Here is my proposed patch against the wheezy version. The upstream patches applied with no problem except for a single hunk that makes a single whitespace change. I deleted this hunk.
I also built a version, which is available for testing: https://people.debian.org/~bam/debian/pool/main/a/awstats/
diff -Nru awstats-7.0~dfsg/debian/changelog awstats-7.0~dfsg/debian/changelog
--- awstats-7.0~dfsg/debian/changelog 2012-06-14 04:07:00.000000000 +1000
+++ awstats-7.0~dfsg/debian/changelog 2018-01-08 18:01:59.000000000 +1100
@@ -1,3 +1,11 @@
+awstats (7.0~dfsg-7+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2017-1000501: Untrusted parameters were not sanitised, allowing
+ unauthenticated remote code execution. Closes: #885835.
+
+ -- Brian May <b...@debian.org> Mon, 08 Jan 2018 18:01:59 +1100
+
 awstats (7.0~dfsg-7) unstable; urgency=low

 * Document -configdir option in README.Debian (Closes: #280067)
diff -Nru awstats-7.0~dfsg/debian/patches/CVE-2017-1000501.patch awstats-7.0~dfsg/debian/patches/CVE-2017-1000501.patch
--- awstats-7.0~dfsg/debian/patches/CVE-2017-1000501.patch 1970-01-01 10:00:00.000000000 +1000
+++ awstats-7.0~dfsg/debian/patches/CVE-2017-1000501.patch 2018-01-08 18:00:19.000000000 +1100
@@ -0,0 +1,82 @@
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -2115,7 +2115,10 @@
+ }
+
+ # Plugins
+- if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
++ if ( $param =~ /^LoadPlugin/ ) {
++ $value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g; # Sanitize plugin name and string param because it is used later in an eval.
++ push @PluginsToLoad, $value; next;
++ }
+
+ # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
+ if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
+@@ -3154,7 +3157,7 @@
+ }
+ my $ret; # To get init return
+ my $initfunction =
+- "\$ret=Init_$pluginname('$pluginparam')";
++ "\$ret=Init_$pluginname('$pluginparam')"; # Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
+ my $initret = eval("$initfunction");
+ if ( $initret && $initret eq 'xxx' ) {
+ $initret =
+@@ -16547,7 +16550,9 @@
+ # No update but report by default when run from a browser
+ $UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
+
+- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++ if ( $QueryString =~ /config=([^&]+)/i ) {
++ $SiteConfig = &Sanitize("$1");
++ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ $PluginMode = &Sanitize( "$1", 1 );
+@@ -16592,10 +16597,13 @@
+ # If migrate
+ if ( $QueryString =~ /(^|-|&|&)migrate=([^&]+)/i ) {
+ $MigrateStats = &Sanitize("$2");
++
+ $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+- $SiteConfig = $5 ? $5 : 'xxx';
++ $SiteConfig = &Sanitize($5 ? $5 : 'xxx');
+ $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
+ }
++
++ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
+ }
+ else { # Run from command line
+ $DebugMessages = 1;
+@@ -16605,9 +16613,10 @@
+
+ # If migrate
+ if ( $ARGV[$_] =~ /(^|-|&|&)migrate=([^&]+)/i ) {
+- $MigrateStats = "$2";
++ $MigrateStats = &Sanitize("$2");
++
+ $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+- $SiteConfig = $5 ? $5 : 'xxx';
++ $SiteConfig = &Sanitize($5 ? $5 : 'xxx');
+ $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
+ next;
+ }
+@@ -16634,7 +16643,9 @@
+ # Update with no report by default when run from command line
+ $UpdateStats = 1;
+
+- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++ if ( $QueryString =~ /config=([^&]+)/i ) {
++ $SiteConfig = &Sanitize("$1");
++ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ $PluginMode = &Sanitize( "$1", 1 );
+@@ -16699,6 +16710,8 @@
+ $ShowDirectOrigin = 1;
+ $QueryString =~ s/showdirectorigin[^&]*//i;
+ }
++
++ $SiteConfig =~ s/\.\.//g;
+ }
+ if ( $QueryString =~ /(^|&|&)staticlinks/i ) {
+ $StaticLinks = "$PROG.$SiteConfig";
diff -Nru awstats-7.0~dfsg/debian/patches/series awstats-7.0~dfsg/debian/patches/series
--- awstats-7.0~dfsg/debian/patches/series 2012-06-14 04:07:00.000000000 +1000
+++ awstats-7.0~dfsg/debian/patches/series 2018-01-08 17:59:24.000000000 +1100
@@ -15,3 +15,4 @@
 1020_LogFile_usage_docs.patch
 2001_awstatsprog_path.patch
 2002_nboflastupdatelookuptosave.patch
+CVE-2017-1000501.patch
-- Brian May <b...@debian.org>
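Review bot: The LoadPlugin sanitisation in the first inner hunk (awstats.pl around line 2118) strips disallowed characters with `s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g`, but the surviving set still includes `/`, `:`, `=`, `?`, `%` and whitespace, and the value is later interpolated into a string `eval` (context line around 3160), so the whole defence rests on that one allowlist while the code that splits `$value` into `$pluginname` and `$pluginparam` lies outside the hunk. A positive check on the name immediately before the `eval` is cheap and independent of how the config entry was parsed, e.g. `die "Invalid plugin name '$pluginname'" unless $pluginname =~ m{\A\w+\z};`, and rejecting keeps a malformed entry visible instead of silently loading a differently spelled plugin. The added `$SiteConfig =~ s/\.\.//g;` lines (hunks around 16601 and 16713) do remove every `..` in a single pass, since a run of dots collapses to at most one dot and separated dots cannot rejoin, but they rewrite rather than reject, and whether a leading `/` can still reach the config-file lookup depends on what `&Sanitize` permits, which is not visible here; failing the request when the stripped value differs from the original would make such probes show up in the web server log. The new comments also carry typos worth fixing in the same upload: `cong file entry` → `config file entry` and `directory transversal` → `directory traversal`.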