diff --git a/moodle-1.8.8-CVE-2009-1171-1.patch b/moodle-1.8.8-CVE-2009-1171-1.patch
new file mode 100644
index 0000000..ed5ed6e
--- /dev/null
+++ b/moodle-1.8.8-CVE-2009-1171-1.patch
@@ -0,0 +1,39 @@
+--- filter/tex/filter.php.orig 2009/02/17 05:24:35 1.18.4.4
++++ filter/tex/filter.php 2009/03/26 19:06:29 1.18.4.5
+@@ -120,6 +120,16 @@
+ $text = str_replace($matches[0][$i],$replacement,$text);
+ }
+
++ // TeX blacklist. MDL-18552
++ $tex_blacklist = array(
++ 'include','def','command','loop','repeat','open','toks','output',
++ 'input','catcode','name','^^',
++ '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
++ '\batchmode','\read','\write','csname','\newhelp','\uppercase',
++ '\lowercase','\relax','\aftergroup',
++ '\afterassignment','\expandafter','\noexpand','\special'
++ );
++
+ // TeX expression
+ // or TeX expression
+ // or $$ TeX expression $$
+@@ -155,6 +165,19 @@
+ $align = "text-top";
+ $texexp = preg_replace('/^align=top /','',$texexp);
+ }
++ /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
++ $invalidcommands = array();
++ foreach($tex_blacklist as $command) {
++ if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
++ $invalidcommands[] = $command;
++ }
++ }
++ if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
++ $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
++ $text = str_replace( $matches[0][$i], $invalidstr, $text);
++ continue;
++ }
++ /// Everything is ok, let's process the expression
+ $md5 = md5($texexp);
+ if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {
+ $texcache->filter = 'tex';
diff --git a/moodle-1.8.8-CVE-2009-1171-2.patch b/moodle-1.8.8-CVE-2009-1171-2.patch
new file mode 100644
index 0000000..022f3b1
--- /dev/null
+++ b/moodle-1.8.8-CVE-2009-1171-2.patch
@@ -0,0 +1,225 @@
+--- filter/algebra/algebradebug.php
++++ filter/algebra/algebradebug.php
+@@ -16,6 +16,8 @@
+ }
+ }
+
++ require_once($CFG->dirroot.'/filter/tex/lib.php');
++
+ $CFG->texfilterdir = "filter/tex";
+ $CFG->algebrafilterdir = "filter/algebra";
+ $CFG->algebraimagedir = "filter/algebra";
+@@ -233,6 +235,7 @@ function tex2image($texexp, $md5, $return=false) {
+ }
+ $commandpath = "";
+ $cmd = "";
++ $texexp = tex_sanitize_formula($texexp);
+ $texexp = escapeshellarg($texexp);
+ switch (PHP_OS) {
+ case "Linux":
+--- filter/algebra/pix.php
++++ filter/algebra/pix.php
+@@ -19,6 +19,7 @@
+ // disable moodle specific debug messages
+ disable_debugging();
+
++ require_once($CFG->dirroot.'/filter/tex/lib.php');
+ require_once($CFG->libdir.'/filelib.php');
+
+ $CFG->texfilterdir = 'filter/tex';
+@@ -54,6 +55,7 @@
+ $texexp = str_replace('>','>',$texexp);
+ $texexp = preg_replace('!\r\n?!',' ',$texexp);
+ $texexp = '\Large ' . $texexp;
++ $texexp = tex_sanitize_formula($texexp);
+ $texexp = escapeshellarg($texexp);
+
+ if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS == "Windows")) {
+--- filter/tex/filter.php
++++ filter/tex/filter.php
+@@ -118,16 +118,6 @@ function tex_filter ($courseid, $text) {
+ $text = str_replace($matches[0][$i],$replacement,$text);
+ }
+
+- // TeX blacklist. MDL-18552
+- $tex_blacklist = array(
+- 'include','def','command','loop','repeat','open','toks','output',
+- 'input','catcode','name','^^',
+- '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
+- '\batchmode','\read','\write','csname','\newhelp','\uppercase',
+- '\lowercase','\relax','\aftergroup',
+- '\afterassignment','\expandafter','\noexpand','\special'
+- );
+-
+ // TeX expression
+ // or $$ TeX expression $$
+ // or \[ TeX expression \] // original tag of MathType and TeXaide (dlnsk)
+@@ -148,19 +138,6 @@ function tex_filter ($courseid, $text) {
+ $align = "text-top";
+ $texexp = preg_replace('/^align=top /','',$texexp);
+ }
+- /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
+- $invalidcommands = array();
+- foreach($tex_blacklist as $command) {
+- if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
+- $invalidcommands[] = $command;
+- }
+- }
+- if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
+- $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
+- $text = str_replace( $matches[0][$i], $invalidstr, $text);
+- continue;
+- }
+- /// Everything is ok, let's process the expression
+ $md5 = md5($texexp);
+ if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {
+ $texcache->filter = 'tex';
+--- filter/tex/latex.php
++++ filter/tex/latex.php
+@@ -44,9 +44,11 @@
+ * @return string the latex document
+ */
+ function construct_latex_document( $formula, $fontsize=12 ) {
+- // $fontsize don't affects to formula's size. $density can change size
+-
+ global $CFG;
