Hi,
I intent to NMU this bug.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/moodle-1.8.2-1.2_1.8.2-1.3.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u moodle-1.8.2/debian/patches/00list moodle-1.8.2/debian/patches/00list
--- moodle-1.8.2/debian/patches/00list
+++ moodle-1.8.2/debian/patches/00list
@@ -1,0 +2 @@
+CVE-2008-1502.dpatch
diff -u moodle-1.8.2/debian/changelog moodle-1.8.2/debian/changelog
--- moodle-1.8.2/debian/changelog
+++ moodle-1.8.2/debian/changelog
@@ -1,3 +1,12 @@
+moodle (1.8.2-1.3) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix broken HTML filtering which could be used to perform XSS attacks,
+    bypass restrictions or possibly execute arbitrary code
+    (CVE-2008-1502; Closes: #489533).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Sun, 20 Jul 2008 18:07:55 +0200
+
 moodle (1.8.2-1.2) unstable; urgency=low
 
   * Non-maintainer upload to fix pending l10n issues.
only in patch2:
unchanged:
--- moodle-1.8.2.orig/debian/patches/CVE-2008-1502.dpatch
+++ moodle-1.8.2/debian/patches/CVE-2008-1502.dpatch
@@ -0,0 +1,38 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-1502.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad moodle-1.8.2~/lib/kses.php moodle-1.8.2/lib/kses.php
+--- moodle-1.8.2~/lib/kses.php	2006-03-03 03:01:53.000000000 +0100
++++ moodle-1.8.2/lib/kses.php	2008-07-20 18:07:35.000000000 +0200
+@@ -469,10 +469,12 @@
+ # handling whitespace and HTML entities.
+ ###############################################################################
+ {
+-  return preg_replace('/^((&[^;]*;|[\sA-Za-z0-9])*)'.
+-                      '(:|&#0*58;|&#[Xx]3[Aa];)\s*/e',
+-                      'kses_bad_protocol_once2("\\1", $allowed_protocols)',
+-                      $string);
++  $string2 = preg_split('/:|&#58;|&#x3a;/i', $string, 2);
++  if(isset($string2[1]) && !preg_match('%/\?%',$string2[0]))
++  {
++    $string = kses_bad_protocol_once2($string2[0],$allowed_protocols).trim($string2[1]);
++  }
++  return $string;
+ } # function kses_bad_protocol_once
+ 
+ 
+diff -urNad moodle-1.8.2~/lib/weblib.php moodle-1.8.2/lib/weblib.php
+--- moodle-1.8.2~/lib/weblib.php	2007-07-04 04:55:40.000000000 +0200
++++ moodle-1.8.2/lib/weblib.php	2008-07-20 18:06:11.000000000 +0200
+@@ -1758,6 +1758,7 @@
+             }
+             $arreach['value'] = preg_replace("/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/i", "Xjavascript", $arreach['value']);
+             $arreach['value'] = preg_replace("/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n/i", "Xexpression", $arreach['value']);
++            $arreach['value'] = preg_replace("/b\s*i\s*n\s*d\s*i\s*n\s*g/i", "Xbinding", $arreach['value']);
+         } else if ($arreach['name'] == 'href') {
+             //Adobe Acrobat Reader XSS protection
+             $arreach['value'] = preg_replace('/(\.(pdf|fdf|xfdf|xdp|xfd))[^a-z0-9_\.\-].*$/i', '$1', $arreach['value']);

Attachment: pgpinYdPQQlMN.pgp
Description: PGP signature

Reply via email to