Security bug in mahara-1.0.4-3: upload to testing-proposed-updates?

To: debian-release@lists.debian.org
Cc: pkg-debian@mahara.org
Subject: Security bug in mahara-1.0.4-3: upload to testing-proposed-updates?
From: Francois Marier <francois@debian.org>
Date: Wed, 4 Feb 2009 15:01:03 +1300
Message-id: <20090204020103.GA27435@isafjordur.dyndns.org>

(Please CC me on your replies, thanks!)

Hello,

The version of mahara that's in lenny (1.0.4-3) has an XSS vulnerability as
reported in the release notes:

  http://mahara.org/interaction/forum/topic.php?id=198

(no Debian bug or CVE number for it at the moment)

There is a new upstream release (1.0.9) containing these fixes in
sid. However, given that it contains other non-security changes, I have also
prepared a patched 1.0.4 version for lenny.

I have attached the very small debdiff between -3 and -4 to this email.

Please let me know whether I should upload 1.0.4-4 to
testing-proposed-updates or whether you prefer to unblock the package that's
in sid.

Cheers,
Francois

diff -u mahara-1.0.4/debian/changelog mahara-1.0.4/debian/changelog
--- mahara-1.0.4/debian/changelog
+++ mahara-1.0.4/debian/changelog
@@ -1,3 +1,12 @@
+mahara (1.0.4-4) testing-proposed-updates; urgency=low
+
+  * Fix XSS issues in forum descriptions and posts, backported from
+    these upstream commits:
+      a3a3824aadcaebd6e416d5b18b1f1129c0f30cac
+      b86d471361456a9b7c58492121feb1ae85222ada
+
+ -- Francois Marier <francois@debian.org>  Wed, 04 Feb 2009 14:51:32 +1300
+
 mahara (1.0.4-3) testing-proposed-updates; urgency=high
 
   * Depend on libphp-snoopy instead of using the embedded copy shipped
only in patch2:
unchanged:
--- mahara-1.0.4.orig/htdocs/interaction/forum/theme/default/view.tpl
+++ mahara-1.0.4/htdocs/interaction/forum/theme/default/view.tpl
@@ -8,7 +8,7 @@
 <div id="viewforum">
 <table id="forumdescription">
 <tr>
-	<td>{$forum->description}</td>
+	<td>{$forum->description|clean_text}</td>
 {if $admin}
 	<td align="right" class="nowrap">
 	<a href="{$WWWROOT}interaction/edit.php?id={$forum->id|escape}" class="btn-editdk">{str tag="edittitle" section="interaction.forum"}</a></td>
only in patch2:
unchanged:
--- mahara-1.0.4.orig/htdocs/interaction/forum/theme/default/simplepost.tpl
+++ mahara-1.0.4/htdocs/interaction/forum/theme/default/simplepost.tpl
@@ -19,6 +19,6 @@
 {$post->poster|display_name|escape}</a></h5>
 	<div><img src="{$WWWROOT}thumb.php?type=profileicon&amp;maxsize=100&amp;id={$post->poster}" alt=""></div>
 	<h5>{$post->postcount}</h5></td>
-	<td>{$post->body}</td>
+	<td>{$post->body|clean_text}</td>
 </tr>
 </table>
\ No newline at end of file

Reply to:

Follow-Ups:
- Re: Security bug in mahara-1.0.4-3: upload to testing-proposed-updates?
  - From: Luk Claes <luk@debian.org>

Prev by Date: Re: Permission to upload geordi 0:20080725T0146-1+lenny1?
Next by Date: Please unblock gnu-fdisk 1.2-1
Previous by thread: Re: Permission to upload geordi 0:20080725T0146-1+lenny1?
Next by thread: Re: Security bug in mahara-1.0.4-3: upload to testing-proposed-updates?
Index(es):
- Date
- Thread