commit:     178ca30bd5ec0af0992f13539beedb22bcdf4666
Author:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
AuthorDate: Sun Mar 10 13:35:34 2024 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Sun Mar 10 13:35:34 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=178ca30b

www-apps/phpsysinfo: fix CVE-2023-49006

Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../files/phpsysinfo-3.4.3-cve-2023-49006.patch    | 44 ++++++++++++++++++++++
 ...nfo-3.4.3.ebuild => phpsysinfo-3.4.3-r1.ebuild} |  4 +-
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/www-apps/phpsysinfo/files/phpsysinfo-3.4.3-cve-2023-49006.patch 
b/www-apps/phpsysinfo/files/phpsysinfo-3.4.3-cve-2023-49006.patch
new file mode 100644
index 000000000000..6bed16996d20
--- /dev/null
+++ b/www-apps/phpsysinfo/files/phpsysinfo-3.4.3-cve-2023-49006.patch
@@ -0,0 +1,44 @@
+From 4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 Mon Sep 17 00:00:00 2001
+From: namiltd <[email protected]>
+Date: Wed, 24 May 2023 10:39:48 +0200
+Subject: [PATCH] Disable JSONP data mode by default for security reasons
+
+---
+ phpsysinfo.ini.new | 7 +++++++
+ read_config.php    | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/phpsysinfo.ini.new b/phpsysinfo.ini.new
+index f2c90f24..25b67c26 100644
+--- a/phpsysinfo.ini.new
++++ b/phpsysinfo.ini.new
+@@ -47,6 +47,13 @@ ADD_PATHS=false
+ ;
+ ALLOWED=false
+ 
++; Enable JSONP data mode (e.g. 
/phpsysinfo/xml.php?plugin=complete&jsonp&callback=getData)
++; Disabled by default for security reasons.
++; - false : JSONP data mode disabled
++; - true : JSONP data mode enabled
++;
++;JSONP=false
++
+ ; List of sudo commands
+ ; Example : SUDO_COMMANDS="iptables-save" //execute "sudo iptables-save" 
instead "iptables-save"
+ ;           SUDO_COMMANDS=false //no sudo commands
+diff --git a/read_config.php b/read_config.php
+index 17d0683a..53fbf38e 100644
+--- a/read_config.php
++++ b/read_config.php
+@@ -89,6 +89,11 @@
+         }
+     }
+ 
++    if (isset($_GET['jsonp']) && (!defined('PSI_JSONP') || !PSI_JSONP)) {
++        echo "JSONP data mode not enabled in phpsysinfo.ini.";
++        die();
++    }
++
+     /* default error handler */
+     if (function_exists('errorHandlerPsi')) {
+         restore_error_handler();
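Review bot: The refusal in the new `jsonp` guard in read_config.php (`echo "JSONP data mode not enabled in phpsysinfo.ini."; die();`) returns the plain-text message with the default 200 status, so clients and access-log monitoring cannot tell a rejected JSONP request from a normal response; consider `http_response_code(403);` before the `echo`. The constant check `!defined('PSI_JSONP') || !PSI_JSONP` is fail-closed and agrees with the commented-out `;JSONP=false` default added to phpsysinfo.ini.new, so nothing needs to change there. The enclosing block in read_config.php starts and ends outside the hunk, so whether any output has already been sent before this point cannot be confirmed here. Because this file carries upstream commit 4f2cee50 verbatim, such an adjustment belongs upstream rather than in the Gentoo-side copy of the patch.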

diff --git a/www-apps/phpsysinfo/phpsysinfo-3.4.3.ebuild 
b/www-apps/phpsysinfo/phpsysinfo-3.4.3-r1.ebuild
similarity index 94%
rename from www-apps/phpsysinfo/phpsysinfo-3.4.3.ebuild
rename to www-apps/phpsysinfo/phpsysinfo-3.4.3-r1.ebuild
index bfc4f8956f79..9c6a04a29c14 100644
--- a/www-apps/phpsysinfo/phpsysinfo-3.4.3.ebuild
+++ b/www-apps/phpsysinfo/phpsysinfo-3.4.3-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -16,6 +16,8 @@ RDEPEND="
        virtual/httpd-php
 "
 
+PATCHES=( "${FILESDIR}/${PN}-3.4.3-cve-2023-49006.patch" )
+
 need_httpd_cgi
 
 src_install() {