++
++ $formula = tex_sanitize_formula($formula);
++
++ // $fontsize don't affects to formula's size. $density can change size
+ $doc = "\\documentclass[{$fontsize}pt]{article}\n";
+ $doc .= $CFG->filter_tex_latexpreamble;
+ $doc .= "\\pagestyle{empty}\n";
+--- /dev/null
++++ filter/tex/lib.php
+@@ -0,0 +1,37 @@
++dataroot/filter/tex")) {
++ remove_dir("$CFG->dataroot/filter/tex");
++ }
++ if (file_exists("$CFG->dataroot/filter/algebra")) {
++ remove_dir("$CFG->dataroot/filter/algebra");
++ }
++ if (file_exists("$CFG->dataroot/temp/latex")) {
++ remove_dir("$CFG->dataroot/temp/latex");
++ }
++
++ delete_records('cache_filters', 'filter', 'tex');
++ delete_records('cache_filters', 'filter', 'algebra');
++}
++
++?>
+\ No newline at end of file
+--- filter/tex/pix.php
++++ filter/tex/pix.php
+@@ -20,8 +20,9 @@
+ disable_debugging();
+
+ require_once($CFG->libdir.'/filelib.php');
++ require_once($CFG->dirroot.'/filter/tex/lib.php');
++ require_once($CFG->dirroot.'/filter/tex/latex.php');
+ require_once('defaultsettings.php' );
+- require_once('latex.php');
+
+ $CFG->texfilterdir = 'filter/tex';
+ $CFG->teximagedir = 'filter/tex';
+@@ -69,6 +70,7 @@
+ $texexp = str_replace('>','>',$texexp);
+ $texexp = preg_replace('!\r\n?!',' ',$texexp);
+ $texexp = '\Large ' . $texexp;
++ $texexp = tex_sanitize_formula($texexp);
+ $texexp = escapeshellarg($texexp);
+
+ if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS == "Windows")) {
+--- filter/tex/texdebug.php
++++ filter/tex/texdebug.php
+@@ -4,7 +4,6 @@
+ // and uses mimeTeX to create the image file
+
+ require_once("../../config.php");
+- require( 'latex.php' );
+
+ if (empty($CFG->textfilters)) {
+ error ('Filter not enabled!');
+@@ -15,6 +14,9 @@
+ }
+ }
+
++ require_once($CFG->dirroot.'/filter/tex/lib.php');
++ require_once($CFG->dirroot.'/filter/tex/latex.php');
++
+ $CFG->texfilterdir = "filter/tex";
+ $CFG->teximagedir = "filter/tex";
+
+@@ -141,6 +143,7 @@
+ }
+ $commandpath = "";
+ $cmd = "";
++ $texexp = tex_sanitize_formula($texexp);
+ $texexp = escapeshellarg($texexp);
+ switch (PHP_OS) {
+ case "Linux":
+--- filter/tex/texed.php
++++ filter/tex/texed.php
+@@ -6,6 +6,7 @@
+ $nomoodlecookie = true; // Because it interferes with caching
+
+ require_once("../../config.php");
++ require_once($CFG->dirroot.'/filter/tex/lib.php');
+
+ if (empty($CFG->textfilters)) {
+ error ('Filter not enabled!');
+@@ -32,6 +33,7 @@
+ make_upload_directory($CFG->teximagedir);
+ }
+ $pathname = "$CFG->dataroot/$CFG->teximagedir/$image";
++ $texexp = tex_sanitize_formula($texexp);
+ $texexp = escapeshellarg($texexp);
+
+ switch (PHP_OS) {
+--- lib/db/upgrade.php
++++ lib/db/upgrade.php
+@@ -775,6 +775,11 @@ function xmldb_main_upgrade($oldversion=0) {
+ $db->debug = true;
+ }
+
++ if ($result && $oldversion < 2007021581) {
++ require_once("$CFG->dirroot/filter/tex/lib.php");
++ filter_tex_updatedcallback(null);
++ }
++
+ return $result;
+
+ }
+--- version.php
++++ version.php
+@@ -6,7 +6,7 @@
+ // This is compared against the values stored in the database to determine
+ // whether upgrades should be performed (see lib/db/*.php)
+
+- $version = 2007021580; // YYYYMMDD = date of the 1.8 branch (don't change)
++ $version = 2007021581; // YYYYMMDD = date of the 1.8 branch (don't change)
+ // X = release number 1.8.[0,1,2,3...]
+ // Y = micro-increments between releases
+
diff --git a/moodle.spec b/moodle.spec
index bf4b8d3..4af888e 100644
--- a/moodle.spec
+++ b/moodle.spec
@@ -1,3 +1,4 @@
+%define _default_patch_fuzz 2
%define moodlewebdir %{_var}/www/moodle/web
%define moodledatadir %{_var}/www/moodle/data
@@ -7,7 +8,7 @@
Name: moodle
Version: 1.8.8
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: A Course Management System
Group: Applications/Publishing
@@ -102,6 +103,9 @@ Source83: http://download.moodle.org/lang16/uz_utf8.zip
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
+Patch0: moodle-1.8.8-CVE-2009-1171-1.patch
+Patch1: moodle-1.8.8-CVE-2009-1171-2.patch
+
BuildRequires: unzip
Requires: php-gd vixie-cron mimetex perl(lib) php-mysql php-xmlrpc
Requires: perl(Encode) perl(Text::Aspell) perl(HTML::Parser) php
@@ -1470,6 +1474,9 @@ sed -i 's/\r//' lib/pclzip/readme.txt
sed -i 's/\r//' mod/wiki/ewiki/README
sed -i 's/\r//' mod/wiki/ewiki/README.de
+%patch0 -p0
+%patch1 -p0
+
%build
rm config-dist.php install.php tags filter/tex/mimetex.* filter/tex/README.mimetex
@@ -1652,6 +1659,9 @@ fi
%{_sbindir}/%{name}-cron
%changelog
+* Thu Apr 02 2009 Jon Ciesla - 1.8.8-3
+- Patch for CVE-2009-1171, BZ 493109.
+
* Mon Feb 23 2009 Jon Ciesla - 1.8.8-2
- Fixed cron.