Debdiffs attached, release team cc'd. Sorry for the delay. Had some urgent important interruptions to deal with.
As far as I know, I do not have any upload rights, so I believe this is as far as I can go without assistance. My usual accomplice is busy until next week some time, so if the patches are deemed ok, please proceed to uploading if you can.
diff -Nru mahara-1.5.1/debian/changelog mahara-1.5.1/debian/changelog --- mahara-1.5.1/debian/changelog 2012-10-28 02:11:42.000000000 +0000 +++ mahara-1.5.1/debian/changelog 2012-11-12 23:07:24.000000000 +0000 @@ -1,3 +1,36 @@ + +mahara (1.5.1-3) unstable; urgency=high + + * SECURITY UPDATE: Disable XML entity parsing to prevent XEE + - debian/patches/CVE-2012-2239.patch: upstream patch + + * SECURITY UPDATE: Multiple cross-site scripting vulnerabilities + - Content passed to the error message was not escaped + - Escape pieform errors displayed to users + - debian/patches/CVE-2012-2243-0001.patch: upstream patch + - XHTML files prone to embedded javascript + - Prevent uploaded xhtml files from displaying verbatim + - debian/patches/CVE-2012-2243-0002.patch: upstream patch + + * SECURITY UPDATE: Arbitrary file execution via clam path + - Remove executable bit from existing uploaded files + - debian/patches/CVE-2012-2244-0001.patch: upstream patch + - Ensure future files will not be executable + - debian/patches/CVE-2012-2244-0002.patch: upstream patch + - Remove direct path option from web configuration + - debian/patches/CVE-2012-2244-0003.patch: upstream patch + + * SECURITY UPDATE: Prevent click-jacking attacks + - Add a HTTP header of X-Frame-Options to every page + - debian/patches/CVE-2012-2246.patch: upstream patch + + * SECURITY UPDATE: Prevent SVG images being displayed + - SVG images displayed inline + - Adds SVG files to the list of files to not display by default + - debian/patches/CVE-2012-2247.patch: upstream patch + + -- Melissa Draper <meli...@catalyst.net.nz> Tue, 12 Nov 2012 04:08:09 +0000 + mahara (1.5.1-2.1) unstable; urgency=low * Non-maintainer upload diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2239.patch mahara-1.5.1/debian/patches/CVE-2012-2239.patch --- mahara-1.5.1/debian/patches/CVE-2012-2239.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.5.1/debian/patches/CVE-2012-2239.patch 2012-11-12 23:07:24.000000000 +0000 
@@ -0,0 +1,70 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Description: Disable XML entity parsing +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1047111 +Last-Update: 2012-09-11 + + Fix XML Security bug + + There is a security issue with the default XML parser for PHP, where ENTITY fields are + loaded and substituted in text parts. + + This allows possible attackers to read from internal networks, or files readable by the + web server user. + + This includes reading of the config.php file, which contains sensitive information such + as the database password, and the password salt field. + + The fix for this was to include a call to libxml_disable_entity_loader(true) during the + initialization of a page. This is based on a report from Mike Haworth + + The vulnerability was present in the admin area when uploading Leap2A users, and also in + the user page area where a user could provide a RSS feed with specific XML ENTITY fields. + + More information can be found at the following: + http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities + http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html + +diff --git a/htdocs/blocktype/externalfeed/db/upgrade.php b/htdocs/blocktype/externalfeed/db/upgrade.php +index 90e79f9..a6ba403 100644 +--- a/htdocs/blocktype/externalfeed/db/upgrade.php ++++ b/htdocs/blocktype/externalfeed/db/upgrade.php +@@ -106,5 +106,12 @@ function xmldb_blocktype_externalfeed_upgrade($oldversion=0) { + add_field($table, $field); + } + ++ if ($oldversion < 2011091402) { ++ // Reset all feeds to reset themselves ++ set_field('blocktype_externalfeed_data', 'lastupdate', db_format_timestamp('0')); ++ safe_require('blocktype', 'externalfeed'); ++ call_static_method('PluginBlocktypeExternalfeed', 'refresh_feeds'); ++ } ++ + return true; + } +diff --git a/htdocs/blocktype/externalfeed/version.php b/htdocs/blocktype/externalfeed/version.php +index 24b1e09..cd84230 100644 +--- a/htdocs/blocktype/externalfeed/version.php 
++++ b/htdocs/blocktype/externalfeed/version.php +@@ -28,5 +28,5 @@ + defined('INTERNAL') || die(); + + $config = new StdClass; +-$config->version = 2011091401; ++$config->version = 2011091402; + $config->release = '1.0.3'; +diff --git a/htdocs/init.php b/htdocs/init.php +index 07c8c47..0865428 100644 +--- a/htdocs/init.php ++++ b/htdocs/init.php +@@ -58,6 +58,10 @@ if (!is_readable($CFG->docroot . 'config.php')) { + + init_performance_info(); + ++if (function_exists('libxml_disable_entity_loader')) { ++ libxml_disable_entity_loader(true); ++} ++ + require($CFG->docroot . 'config.php'); + $CFG = (object)array_merge((array)$cfg, (array)$CFG); + require_once('config-defaults.php'); diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2243-0001.patch mahara-1.5.1/debian/patches/CVE-2012-2243-0001.patch --- mahara-1.5.1/debian/patches/CVE-2012-2243-0001.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.5.1/debian/patches/CVE-2012-2243-0001.patch 2012-11-12 23:07:24.000000000 +0000 
@@ -0,0 +1,66 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Escape pieform errors displayed to users +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1063480 +Last-Update: 2012-10-10 + + CVE-2012-2243 + + If a user modifies a form in such as way that an error + is caused based on their input there is a possible XSS + avenue. + + This was displayed in the user/group CSV uploads, with + a malicious script in the header which causes a CSV parsing + error and was then passed back to the user verbatim. + + This patch escapes all error messages in the pieform error + output. +--- + htdocs/lib/form/renderers/maharatable.php | 2 +- + htdocs/lib/pieforms/pieform/renderers/div.php | 2 +- + htdocs/lib/pieforms/pieform/renderers/table.php | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/htdocs/lib/form/renderers/maharatable.php b/htdocs/lib/form/renderers/maharatable.php +index d245648..94f45e2 100644 +--- a/htdocs/lib/form/renderers/maharatable.php ++++ b/htdocs/lib/form/renderers/maharatable.php +@@ -113,7 +113,7 @@ function pieform_renderer_maharatable(Pieform $form, $element) { + + if (!empty($element['error'])) { + $result .= "\t<tr>\n\t\t<td class=\"errmsg\">"; +- $result .= $element['error']; ++ $result .= hsc($element['error']); + $result .= "</td>\n\t</tr>\n"; + } + +diff --git a/htdocs/lib/pieforms/pieform/renderers/div.php b/htdocs/lib/pieforms/pieform/renderers/div.php +index 2a6833e..701847d 100644 +--- a/htdocs/lib/pieforms/pieform/renderers/div.php ++++ b/htdocs/lib/pieforms/pieform/renderers/div.php +@@ -61,7 +61,7 @@ function pieform_renderer_div(Pieform $form, $element) {/*{{{*/ + } + + if (!empty($element['error'])) { +- $result .= '<div class="errmsg">' . $element['error'] . '</div>'; ++ $result .= '<div class="errmsg">' . hsc($element['error']) . 
'</div>'; + } + + $result .= "</div>\n"; +diff --git a/htdocs/lib/pieforms/pieform/renderers/table.php b/htdocs/lib/pieforms/pieform/renderers/table.php +index feb077f..d7b1d91 100644 +--- a/htdocs/lib/pieforms/pieform/renderers/table.php ++++ b/htdocs/lib/pieforms/pieform/renderers/table.php +@@ -92,7 +92,7 @@ function pieform_renderer_table(Pieform $form, $element) {/*{{{*/ + + if (!empty($element['error'])) { + $result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"errmsg\">"; +- $result .= $element['error']; ++ $result .= hsc($element['error']); + $result .= "</td>\n\t</tr>\n"; + } + +-- +1.7.11.3 + diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2243-0002.patch mahara-1.5.1/debian/patches/CVE-2012-2243-0002.patch --- mahara-1.5.1/debian/patches/CVE-2012-2243-0002.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.5.1/debian/patches/CVE-2012-2243-0002.patch 2012-11-12 23:07:24.000000000 +0000 
@@ -0,0 +1,38 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Escape user uploaded XHTML files +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1055232 +Last-Update: 2012-10-10 + + CVE-2012-2243 + + Before this patch, if a user uploaded HTML or XML files + then tried to download them, or linked other users to download + them, they would be presented with an escaped version along + with a link to download the original. + + This did not include XHTML files, which can cause the same + security issues as HTML or XML files. This patch includes the + XHTML mimetype of application/xhtml+xml in the test of which + files to escape. + +--- + htdocs/lib/file.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php +index 2a96cdc..19c7bf9 100644 +--- a/htdocs/lib/file.php ++++ b/htdocs/lib/file.php +@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) { + $lastmodified = filemtime($path); + $filesize = filesize($path); + +- if ($mimetype == 'text/html' || $mimetype == 'text/xml') { ++ if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') { + if (isset($options['downloadurl']) && $filesize < 1024 * 1024) { + display_cleaned_html(file_get_contents($path), $filename, $options); + exit; +-- +1.7.11.3 + diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2244-0001.patch mahara-1.5.1/debian/patches/CVE-2012-2244-0001.patch --- mahara-1.5.1/debian/patches/CVE-2012-2244-0001.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.5.1/debian/patches/CVE-2012-2244-0001.patch 2012-11-12 23:07:24.000000000 +0000 
@@ -0,0 +1,58 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Fix up old file permissions to remove executable +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1057238 +Last-Update: 2012-10-10 + + CVE-2012-2244 + + In previous versions of mahara, all the user uploaded files + had the executable bit set. This patch runs an upgrade script + to remove this executable bit. + +--- + htdocs/artefact/file/db/upgrade.php | 17 +++++++++++++++++ + htdocs/artefact/file/version.php | 2 +- + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/htdocs/artefact/file/db/upgrade.php b/htdocs/artefact/file/db/upgrade.php +index 92827cf..967539c 100644 +--- a/htdocs/artefact/file/db/upgrade.php ++++ b/htdocs/artefact/file/db/upgrade.php +@@ -392,5 +392,22 @@ function xmldb_artefact_file_upgrade($oldversion=0) { + } + } + ++ if ($oldversion < 2011082201) { ++ $baseiter = new DirectoryIterator(get_config('dataroot') . 'artefact/file/originals/'); ++ foreach ($baseiter as $dir) { ++ if ($dir->isDot()) continue; ++ $dirpath = $dir->getPath() . '/' . $dir->getFilename(); ++ $fileiter = new DirectoryIterator($dirpath); ++ foreach ($fileiter as $file) { ++ if ($file->isDot()) continue; ++ if (!$file->isFile()) { ++ log_error("Something was wrong about the dataroot in artefact/file/originals/$dir. 
Unexpected folder $file"); ++ continue; ++ } ++ chmod($file->getPathname(), $file->getPerms() & 0666); ++ } ++ } ++ } ++ + return $status; + } +diff --git a/htdocs/artefact/file/version.php b/htdocs/artefact/file/version.php +index 71d84e8..147ecf0 100644 +--- a/htdocs/artefact/file/version.php ++++ b/htdocs/artefact/file/version.php +@@ -28,5 +28,5 @@ + defined('INTERNAL') || die(); + + $config = new StdClass; +-$config->version = 2011082200; ++$config->version = 2011082201; + $config->release = '1.2.0'; +-- +1.7.11.3 + diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2244-0002.patch mahara-1.5.1/debian/patches/CVE-2012-2244-0002.patch --- mahara-1.5.1/debian/patches/CVE-2012-2244-0002.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.5.1/debian/patches/CVE-2012-2244-0002.patch 2012-11-12 23:07:24.000000000 +0000 
@@ -0,0 +1,109 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Fix saved file permissions +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1057238 +Last-Update: 2012-10-10 + + + CVE-2012-2244 + + Currently, files that are saved by Mahara use the + directorypermissions config option, which defaults to + 0700, which allows execution. + + This allows users to potentially upload files with + executable bits set, and if they have control of the + config options pathtoclam, pathtozip, or pathtounzip + then they could run this command when one of those + commands are invocated. + + This patch bitwise-AND's the directory permissions + config with 0666, which removes any executable bit + and sets the result as a new config option + filepermissions. + + A change the upload code to use this new option is made + +--- + htdocs/artefact/file/lib.php | 3 ++- + htdocs/init.php | 1 + + htdocs/lib/db/upgrade.php | 2 +- + htdocs/lib/file.php | 2 +- + htdocs/lib/uploadmanager.php | 2 +- + 5 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/htdocs/artefact/file/lib.php b/htdocs/artefact/file/lib.php +index eeeebc2..491965e 100644 +--- a/htdocs/artefact/file/lib.php ++++ b/htdocs/artefact/file/lib.php +@@ -907,6 +907,7 @@ class ArtefactTypeFile extends ArtefactTypeFileBase { + $f->delete(); + return false; + } ++ chmod($newname, get_config('filepermissions')); + $owner = null; + if ($user) { + $owner = $user; +@@ -2138,7 +2139,7 @@ class ArtefactTypeArchive extends ArtefactTypeFile { + // Untar everything into a temp directory first + $tempsubdir = tempnam($tempdir, ''); + unlink($tempsubdir); +- mkdir($tempsubdir); ++ mkdir($tempsubdir, get_config('directorypermissions')); + if (!$this->handle->extract($tempsubdir)) { + throw new SystemException("Unable to extract archive into $tempsubdir"); + } +diff --git a/htdocs/init.php b/htdocs/init.php +index 89b8e50..3e167cc 100644 +--- a/htdocs/init.php ++++ b/htdocs/init.php +@@ -80,6 +80,7 @@ 
$CFG->xmldbdisablecommentchecking = true; + if (empty($CFG->directorypermissions)) { + $CFG->directorypermissions = 0700; + } ++$CFG->filepermissions = $CFG->directorypermissions & 0666; + + // core libraries + require('mahara.php'); +diff --git a/htdocs/lib/db/upgrade.php b/htdocs/lib/db/upgrade.php +index 4293c0f..fa223a5 100644 +--- a/htdocs/lib/db/upgrade.php ++++ b/htdocs/lib/db/upgrade.php +@@ -638,7 +638,7 @@ function xmldb_core_upgrade($oldversion=0) { + + if (is_dir($artefactdata . 'internal/profileicons')) { + if (!is_dir($artefactdata . 'file')) { +- mkdir($artefactdata . 'file'); ++ mkdir($artefactdata . 'file', get_config('directorypermissions')); + } + if (!rename($artefactdata . 'internal/profileicons', $artefactdata . 'file/profileicons')) { + throw new SystemException("Failed moving $artefactdata/internal/profileicons to $artefactdata/file/profileicons"); +diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php +index 71e3da3..2a96cdc 100644 +--- a/htdocs/lib/file.php ++++ b/htdocs/lib/file.php +@@ -795,7 +795,7 @@ function copyr($source, $dest) + + // Make destination directory + if (!is_dir($dest)) { +- mkdir($dest); ++ mkdir($dest, get_config('directorypermissions')); + } + + // Loop through the folder +diff --git a/htdocs/lib/uploadmanager.php b/htdocs/lib/uploadmanager.php +index 322481a..0ad1efd 100644 +--- a/htdocs/lib/uploadmanager.php ++++ b/htdocs/lib/uploadmanager.php +@@ -171,7 +171,7 @@ class upload_manager { + $tmpname = $this->file['tmp_name']; + } + if (move_uploaded_file($tmpname, $destination . '/' . $newname)) { +- chmod($destination . '/' . $newname, get_config('directorypermissions')); ++ chmod($destination . '/' . 
$newname, get_config('filepermissions')); + return false; + } + return get_string('failedmovingfiletodataroot'); +-- +1.7.11.3 + diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2244-0003.patch mahara-1.5.1/debian/patches/CVE-2012-2244-0003.patch --- mahara-1.5.1/debian/patches/CVE-2012-2244-0003.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.5.1/debian/patches/CVE-2012-2244-0003.patch 2012-11-12 23:07:24.000000000 +0000 
@@ -0,0 +1,48 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Remove clamav from site admin options +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1057238 +Last-Update: 2012-10-10 + + CVE-2012-2244 + + When a site administrator can manipulate the path for the + clamav scanner, they could produce either a reverse shell, + or allow any user to execute arbitrary remote commands by + setting it to an uploaded reverse shell, or to /bin/bash + respectively. + + Other executable paths, namely pathtozip, and pathtounzip + are only set via config.php, and not through the site admin + interface. This option, pathtoclam, should follow the same + design. + + +diff --git a/htdocs/admin/site/options.php b/htdocs/admin/site/options.php +index ab0bc6a..17c4e3d 100644 +--- a/htdocs/admin/site/options.php ++++ b/htdocs/admin/site/options.php +@@ -344,14 +344,6 @@ $siteoptionform = array( + 'help' => true, + 'disabled' => in_array('viruschecking', $OVERRIDDEN), + ), +- 'pathtoclam' => array( +- 'type' => 'text', +- 'title' => get_string('pathtoclam', 'admin'), +- 'description' => get_string('pathtoclamdescription', 'admin'), +- 'defaultvalue' => get_config('pathtoclam'), +- 'help' => true, +- 'disabled' => in_array('pathtoclam', $OVERRIDDEN), +- ), + 'antispam' => array( + 'type' => 'select', + 'title' => get_string('antispam', 'admin'), +@@ -612,7 +604,7 @@ function siteoptions_fail(Pieform $form, $field) { + + function siteoptions_submit(Pieform $form, $values) { + $fields = array( +- 'sitename','lang','theme', 'pathtoclam', 'dropdownmenu', ++ 'sitename','lang','theme', 'dropdownmenu', + 'defaultaccountlifetime', 'defaultaccountinactiveexpire', 'defaultaccountinactivewarn', + 'allowpublicviews', 'allowpublicprofiles', 'generatesitemap', + 'registration_sendweeklyupdates', 'institutionexpirynotification', 'institutionautosuspend', diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2246.patch mahara-1.5.1/debian/patches/CVE-2012-2246.patch --- 
mahara-1.5.1/debian/patches/CVE-2012-2246.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.5.1/debian/patches/CVE-2012-2246.patch 2012-11-12 23:07:24.000000000 +0000 @@ -0,0 +1,32 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Fix Click-Jacking attack on account deletion page +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1057240 +Last-Update: 2012-10-10 + + This attack has been mitigated by adding a HTTP header + of X-Frame-Options to every page in Mahara. + + CVE-2012-2246 + +--- + htdocs/init.php | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/htdocs/init.php b/htdocs/init.php +index 3e167cc..253721a 100644 +--- a/htdocs/init.php ++++ b/htdocs/init.php +@@ -46,6 +46,9 @@ header('Cache-Control: private, must-revalidate, pre-check=0, post-check=0, max- + header('Expires: '. gmdate('D, d M Y H:i:s', 507686400) .' GMT'); + header('Pragma: no-cache'); + ++// Prevent clickjacking through iframe tags ++header('X-Frame-Options: SAMEORIGIN'); ++ + // Set up error handling + require('errors.php'); + +-- +1.7.11.3 + diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2247.patch mahara-1.5.1/debian/patches/CVE-2012-2247.patch --- mahara-1.5.1/debian/patches/CVE-2012-2247.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.5.1/debian/patches/CVE-2012-2247.patch 2012-11-12 23:07:24.000000000 +0000 
@@ -0,0 +1,39 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Escape user uploaded SVG files +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1061980 +Last-Update: 2012-10-10 + + CVE-2012-2247 + + Before this patch, if a user uploaded HTML or XML files + then tried to download them, or linked other users to download + them, they would be presented with an escaped version along + with a link to download the original. + + Unfortunately, an SVG file can possibly contain unsecure content, + such as javascript, that would be run on the victims browser. + + This patch adds SVG files (image/svg+xml) to the list of files + to not display by default. + +--- + htdocs/lib/file.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php +index 19c7bf9..e0199b9 100644 +--- a/htdocs/lib/file.php ++++ b/htdocs/lib/file.php +@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) { + $lastmodified = filemtime($path); + $filesize = filesize($path); + +- if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') { ++ if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml' || $mimetype == 'image/svg+xml') { + if (isset($options['downloadurl']) && $filesize < 1024 * 1024) { + display_cleaned_html(file_get_contents($path), $filename, $options); + exit; +-- +1.7.11.3 + diff -Nru mahara-1.5.1/debian/patches/series mahara-1.5.1/debian/patches/series --- mahara-1.5.1/debian/patches/series 2012-10-27 23:18:15.000000000 +0000 +++ mahara-1.5.1/debian/patches/series 2012-11-12 23:07:24.000000000 +0000 @@ -2,3 +2,11 @@ CVE-2012-2237-0002.patch CVE-2012-2237-0003.patch CVE-2012-2237-0004.patch +CVE-2012-2239.patch +CVE-2012-2243-0001.patch +CVE-2012-2243-0002.patch +CVE-2012-2244-0001.patch +CVE-2012-2244-0002.patch +CVE-2012-2244-0003.patch +CVE-2012-2246.patch +CVE-2012-2247.patch
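Review bot: The debian/changelog hunk for 1.5.1-3 has two lint-level problems: a stray empty line is inserted above the `mahara (1.5.1-3) unstable; urgency=high` stanza, and the trailer `-- Melissa Draper <meli...@catalyst.net.nz> Tue, 12 Nov 2012 04:08:09 +0000` names the wrong weekday (12 Nov 2012 was a Monday), which dpkg-parsechangelog warns about. Drop the blank line and change the trailer to `Mon, 12 Nov 2012 04:08:09 +0000` before upload.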
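Review bot: In the CVE-2012-2239 hunk for htdocs/init.php, the `if (function_exists('libxml_disable_entity_loader'))` guard means the mitigation is silently skipped on any PHP build where the function is missing, and nothing records that it was skipped. If the package's php dependency guarantees a version that has the function, the guard can go; otherwise log or fail loudly in the else branch so an unprotected deployment is visible in the logs rather than only discoverable by testing an upload. Also worth a line in the patch description: this call stops external entity loading, which is the file/network read described in the header, but it is not a defence against internal entity expansion, so XML-consuming code paths should still set size limits.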
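Review bot: The CVE-2012-2239 hunk in htdocs/blocktype/externalfeed/db/upgrade.php calls `call_static_method('PluginBlocktypeExternalfeed', 'refresh_feeds')` from inside the database upgrade step, which makes the upgrade perform an outbound fetch for every configured feed. A slow or unreachable feed host then stalls the upgrade, and a fetch failure risks aborting it. Consider only resetting `lastupdate` here and letting the existing cron refresh pick the feeds up, or at least note in the Debian patch header that the upgrade needs outbound network access.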
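Review bot: In the `serve_file` hunks of CVE-2012-2243-0002 and CVE-2012-2247, the cleaned-HTML path is only taken when `isset($options['downloadurl']) && $filesize < 1024 * 1024`; an HTML, XHTML or SVG file at or above 1 MB, or one served without `downloadurl`, falls through and is still delivered with its script-capable mimetype. Suggest that the fallthrough for these four mimetypes send `Content-Disposition: attachment` (or a generic `application/octet-stream` type) so the browser never renders them inline. The check is also an exact string comparison, so it protects only the listed type strings; a whitelist of types that may be rendered inline, with everything else forced to download, would be the more robust shape.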
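Review bot: In the CVE-2012-2244-0001 hunk for htdocs/artefact/file/db/upgrade.php, the return value of `chmod($file->getPathname(), $file->getPerms() & 0666)` is not checked, so a file the web server user cannot chmod (different owner, read-only mount) keeps its executable bit and the upgrade reports success. Wrap it as `if (!chmod(...)) { log_error(...); }` using the same `log_error` already used two lines above, so operators can find the files that still need fixing by hand. The walk is also only one level deep under `artefact/file/originals/`, which matches the layout assumed by the `Unexpected folder` message, so that part is fine.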
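Review bot: In the CVE-2012-2244-0002 hunk for htdocs/init.php, `$CFG->filepermissions = $CFG->directorypermissions & 0666;` is assigned unconditionally, while the `directorypermissions` default three lines above is guarded by `if (empty($CFG->directorypermissions))`. An administrator who sets `$cfg->filepermissions` explicitly in config.php will have it silently overwritten. Either guard it the same way (`if (empty($CFG->filepermissions))`) or state in the patch header that `filepermissions` is derived-only and not a config.php option.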
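Review bot: The CVE-2012-2244-0003 hunks in htdocs/admin/site/options.php remove the `pathtoclam` element from the form and from the `$fields` list in `siteoptions_submit`, but they do not touch a `pathtoclam` value that is already persisted in the config table from the web interface. After this upgrade such a value keeps being used, only it can no longer be seen or corrected from the admin UI. Suggest an accompanying upgrade step that deletes the stored value so that only the config.php setting (which the header says is the intended source, as for `pathtozip` and `pathtounzip`) is ever honoured, and a check that the `pathtoclam` lang strings and help file have no dangling references.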
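Review bot: The CVE-2012-2246 hunk adds `header('X-Frame-Options: SAMEORIGIN');` in htdocs/init.php, which covers every page that goes through init.php but nothing that does not; please confirm no entry point under htdocs/ bypasses init.php. Also confirm that no Mahara page is meant to be embedded by other origins, since SAMEORIGIN will break that, and that SAMEORIGIN rather than DENY is deliberate because Mahara frames its own content.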
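Review bot: The debian/patches/series hunk lists `CVE-2012-2243-0002.patch` before `CVE-2012-2244-0002.patch`, but the blob ids in the patches show the upstream order for htdocs/lib/file.php is the reverse: CVE-2012-2244-0002 takes it from `71e3da3` to `2a96cdc`, CVE-2012-2243-0002 from `2a96cdc` to `19c7bf9`, and CVE-2012-2247 from `19c7bf9` to `e0199b9`. The hunks do not overlap (line 70 versus line 795), so quilt will apply them with offsets, but please confirm `quilt push -a` is clean and consider reordering series to match upstream so the index lines stay truthful.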
diff -Nru mahara-1.2.6/debian/changelog mahara-1.2.6/debian/changelog --- mahara-1.2.6/debian/changelog 2012-08-13 11:24:08.000000000 +0000 +++ mahara-1.2.6/debian/changelog 2012-11-12 00:08:09.000000000 +0000 
@@ -1,3 +1,35 @@ +mahara (1.2.6-2+squeeze6) stable-security; urgency=high + + * SECURITY UPDATE: Disable XML entity parsing to prevent XEE + - debian/patches/CVE-2012-2239.patch: upstream patch + + * SECURITY UPDATE: Multiple cross-site scripting vulnerabilities + - Content passed to the error message was not escaped + - Escape pieform errors displayed to users + - debian/patches/CVE-2012-2243-0001.patch: upstream patch + - XHTML files prone to embedded javascript + - Prevent uploaded xhtml files from displaying verbatim + - debian/patches/CVE-2012-2243-0002.patch: upstream patch + + * SECURITY UPDATE: Arbitrary file execution via clam path + - Remove executable bit from existing uploaded files + - debian/patches/CVE-2012-2244-0001.patch: upstream patch + - Ensure future files will not be executable + - debian/patches/CVE-2012-2244-0002.patch: upstream patch + - Remove direct path option from web configuration + - debian/patches/CVE-2012-2244-0003.patch: upstream patch + + * SECURITY UPDATE: Prevent click-jacking attacks + - Add a HTTP header of X-Frame-Options to every page + - debian/patches/CVE-2012-2246.patch: upstream patch + + * SECURITY UPDATE: Prevent SVG images being displayed + - SVG images displayed inline + - Adds SVG files to the list of files to not display by default + - debian/patches/CVE-2012-2247.patch: upstream patch + + -- Melissa Draper <meli...@catalyst.net.nz> Wed, 10 Oct 2012 01:27:23 +0000 + mahara (1.2.6-2+squeeze5) stable-security; urgency=high * SECURITY UPDATE: Fix multiple cross-site scripting vulnerabilities diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2239.patch mahara-1.2.6/debian/patches/CVE-2012-2239.patch --- mahara-1.2.6/debian/patches/CVE-2012-2239.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.2.6/debian/patches/CVE-2012-2239.patch 2012-11-12 00:08:09.000000000 +0000 
@@ -0,0 +1,73 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Description: Disable XML entity parsing +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1047111 +Last-Update: 2012-09-11 + + Fix XML Security bug + + There is a security issue with the default XML parser for PHP, where ENTITY fields are + loaded and substituted in text parts. + + This allows possible attackers to read from internal networks, or files readable by the + web server user. + + This includes reading of the config.php file, which contains sensitive information such + as the database password, and the password salt field. + + The fix for this was to include a call to libxml_disable_entity_loader(true) during the + initialization of a page. This is based on a report from Mike Haworth + + The vulnerability was present in the admin area when uploading Leap2A users, and also in + the user page area where a user could provide a RSS feed with specific XML ENTITY fields. + + More information can be found at the following: + http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities + http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html + +diff --git a/htdocs/blocktype/externalfeed/db/upgrade.php b/htdocs/blocktype/externalfeed/db/upgrade.php +index 8415c7d..a52c151 100644 +--- a/htdocs/blocktype/externalfeed/db/upgrade.php ++++ b/htdocs/blocktype/externalfeed/db/upgrade.php +@@ -61,6 +61,13 @@ function xmldb_blocktype_externalfeed_upgrade($oldversion=0) { + } + } + ++ if ($oldversion < 2009121601) { ++ // Reset all feeds to reset themselves ++ set_field('blocktype_externalfeed_data', 'lastupdate', db_format_timestamp(strtotime('-90 minutes'))); ++ safe_require('blocktype', 'externalfeed'); ++ call_static_method('PluginBlocktypeExternalfeed', 'refresh_feeds'); ++ } ++ + return true; + } + +diff --git a/htdocs/blocktype/externalfeed/version.php b/htdocs/blocktype/externalfeed/version.php +index 9e1f925..4a2da30 100644 +--- a/htdocs/blocktype/externalfeed/version.php ++++ 
b/htdocs/blocktype/externalfeed/version.php +@@ -28,7 +28,7 @@ + defined('INTERNAL') || die(); + + $config = new StdClass; +-$config->version = 2009121600; ++$config->version = 2009121601; + $config->release = '1.0.2'; + + ?> +diff --git a/htdocs/init.php b/htdocs/init.php +index 02a1dd8..7601a67 100644 +--- a/htdocs/init.php ++++ b/htdocs/init.php +@@ -56,6 +56,10 @@ if (!is_readable($CFG->docroot . 'config.php')) { + + init_performance_info(); + ++if (function_exists('libxml_disable_entity_loader')) { ++ libxml_disable_entity_loader(true); ++} ++ + require($CFG->docroot . 'config.php'); + $CFG = (object)array_merge((array)$cfg, (array)$CFG); + require_once('config-defaults.php'); diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2243-0001.patch mahara-1.2.6/debian/patches/CVE-2012-2243-0001.patch --- mahara-1.2.6/debian/patches/CVE-2012-2243-0001.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.2.6/debian/patches/CVE-2012-2243-0001.patch 2012-11-12 00:08:09.000000000 +0000 
@@ -0,0 +1,53 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Escape pieform errors displayed to users +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1063480 +Last-Update: 2012-10-10 + + CVE-2012-2243 + + If a user modifies a form in such as way that an error + is caused based on their input there is a possible XSS + avenue. + + This was displayed in the user/group CSV uploads, with + a malicious script in the header which causes a CSV parsing + error and was then passed back to the user verbatim. + + This patch escapes all error messages in the pieform error + output. + +--- + htdocs/lib/form/renderers/maharatable.php | 2 +- + htdocs/lib/pieforms/pieform/renderers/table.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/htdocs/lib/form/renderers/maharatable.php b/htdocs/lib/form/renderers/maharatable.php +index 23a76b4..0628df9 100644 +--- a/htdocs/lib/form/renderers/maharatable.php ++++ b/htdocs/lib/form/renderers/maharatable.php +@@ -109,7 +109,7 @@ function pieform_renderer_maharatable(Pieform $form, $element) { + + if (!empty($element['error'])) { + $result .= "\t<tr>\n\t\t<td class=\"errmsg\">"; +- $result .= $element['error']; ++ $result .= hsc($element['error']); + $result .= "</td>\n\t</tr>\n"; + } + +diff --git a/htdocs/lib/pieforms/pieform/renderers/table.php b/htdocs/lib/pieforms/pieform/renderers/table.php +index c09bbdc..3e7b649 100644 +--- a/htdocs/lib/pieforms/pieform/renderers/table.php ++++ b/htdocs/lib/pieforms/pieform/renderers/table.php +@@ -92,7 +92,7 @@ function pieform_renderer_table(Pieform $form, $element) {/*{{{*/ + + if (!empty($element['error'])) { + $result .= "\t<tr>\n\t\t<td colspan=\"2\" class=\"errmsg\">"; +- $result .= $element['error']; ++ $result .= hsc($element['error']); + $result .= "</td>\n\t</tr>\n"; + } + +-- +1.7.11.3 + diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2243-0002.patch mahara-1.2.6/debian/patches/CVE-2012-2243-0002.patch --- 
mahara-1.2.6/debian/patches/CVE-2012-2243-0002.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.2.6/debian/patches/CVE-2012-2243-0002.patch 2012-11-12 00:08:09.000000000 +0000 @@ -0,0 +1,37 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Escape user uploaded XHTML files +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1055232 +Last-Update: 2012-10-10 + + CVE-2012-2243 + + Before this patch, if a user uploaded HTML or XML files + then tried to download them, or linked other users to download + them, they would be presented with an escaped version along + with a link to download the original. + + This did not include XHTML files, which can cause the same + security issues as HTML or XML files. This patch includes the + XHTML mimetype of application/xhtml+xml in the test of which + files to escape. +--- + htdocs/lib/file.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php +index 1c7481c..2b92193 100644 +--- a/htdocs/lib/file.php ++++ b/htdocs/lib/file.php +@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) { + $lastmodified = filemtime($path); + $filesize = filesize($path); + +- if ($mimetype == 'text/html' || $mimetype == 'text/xml') { ++ if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') { + if (isset($options['downloadurl']) && $filesize < 1024 * 1024) { + display_cleaned_html(file_get_contents($path), $filename, $options); + exit; +-- +1.7.11.3 + diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2244-0001.patch mahara-1.2.6/debian/patches/CVE-2012-2244-0001.patch --- mahara-1.2.6/debian/patches/CVE-2012-2244-0001.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.2.6/debian/patches/CVE-2012-2244-0001.patch 2012-11-12 00:08:09.000000000 +0000 
@@ -0,0 +1,61 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Fix up old file permissions to remove executable +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1057238 +Last-Update: 2012-10-10 + + CVE-2012-2244 + + In previous versions of mahara, all the user uploaded files + had the executable bit set. This patch runs an upgrade script + to remove this executable bit. + +--- + htdocs/artefact/file/db/upgrade.php | 17 +++++++++++++++++ + htdocs/artefact/file/version.php | 2 +- + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/htdocs/artefact/file/db/upgrade.php b/htdocs/artefact/file/db/upgrade.php +index f83aa2d..ac41cab 100644 +--- a/htdocs/artefact/file/db/upgrade.php ++++ b/htdocs/artefact/file/db/upgrade.php +@@ -271,6 +271,23 @@ function xmldb_artefact_file_upgrade($oldversion=0) { + } + } + ++ if ($oldversion < 2009111202) { ++ $baseiter = new DirectoryIterator(get_config('dataroot') . 'artefact/file/originals/'); ++ foreach ($baseiter as $dir) { ++ if ($dir->isDot()) continue; ++ $dirpath = $dir->getPath() . '/' . $dir->getFilename(); ++ $fileiter = new DirectoryIterator($dirpath); ++ foreach ($fileiter as $file) { ++ if ($file->isDot()) continue; ++ if (!$file->isFile()) { ++ log_error("Something was wrong about the dataroot in artefact/file/originals/$dir. 
Unexpected folder $file"); ++ continue; ++ } ++ chmod($file->getPathname(), $file->getPerms() & 0666); ++ } ++ } ++ } ++ + return $status; + } + +diff --git a/htdocs/artefact/file/version.php b/htdocs/artefact/file/version.php +index 880a04b..1550ed2 100644 +--- a/htdocs/artefact/file/version.php ++++ b/htdocs/artefact/file/version.php +@@ -28,7 +28,7 @@ + defined('INTERNAL') || die(); + + $config = new StdClass; +-$config->version = 2009111201; ++$config->version = 2009111202; + $config->release = '1.2.0'; + + ?> +-- +1.7.11.3 + diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2244-0002.patch mahara-1.2.6/debian/patches/CVE-2012-2244-0002.patch --- mahara-1.2.6/debian/patches/CVE-2012-2244-0002.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.2.6/debian/patches/CVE-2012-2244-0002.patch 2012-11-12 00:08:09.000000000 +0000 
@@ -0,0 +1,108 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Fix saved file permissions +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1057238 +Last-Update: 2012-10-10 + + CVE-2012-2244 + + Currently, files that are saved by Mahara use the + directorypermissions config option, which defaults to + 0700, which allows execution. + + This allows users to potentially upload files with + executable bits set, and if they have control of the + config options pathtoclam, pathtozip, or pathtounzip + then they could run this command when one of those + commands are invocated. + + This patch bitwise-AND's the directory permissions + config with 0666, which removes any executable bit + and sets the result as a new config option + filepermissions. + + A change the upload code to use this new option is made + +--- + htdocs/artefact/file/lib.php | 3 ++- + htdocs/init.php | 1 + + htdocs/lib/db/upgrade.php | 2 +- + htdocs/lib/file.php | 2 +- + htdocs/lib/uploadmanager.php | 2 +- + 5 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/htdocs/artefact/file/lib.php b/htdocs/artefact/file/lib.php +index aacf11e..8345a0b 100644 +--- a/htdocs/artefact/file/lib.php ++++ b/htdocs/artefact/file/lib.php +@@ -815,6 +815,7 @@ class ArtefactTypeFile extends ArtefactTypeFileBase { + $f->delete(); + return false; + } ++ chmod($newname, get_config('filepermissions')); + if (empty($user)) { + global $USER; + $user = $USER; +@@ -1849,7 +1850,7 @@ class ArtefactTypeArchive extends ArtefactTypeFile { + // Untar everything into a temp directory first + $tempsubdir = tempnam($tempdir, ''); + unlink($tempsubdir); +- mkdir($tempsubdir); ++ mkdir($tempsubdir, get_config('directorypermissions')); + if (!$this->handle->extract($tempsubdir)) { + throw new SystemException("Unable to extract archive into $tempsubdir"); + } +diff --git a/htdocs/init.php b/htdocs/init.php +index 02a1dd8..0c13175 100644 +--- a/htdocs/init.php ++++ b/htdocs/init.php +@@ -74,6 +74,7 @@ 
$CFG->xmldbdisablecommentchecking = true; + if (empty($CFG->directorypermissions)) { + $CFG->directorypermissions = 0700; + } ++$CFG->filepermissions = $CFG->directorypermissions & 0666; + + // core libraries + require('mahara.php'); +diff --git a/htdocs/lib/db/upgrade.php b/htdocs/lib/db/upgrade.php +index c686cbd..5beddce 100644 +--- a/htdocs/lib/db/upgrade.php ++++ b/htdocs/lib/db/upgrade.php +@@ -633,7 +633,7 @@ function xmldb_core_upgrade($oldversion=0) { + $artefactdata = get_config('dataroot') . 'artefact/'; + if (is_dir($artefactdata . 'internal/profileicons')) { + if (!is_dir($artefactdata . 'file')) { +- mkdir($artefactdata . 'file'); ++ mkdir($artefactdata . 'file', get_config('directorypermissions')); + } + if (!rename($artefactdata . 'internal/profileicons', $artefactdata . 'file/profileicons')) { + throw new SystemException("Failed moving $artefactdata/internal/profileicons to $artefactdata/file/profileicons"); +diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php +index a774213..1c7481c 100644 +--- a/htdocs/lib/file.php ++++ b/htdocs/lib/file.php +@@ -752,7 +752,7 @@ function copyr($source, $dest) + + // Make destination directory + if (!is_dir($dest)) { +- mkdir($dest); ++ mkdir($dest, get_config('directorypermissions')); + } + + // Loop through the folder +diff --git a/htdocs/lib/uploadmanager.php b/htdocs/lib/uploadmanager.php +index b49c1df..1bf3cb1 100644 +--- a/htdocs/lib/uploadmanager.php ++++ b/htdocs/lib/uploadmanager.php +@@ -155,7 +155,7 @@ class upload_manager { + } + + if (move_uploaded_file($this->file['tmp_name'], $destination . '/' . $newname)) { +- chmod($destination . '/' . $newname, 0700); ++ chmod($destination . '/' . 
$newname, get_config('filepermissions')); + return false; + } + return get_string('failedmovingfiletodataroot'); +-- +1.7.11.3 + diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2244-0003.patch mahara-1.2.6/debian/patches/CVE-2012-2244-0003.patch --- mahara-1.2.6/debian/patches/CVE-2012-2244-0003.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.2.6/debian/patches/CVE-2012-2244-0003.patch 2012-11-12 00:08:09.000000000 +0000 
@@ -0,0 +1,53 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Remove clamav from site admin options +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1057238 +Last-Update: 2012-10-10 + + CVE-2012-2244 + + When a site administrator can manipulate the path for the + clamav scanner, they could produce either a reverse shell, + or allow any user to execute arbitrary remote commands by + setting it to an uploaded reverse shell, or to /bin/bash + respectively. + + Other executable paths, namely pathtozip, and pathtounzip + are only set via config.php, and not through the site admin + interface. This option, pathtoclam, should follow the same + design. + +--- + htdocs/admin/site/options.php | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/htdocs/admin/site/options.php b/htdocs/admin/site/options.php +index 95b02e1..edcb1a5 100644 +--- a/htdocs/admin/site/options.php ++++ b/htdocs/admin/site/options.php +@@ -93,13 +93,6 @@ $siteoptionform = array( + 'defaultvalue' => get_config('viruschecking'), + 'help' => true, + ), +- 'pathtoclam' => array( +- 'type' => 'text', +- 'title' => get_string('pathtoclam', 'admin'), +- 'description' => get_string('pathtoclamdescription', 'admin'), +- 'defaultvalue' => get_config('pathtoclam'), +- 'help' => true, +- ), + 'sessionlifetime' => array( + 'type' => 'text', + 'size' => 4, +@@ -247,7 +240,7 @@ function siteoptions_fail(Pieform $form, $field) { + + function siteoptions_submit(Pieform $form, $values) { + $fields = array( +- 'sitename','lang','theme', 'pathtoclam', ++ 'sitename','lang','theme', + 'defaultaccountlifetime', 'defaultaccountinactiveexpire', 'defaultaccountinactivewarn', + 'allowpublicviews', 'allowpublicprofiles', 'creategroups', 'createpublicgroups', 'searchplugin', + 'registration_sendweeklyupdates', 'institutionexpirynotification', 'institutionautosuspend', +-- +1.7.11.3 + diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2246.patch 
mahara-1.2.6/debian/patches/CVE-2012-2246.patch --- mahara-1.2.6/debian/patches/CVE-2012-2246.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.2.6/debian/patches/CVE-2012-2246.patch 2012-11-12 00:08:09.000000000 +0000 @@ -0,0 +1,32 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Fix Click-Jacking attack on account deletion page +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/1057240 +Last-Update: 2012-10-10 + + This attack has been mitigated by adding a HTTP header + of X-Frame-Options to every page in Mahara. + + CVE-2012-2246 + +--- + htdocs/init.php | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/htdocs/init.php b/htdocs/init.php +index 0c13175..7da62d5 100644 +--- a/htdocs/init.php ++++ b/htdocs/init.php +@@ -44,6 +44,9 @@ header('Cache-Control: private, must-revalidate, pre-check=0, post-check=0, max- + header('Expires: '. gmdate('D, d M Y H:i:s', 507686400) .' GMT'); + header('Pragma: no-cache'); + ++// Prevent clickjacking through iframe tags ++header('X-Frame-Options: SAMEORIGIN'); ++ + // Set up error handling + require('errors.php'); + +-- +1.7.11.3 + diff -Nru mahara-1.2.6/debian/patches/CVE-2012-2247.patch mahara-1.2.6/debian/patches/CVE-2012-2247.patch --- mahara-1.2.6/debian/patches/CVE-2012-2247.patch 1970-01-01 00:00:00.000000000 +0000 +++ mahara-1.2.6/debian/patches/CVE-2012-2247.patch 2012-11-12 00:08:09.000000000 +0000 
@@ -0,0 +1,41 @@ +Author: Hugh Davenport <h...@catalyst.net.nz> +Subject: Escape user uploaded SVG files +Origin: upstream +Bug: https://bugs.launchpad.net/mahara/+bug/ +Last-Update: 2012-10-10 + +Bug #1061980 +CVE-2012-2247 + +Before this patch, if a user uploaded HTML or XML files +then tried to download them, or linked other users to download +them, they would be presented with an escaped version along +with a link to download the original. + +Unfortunately, an SVG file can possibly contain unsecure content, +such as javascript, that would be run on the victims browser. + +This patch adds SVG files (image/svg+xml) to the list of files +to not display by default. + +Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09 +--- + htdocs/lib/file.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php +index 2b92193..a61daf5 100644 +--- a/htdocs/lib/file.php ++++ b/htdocs/lib/file.php +@@ -70,7 +70,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) { + $lastmodified = filemtime($path); + $filesize = filesize($path); + +- if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml') { ++ if ($mimetype == 'text/html' || $mimetype == 'text/xml' || $mimetype == 'application/xhtml+xml' || $mimetype == 'image/svg+xml') { + if (isset($options['downloadurl']) && $filesize < 1024 * 1024) { + display_cleaned_html(file_get_contents($path), $filename, $options); + exit; +-- +1.7.11.3 + diff -Nru mahara-1.2.6/debian/patches/series mahara-1.2.6/debian/patches/series --- mahara-1.2.6/debian/patches/series 2012-08-13 11:24:08.000000000 +0000 +++ mahara-1.2.6/debian/patches/series 2012-11-12 00:08:09.000000000 +0000 
@@ -12,3 +12,11 @@ saml_multi_default_config.patch CVE-2012-2237-0001.patch CVE-2012-2237-0002.patch +CVE-2012-2239.patch +CVE-2012-2243-0001.patch +CVE-2012-2243-0002.patch +CVE-2012-2244-0001.patch +CVE-2012-2244-0002.patch +CVE-2012-2244-0003.patch +CVE-2012-2246.patch +CVE-2012-2247.patch
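Review bot: the return value of `chmod($file->getPathname(), $file->getPerms() & 0666)` in the new `if ($oldversion < 2009111202)` block of htdocs/artefact/file/db/upgrade.php is ignored, so a file the web user cannot chmod (different owner, read-only mount) keeps its executable bit while the plugin version is still bumped to 2009111202 and this block never runs again. Suggest at least logging the failure and not reporting success, e.g. `if (!chmod($file->getPathname(), $file->getPerms() & 0666)) { log_error("Could not remove executable bit from $file"); $status = false; }`. Two smaller points on the same hunk: the walk only descends one level (originals/<dir>/<file>), so anything nested deeper is logged rather than fixed, which is fine if that layout is guaranteed but deserves a comment; and because DirectoryIterator::isFile() and chmod() both follow symlinks, a symlink inside originals/ would have its target's mode changed, so the assumption that dataroot contains no symlinks should be stated in a comment too.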
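Review bot: in the htdocs/init.php hunk of CVE-2012-2244-0002.patch, `$CFG->filepermissions = $CFG->directorypermissions & 0666;` is assigned unconditionally, unlike `directorypermissions` two lines above which is only defaulted inside `if (empty($CFG->directorypermissions))`, so a `$cfg->filepermissions` set in config.php is silently overwritten on every request. Suggest the same guard: `if (empty($CFG->filepermissions)) { $CFG->filepermissions = $CFG->directorypermissions & 0666; }`. Note also that with the default of 0700 this derives 0600, which is the intended result, but that derivation is worth a comment so nobody later sets directorypermissions to 0770 expecting files to stay 0600.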
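Review bot: the ArtefactTypeArchive hunk in htdocs/artefact/file/lib.php (around line 1850) only changes the mode of the temporary directory passed to `mkdir($tempsubdir, get_config('directorypermissions'))`; the files written by `$this->handle->extract($tempsubdir)` keep whatever mode the archive member carried, including an executable bit chosen by the uploader. The commit message says the upload code was changed to use the new option, but it does not say whether extracted members pass through the `chmod($newname, get_config('filepermissions'))` added at line 815 before they land under dataroot. Please either confirm that in the message or chmod the extracted files to filepermissions right after the extract call.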
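Review bot: removing the `pathtoclam` field and its entry in the `$fields` array of htdocs/admin/site/options.php stops administrators from changing the value, but it does not remove a value that was already stored through this form (the removed `'defaultvalue' => get_config('pathtoclam')` shows it was read from site config, not from config.php), so a previously set path, including a malicious one, continues to be used after the upgrade. Suggest an accompanying upgrade step that deletes the stored row (for example `delete_records('config', 'field', 'pathtoclam')`) so the setting can only come from config.php as the commit message intends, plus a NEWS or README.Debian entry telling admins to move the setting. The lang strings `pathtoclam` and `pathtoclamdescription` in the admin language file also become dead with this change.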
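Review bot: `header('X-Frame-Options: SAMEORIGIN');` in the htdocs/init.php hunk of CVE-2012-2246.patch is sent unconditionally, with no way for a site that legitimately embeds Mahara pages in another origin to turn it off; a config switch (name to be chosen, for example a hypothetical `$cfg->allowframing`) checked before the header would avoid breaking such deployments. SAMEORIGIN is also only as strong as the guarantee that no attacker-controlled page is served from the same origin, and serve_file() in htdocs/lib/file.php does serve user-uploaded HTML from this origin through display_cleaned_html(), so the cleaner must strip iframe/object/embed for this header to protect the account deletion page; DENY would remove that dependency if nothing in Mahara frames its own pages. Packaging note: this hunk's pre-image index `0c13175` for htdocs/init.php is the post-image of the init.php hunk in CVE-2012-2244-0002.patch, so the order in debian/patches/series (2244-0002 before 2246) must be preserved.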
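Review bot: the DEP-3 header of CVE-2012-2247.patch has a truncated `Bug: https://bugs.launchpad.net/mahara/+bug/` with the number left on a separate `Bug #1061980` line; the URL should carry the number so tools that read the header get a usable link. On the serve_file() hunk itself, the comparison `$mimetype == 'image/svg+xml'` is an exact string match, so a mime type arriving in a different case or with a parameter would slip past; `in_array(strtolower($mimetype), array(...))` over the four types would be more robust. The branch taken when `isset($options['downloadurl']) && $filesize < 1024 * 1024` is false lies outside this hunk; please confirm that path sends the SVG as an attachment rather than inline, otherwise an SVG larger than 1 MB, or one served without a download URL, still renders in the browser. Finally, running an SVG through display_cleaned_html() applies an HTML cleaner to an XML document, which will likely mangle it; forcing download for image/svg+xml may be the cleaner behaviour.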