diff --git a/moodle-1.9.4-CVE-2009-1171-1.patch b/moodle-1.9.4-CVE-2009-1171-1.patch
new file mode 100644
index 0000000..652cbb5
--- /dev/null
+++ b/moodle-1.9.4-CVE-2009-1171-1.patch
@@ -0,0 +1,39 @@
+--- filter/tex/filter.php.orig 2009/02/17 05:24:35 1.18.4.4
++++ filter/tex/filter.php 2009/03/26 19:06:29 1.18.4.5
+@@ -133,6 +133,16 @@
+ $text = str_replace($matches[0][$i],$replacement,$text);
+ }
+
++ // TeX blacklist. MDL-18552
++ $tex_blacklist = array(
++ 'include','def','command','loop','repeat','open','toks','output',
++ 'input','catcode','name','^^',
++ '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
++ '\batchmode','\read','\write','csname','\newhelp','\uppercase',
++ '\lowercase','\relax','\aftergroup',
++ '\afterassignment','\expandafter','\noexpand','\special'
++ );
++
+ // TeX expression
+ // or TeX expression
+ // or $$ TeX expression $$
+@@ -155,6 +165,19 @@
+ $align = "text-top";
+ $texexp = preg_replace('/^align=top /','',$texexp);
+ }
++ /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
++ $invalidcommands = array();
++ foreach($tex_blacklist as $command) {
++ if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
++ $invalidcommands[] = $command;
++ }
++ }
++ if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
++ $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
++ $text = str_replace( $matches[0][$i], $invalidstr, $text);
++ continue;
++ }
++ /// Everything is ok, let's process the expression
+ $md5 = md5($texexp);
+ if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {
+ $texcache->filter = 'tex';
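Review bot: The `stristr($texexp, $command)` test in the blacklist loop matches bare substrings, so ordinary macros are rejected along with the dangerous ones — `\operatorname{...}` contains the entry `'name'` — and the user gets the `invalidtexcommand` error for a harmless formula. Every line this patch adds to filter.php is removed again by moodle-1.9.4-CVE-2009-1171-2.patch (its first two hunks are the exact inverse of these), so with both patches applied in order the built package carries none of this check; dropping Patch1 from the spec, or folding it into Patch2, would give the same result with less to audit. If it is kept, the list needs a comment stating how it is matched, e.g. `// Case-insensitive substring match: an entry rejects any expression that contains it anywhere, including legitimate macros such as \operatorname.` The enclosing function `tex_filter` starts before this hunk.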
diff --git a/moodle-1.9.4-CVE-2009-1171-2.patch b/moodle-1.9.4-CVE-2009-1171-2.patch
new file mode 100644
index 0000000..3844eed
--- /dev/null
+++ b/moodle-1.9.4-CVE-2009-1171-2.patch
@@ -0,0 +1,107 @@
+--- filter/tex/filter.php.orig
++++ filter/tex/filter.php
+@@ -133,16 +133,6 @@ function tex_filter ($courseid, $text) {
+ $text = str_replace($matches[0][$i],$replacement,$text);
+ }
+
+- // TeX blacklist. MDL-18552
+- $tex_blacklist = array(
+- 'include','def','command','loop','repeat','open','toks','output',
+- 'input','catcode','name','^^',
+- '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
+- '\batchmode','\read','\write','csname','\newhelp','\uppercase',
+- '\lowercase','\relax','\aftergroup',
+- '\afterassignment','\expandafter','\noexpand','\special'
+- );
+-
+ // TeX expression
+ // or TeX expression
+ // or $$ TeX expression $$
+@@ -165,19 +155,6 @@ function tex_filter ($courseid, $text) {
+ $align = "text-top";
+ $texexp = preg_replace('/^align=top /','',$texexp);
+ }
+- /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
+- $invalidcommands = array();
+- foreach($tex_blacklist as $command) {
+- if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
+- $invalidcommands[] = $command;
+- }
+- }
+- if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
+- $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
+- $text = str_replace( $matches[0][$i], $invalidstr, $text);
+- continue;
+- }
+- /// Everything is ok, let's process the expression
+ $md5 = md5($texexp);
+ if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {
+ $texcache->filter = 'tex';
+--- filter/tex/latex.php.orig
++++ filter/tex/latex.php
+@@ -44,9 +44,11 @@
+ * @return string the latex document
+ */
+ function construct_latex_document( $formula, $fontsize=12 ) {
+- // $fontsize don't affects to formula's size. $density can change size
+-
+ global $CFG;
++
++ $formula = tex_sanitize_formula($formula);
++
++ // $fontsize don't affects to formula's size. $density can change size
+ $doc = "\\documentclass[{$fontsize}pt]{article}\n";
+ $doc .= $CFG->filter_tex_latexpreamble;
+ $doc .= "\\pagestyle{empty}\n";
+--- filter/tex/lib.php.orig
++++ filter/tex/lib.php
+@@ -34,8 +34,22 @@ function tex_filter_get_executable($debug=false) {
+ error($error_message1);
+ }
+
++function tex_sanitize_formula($texexp) {
++ /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain)
++ $tex_blacklist = array(
++ 'include','def','command','loop','repeat','open','toks','output',
++ 'input','catcode','name','^^',
++ '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
++ '\batchmode','\read','\write','csname','\newhelp','\uppercase',
++ '\lowercase','\relax','\aftergroup',
++ '\afterassignment','\expandafter','\noexpand','\special'
++ );
++
++ return str_ireplace($tex_blacklist, 'forbiddenkeyword', $texexp);
++}
+
+ function tex_filter_get_cmd($pathname, $texexp) {
++ $texexp = tex_sanitize_formula($texexp);
+ $texexp = escapeshellarg($texexp);
+ $executable = tex_filter_get_executable(false);
+
+--- lib/db/upgrade.php.orig
++++ lib/db/upgrade.php
+@@ -3106,6 +3106,13 @@ function xmldb_main_upgrade($oldversion=0) {
+ upgrade_main_savepoint($result, 2007101542);
+ }
+
++ if ($result && $oldversion < 2007101545.01) {
++ require_once("$CFG->dirroot/filter/tex/lib.php");
++ filter_tex_updatedcallback(null);
++ /// Main savepoint reached
++ upgrade_main_savepoint($result, 2007101545.01);
++ }
++
+ return $result;
+ }
+
+--- version.php.orig
++++ version.php
+@@ -6,7 +6,7 @@
+ // This is compared against the values stored in the database to determine
+ // whether upgrades should be performed (see lib/db/*.php)
+
+- $version = 2007101540; // YYYYMMDD = date of the 1.9 branch (don't change)
++ $version = 2007101545.01; // YYYYMMDD = date of the 1.9 branch (don't change)
+ // X = release number 1.9.[0,1,2,3,4,5...]
+ // Y.YY = micro-increments between releases
+
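Review bot: `tex_sanitize_formula` in lib.php rewrites matches to `forbiddenkeyword` without recording what was dropped, and the error path that filter.php had (`get_string('invalidtexcommand', ...)`) is deleted in the first hunk, so a formula containing a blacklisted substring now renders as unexplained garbage instead of a rejection. The match is still a case-insensitive substring match (`str_ireplace`), so harmless macros are mangled too — `\operatorname` contains `'name'` — and those cases will surface as rendering bugs rather than as a reported filter decision; a debugging() call or error string at the call sites in `tex_filter_get_cmd` and `construct_latex_document` would make them diagnosable. The new function has no docblock; it should state that it is a case-insensitive substring blacklist, that it runs before `escapeshellarg()` in `tex_filter_get_cmd` and before the document is assembled in `construct_latex_document`, that it returns the rewritten string, and that entries are matched anywhere in the expression, not only as whole control sequences. The upgrade step calls `filter_tex_updatedcallback(null)`, which is not shown here; presumably it flushes previously cached renderings so output generated before the sanitizer existed is rebuilt, and that intent belongs in the comment, e.g. `/// Flush the TeX filter cache so entries rendered before tex_sanitize_formula() are regenerated (confirm callback behaviour)`.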
diff --git a/moodle.spec b/moodle.spec
index 85a2874..e299a40 100644
--- a/moodle.spec
+++ b/moodle.spec
@@ -1,3 +1,4 @@
+%define _default_patch_fuzz 2
%define moodlewebdir %{_var}/www/moodle/web
%define moodledatadir %{_var}/www/moodle/data
@@ -7,7 +8,7 @@
Name: moodle
Version: 1.9.4
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: A Course Management System
Group: Applications/Publishing
@@ -104,6 +105,8 @@ Source83: http://download.moodle.org/lang16/uz_utf8.zip
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
Patch0: moodle-1.9.3-rce-texed.patch
+Patch1: moodle-1.9.4-CVE-2009-1171-1.patch
+Patch2: moodle-1.9.4-CVE-2009-1171-2.patch
BuildRequires: unzip
Requires: php-gd vixie-cron mimetex perl(lib) php-mysql php-xmlrpc
@@ -1478,6 +1481,8 @@ sed -i 's/\r//' mod/wiki/ewiki/README
sed -i 's/\r//' mod/wiki/ewiki/README.de
%patch0 -p0
+%patch1 -p0
+%patch2 -p0
%build
rm config-dist.php install.php tags filter/tex/mimetex.* filter/tex/README.mimetex
@@ -1689,6 +1694,9 @@ fi
%{_sbindir}/%{name}-cron
%changelog
+* Wed Apr 01 2009 Jon Ciesla - 1.9.4-6
+- Patch for CVE-2009-1171, BZ 493109.
+
* Tue Mar 24 2009 Jon Ciesla - 1.9.4-5
- Update for freefont->gnu-free-fonts change.