Bug#471158: ships embedded copy of smarty with security bug

2008-10-06 Thread Gerfried Fuchs
* Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-10-06 12:05:21 CEST]:
> On Mon, October 6, 2008 11:12, Gerfried Fuchs wrote:
> > Copy to debian-release because this question is rather a question to
> > the release team, even though it's extremely late and hope is pretty low
> > ...
> >
> > * Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-03-19 20:15:43 CET]:
> >> You would not interfere with any work from our (security team) point of
> >> view. Moodle does not use the code of this specific vulnerability so no
> >> patch is needed.
> >
> > Thijs, do I perceive it correctly that you just forgot to lower the
> > severity of this bugreport?
> 
> I'm not sure where you see that the severity is unjustified? As far as I
> know it still contains and uses an embedded code copy which is present as
> a separate package in the archive. I think that is a serious issue and
> don't see why it should go unresolved.

 You said yourself that the code of this vulnerability isn't used so I
don't understand how you can call this one justified. Yes, it contains
an embedded code copy, but it's not the only package that does and not
all get ripped off, and it's not like it's a hidden and unknown copy.

 Said that, on the other hand I regret to have sent this mail/request,
haven't thought about past security-wise history of moodle and that the
package is lagging behind quite some bugfix releases - so I'm absolutely
fine with keeping it out until someone really up to the job keeps track
of this mess, and:

> There are many more open security issues in stable:
> http://security-tracker.debian.net/tracker/source-package/moodle

 ... and able to help to extract the relevant bits to ease the security
team's work. 
is there about this, and hopefully it will work out this time. If the
team performs well I'm probably willing to provide backports ...

> Security issues are frequent in this package so it needs an active
> maintainer to keep up with it, which it currently hasn't got.

 Right, and sorry for having acted blindfolded. It's often a thin line
between usefulness and painfulness and I forgot about the other part
here ...

 I take back my request, sorry for the fuss.
Rhonda



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#471158: ships embedded copy of smarty with security bug

2008-10-06 Thread Thijs Kinkhorst
On Mon, October 6, 2008 11:12, Gerfried Fuchs wrote:
> Hi!
>
>
> Copy to debian-release because this question is rather a question to
> the release team, even though it's extremely late and hope is pretty low
> ...
>
>
> * Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-03-19 20:15:43 CET]:
>
>> On Wednesday 19 March 2008 18:45, Christian Perrier wrote:
>>
>>> So, would an NMU *not* covering the security issue interfere with a
>>> security update ?
>>>
>>> Again, I'd be happy to do the security update but I need a patch. I
>>> tried to have a look at the issue but it requires skills I don't have.
>>>
>>
>> You would not interfere with any work from our (security team) point of
>> view. Moodle does not use the code of this specific vulnerability so no
>> patch is needed.
>>
>> The bug itself stays open until the embedded smarty code has been
>> removed, because a next smarty bug could of course affect moodle.
>
> Thijs, do I perceive it correctly that you just forgot to lower the
> severity of this bugreport? From what I see this bug doesn't really justify
> keeping moodle out of the release. Unfortunately this hasn't been addressed
> in months (no one tracking this package seems to actually have cared?!) so I
> would be surprised if the release team would allow it back into lenny.
>
> On the other hand, the package hasn't changed at all since then, and
> that it got removed because of this bugreport which was mistakenly left at
> high severity seems like it had been an unfortunate error itself, too.
> Would it be possible to get moodle back into lenny given that the
> only reason (to my knowledge) was this mistakenly high severe set bugreport
> and no other serious or higher bugreports were filed against this package
> in months?

I'm not sure where you see that the severity is unjustified? As far as I
know it still contains and uses an embedded code copy which is present as
a separate package in the archive. I think that is a serious issue and
don't see why it should go unresolved.

It has a similar problem with libphp-phpmailer. It has an XSS bug open
without any action for months. It has had three NMUs in a row. It's
currently orphaned, new maintainership is there but is only just starting
up as it seems.

There are many more open security issues in stable:
http://security-tracker.debian.net/tracker/source-package/moodle

Security issues are frequent in this package so it needs an active
maintainer to keep up with it, which it currently hasn't got.


Thijs







Bug#471158: ships embedded copy of smarty with security bug

2008-10-06 Thread Gerfried Fuchs
Hi!

 Copy to debian-release because this question is rather a question to
the release team, even though it's extremely late and hope is pretty low
...

* Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-03-19 20:15:43 CET]:
> On Wednesday 19 March 2008 18:45, Christian Perrier wrote:
> > So, would an NMU *not* covering the security issue interfere with a
> > security update ?
> >
> > Again, I'd be happy to do the security update but I need a patch. I
> > tried to have a look at the issue but it requires skills I don't have.
> 
> You would not interfere with any work from our (security team) point of view. 
> Moodle does not use the code of this specific vulnerability so no patch is 
> needed.
> 
> The bug itself stays open until the embedded smarty code has been removed, 
> because a next smarty bug could of course affect moodle.

 Thijs, do I perceive it correctly that you just forgot to lower the
severity of this bugreport? From what I see this bug doesn't really
justify keeping moodle out of the release. Unfortunately this hasn't been
addressed in months (no one tracking this package seems to actually have
cared?!) so I would be surprised if the release team would allow it back
into lenny.

 On the other hand, the package hasn't changed at all since then, and
that it got removed because of this bugreport which was mistakenly left
at high severity seems like it had been an unfortunate error itself,
too. Would it be possible to get moodle back into lenny given that the
only reason (to my knowledge) was this mistakenly high severe set
bugreport and no other serious or higher bugreports were filed against
this package in months?

 Thanks for responses,
Rhonda






Bug#471158: ships embedded copy of smarty with security bug

2008-03-19 Thread Thijs Kinkhorst
On Wednesday 19 March 2008 18:45, Christian Perrier wrote:
> So, would an NMU *not* covering the security issue interfere with a
> security update ?
>
> Again, I'd be happy to do the security update but I need a patch. I
> tried to have a look at the issue but it requires skills I don't have.

You would not interfere with any work from our (security team) point of view. 
Moodle does not use the code of this specific vulnerability so no patch is 
needed.

The bug itself stays open until the embedded smarty code has been removed, 
because a next smarty bug could of course affect moodle.


Thijs




Bug#471158: ships embedded copy of smarty with security bug

2008-03-19 Thread Christian Perrier
Quoting Christian Perrier ([EMAIL PROTECTED]):

> > That means that there's no immediate security problem fortunately, but that 
> > still leaves the problem of removing the embedded smarty code before this 
> > package can be released.
> > 
> > As only this one file uses it, either removing it from that file, or making 
> > that file use the archive copy of smarty are acceptable solutions to this 
> > bug.
> 
> 
> Please note that I recently announced a possible NMU targeted at
> fixing longstanding l10n bugs.
> 
> I have no clue about this specific bug but in case someone provides a
> patch, I'll be happy to include it...in case the package maintainer
> doesn't give news in a timely manner.


There are two days left before the end of my normal delay for l10n
NMUs.

I don't really want to interfere with work on security issues but I
can't also hold this work for too long: there is other stuff to do
and I'd rather not have this rot in my hard disk.

So, would an NMU *not* covering the security issue interfere with a
security update ?

Again, I'd be happy to do the security update but I need a patch. I
tried to have a look at the issue but it requires skills I don't have.








Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Christian Perrier
Quoting Thijs Kinkhorst ([EMAIL PROTECTED]):

> I've checked this file out in detail, and it doesn't use the vulnerable 
> function of this Smarty security bug.
> 
> That means that there's no immediate security problem fortunately, but that 
> still leaves the problem of removing the embedded smarty code before this 
> package can be released.
> 
> As only this one file uses it, either removing it from that file, or making 
> that file use the archive copy of smarty are acceptable solutions to this 
> bug.


Please note that I recently announced a possible NMU targeted at
fixing longstanding l10n bugs.

I have no clue about this specific bug but in case someone provides a
patch, I'll be happy to include it...in case the package maintainer
doesn't give news in a timely manner.






Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Thijs Kinkhorst
On Sunday 16 March 2008 13:36, you wrote:
> Hi Martin,
>
> On Sunday 16 March 2008 12:56, Martin Dougiamas wrote:
> > Actually Moodle doesn't even use smarty (we were going to but we
> > didn't) so this can be completely removed from the code base without
> > any effect.   I'll remove it upstream too.
> >
> > Is it still a security problem to have the script there if we don't use
> > it?
>
> Thanks for your quick response. I see that it's commented out in setup.php,
> however, the following file seems to include and use it:
> question/format/qti2/format.php
>
> Could you comment on that?

I've checked this file out in detail, and it doesn't use the vulnerable 
function of this Smarty security bug.

That means that there's no immediate security problem fortunately, but that 
still leaves the problem of removing the embedded smarty code before this 
package can be released.

As only this one file uses it, either removing it from that file, or making 
that file use the archive copy of smarty are acceptable solutions to this 
bug.


Thijs




Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Thijs Kinkhorst
Hi Martin,

On Sunday 16 March 2008 12:56, Martin Dougiamas wrote:
> Actually Moodle doesn't even use smarty (we were going to but we
> didn't) so this can be completely removed from the code base without
> any effect.   I'll remove it upstream too.
>
> Is it still a security problem to have the script there if we don't use it?

Thanks for your quick response. I see that it's commented out in setup.php, 
however, the following file seems to include and use it:
question/format/qti2/format.php

Could you comment on that?


thanks!
Thijs






Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Martin Dougiamas
Actually Moodle doesn't even use smarty (we were going to but we
didn't) so this can be completely removed from the code base without
any effect.   I'll remove it upstream too.

Is it still a security problem to have the script there if we don't use it?

Cheers,
Martin



On 16/03/2008, Thijs Kinkhorst <[EMAIL PROTECTED]> wrote:
> Package: moodle
>  Severity: grave
>  Tags: security patch
>
>  Hi,
>
>  A security issue has been discovered in Smarty which is also shipped as part
>  of Moodle:
>
>  | The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
>  | by Serendipity (S9Y) and other products, allows attackers to call
>  | arbitrary PHP functions via templates, related to a '0' character in
>  | a search string.
>
>  Please see the original bug in Smarty here: #469492. The patch is very
>  straightforward.
>
>  The right solution here is to not ship Smarty as part of Moodle but make use
>  of the smarty package that is already in the archive, because the security
>  team now has to issue multiple DSAs for this single issue which is obviously
>  problematic.
>
>  Could you please take the following actions:
>  * To address this bug for lenny and sid, please prepare a version of Moodle
>  that works with the archive version of smarty;
>  * For sarge and etch, please prepare updated packages addressing this bug and
>  #432264, which is also still open in sarge/etch.
>
>
>
>  thanks,
>
> Thijs
>
>


-- 
/// Moodle - open-source software for collaborative learning
///
/// Free software, community, information: http://moodle.org
/// Commercial support and other services: http://moodle.com






Bug#471158: ships embedded copy of smarty with security bug

2008-03-16 Thread Thijs Kinkhorst
Package: moodle
Severity: grave
Tags: security patch

Hi,

A security issue has been discovered in Smarty which is also shipped as part 
of Moodle:

| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.

Please see the original bug in Smarty here: #469492. The patch is very 
straightforward.

The right solution here is to not ship Smarty as part of Moodle but make use 
of the smarty package that is already in the archive, because the security 
team now has to issue multiple DSAs for this single issue which is obviously
problematic.

Could you please take the following actions:
* To address this bug for lenny and sid, please prepare a version of Moodle 
that works with the archive version of smarty;
* For sarge and etch, please prepare updated packages addressing this bug and 
#432264, which is also still open in sarge/etch.



thanks,
Thijs


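A defender-side check for the situation this report describes, added here as an example and not code from the thread, from Moodle or from Debian: it walks a source tree, reports every embedded Smarty.class.php with its declared version (flagging anything below 2.6.19, the fixed release named in the report), and lists the PHP files that still include it on a line that is not commented out. The audited tree is constructed inline to mirror the thread (setup.php with the include commented out, question/format/qti2/format.php still loading it); the `var $_version = '...'` pattern and the lib/smarty location are assumptions about Smarty 2.x and Moodle's layout.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (2, 6, 19)  # Smarty releases below this carry the regex_replace bug
# Assumption: Smarty 2.x declares its version in Smarty.class.php as  var $_version = '2.6.18';
VERSION_RE = re.compile(r"""\$_version\s*=\s*['"]([\d.]+)['"]""")
# include/require statements that load a Smarty class file (matched one line at a time)
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*Smarty\.class\.php")
COMMENT_RE = re.compile(r"^\s*(?://|#|\*|/\*)")  # crude line-level comment test only

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def find_embedded_smarty(root):
    """Return [(relative path, version tuple or None)] for every Smarty.class.php under root."""
    root = Path(root)
    found = []
    for path in sorted(root.rglob("Smarty.class.php")):
        m = VERSION_RE.search(path.read_text(errors="replace"))
        version = parse_version(m.group(1)) if m else None
        found.append((path.relative_to(root).as_posix(), version))
    return found

def find_active_includes(root):
    """Return [(relative path, line number)] for include lines that are not commented out."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if INCLUDE_RE.search(line) and not COMMENT_RE.match(line):
                hits.append((path.relative_to(root).as_posix(), lineno))
    return hits

def audit(root):
    copies = find_embedded_smarty(root)
    # A copy whose version cannot be parsed is treated as vulnerable (conservative).
    vulnerable = [(p, v) for p, v in copies if v is None or v < FIXED_VERSION]
    return {"copies": copies, "vulnerable": vulnerable, "active_includes": find_active_includes(root)}

def demo():
    # Constructed tree mirroring the thread: a 2.6.18 copy under lib/smarty, the include
    # commented out in setup.php, but question/format/qti2/format.php still loading it.
    base = Path(tempfile.mkdtemp())
    (base / "lib/smarty").mkdir(parents=True)
    (base / "question/format/qti2").mkdir(parents=True)
    (base / "lib/smarty/Smarty.class.php").write_text("<?php\nclass Smarty {\n    var $_version = '2.6.18';\n}\n")
    (base / "lib/setup.php").write_text("<?php\n// require_once($CFG->libdir . '/smarty/Smarty.class.php');\n")
    (base / "question/format/qti2/format.php").write_text("<?php\nrequire_once($CFG->libdir . '/smarty/Smarty.class.php');\n")
    return audit(base)
```

Run `demo()` to see the constructed tree audited; point `audit()` at an unpacked source package to check a real tree.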