puiterwijk pushed to php-pear-Auth-OpenID (epel7). "Patch for CVE-2013-4701"
notifications at fedoraproject.org
notifications at fedoraproject.org
Wed Apr 22 01:39:11 UTC 2015
>From b1c4f7a29ba3eb3ea514011d8c05bbfab1ce3a8d Mon Sep 17 00:00:00 2001
From: Kevin Fenzi <kevin at scrye.com>
Date: Fri, 23 Aug 2013 21:47:40 -0600
Subject: Patch for CVE-2013-4701
diff --git a/php-openid-2.2.2-cve-2013-4701.patch b/php-openid-2.2.2-cve-2013-4701.patch
new file mode 100644
index 0000000..8529d1b
--- /dev/null
+++ b/php-openid-2.2.2-cve-2013-4701.patch
@@ -0,0 +1,17 @@
+diff -Nur php-openid-2.2.2.orig/Auth/Yadis/XML.php php-openid-2.2.2/Auth/Yadis/XML.php
+--- php-openid-2.2.2.orig/Auth/Yadis/XML.php 2011-01-19 15:25:39.000000000 -0700
++++ php-openid-2.2.2/Auth/Yadis/XML.php 2013-08-23 21:39:13.818386179 -0600
+@@ -235,6 +235,13 @@
+ }
+
+ if (!@$this->doc->loadXML($xml_string)) {
++ // disable external entities and libxml errors
++ $loader = libxml_disable_entity_loader(true);
++ $errors = libxml_use_internal_errors(true);
++ $parse_result = @$this->doc->loadXML($xml_string);
++ libxml_disable_entity_loader($loader);
++ libxml_use_internal_errors($errors);
++ if (!$parse_result) {
+ return false;
+ }
+
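Review bot: The embedded XML.php hunk keeps the original `if (!@$this->doc->loadXML($xml_string)) {` as a context line (the `-235,6 +235,13` counts only add up that way), so the untrusted document is still parsed once before `libxml_disable_entity_loader(true)` takes effect. The hardened parse then runs only when that first, unprotected parse fails. As shown, the added `if (!$parse_result) {` also opens a second block while only one closing brace is visible, which would leave XML.php unbalanced; the rest of the function is outside the hunk, so confirm with `php -l` on the patched file. The old call should be a removed line in the inner patch, `- if (!@$this->doc->loadXML($xml_string)) {`, with the header adjusted to `@@ -235,6 +235,12 @@`, so that the only parse happens between the disable and restore calls. Leading whitespace is collapsed on this page, so check the marker column against the file in dist-git.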
diff --git a/php-pear-Auth-OpenID.spec b/php-pear-Auth-OpenID.spec
index 9c91be5..413e080 100644
--- a/php-pear-Auth-OpenID.spec
+++ b/php-pear-Auth-OpenID.spec
@@ -3,7 +3,7 @@
Name: php-pear-Auth-OpenID
Version: 2.2.2
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: PHP OpenID
Group: Development/System
License: ASL 2.0
@@ -35,6 +35,10 @@ Provides: php-pear(%{pear_name}) = %{version}
# This patch fixes the paths from Auth -> Auth_OpenID
Patch0: php-openid-2.2.2-requires-paths.patch
+# Patch for CVE-2013-4701
+# https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9
+Patch1: php-openid-2.2.2-cve-2013-4701.patch
+
%description
An implementation of the OpenID single sign-on authentication
protocol.
@@ -49,6 +53,7 @@ admin/packagexml.py %{version} admin/package2.xml README > %{pear_name}.xml
# Fix the paths from Auth -> Auth_OpenID
%patch0 -p1
+%patch1 -p1
%build
@@ -91,6 +96,9 @@ fi
%{pear_phpdir}/%{pear_name}
%changelog
+* Fri Aug 23 2013 Kevin Fenzi <kevin at scrye.com> 2.2.2-7
+- Patch for CVE-2013-4701
+
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.2.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/php-pear-Auth-OpenID.git/commit/?h=epel7&id=b1c4f7a29ba3eb3ea514011d8c05bbfab1ce3a8d