diff -u drupal6-6.14/debian/changelog drupal6-6.14/debian/changelog --- drupal6-6.14/debian/changelog +++ drupal6-6.14/debian/changelog @@ -1,3 +1,12 @@ +drupal6 (6.14-2) unstable; urgency=high + + * Apply patches to fix (Closes: #562165): + - XSS in the contact module (Ref: CVE-2009-4369, SA-CORE-2009-009) + - XSS in the menu module (Ref: CVE-2009-4370, SA-CORE-2009-009) + - XSS in the locale module (Ref: CVE-2009-4371) + + -- Bryan McLellan Wed, 30 Dec 2009 14:46:36 -0800 + drupal6 (6.14-1) unstable; urgency=low * New upstream release diff -u drupal6-6.14/debian/patches/00list drupal6-6.14/debian/patches/00list --- drupal6-6.14/debian/patches/00list +++ drupal6-6.14/debian/patches/00list @@ -1,0 +2,2 @@ +20_SA-CORE-2009-009 +21_CVE-2009-4371 only in patch2: unchanged: --- drupal6-6.14.orig/debian/patches/20_SA-CORE-2009-009.dpatch +++ drupal6-6.14/debian/patches/20_SA-CORE-2009-009.dpatch @@ -0,0 +1,42 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 20_SA-CORE-2009-009-6.14.dpatch by Bryan McLellan +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix a critical security vulnerability. +## +## Upstream: http://drupal.org/node/661586 +## Patch: http://drupal.org/files/sa-core-2009-009/SA-CORE-2009-009-6.14.patch + +@DPATCH@ + +Index: modules/contact/contact.admin.inc +=================================================================== +RCS file: /cvs/drupal/drupal/modules/contact/contact.admin.inc,v +retrieving revision 1.3 +diff -u -p -r1.3 contact.admin.inc +--- drupal6~/modules/contact/contact.admin.inc 9 Nov 2007 07:55:13 -0000 1.3 ++++ drupal6/modules/contact/contact.admin.inc 16 Dec 2009 20:09:37 -0000 +@@ -13,7 +13,7 @@ function contact_admin_categories() { + $result = db_query('SELECT cid, category, recipients, selected FROM {contact} ORDER BY weight, category'); + $rows = array(); + while ($category = db_fetch_object($result)) { +- $rows[] = array($category->category, $category->recipients, ($category->selected ? t('Yes') : t('No')), l(t('edit'), 'admin/build/contact/edit/'. $category->cid), l(t('delete'), 'admin/build/contact/delete/'. $category->cid)); ++ $rows[] = array(check_plain($category->category), check_plain($category->recipients), ($category->selected ? t('Yes') : t('No')), l(t('edit'), 'admin/build/contact/edit/'. $category->cid), l(t('delete'), 'admin/build/contact/delete/'. $category->cid)); + } + $header = array(t('Category'), t('Recipients'), t('Selected'), array('data' => t('Operations'), 'colspan' => 2)); + +Index: modules/menu/menu.admin.inc +=================================================================== +RCS file: /cvs/drupal/drupal/modules/menu/menu.admin.inc,v +retrieving revision 1.26.2.4 +diff -u -p -r1.26.2.4 menu.admin.inc +--- drupal6~/modules/menu/menu.admin.inc 25 Feb 2009 13:15:40 -0000 1.26.2.4 ++++ drupal6/modules/menu/menu.admin.inc 16 Dec 2009 20:09:37 -0000 +@@ -15,6 +15,7 @@ function menu_overview_page() { + while ($menu = db_fetch_array($result)) { + $menu['href'] = 'admin/build/menu-customize/'. $menu['menu_name']; + $menu['localized_options'] = array(); ++ $menu['description'] = filter_xss_admin($menu['description']); + $content[] = $menu; + } + return theme('admin_block_content', $content); only in patch2: unchanged: --- drupal6-6.14.orig/debian/patches/21_CVE-2009-4371.dpatch +++ drupal6-6.14/debian/patches/21_CVE-2009-4371.dpatch @@ -0,0 +1,22 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 21_CVE-2009-4371.dpatch by Bryan McLellan +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix a critical security vulnerability. +## +## Patch: http://www.madirish.net/?article=442 + +@DPATCH@ + +--- drupal6~/modules/locale/locale.module 2009-02-25 06:47:37.000000000 -0500 ++++ drupal6/modules/locale/locale.module 2009-11-11 14:26:40.704648132 -0500 +@@ -229,7 +229,7 @@ function locale_user($type, $edit, &$use + '#type' => (count($names) <= 5 ? 'radios' : 'select'), + '#title' => t('Language'), + '#default_value' => $user_preferred_language->language, +- '#options' => $names, ++ '#options' => array_map('filter_xss', $names), + '#description' => ($mode == LANGUAGE_NEGOTIATION_PATH) ? t("This account's default language for e-mails, and preferred language for site presentation.") : t("This account's default language for e-mails."), + ); + return $form; +