Bug#687924: moodle: diff for NMU version 2.2.3.dfsg-2.3

2012-09-30 Thread Didier Raboud
tags 687924 + patch
tags 687924 + pending
thanks

Dear maintainer,

I've prepared an NMU for moodle (versioned as 2.2.3.dfsg-2.3) and
uploaded it to DELAYED/1. Please feel free to tell me if I
should delay it longer.

Regards.
diff -Nru moodle-2.2.3.dfsg/debian/changelog moodle-2.2.3.dfsg/debian/changelog
--- moodle-2.2.3.dfsg/debian/changelog	2012-07-23 19:13:58.0 +0200
+++ moodle-2.2.3.dfsg/debian/changelog	2012-09-28 12:58:50.0 +0200
@@ -1,3 +1,22 @@
+moodle (2.2.3.dfsg-2.3) unstable; urgency=low
+
+  * Non-maintainer upload.
+
+  * Backport multiple security issues from upstream's MOODLE_22_STABLE
+branch. (Closes: #687924)
+- MSA-12-0051: MDL-30792 - File upload size constraint issue
+  Fixes CVE-2012-4400
+- MSA-12-0052: MDL-28207 - Course topics permission issue
+  Fixes CVE-2012-4401
+- MSA-12-0053: MDL-34585 - Blog file access issue
+  Fixes CVE-2012-4407
+- MSA-12-0054: MDL-34519 - Course reset permission issue
+  Fixes CVE-2012-4408
+- MSA-12-0055: MDL-34368 - Web service access token issue
+  Fixes CVE-2012-4402
+
+ -- Didier Raboud o...@debian.org  Fri, 28 Sep 2012 12:52:21 +0200
+
 moodle (2.2.3.dfsg-2.2) unstable; urgency=low
 
   * Non-maintainer upload.
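Review bot: the changelog entry lists five backported issues (MSA-12-0051 through MSA-12-0055), but the only patch files visible in this diff are 0009 and 0010, both for MDL-30792; before the NMU leaves DELAYED, confirm that debian/patches/series carries a patch for each of the other four MSAs and that the CVE ids quoted here match the ones in those patch headers. Minor: the continuation lines of the `Backport multiple security issues` bullet and the `- MSA-...` sub-items appear without their leading indentation in this copy, which is worth checking in the actual debian/changelog.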
diff -Nru moodle-2.2.3.dfsg/debian/patches/0009-MDL-30792-Files-API-maxbytes-will-be-set-by-get_max_.patch moodle-2.2.3.dfsg/debian/patches/0009-MDL-30792-Files-API-maxbytes-will-be-set-by-get_max_.patch
--- moodle-2.2.3.dfsg/debian/patches/0009-MDL-30792-Files-API-maxbytes-will-be-set-by-get_max_.patch	1970-01-01 01:00:00.0 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0009-MDL-30792-Files-API-maxbytes-will-be-set-by-get_max_.patch	2012-09-28 12:58:50.0 +0200
@@ -0,0 +1,51 @@
+From ebf253af171efbc5ff3a0074538c85a5edcb2ee2 Mon Sep 17 00:00:00 2001
+From: Rajesh Taneja raj...@moodle.com
+Date: Fri, 3 Aug 2012 11:44:20 +0800
+Subject: [PATCH] MDL-30792 Files API: maxbytes will be set by
+ get_max_upload_file_size if less then 0 or greater then max
+ moodle limit
+
+---
+ repository/filepicker.php  |4 ++--
+ repository/repository_ajax.php |8 ++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/repository/filepicker.php b/repository/filepicker.php
+index 68aee10..610ef13 100644
+--- a/repository/filepicker.php
 b/repository/filepicker.php
+@@ -93,9 +93,9 @@ if ($repository = $DB-get_record_sql($sql, array($repo_id))) {
+ }
+ }
+ 
+-$moodle_maxbytes = get_max_upload_file_size();
++$moodle_maxbytes = get_max_upload_file_size($CFG-maxbytes, $course-maxbytes);
+ // to prevent maxbytes greater than moodle maxbytes setting
+-if ($maxbytes == 0 || $maxbytes=$moodle_maxbytes) {
++if (($maxbytes = 0) || ($maxbytes = $moodle_maxbytes)) {
+ $maxbytes = $moodle_maxbytes;
+ }
+ 
+diff --git a/repository/repository_ajax.php b/repository/repository_ajax.php
+index b7793c8..b7f76d1 100644
+--- a/repository/repository_ajax.php
 b/repository/repository_ajax.php
+@@ -83,9 +83,13 @@ if (!$repository = $DB-get_record_sql($sql, array($repo_id))) {
+ /// Check permissions
+ repository::check_capability($contextid, $repository);
+ 
+-$moodle_maxbytes = get_max_upload_file_size();
++$coursemaxbytes = 0;
++if (!empty($course)) {
++   $coursemaxbytes = $course-maxbytes;
++}
++$moodle_maxbytes = get_max_upload_file_size($CFG-maxbytes, $coursemaxbytes);
+ // to prevent maxbytes greater than moodle maxbytes setting
+-if ($maxbytes == 0 || $maxbytes=$moodle_maxbytes) {
++if (($maxbytes = 0) || ($maxbytes = $moodle_maxbytes)) {
+ $maxbytes = $moodle_maxbytes;
+ }
+ 
+-- 
+1.7.10.4
+
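Review bot: the comparison operators in this copy of the upstream patch have been lost: `if (($maxbytes = 0) || ($maxbytes = $moodle_maxbytes))` reads as two assignments, and `$DB-get_record_sql` has lost its `->`. The commit subject states the intent (`less then 0 or greater then max moodle limit`), so the on-disk debian/patches/0009 file should be diffed against upstream commit ebf253af171efbc5ff3a0074538c85a5edcb2ee2 and pushed with quilt rather than trusted from this mail.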
diff -Nru moodle-2.2.3.dfsg/debian/patches/0010-MDL-30792-Files-API-Cleaner-approach-to-get-maxbytes.patch moodle-2.2.3.dfsg/debian/patches/0010-MDL-30792-Files-API-Cleaner-approach-to-get-maxbytes.patch
--- moodle-2.2.3.dfsg/debian/patches/0010-MDL-30792-Files-API-Cleaner-approach-to-get-maxbytes.patch	1970-01-01 01:00:00.0 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0010-MDL-30792-Files-API-Cleaner-approach-to-get-maxbytes.patch	2012-09-28 12:58:50.0 +0200
@@ -0,0 +1,74 @@
+From f7c9e3bb18e9e7fa06dff625042bf9572d709d45 Mon Sep 17 00:00:00 2001
+From: Rajesh Taneja raj...@moodle.com
+Date: Fri, 3 Aug 2012 11:47:44 +0800
+Subject: [PATCH] MDL-30792 Files API: Cleaner approach to get maxbytes size
+ in filepicker
+
+---
+ lib/moodlelib.php  |6 +++---
+ repository/filepicker.php  |7 ++-
+ repository/repository_ajax.php |7 ++-
+ 3 files changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/lib/moodlelib.php b/lib/moodlelib.php
+index 465226a..08b34ee 100644
+--- a/lib/moodlelib.php
 b/lib/moodlelib.php
+@@ -5728,15 +5728,15 @@ function get_max_upload_file_size($sitebytes=0, $coursebytes=0, $modulebytes=0)
+ }
+ }
+ 
+-if ($sitebytes and $sitebytes  $minimumsize) {
++if (($sitebytes  0) and ($sitebytes  $minimumsize)) {
+ $minimumsize = $sitebytes;
+ }
+ 
+-if ($coursebytes and 
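Review bot: this patch file is cut off mid-hunk at `-if ($coursebytes and`, so the remainder of the lib/moodlelib.php change and the two repository/ hunks announced by `3 files changed` cannot be reviewed from this message; the complete 0010 patch is attached in the follow-up mail and should be reviewed there.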

Bug#687924: moodle: diff for NMU version 2.2.3.dfsg-2.3

2012-09-30 Thread Didier 'OdyX' Raboud
On Sunday, 30 September 2012 at 15:45:03, Didier Raboud wrote:
> tags 687924 + patch
> tags 687924 + pending
> thanks
> 
> Dear maintainer,
> 
> I've prepared an NMU for moodle (versioned as 2.2.3.dfsg-2.3) and
> uploaded it to DELAYED/1. Please feel free to tell me if I
> should delay it longer.

… and to help reviewing, these are the patches, cherry-picked from upstream's 
branch if you want to comment.

Cheers,

OdyX
From ebf253af171efbc5ff3a0074538c85a5edcb2ee2 Mon Sep 17 00:00:00 2001
From: Rajesh Taneja raj...@moodle.com
Date: Fri, 3 Aug 2012 11:44:20 +0800
Subject: [PATCH] MDL-30792 Files API: maxbytes will be set by
 get_max_upload_file_size if less then 0 or greater then max
 moodle limit

---
 repository/filepicker.php  |4 ++--
 repository/repository_ajax.php |8 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/repository/filepicker.php b/repository/filepicker.php
index 68aee10..610ef13 100644
--- a/repository/filepicker.php
+++ b/repository/filepicker.php
@@ -93,9 +93,9 @@ if ($repository = $DB-get_record_sql($sql, array($repo_id))) {
 }
 }
 
-$moodle_maxbytes = get_max_upload_file_size();
+$moodle_maxbytes = get_max_upload_file_size($CFG-maxbytes, $course-maxbytes);
 // to prevent maxbytes greater than moodle maxbytes setting
-if ($maxbytes == 0 || $maxbytes=$moodle_maxbytes) {
+if (($maxbytes = 0) || ($maxbytes = $moodle_maxbytes)) {
 $maxbytes = $moodle_maxbytes;
 }
 
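Review bot: `$course->maxbytes` (rendered as `$course-maxbytes` in this copy) is dereferenced unconditionally here, whereas the same commit guards the identical lookup in repository/repository_ajax.php with `if (!empty($course))`. If filepicker.php can be reached with `$course` unset, this line emits a PHP notice and passes a null course limit; either add the same guard or state why `$course` is always populated on this path.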
diff --git a/repository/repository_ajax.php b/repository/repository_ajax.php
index b7793c8..b7f76d1 100644
--- a/repository/repository_ajax.php
+++ b/repository/repository_ajax.php
@@ -83,9 +83,13 @@ if (!$repository = $DB-get_record_sql($sql, array($repo_id))) {
 /// Check permissions
 repository::check_capability($contextid, $repository);
 
-$moodle_maxbytes = get_max_upload_file_size();
+$coursemaxbytes = 0;
+if (!empty($course)) {
+   $coursemaxbytes = $course-maxbytes;
+}
+$moodle_maxbytes = get_max_upload_file_size($CFG-maxbytes, $coursemaxbytes);
 // to prevent maxbytes greater than moodle maxbytes setting
-if ($maxbytes == 0 || $maxbytes=$moodle_maxbytes) {
+if (($maxbytes = 0) || ($maxbytes = $moodle_maxbytes)) {
 $maxbytes = $moodle_maxbytes;
 }
 
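Review bot: the hand-written clamp `if (($maxbytes ... 0) || ($maxbytes ... $moodle_maxbytes))` (operators are stripped in this rendering) duplicates what `get_max_upload_file_size($sitebytes, $coursebytes, $modulebytes)` already computes when given a third argument, so `$maxbytes` could simply be passed as `$modulebytes` and the boundary handling kept in one place; the follow-up commit takes exactly that route, which makes this intermediate version largely redundant for the backport.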
-- 
1.7.10.4

From f7c9e3bb18e9e7fa06dff625042bf9572d709d45 Mon Sep 17 00:00:00 2001
From: Rajesh Taneja raj...@moodle.com
Date: Fri, 3 Aug 2012 11:47:44 +0800
Subject: [PATCH] MDL-30792 Files API: Cleaner approach to get maxbytes size
 in filepicker

---
 lib/moodlelib.php  |6 +++---
 repository/filepicker.php  |7 ++-
 repository/repository_ajax.php |7 ++-
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 465226a..08b34ee 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -5728,15 +5728,15 @@ function get_max_upload_file_size($sitebytes=0, $coursebytes=0, $modulebytes=0)
 }
 }
 
-if ($sitebytes and $sitebytes  $minimumsize) {
+if (($sitebytes  0) and ($sitebytes  $minimumsize)) {
 $minimumsize = $sitebytes;
 }
 
-if ($coursebytes and $coursebytes  $minimumsize) {
+if (($coursebytes  0) and ($coursebytes  $minimumsize)) {
 $minimumsize = $coursebytes;
 }
 
-if ($modulebytes and $modulebytes  $minimumsize) {
+if (($modulebytes  0) and ($modulebytes  $minimumsize)) {
 $minimumsize = $modulebytes;
 }
 
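Review bot: replacing `$sitebytes and ...` with `($sitebytes  0) and ...` (presumably `> 0`, the operator is stripped here) changes the test from "non-zero" to "positive": a negative limit is truthy in PHP and previously took part in the minimum computation, now it is ignored. That is the substance of the size-constraint fix, but the function's documentation should state that non-positive arguments mean "no limit", and a unit test passing a negative `$modulebytes` would keep this from regressing.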
diff --git a/repository/filepicker.php b/repository/filepicker.php
index 610ef13..fa759c5 100644
--- a/repository/filepicker.php
+++ b/repository/filepicker.php
@@ -93,11 +93,8 @@ if ($repository = $DB-get_record_sql($sql, array($repo_id))) {
 }
 }
 
-$moodle_maxbytes = get_max_upload_file_size($CFG-maxbytes, $course-maxbytes);
-// to prevent maxbytes greater than moodle maxbytes setting
-if (($maxbytes = 0) || ($maxbytes = $moodle_maxbytes)) {
-$maxbytes = $moodle_maxbytes;
-}
+// Make sure maxbytes passed is within site filesize limits.
+$maxbytes = get_max_upload_file_size($CFG-maxbytes, $coursemaxbytes, $maxbytes);
 
 $params = array('ctx_id' = $contextid, 'itemid' = $itemid, 'env' = $env, 'course'=$courseid, 'maxbytes'=$maxbytes, 'maxfiles'=$maxfiles, 'subdirs'=$subdirs, 'sesskey'=sesskey());
 $params['action'] = 'browse';
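Review bot: the new call passes `$coursemaxbytes`, but nothing in this hunk or its context defines that variable in repository/filepicker.php; the removed line used `$course->maxbytes` directly, and the `$coursemaxbytes = 0; if (!empty($course)) { ... }` block exists only in repository_ajax.php (visible as context in the next hunk). Unless filepicker.php assigns `$coursemaxbytes` earlier in the file, PHP raises an undefined-variable notice and passes null, which the new `> 0` checks treat as "no course limit", so the course-level cap silently disappears. Please confirm, or add the same guarded assignment before this line.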
diff --git a/repository/repository_ajax.php b/repository/repository_ajax.php
index b7f76d1..f8c9fe5 100644
--- a/repository/repository_ajax.php
+++ b/repository/repository_ajax.php
@@ -87,11 +87,8 @@ $coursemaxbytes = 0;
 if (!empty($course)) {
$coursemaxbytes = $course-maxbytes;
 }
-$moodle_maxbytes = get_max_upload_file_size($CFG-maxbytes, $coursemaxbytes);
-// to prevent maxbytes greater than moodle maxbytes setting
-if (($maxbytes = 0) || ($maxbytes = $moodle_maxbytes)) {
-$maxbytes = $moodle_maxbytes;
-}
+// Make sure maxbytes passed is within site filesize limits.
+$maxbytes = get_max_upload_file_size($CFG-maxbytes, $coursemaxbytes, $maxbytes);
 
 /// Wait as long as it takes for this script to finish
 set_time_limit(0);
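Review bot: the comment `Make sure maxbytes passed is within site filesize limits.` understates what the call does, since `$coursemaxbytes` is applied as well; "site and course filesize limits" would be accurate. The context line `$coursemaxbytes = $course-maxbytes;` also shows three-space indentation, which should be aligned with the surrounding four-space style when the patch is refreshed.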
-- 

Bug#687924: moodle: diff for NMU version 2.2.3.dfsg-2.3

2012-09-30 Thread Tomasz Muras

On 09/30/2012 04:24 PM, Didier 'OdyX' Raboud wrote:
> On Sunday, 30 September 2012 at 15:45:03, Didier Raboud wrote:
> > tags 687924 + patch
> > tags 687924 + pending
> > thanks
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for moodle (versioned as 2.2.3.dfsg-2.3) and
> > uploaded it to DELAYED/1. Please feel free to tell me if I
> > should delay it longer.
> 
> … and to help reviewing, these are the patches, cherry-picked from upstream's
> branch if you want to comment.


Much appreciated, thank you for your help OdyX.

Tomek

