Fix CVE-2019-20378 CVE-2019-20379

2022-03-02 09:40:28 +08:00 · 2022-03-02 09:40:28 +08:00 · 7272b4f42d
commit 7272b4f42d
parent db8efc298d
2 changed files with 37 additions and 1 deletions
--- a/CVE-2019-20378_CVE-2019-20379.patch
+++ b/CVE-2019-20378_CVE-2019-20379.patch
@ -0,0 +1,31 @@
 From ab909037aa30bc200d467eecb1c189565604ba6a Mon Sep 17 00:00:00 2001
 From: Adam Tygart <adam.tygart@gmail.com>
 Date: Fri, 28 Feb 2020 10:17:20 -0600
 Subject: [PATCH] Fix XSS from OBB-1005024
 ---
 graph_all_periods.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/graph_all_periods.php b/graph_all_periods.php
 index 4e90ccba..9185d646 100644
 --- a/graph_all_periods.php
 +++ b/graph_all_periods.php
@@ -10,12 +10,12 @@
 $data->assign("refresh", $conf['default_refresh']);
 $data->assign("conf", $conf);
 $data->assign("embed",
 -              isset($_REQUEST['embed']) ? $_REQUEST['embed'] : NULL);
 +              isset($_REQUEST['embed']) ? sanitize($_REQUEST['embed']) : NULL);
 $data->assign("mobile",
 -              isset($_REQUEST['mobile']) ? $_REQUEST['mobile'] : NULL);
 -$data->assign("h", isset($_GET['h']) ? $_GET['h'] : NULL);
 -$data->assign("g", isset($_GET['g']) ? $_GET['g'] : NULL);
 -$data->assign("m", isset($_GET['m']) ? $_GET['m'] : NULL);
 +              isset($_REQUEST['mobile']) ? sanitize($_REQUEST['mobile']) : NULL);
 +$data->assign("h", isset($_GET['h']) ? sanitize($_GET['h']) : NULL);
 +$data->assign("g", isset($_GET['g']) ? sanitize($_GET['g']) : NULL);
 +$data->assign("m", isset($_GET['m']) ? sanitize($_GET['m']) : NULL);
 $data->assign("html_g",
               isset($_GET['g']) ? htmlspecialchars($_GET['g']) : NULL);
 $data->assign("html_m",
--- a/ganglia.spec
+++ b/ganglia.spec
@ -6,7 +6,7 @@
 Summary:             Distributed Monitoring System
 Name:                ganglia
 Version:             %{gangver}
-Release:             1
+Release:             2
 License:             BSD
 URL:                 http://ganglia.sourceforge.net/
 Source0:             http://downloads.sourceforge.net/sourceforge/ganglia/ganglia-%{version}.tar.gz
@ -21,6 +21,7 @@ Patch1:              ganglia-3.7.2-apache.patch
 Patch2:              ganglia-3.7.2-sflow.patch
 Patch3:              ganglia-3.7.2-tirpc-hack.patch
 Patch4:              ganglia-web-5ee6b7.patch
 Patch5:		     CVE-2019-20378_CVE-2019-20379.patch
 %if 0%{?systemd}
 BuildRequires:       systemd
 %endif
@ -118,6 +119,7 @@ mv ganglia-web-%{webver} web
 pushd web
 %patch0 -p1
 %patch4 -p1
 %patch5 -p1
 popd
 %build
@ -316,5 +318,8 @@ end
 %dir %attr(0755,apache,apache) %{_localstatedir}/lib/%{name}-web/dwoo/compiled
 %changelog
 * Wed Mar 02 2022 houyingchao <houyingchao@huawei.com> - 3.7.2-2
 - Fix CVE-2019-20378 CVE-2019-20379
 * Wed Apr 14 2021 chengzihan <chengzihan2@huawei.com> - 3.7.2-1
 - package init