Version in base suite: 1.0.4-4+lenny3 Version in overlay suite: (not present) Base version: mahara_1.0.4-4+lenny3 Target version: mahara_1.0.4-4+lenny4 Base file: /org/ftp.debian.org/ftp/pool/main/m/mahara/mahara_1.0.4-4+lenny3.dsc Target file: /org/ftp.debian.org/queue/p-u-new/mahara_1.0.4-4+lenny4.dsc debian/patches/CVE-2009-3298.dpatch | 58 ++++++++++++++++++++++++++++++++++++ debian/patches/CVE-2009-3299.dpatch | 18 +++++++++++ mahara-1.0.4/debian/changelog | 7 ++++ mahara-1.0.4/debian/patches/00list | 2 + 4 files changed, 85 insertions(+)
diff -u mahara-1.0.4/debian/changelog mahara-1.0.4/debian/changelog
--- mahara-1.0.4/debian/changelog
+++ mahara-1.0.4/debian/changelog
@@ -1,3 +1,10 @@
+mahara (1.0.4-4+lenny4) stable-security; urgency=high
+
+ * Fix privilege escalation for institution admins (CVE-2009-3298)
+ * Fix XSS vulnerability in the resume blocktype (CVE-2009-3299)
+
+ -- Francois Marier Thu, 29 Oct 2009 16:47:11 +1300
+
 mahara (1.0.4-4+lenny3) stable-security; urgency=high

 * Fix XSS vulnerabilities
diff -u mahara-1.0.4/debian/patches/00list mahara-1.0.4/debian/patches/00list
--- mahara-1.0.4/debian/patches/00list
+++ mahara-1.0.4/debian/patches/00list
@@ -4,0 +5,2 @@
+CVE-2009-3298.dpatch
+CVE-2009-3299.dpatch
only in patch2:
unchanged:
--- mahara-1.0.4.orig/debian/patches/CVE-2009-3299.dpatch
+++ mahara-1.0.4/debian/patches/CVE-2009-3299.dpatch
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2009-3299.dpatch by Francois Marier
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: XSS vulnerability in the resume blocktype
+
+@DPATCH@
+--- a/htdocs/artefact/resume/lib.php
++++ b/htdocs/artefact/resume/lib.php
+@@ -115,7 +115,7 @@ class ArtefactTypeResume extends ArtefactType {
+ * Default render method for resume fields - show their description
+ */
+ public function render_self($options) {
+- return array('html' => $this->description);
++ return array('html' => clean_text($this->description));
+ }
+
+ /**
only in patch2:
unchanged:
--- mahara-1.0.4.orig/debian/patches/CVE-2009-3298.dpatch
+++ mahara-1.0.4/debian/patches/CVE-2009-3298.dpatch
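Review bot: The `## DP:` header names the vulnerability but not the fix, so a reader of the patch series cannot tell what changed without opening the hunk; expand it to `## DP: XSS in the resume blocktype: resume field descriptions are now passed through clean_text() in ArtefactTypeResume::render_self() instead of being returned raw`. The filtering is applied only inside render_self(), so any other code path that outputs the same description field is not covered by this change; whether such a path exists is not visible here and is worth confirming before closing the advisory. render_self() is complete in the hunk, but the enclosing class continues outside it.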
@@ -0,0 +1,58 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2009-3298.dpatch by Francois Marier
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: privilege escalation from institution admin to site admin
+
+@DPATCH@
+--- a/htdocs/auth/user.php
++++ b/htdocs/auth/user.php
+@@ -438,6 +438,14 @@ class User {
+ return $this->get('admin') || $this->is_institutional_admin($institution);
+ }
+
++ /**
++ * Returns whether this user is allowed to perform administration type
++ * actions on another user.
++ *
++ * @param mixed $user The user to check we can perform actions on. Can
++ * either be a User object, a row from the usr table or
++ * an ID
++ */
+ public function is_admin_for_user($user) {
+ if ($this->get('admin')) {
+ return true;
+@@ -445,12 +453,29 @@ class User {
+ if (!$this->is_institutional_admin()) {
+ return false;
+ }
++
++ // Check privileges for institutional admins now
+ if ($user instanceof User) {
+- $userinstitutions = $user->get('institutions');
+- } else {
+- $userinstitutions = load_user_institutions($user->id);
++ $userobj = $user;
+ }
++ else if (is_numeric($user)) {
++ $userobj = new User;
++ $userobj->find_by_id($user);
++ }
++ else if (is_object($user)) {
++ // Should be a row from the usr table
++ $userobj = new User;
++ $userobj->find_by_id($user->id);
++ }
++ else {
++ throw new SystemException("Invalid argument pass to is_admin_for_user method");
++ }
++
++ if ($userobj->get('admin')) {
++ return false;
++ }
++
++ foreach ($userobj->get('institutions') as $i) {
+ if ($this->is_institutional_admin($i->institution)) {
+ return true;
+ }
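Review bot: The exception message in the new `else` branch has a typo, `Invalid argument pass to` should read `Invalid argument passed to is_admin_for_user method`, and the new docblock documents `@param` only; add `@return bool` and `@throws SystemException when $user is neither a User object, a usr row nor a numeric id`. The `is_object($user)` branch reads `$user->id` without checking that the property is set, so a malformed row reaches `find_by_id()` with null; `else if (is_object($user) && isset($user->id)) {` would route that case to the throwing `else` instead. What `find_by_id()` does for an id that does not exist is not visible in this hunk; if it returns without throwing, `$userobj->get('admin')` is evaluated on an unloaded user and the method falls through to the institution loop, so confirm it raises. The remainder of is_admin_for_user after the `foreach` lies outside the hunk.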