Hi,
I intend to upload a 0-day NMU, as nothing has happened with this 
bug and it is a security issue. Patch attached.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u drupal6-6.11/debian/changelog drupal6-6.11/debian/changelog
--- drupal6-6.11/debian/changelog
+++ drupal6-6.11/debian/changelog
@@ -1,3 +1,10 @@
+drupal6 (6.11-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix several XSS issues (SA-CORE-2009-006; Closes: #529190).
+
+ -- Nico Golde <[email protected]>  Thu, 28 May 2009 20:45:35 +0200
+
 drupal6 (6.11-1) unstable; urgency=low
 
   [ Luigi Gangitano ]
diff -u drupal6-6.11/debian/patches/00list drupal6-6.11/debian/patches/00list
--- drupal6-6.11/debian/patches/00list
+++ drupal6-6.11/debian/patches/00list
@@ -1,0 +2 @@
+20_xss
only in patch2:
unchanged:
--- drupal6-6.11.orig/debian/patches/20_xss.dpatch
+++ drupal6-6.11/debian/patches/20_xss.dpatch
@@ -0,0 +1,98 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_xss.dpatch by Nico Golde <[email protected]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix SA-CORE-2009-006
+
+...@dpatch@
+diff -urNad drupal6-6.11~/includes/theme.inc drupal6-6.11/includes/theme.inc
+--- drupal6-6.11~/includes/theme.inc	2009-04-30 02:13:30.000000000 +0200
++++ drupal6-6.11/includes/theme.inc	2009-05-28 20:29:17.000000000 +0200
+@@ -688,7 +688,7 @@
+   // restore path_to_theme()
+   $theme_path = $temp;
+   // Add final markup to the full page.
+-  if ($hook == 'page') {
++  if ($hook == 'page' || $hook == 'book_export_html') {
+     $output = drupal_final_markup($output);
+   }
+   return $output;
+diff -urNad drupal6-6.11~/modules/book/book-export-html.tpl.php drupal6-6.11/modules/book/book-export-html.tpl.php
+--- drupal6-6.11~/modules/book/book-export-html.tpl.php	2007-11-04 15:29:09.000000000 +0100
++++ drupal6-6.11/modules/book/book-export-html.tpl.php	2009-05-28 20:29:17.000000000 +0200
+@@ -20,8 +20,8 @@
+ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+ <html xmlns="http://www.w3.org/1999/xhtml"; lang="<?php print $language->language; ?>" xml:lang="<?php print $language->language; ?>">
+   <head>
+-    <title><?php print $title; ?></title>
+     <?php print $head; ?>
++    <title><?php print $title; ?></title>
+     <base href="<?php print $base_url; ?>" />
+     <link type="text/css" rel="stylesheet" href="misc/print.css" />
+     <?php if ($language_rtl): ?>
+diff -urNad drupal6-6.11~/modules/taxonomy/taxonomy.module drupal6-6.11/modules/taxonomy/taxonomy.module
+--- drupal6-6.11~/modules/taxonomy/taxonomy.module	2009-04-27 13:49:05.000000000 +0200
++++ drupal6-6.11/modules/taxonomy/taxonomy.module	2009-05-28 20:29:17.000000000 +0200
+@@ -415,7 +415,7 @@
+  */
+ function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') {
+   $vocabulary = taxonomy_vocabulary_load($vid);
+-  $help = ($help) ? $help : $vocabulary->help;
++  $help = ($help) ? $help : filter_xss_admin($vocabulary->help);
+ 
+   if (!$vocabulary->multiple) {
+     $blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -');
+@@ -514,7 +514,7 @@
+           $typed_string = taxonomy_implode_tags($terms, $vocabulary->vid) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL);
+         }
+         if ($vocabulary->help) {
+-          $help = $vocabulary->help;
++          $help = filter_xss_admin($vocabulary->help);
+         }
+         else {
+           $help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc.".');
+@@ -538,7 +538,7 @@
+             $default_terms[$term->tid] = $term;
+           }
+         }
+-        $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help);
++        $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help));
+         $form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight;
+         $form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required;
+       }
+@@ -1018,6 +1018,35 @@
+   return $terms[$tid];
+ }
+ 
++/**
++ * Create a select form element for a given taxonomy vocabulary.
++ *
++ * NOTE: This function expects input that has already been sanitized and is
++ * safe for display. Callers must properly sanitize the $title and
++ * $description arguments to prevent XSS vulnerabilities.
++ *
++ * @param $title
++ *   The title of the vocabulary. This MUST be sanitized by the caller.
++ * @param $name
++ *   Ignored.
++ * @param $value
++ *   The currently selected terms from this vocabulary, if any.
++ * @param $vocabulary_id
++ *   The vocabulary ID to build the form element for.
++ * @param $description
++ *   Help text for the form element. This MUST be sanitized by the caller.
++ * @param $multiple
++ *   Boolean to control if the form should use a single or multiple select.
++ * @param $blank
++ *   Optional form choice to use when no value has been selected.
++ * @param $exclude
++ *   Optional array of term ids to exclude in the selector.
++ * @return
++ *   A FAPI form array to select terms from the given vocabulary.
++ *
++ * @see taxonomy_form()
++ * @see taxonomy_form_term()
++ */
+ function _taxonomy_term_select($title, $name, $value, $vocabulary_id, $description, $multiple, $blank, $exclude = array()) {
+   $tree = taxonomy_get_tree($vocabulary_id);
+   $options = array();
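Review bot: In the `@@ -415,7 +415,7 @@` hunk, `taxonomy_form()` now runs `filter_xss_admin()` only over the fallback `$vocabulary->help`, while a caller-supplied `$help` is still passed through untouched, so the function's safety rests on every caller sanitizing first — the same contract the new `_taxonomy_term_select()` docblock spells out, but `taxonomy_form()`'s own docblock (it ends just above the hunk, outside the visible lines) does not state it. Add a parameter note such as `@param $help  Help text for the element; it is output unescaped, so callers MUST sanitize it (e.g. with filter_xss_admin()).` The two call sites touched in the `@@ -514` and `@@ -538` hunks do sanitize, so this is documentation only. Separately, the `book-export-html.tpl.php` change moves `<title>` below `$head` without saying why; if the intent is that the charset declaration in `$head` is parsed before any user-controlled text, a one-line template comment such as `<?php // Keep $head before <title> so the charset is declared before user-controlled text. ?>` would stop a later cleanup from reverting the order.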

Attachment: pgpPKJiPSPQaN.pgp
Description: PGP signature
