Hi, Attached is a debdiff of the changes I made for 1.1.0.7-1.1 0-day NMU.
Cheers, Giuseppe
diff -u phpldapadmin-1.1.0.7/debian/changelog phpldapadmin-1.1.0.7/debian/changelog
--- phpldapadmin-1.1.0.7/debian/changelog
+++ phpldapadmin-1.1.0.7/debian/changelog
@@ -1,3 +1,10 @@
+phpldapadmin (1.1.0.7-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fixed CVE-2009-4427 (Closes: #561975)
+
+ -- Giuseppe Iuculano <[email protected]> Sun, 03 Jan 2010 11:47:29 +0100
+
 phpldapadmin (1.1.0.7-1) unstable; urgency=low
 
  * New upstream release.
diff -u phpldapadmin-1.1.0.7/debian/patches/00list phpldapadmin-1.1.0.7/debian/patches/00list
--- phpldapadmin-1.1.0.7/debian/patches/00list
+++ phpldapadmin-1.1.0.7/debian/patches/00list
@@ -1,0 +2 @@
+CVE-2009-4427
only in patch2:
unchanged:
--- phpldapadmin-1.1.0.7.orig/debian/patches/CVE-2009-4427.dpatch
+++ phpldapadmin-1.1.0.7/debian/patches/CVE-2009-4427.dpatch
@@ -0,0 +1,25 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2009-4427.dpatch by Giuseppe Iuculano <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-4427: Local file inclusion vulnerability #561975
+
+...@dpatch@
+diff -urNad phpldapadmin~/htdocs/cmd.php phpldapadmin/htdocs/cmd.php
+--- phpldapadmin~/htdocs/cmd.php 2008-01-10 13:28:34.000000000 +0100
++++ phpldapadmin/htdocs/cmd.php 2010-01-03 11:45:59.000000000 +0100
+@@ -35,6 +35,14 @@
+ # Create page.
+ $www['page'] = new page($ldapserver->server_id);
+ 
++# See if we can render the command
++if (trim($www['cmd'])) {
++ # If this command has been disabled by the config.
++ if (! $_SESSION[APPCONFIG]->isCommandAvailable('script',$www['cmd']))
++ system_message(array('title'=>_('Command disabled by the server configuration'),
++ _('Error'),'body'=>sprintf('%s: <b>%s</b>.',_('The command could not be run'),$www['cmd']),'type'=>'error'),'index.php');
++}
++
+ if ($file)
+ include $file;
+ 
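Review bot: The new guard in cmd.php does not itself stop execution, so whether the disabled command still reaches `include $file;` two lines below depends entirely on `system_message(...)` not returning when given `'index.php'`, which this hunk does not show. Making the exit explicit removes that dependency, for example `if (! $_SESSION[APPCONFIG]->isCommandAvailable('script',$www['cmd'])) { system_message(array(...),'index.php'); exit; }`, or alternatively moving the `if ($file) include $file;` into an `else` branch of the availability check. The array passed to `system_message()` also contains a bare `_('Error')` element between `'title'` and `'body'` with no key, which looks like a leftover and should probably be dropped or keyed. Note that `$file` is derived from `$www['cmd']` outside this hunk, so the relation between the checked command name and the included path cannot be confirmed here; a short comment above the guard stating that `isCommandAvailable('script', …)` is the whitelist that prevents the local file inclusion would help future readers.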

