From 6c1dfcb9214ecbf010719a846c8b3b8ea38f2653 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Wed, 27 Mar 2019 16:06:47 +0100
Subject: add security fix backported from 9.4.1:
[security] Bad chevrons rendering on dropdowns
[security] Iframe and forms are rendered in rich text contents
[security] Type juggling authentication bypass
[security] Malicious images upload
[security] Password token date was not reset
[security] Prevent timed attack and enforce cookie security
---
 glpi.spec | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
(limited to 'glpi.spec')
diff --git a/glpi.spec b/glpi.spec
index 618bfd1..f5d2159 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -1,6 +1,6 @@
 # Fedora/remirepo spec file for glpi
 #
-# Copyright (c) 2007-2018 Remi Collet
+# Copyright (c) 2007-2019 Remi Collet
 # License: CC-BY-SA
 # http://creativecommons.org/licenses/by-sa/4.0/
 #
@@ -56,7 +56,7 @@ Name: %{gh_project}
 #global upstream_prever RC2
 # use 9.3.0~RC2 < 9.3 (for plugin compatibility check)
 Version: %{upstream_version}%{?upstream_prever:~%{upstream_prever}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Free IT asset management software
 Summary(fr): Gestion Libre de Parc Informatique
@@ -76,6 +76,12 @@ Source6: %{name}-minify.php
 # Override PHP configuration for php-fpm
 Source7: %{name}-user.ini
+# Security patches backported from 9.4
+# https://github.com/glpi-project/glpi/pull/5606 merged
+Patch1: glpi-security1.patch
+# Backports
+Patch2: glpi-security2.patch
+
 BuildArch: noarch
 BuildRequires: gettext
 BuildRequires: php-cli
@@ -308,6 +314,9 @@ techniciens grâce à une maintenance plus cohérente.
 %prep
 %setup -q -n %{name}-%{gh_commit}
+%patch1 -p1 -b .secfix
+%patch2 -p1 -b .secfix
+find . -name \*.secfix -delete -print
 grep %{upstream_version} inc/define.php
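Review bot: Patch2 in the Source/Patch hunk is introduced with only `# Backports`, while Patch1 cites the upstream pull request it was merged from; for a security backport the spec should name the upstream commits or advisory items each patch carries, so a later maintainer can verify what was applied and know when the patch can be dropped on update. Suggest replacing that comment with `# Backports of the remaining 9.4.1 security fixes (upstream commits: <UPSTREAM-COMMIT-IDS>)`, or listing under each Patch line which of the six items named in the changelog it covers. In the %prep hunk both `%patch` calls use the same `-b .secfix` backup suffix; this is harmless only because the `find . -name \*.secfix -delete -print` that follows removes the backups, and if the two patches touch the same file the first backup is, as far as I can tell, silently overwritten, so distinct suffixes per patch would be cleaner as a matter of style. The %prep section continues outside the hunk.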
@@ -595,6 +604,15 @@ fi
 %changelog
+* Wed Mar 27 2019 Remi Collet - 9.3.3-2
+- add security fix backported from 9.4.1:
+ [security] Bad chevrons rendering on dropdowns
+ [security] Iframe and forms are rendered in rich text contents
+ [security] Type juggling authentication bypass
+ [security] Malicious images upload
+ [security] Password token date was not reset
+ [security] Prevent timed attack and enforce cookie security
+
 * Tue Nov 27 2018 Remi Collet - 9.3.3-1
 - update to 9.3.3
-- cgit