Your message dated Wed, 30 Jun 2010 21:34:44 +0000
with message-id <e1ou4vc-0000py...@ries.debian.org>
and subject line Bug#585425: fixed in moodle 1.9.9-1
has caused the Debian Bug report #585425,
regarding moodle: CVE-2010-1619 cross-site scripting in KSES HTML text cleaning library
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
585425: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585425
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: moodle
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moodle.

CVE-2010-1619[0]:
| Cross-site scripting (XSS) vulnerability in the
| fix_non_standard_entities function in the KSES HTML text cleaning
| library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x
| before 1.9.8, allows remote attackers to inject arbitrary web script
| or HTML via crafted HTML entities.

The function patched in the official upstream patch is not included in our 
version of the source code; a ported (untested) version of the patch is 
attached.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1619
    http://security-tracker.debian.org/tracker/CVE-2010-1619

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
--- weblib.php	2010-06-10 15:03:59.000000000 +0200
+++ weblib.php.new	2010-06-10 15:12:30.000000000 +0200
@@ -1676,8 +1676,8 @@
         default:
 
         /// Fix non standard entity notations
-            $text = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $text);
-            $text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $text);
+            $text = preg_replace('/&#0*([0-9]+);?/', "&#\\1;", $text);
+            $text = preg_replace('/&#x0*([0-9a-fA-F]+);?/', "&#\\1;", $text);
 
         /// Remove tags that are not allowed
             $text = strip_tags($text, $ALLOWED_TAGS);
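Review bot: the hex replacement on the second added line drops the "x": preg_replace('/&#x0*([0-9a-fA-F]+);?/', "&#\\1;", $text) rewrites &#x41; to &#41;, which a browser decodes as ")" instead of "A", so every hexadecimal reference is silently turned into a different (decimal) character. The replacement should be "&#x\\1;" (or the hex value should be converted to decimal before being re-emitted), and given the "untested" caveat in the report this port wants a quick run over a few hex and leading-zero inputs before it ships. The decimal line is correct as written: "0*" sits outside the capture so leading zeros are stripped, and ";?" outside the capture means a terminating semicolon is always re-added.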

Attachment: pgp7PYNq0zSTh.pgp
Description: PGP signature


--- End Message ---
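The reason the patch above canonicalises numeric character references before the cleaning code looks at them can be shown in a few lines. The following is an added Python example, not Moodle's code and not part of the bug report; the function names normalize_numeric_refs, strict_decode and bypasses_strict_filter, the "strict" pattern standing in for a filter that only recognises the canonical spelling, and the VARIANTS inputs are all constructed for this illustration. Python's html.unescape follows the HTML5 rules for numeric references (leading zeros and a missing trailing semicolon are accepted), so it serves as the stand-in for what a browser will actually render.

```python
import html
import re

# Constructed sample inputs: the same character, "<" (U+003C), written as the
# canonical decimal reference and as several non-standard spellings
# (leading zeros, missing semicolon, hexadecimal with leading zeros).
VARIANTS = ["&#60;", "&#0060;", "&#60", "&#x3c;", "&#x003C", "&#X3c"]

# Patterns in the spirit of the weblib.php hunk above: leading zeros outside
# the capture group, optional semicolon outside it.  The hex pattern keeps the
# "x" in the match so the value can be converted correctly.
_DEC = re.compile(r"&#0*([0-9]+);?")
_HEX = re.compile(r"&#[xX]0*([0-9a-fA-F]+);?")

# A deliberately strict decoder standing in for a filter that only
# understands the canonical form: decimal, no leading zeros, semicolon
# required, no hexadecimal.  Anything else passes through undecoded.
_STRICT = re.compile(r"&#([1-9][0-9]{0,6});")


def normalize_numeric_refs(text: str) -> str:
    """Rewrite every numeric character reference to one canonical spelling:
    decimal, no leading zeros, always terminated by ';'.

    Hex references are converted to their decimal value so that a later
    filter has exactly one spelling per code point to recognise.
    """
    text = _HEX.sub(lambda m: "&#%d;" % int(m.group(1), 16), text)
    text = _DEC.sub(lambda m: "&#%d;" % int(m.group(1), 10), text)
    return text


def browser_decodes(text: str) -> str:
    """What an HTML5-conformant parser turns the text into."""
    return html.unescape(text)


def strict_decode(text: str) -> str:
    """Decode only canonical decimal references (the naive filter's view)."""
    return _STRICT.sub(lambda m: chr(int(m.group(1))), text)


def bypasses_strict_filter(text: str) -> bool:
    """True when the browser would see a '<' that the strict decoder misses.

    This is the gap a non-standard entity spelling opens: the filter checks
    the text it can decode, the browser renders the text it can decode, and
    the two disagree.
    """
    return "<" in browser_decodes(text) and "<" not in strict_decode(text)


if __name__ == "__main__":
    for v in VARIANTS:
        print("%-10s browser=%r strict=%r bypass=%s normalized=%s"
              % (v, browser_decodes(v), strict_decode(v),
                 bypasses_strict_filter(v), normalize_numeric_refs(v)))
```

Run as a script it prints one line per variant; every non-canonical spelling bypasses the strict decoder until normalize_numeric_refs has been applied, after which all six collapse to &#60; and the strict decoder sees the same "<" the browser does. The design point is that canonicalisation must happen before, not instead of, the actual cleaning, and must cover every spelling the browser accepts.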
--- Begin Message ---
Source: moodle
Source-Version: 1.9.9-1

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:

moodle_1.9.9-1.debian.tar.gz
  to main/m/moodle/moodle_1.9.9-1.debian.tar.gz
moodle_1.9.9-1.dsc
  to main/m/moodle/moodle_1.9.9-1.dsc
moodle_1.9.9-1_all.deb
  to main/m/moodle/moodle_1.9.9-1_all.deb
moodle_1.9.9.orig.tar.gz
  to main/m/moodle/moodle_1.9.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tomasz Muras <nexor1...@gmail.com> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 23 Jun 2010 21:00:39 +0100
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.9.9-1
Distribution: unstable
Urgency: low
Maintainer: Moodle Packaging Team <pkg-moodle-maintain...@lists.alioth.debian.org>
Changed-By: Tomasz Muras <nexor1...@gmail.com>
Description: 
 moodle     - Course Management System for Online Learning
Closes: 585425 586280
Changes: 
 moodle (1.9.9-1) unstable; urgency=low
 .
   * Rewritten debian/rules
   * Removed unnecessary usr/share/moodle/update-notifier
   * New Upstream Version: 1.9.9
   * New upstream fixes CVE-2010-1619 (closes: #585425)
   * New upstream fixes MSA-10-0011 (closes: #586280)
Checksums-Sha1: 
 8e1bd6d6c913f2f1b68e716c0c71a96c578cca35 1337 moodle_1.9.9-1.dsc
 11f85f3b933bdc211c0590d480eccbd426cb9a31 13729451 moodle_1.9.9.orig.tar.gz
 4d644f30819ce64b71e3cb7aa99451c431a3a926 17362 moodle_1.9.9-1.debian.tar.gz
 82720d646c0c24cd86c1755f9999330a7fb3a5a9 10079970 moodle_1.9.9-1_all.deb
Checksums-Sha256: 
 66e4b09dcc5cc8d136a9590bb99d384825717e272845e3560dff900fabe3b76e 1337 moodle_1.9.9-1.dsc
 da8080f4e161bd262d68320e27d0c80dfee1e9eb6eb32995ee3f5afaba3b8433 13729451 moodle_1.9.9.orig.tar.gz
 8f82700f15fe52b2ba723c3e1da6f2d0158da606ca9739575a0080d99d2008ad 17362 moodle_1.9.9-1.debian.tar.gz
 182a73be3c88d69c524c48a1ae08c8cbad1026ec7b895b4b137cd88efe55e62f 10079970 moodle_1.9.9-1_all.deb
Files: 
 64c8aae6b95fd7efa2c5e45df5b24f3d 1337 web optional moodle_1.9.9-1.dsc
 3cf8f4dca5ed48537a44bc67e4636a15 13729451 web optional moodle_1.9.9.orig.tar.gz
 48091e2504a239cf1c6e37f208fffcfb 17362 web optional moodle_1.9.9-1.debian.tar.gz
 a6c149a34237385ea0ebed298dc4a106 10079970 web optional moodle_1.9.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwrr0QACgkQpDDGqoi7tR5L0QCgoYCg5Z1F44EaxoUFrF//hl/s
qDcAoMXRKnAJ4Fgo6E4rBX7zAWZdXyIQ
=a+7f
-----END PGP SIGNATURE-----



--- End Message ---
