2.2.2.orig/Auth/Yadis/XML.php php-openid-2.2.2/Auth/Yadis/XML.php
+--- php-openid-2.2.2.orig/Auth/Yadis/XML.php	2011-01-19 15:25:39.000000000 -0700
++++ php-openid-2.2.2/Auth/Yadis/XML.php	2013-08-23 21:39:13.818386179 -0600
+@@ -235,6 +235,13 @@
+         }
+ 
+         if (!@$this->doc->loadXML($xml_string)) {
++ 	 // disable external entities and libxml errors
++ 	 $loader = libxml_disable_entity_loader(true);
++ 	 $errors = libxml_use_internal_errors(true);
++ 	 $parse_result = @$this->doc->loadXML($xml_string);
++ 	 libxml_disable_entity_loader($loader);
++ 	 libxml_use_internal_errors($errors);
++ 	if (!$parse_result) {
+             return false;
+         }
+ 
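Review bot: The unguarded parse on the hunk's context line `if (!@$this->doc->loadXML($xml_string)) {` is kept, so the document is still loaded once with the entity loader in its default state and the hardened re-parse only runs after that first attempt has failed; the mitigation this patch is meant to add does not cover the first parse. That context line should become a removed (`-`) line so the guarded `$parse_result = @$this->doc->loadXML($xml_string);` is the only parse and `if (!$parse_result) {` takes its place. As written the hunk also opens two braces (the retained `if` and the added `if (!$parse_result) {`) but closes only one, so the patched file very likely no longer parses; dropping the outer `if` fixes both problems at once. The added lines also mix tab and space indentation against the surrounding four-space style. The enclosing method continues outside the hunk.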
diff --git a/php-pear-Auth-OpenID.spec b/php-pear-Auth-OpenID.spec
index 9c91be5..413e080 100644
--- a/php-pear-Auth-OpenID.spec
+++ b/php-pear-Auth-OpenID.spec
@@ -3,7 +3,7 @@
 
 Name: php-pear-Auth-OpenID
 Version: 2.2.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: PHP OpenID
 Group: Development/System
 License: ASL 2.0
@@ -35,6 +35,10 @@ Provides: php-pear(%{pear_name}) = %{version}
 # This patch fixes the paths from Auth -> Auth_OpenID
 Patch0: php-openid-2.2.2-requires-paths.patch
 
+# Patch for CVE-2013-4701
+# https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9
+Patch1: php-openid-2.2.2-cve-2013-4701.patch
+
 %description
 An implementation of the OpenID single sign-on authentication
 protocol.
@@ -49,6 +53,7 @@ admin/packagexml.py %{version} admin/package2.xml README > %{pear_name}.xml
 
 # Fix the paths from Auth -> Auth_OpenID
 %patch0 -p1
+%patch1 -p1
 
 %build
 
@@ -91,6 +96,9 @@ fi
 %{pear_phpdir}/%{pear_name}
 
 %changelog
+* Fri Aug 23 2013 Kevin Fenzi <kevin at scrye.com> 2.2.2-7
+- Patch for CVE-2013-4701
+
 * Sun Aug 04 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.2.2-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/php-pear-Auth-OpenID.git/commit/?h=epel7&id=b1c4f7a29ba3eb3ea514011d8c05bbfab1ce3a8d

