Debian Bug report logs - #585425
moodle: CVE-2010-1619 cross-site scripting in KSES HTML text cleaning library


Package: moodle; Maintainer for moodle is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 10 Jun 2010 13:33:04 UTC

Severity: grave

Tags: patch, security

Fixed in version moodle/1.9.9-1

Done: Tomasz Muras <nexor1984@gmail.com>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Moodle Packaging Team <moodle-packaging@catalyst.net.nz>:
Bug#585425; Package moodle. (Thu, 10 Jun 2010 13:33:07 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Moodle Packaging Team <moodle-packaging@catalyst.net.nz>. (Thu, 10 Jun 2010 13:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: moodle: CVE-2010-1619 cross-site scripting in KSES HTML text cleaning library
Date: Thu, 10 Jun 2010 15:22:26 +0200
Package: moodle
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for moodle.

CVE-2010-1619[0]:
| Cross-site scripting (XSS) vulnerability in the
| fix_non_standard_entities function in the KSES HTML text cleaning
| library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x
| before 1.9.8, allows remote attackers to inject arbitrary web script
| or HTML via crafted HTML entities.

The function patched in the official upstream patch is not included in our
version of the source code; a ported (untested) version of the patch is
attached.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1619
    http://security-tracker.debian.org/tracker/CVE-2010-1619

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[CVE-2010-1619.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Moodle Packaging Team <moodle-packaging@catalyst.net.nz>:
Bug#585425; Package moodle. (Fri, 18 Jun 2010 03:39:06 GMT)


Acknowledgement sent to Victor Martinez <vicm3@janus.ajusco.upn.mx>:
Extra info received and forwarded to list. Copy sent to Moodle Packaging Team <moodle-packaging@catalyst.net.nz>. (Fri, 18 Jun 2010 03:39:06 GMT)


Message #10 received at 585425@bugs.debian.org:

From: Victor Martinez <vicm3@janus.ajusco.upn.mx>
To: 585425@bugs.debian.org
Cc: gwolf@gwolf.org
Subject: New problems found in KSES
Date: Thu, 17 Jun 2010 22:31:46 -0500
Tags: security patch

MSA-10-0012:
Topic: KSES Security Filter Bypassing vulnerability
Severity: Critical
Versions affected: <1.8.13 and <1.9.9
Reported by: Sascha Herzog
Issue no.: MDL-22042
Solution: upgrade to 1.8.13 or 1.9.9
Workaround: apply patch
http://git.moodle.org/gw?p=moodle.git;a=commit;h=8628d9d845b2641bd211adaeb2a06e6a2fdc0e3d
http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.114&r2=1.812.2.115
Description:
Sascha Herzog reported a critical vulnerability in the KSES text cleaning filter that may allow registered users to launch persistent cross-site scripting (XSS) attacks.

Patch provided
[weblib.php.patch (text/x-diff, attachment)]
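Neither the CVE text in the first message nor the MSA-10-0012 summary above gives the crafted entities involved, and the example below does not try to reconstruct them: it is an added Python illustration, not Moodle's code and not a reproduction of CVE-2010-1619 or MSA-10-0012. What it shows is the general pattern both reports belong to, a text cleaner that strips disallowed tags first and normalizes HTML entities afterwards, so that the normalization step can hand the browser markup the filter never saw. The names toy_kses, normalize_entities_unsafe, normalize_entities_safe, clean_vulnerable and clean_fixed are assumptions made for this illustration, and every input string is constructed.

```python
"""Filter-then-normalize ordering bug, as an added illustration.

Not Moodle's code: ``toy_kses`` is a stand-in for an allow-list HTML filter
in the spirit of KSES, and the two ``normalize_entities_*`` functions stand
in for an entity normalization step that runs after it. Inputs are constructed.
"""
import html
import re

# Allow-list: tag name -> attributes that may survive (assumption for the toy).
ALLOWED = {"b": set(), "i": set(), "a": {"href"}}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')
ENTITY_RE = re.compile(r"&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);")
MARKUP_CHARS = set('<>"\'&')


def toy_kses(text: str) -> str:
    """Drop every tag not on the allow-list and every attribute not allowed
    for that tag; refuse javascript: URLs in href. Entities are left alone,
    so ``&lt;script&gt;`` passes through untouched: it contains no '<'."""
    def repl(m):
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED:
            return ""
        if closing:
            return f"</{name}>"
        kept = []
        for k, v in ATTR_RE.findall(attrs):
            k = k.lower()
            if k in ALLOWED[name] and not v.strip().lower().startswith("javascript:"):
                kept.append(f'{k}="{v}"')
        return "<" + name + "".join(" " + a for a in kept) + ">"
    return TAG_RE.sub(repl, text)


def normalize_entities_unsafe(text: str) -> str:
    """Decode every entity, including the ones that spell '<' and '>'.
    Run after the filter, this turns escaped text back into live markup."""
    return html.unescape(text)


def normalize_entities_safe(text: str) -> str:
    """Decode entities, but keep any that would produce a markup delimiter
    (< > " ' &) encoded, so decoding can never create a new tag or attribute."""
    def repl(m):
        entity = m.group(0)
        decoded = html.unescape(entity)
        if decoded == entity:          # unknown named entity: leave as written
            return entity
        if any(c in MARKUP_CHARS for c in decoded):
            return html.escape(decoded, quote=True)
        return decoded
    return ENTITY_RE.sub(repl, text)


def clean_vulnerable(text: str) -> str:
    """Filter first, then decode everything: the bypass."""
    return normalize_entities_unsafe(toy_kses(text))


def clean_fixed(text: str) -> str:
    """Filter first, then decode only what cannot become markup."""
    return normalize_entities_safe(toy_kses(text))


# Constructed inputs: two escaped payloads and one benign string with entities.
SAMPLES = [
    "&lt;script&gt;alert(1)&lt;/script&gt;",
    "&#60;img src=x onerror=alert(1)&#x3E;",
    "caf&eacute; &amp; &copy; 2010",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"input:      {s}")
        print(f"vulnerable: {clean_vulnerable(s)}")
        print(f"fixed:      {clean_fixed(s)}")
        print()
```

The fixed variant keeps the markup delimiters encoded while still decoding harmless entities such as &eacute; and &copy;. The other standard remedy is to canonicalize entities before the filter runs, so the filter inspects the same bytes the browser will render; whichever order is chosen, no step after the filter may be allowed to produce '<', '>', quotes or '&' that the filter has not seen.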

Reply sent to Tomasz Muras <nexor1984@gmail.com>:
You have taken responsibility. (Wed, 30 Jun 2010 21:39:15 GMT)


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Wed, 30 Jun 2010 21:39:15 GMT)


Message #15 received at 585425-close@bugs.debian.org:

From: Tomasz Muras <nexor1984@gmail.com>
To: 585425-close@bugs.debian.org
Subject: Bug#585425: fixed in moodle 1.9.9-1
Date: Wed, 30 Jun 2010 21:34:44 +0000
Source: moodle
Source-Version: 1.9.9-1

We believe that the bug you reported is fixed in the latest version of
moodle, which is due to be installed in the Debian FTP archive:

moodle_1.9.9-1.debian.tar.gz
  to main/m/moodle/moodle_1.9.9-1.debian.tar.gz
moodle_1.9.9-1.dsc
  to main/m/moodle/moodle_1.9.9-1.dsc
moodle_1.9.9-1_all.deb
  to main/m/moodle/moodle_1.9.9-1_all.deb
moodle_1.9.9.orig.tar.gz
  to main/m/moodle/moodle_1.9.9.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585425@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tomasz Muras <nexor1984@gmail.com> (supplier of updated moodle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 23 Jun 2010 21:00:39 +0100
Source: moodle
Binary: moodle
Architecture: source all
Version: 1.9.9-1
Distribution: unstable
Urgency: low
Maintainer: Moodle Packaging Team <pkg-moodle-maintainers@lists.alioth.debian.org>
Changed-By: Tomasz Muras <nexor1984@gmail.com>
Description: 
 moodle     - Course Management System for Online Learning
Closes: 585425 586280
Changes: 
 moodle (1.9.9-1) unstable; urgency=low
 .
   * Rewritten debian/rules
   * Removed unnecessary usr/share/moodle/update-notifier
   * New Upstream Version: 1.9.9
   * New upstream fixes CVE-2010-1619 (closes: #585425)
   * New upstream fixes MSA-10-0011 (closes: #586280)
Checksums-Sha1: 
 8e1bd6d6c913f2f1b68e716c0c71a96c578cca35 1337 moodle_1.9.9-1.dsc
 11f85f3b933bdc211c0590d480eccbd426cb9a31 13729451 moodle_1.9.9.orig.tar.gz
 4d644f30819ce64b71e3cb7aa99451c431a3a926 17362 moodle_1.9.9-1.debian.tar.gz
 82720d646c0c24cd86c1755f9999330a7fb3a5a9 10079970 moodle_1.9.9-1_all.deb
Checksums-Sha256: 
 66e4b09dcc5cc8d136a9590bb99d384825717e272845e3560dff900fabe3b76e 1337 moodle_1.9.9-1.dsc
 da8080f4e161bd262d68320e27d0c80dfee1e9eb6eb32995ee3f5afaba3b8433 13729451 moodle_1.9.9.orig.tar.gz
 8f82700f15fe52b2ba723c3e1da6f2d0158da606ca9739575a0080d99d2008ad 17362 moodle_1.9.9-1.debian.tar.gz
 182a73be3c88d69c524c48a1ae08c8cbad1026ec7b895b4b137cd88efe55e62f 10079970 moodle_1.9.9-1_all.deb
Files: 
 64c8aae6b95fd7efa2c5e45df5b24f3d 1337 web optional moodle_1.9.9-1.dsc
 3cf8f4dca5ed48537a44bc67e4636a15 13729451 web optional moodle_1.9.9.orig.tar.gz
 48091e2504a239cf1c6e37f208fffcfb 17362 web optional moodle_1.9.9-1.debian.tar.gz
 a6c149a34237385ea0ebed298dc4a106 10079970 web optional moodle_1.9.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwrr0QACgkQpDDGqoi7tR5L0QCgoYCg5Z1F44EaxoUFrF//hl/s
qDcAoMXRKnAJ4Fgo6E4rBX7zAWZdXyIQ
=a+7f
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Aug 2010 07:32:07 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:58:48 2019; Machine Name: buxtehude