Lionel Elie Mamane wrote:
> > This security hole was fixed in kronolith2, but the kronolith
> > package is still present in unstable and still, presumably, has this
> > hole.
>
> Thank you for warning us. However, kronolith 1 is not maintained
> upstream anymore and no patch for this issue is available from
> upstream.
Thanks a lot.
> I've tried to backport the upstream patch for kronolith 2, but most
> files touched don't actually exist in kronolith 1, as well as a
> sizeable part of the code touched in the files that do exist. Here is
> my measly backport attempt, but I'd really like someone that
> understands the issue to review it and see if nothing has been left
> out. Do we have someone of that calibre (and willing to do it)
> available in Debian?
I've taken a look at the patch, and several lines contain changes not
suitable for a security update, i.e. fix different potential bugs or
change the code. I'm attaching the patch. More eyes checking would
be appreciated.
Regards,
Joey
--
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Please always Cc to me when replying to me on the lists.
diff -u kronolith-1.1.4/debian/changelog kronolith-1.1.4/debian/changelog
--- kronolith-1.1.4/debian/changelog
+++ kronolith-1.1.4/debian/changelog
@@ -1,3 +1,13 @@
+kronolith (1.1.4-2sarge1) unstable; urgency=low
+
+ * Non-maintainer upload by the Security Team
+ * Backported upstream security patch for kronolith2 to fix several
+ cross-site-scripting vulnerabilities [templates/edit/edit.inc,
+ templates/view/view.inc, templates/delete/one.inc,
+ templates/delete/delete.inc, CVE-2005-4189, Bug#342943, Bug#349261]
+
+ -- Martin Schulze <[EMAIL PROTECTED]> Sun, 22 Jan 2006 11:30:50 +0100
+
kronolith (1.1.4-2) unstable; urgency=low
* Fixed grammar error, closes: #273190.
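Review bot: The version and the distribution field in the new entry's header line disagree: 1.1.4-2sarge1 is a stable-style version, but the target is unstable, and urgency=low sits oddly on an entry that cites CVE-2005-4189. If this is meant for sarge, the distribution should be the stable security suite with a higher urgency; if it is meant for unstable, the version should not carry the sarge suffix. The list of touched templates in the entry does match the four files in the patch.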
only in patch2:
unchanged:
--- kronolith-1.1.4.orig/templates/edit/edit.inc
+++ kronolith-1.1.4/templates/edit/edit.inc
@@ -27,16 +27,16 @@
?>
<form action="<?php echo ($event->isInitialized() ? 'editeventaction.php' :
'addeventaction.php') ?>" method="post" name="event">
<?php Horde::pformInput() ?>
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>"
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="timestamp" value="<?php if (isset($timestamp)) echo
$timestamp ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo
htmlspecialchars($day) ?>" />
+<input type="hidden" name="timestamp" value="<?php if (isset($timestamp)) echo
htmlspecialchars($timestamp) ?>" />
<input type="hidden" name="new_category" value="" />
<?php if (isset($url)): ?>
-<input type="hidden" name="url" value="<?php echo $url ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
<?php endif; ?>
<?php if ($event->isInitialized()): ?>
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="eventID" value="<?php echo
htmlspecialchars($event->getID()) ?>" />
<?php endif; ?>
<center>
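Review bot: Only the hidden inputs at the top of the form are covered; the hunk ends at <center>, and none of the visible form fields further down edit.inc appear anywhere in the patch. Given the concern raised above about whether anything was left out, it is worth confirming that the fields which prefill event data below this point already escape their values. For the lines that are changed, every value sits inside a double-quoted attribute, so htmlspecialchars() with its default quote style is sufficient there.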
only in patch2:
unchanged:
--- kronolith-1.1.4.orig/templates/view/view.inc
+++ kronolith-1.1.4/templates/view/view.inc
@@ -137,10 +137,10 @@
</tr>
<?php foreach ($keyword_list as $cat => $list): ?>
<tr>
- <td align="right" class="light" valign="top"><b><?php echo $cat
?> </b></td>
+ <td align="right" class="light" valign="top"><b><?php echo
htmlspecialchars($cat) ?> </b></td>
<td align="left" class="text" colspan="3">
<?php foreach ($list as $entry): ?>
- <?php echo $entry ?><br />
+ <?php echo htmlspecialchars($entry) ?><br />
<?php endforeach; ?>
</td>
</tr>
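Review bot: The escaping of $cat and $entry assumes $keyword_list holds raw text. If the list is built from strings that are already entity-encoded elsewhere, these two echo lines will double-encode them (an ampersand would show up as &amp;amp; in the page). Please check where $keyword_list is populated in kronolith 1 before shipping; if it is raw user or configuration text, the change is right as it stands.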
only in patch2:
unchanged:
--- kronolith-1.1.4.orig/templates/delete/one.inc
+++ kronolith-1.1.4/templates/delete/one.inc
@@ -6,18 +6,18 @@
}
?>
<form action="<?php echo Horde::applicationUrl('deleventaction.php') ?>"
method="post" name="delete">
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>"
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="url" value="<?php echo $url ?>" />
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo
htmlspecialchars($day) ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
+<input type="hidden" name="eventID" value="<?php echo
htmlspecialchars($event->getID()) ?>" />
<center>
<table border="0" cellspacing="0" cellpadding="4" align="center">
<!-- header -->
<tr class="header">
- <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"),
$event->getTitle()) ?></b></td>
+ <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"),
htmlspecialchars($event->getTitle())) ?></b></td>
</tr>
<!-- description -->
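Review bot: year, month and mday are calendar numbers, so in the three hidden inputs an integer cast would be stricter than htmlspecialchars(): it removes the markup problem and also stops non-numeric input from being carried into the POST to deleventaction.php. That is arguably a behaviour change, so for a minimal security update the escaping shown here is acceptable; the cast is the better fix if upstream ever takes it. The title line is handled correctly, with the escaping applied to the sprintf() argument rather than to the translated format string.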
@@ -29,7 +29,7 @@
<tr>
<td align="left">
<input type="submit" class="button" name="delete" value="<?php echo
_("Delete") ?>" />
- <input type="submit" class="button" name="cancel" value="<?php echo
_("Cancel") ?>" onclick="self.location = '<?php echo $url; ?>'; return false;"
/>
+ <input type="submit" class="button" name="cancel" value="<?php echo
_("Cancel") ?>" onclick="self.location = '<?php echo htmlspecialchars($url);
?>'; return false;" />
</td>
</tr>
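Review bot: htmlspecialchars() is the wrong encoder for the Cancel button's onclick handler. $url lands inside a single-quoted JavaScript string, the one-argument call leaves ' untouched, and even with ENT_QUOTES the browser decodes the attribute's entities before the script is parsed, so an encoded quote would still terminate the string literal. The value needs JavaScript string escaping first (backslash-escape quotes, backslashes and line breaks) and then htmlspecialchars() for the attribute; alternatively drop the inline handler and let the server handle the cancel submit.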
only in patch2:
unchanged:
--- kronolith-1.1.4.orig/templates/delete/delete.inc
+++ kronolith-1.1.4/templates/delete/delete.inc
@@ -6,18 +6,18 @@
}
?>
<form action="<?php echo Horde::applicationUrl('deleventaction.php') ?>"
method="post" target="_self" name="delete">
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>"
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="url" value="<?php echo $url ?>" />
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo
htmlspecialchars($day) ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
+<input type="hidden" name="eventID" value="<?php echo
htmlspecialchars($event->getID()) ?>" />
<center>
<table border="0" cellspacing="0" cellpadding="4" align="center">
<!-- header -->
<tr class="header">
- <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"),
$event->getTitle()) ?></b></td>
+ <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"),
htmlspecialchars($event->getTitle())) ?></b></td>
</tr>
<!-- description -->
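Review bot: Lines 24 to 30 of delete.inc, between this hunk and the next one at line 31, are not touched, and the trailing context shows that the description block starts there. If that block echoes the event description or any other event field, it needs the same escaping as the title above it. Please paste or check those lines so the review can confirm nothing user-controlled is printed raw.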
@@ -31,7 +31,7 @@
<input type="submit" class="button" name="current" value="<?php echo
_("Current") ?>" />
<input type="submit" class="button" name="future" value="<?php echo
_("Future") ?>" />
<input type="submit" class="button" name="all" value="<?php echo _("All")
?>" />
- <input type="submit" class="button" name="cancel" value="<?php echo
_("Cancel") ?>" onclick="self.location = '<?php echo $url; ?>'; return false;"
/>
+ <input type="submit" class="button" name="cancel" value="<?php echo
_("Cancel") ?>" onclick="self.location = '<?php echo htmlspecialchars($url);
?>'; return false;" />
</td>
</tr>
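Review bot: Beyond the quoting problem in the onclick handler (the same construct as in templates/delete/one.inc, where entity encoding does not protect a JavaScript string), $url is used here as a navigation target in self.location, and escaping does nothing to constrain where it points or which scheme it uses. The script that sets $url should accept only a relative or same-site http(s) URL and fall back to a fixed calendar page otherwise.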

