Fix CVE-2019-20378 CVE-2019-20379

2022-03-02 09:40:28 +08:00 · 2022-03-02 09:40:28 +08:00 · 7272b4f42d
commit 7272b4f42d
parent db8efc298d
2 changed files with 37 additions and 1 deletions
--- a/CVE-2019-20378_CVE-2019-20379.patch
+++ b/CVE-2019-20378_CVE-2019-20379.patch
@ -0,0 +1,31 @@
+From ab909037aa30bc200d467eecb1c189565604ba6a Mon Sep 17 00:00:00 2001
+From: Adam Tygart <adam.tygart@gmail.com>
+Date: Fri, 28 Feb 2020 10:17:20 -0600
+Subject: [PATCH] Fix XSS from OBB-1005024
+
+---
+ graph_all_periods.php | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/graph_all_periods.php b/graph_all_periods.php
+index 4e90ccba..9185d646 100644
+--- a/graph_all_periods.php
+++ b/graph_all_periods.php
+@@ -10,12 +10,12 @@
+ $data->assign("refresh", $conf['default_refresh']);
+ $data->assign("conf", $conf);
+ $data->assign("embed",
+-              isset($_REQUEST['embed']) ? $_REQUEST['embed'] : NULL);
+              isset($_REQUEST['embed']) ? sanitize($_REQUEST['embed']) : NULL);
+ $data->assign("mobile",
+-              isset($_REQUEST['mobile']) ? $_REQUEST['mobile'] : NULL);
+-$data->assign("h", isset($_GET['h']) ? $_GET['h'] : NULL);
+-$data->assign("g", isset($_GET['g']) ? $_GET['g'] : NULL);
+-$data->assign("m", isset($_GET['m']) ? $_GET['m'] : NULL);
+              isset($_REQUEST['mobile']) ? sanitize($_REQUEST['mobile']) : NULL);
+$data->assign("h", isset($_GET['h']) ? sanitize($_GET['h']) : NULL);
+$data->assign("g", isset($_GET['g']) ? sanitize($_GET['g']) : NULL);
+$data->assign("m", isset($_GET['m']) ? sanitize($_GET['m']) : NULL);
+ $data->assign("html_g",
+               isset($_GET['g']) ? htmlspecialchars($_GET['g']) : NULL);
+ $data->assign("html_m",
--- a/ganglia.spec
+++ b/ganglia.spec
@ -6,7 +6,7 @@
 Summary:             Distributed Monitoring System
 Name:                ganglia
 Version:             %{gangver}
-Release:             1
+Release:             2
 License:             BSD
 URL:                 http://ganglia.sourceforge.net/
 Source0:             http://downloads.sourceforge.net/sourceforge/ganglia/ganglia-%{version}.tar.gz
@ -21,6 +21,7 @@ Patch1:              ganglia-3.7.2-apache.patch
 Patch2:              ganglia-3.7.2-sflow.patch
 Patch3:              ganglia-3.7.2-tirpc-hack.patch
 Patch4:              ganglia-web-5ee6b7.patch
+Patch5:		     CVE-2019-20378_CVE-2019-20379.patch
 %if 0%{?systemd}
 BuildRequires:       systemd
 %endif
@ -118,6 +119,7 @@ mv ganglia-web-%{webver} web
 pushd web
 %patch0 -p1
 %patch4 -p1
+%patch5 -p1
 popd

 %build
@ -316,5 +318,8 @@ end
 %dir %attr(0755,apache,apache) %{_localstatedir}/lib/%{name}-web/dwoo/compiled

 %changelog
+* Wed Mar 02 2022 houyingchao <houyingchao@huawei.com> - 3.7.2-2
+- Fix CVE-2019-20378 CVE-2019-20379
+
 * Wed Apr 14 2021 chengzihan <chengzihan2@huawei.com> - 3.7.2-1
 - package init