From e63ae3a1f6ba587423565db1a739df251ce273c9 Mon Sep 17 00:00:00 2001
From: Jon Ciesla
Date: Apr 01 2009 19:29:33 +0000
Subject: CVE-2009-1171
---
diff --git a/moodle-1.9.4-CVE-2009-1171-1.patch b/moodle-1.9.4-CVE-2009-1171-1.patch
new file mode 100644
index 0000000..652cbb5
--- /dev/null
+++ b/moodle-1.9.4-CVE-2009-1171-1.patch
@@ -0,0 +1,39 @@
+--- filter/tex/filter.php.orig 2009/02/17 05:24:35 1.18.4.4
++++ filter/tex/filter.php 2009/03/26 19:06:29 1.18.4.5
+@@ -133,6 +133,16 @@
+ $text = str_replace($matches[0][$i],$replacement,$text);
+ }
+
++ // TeX blacklist. MDL-18552
++ $tex_blacklist = array(
++ 'include','def','command','loop','repeat','open','toks','output',
++ 'input','catcode','name','^^',
++ '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
++ '\batchmode','\read','\write','csname','\newhelp','\uppercase',
++ '\lowercase','\relax','\aftergroup',
++ '\afterassignment','\expandafter','\noexpand','\special'
++ );
++
+ // TeX expression
+ // or TeX expression
+ // or $$ TeX expression $$
+@@ -155,6 +165,19 @@
+ $align = "text-top";
+ $texexp = preg_replace('/^align=top /','',$texexp);
+ }
++ /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
++ $invalidcommands = array();
++ foreach($tex_blacklist as $command) {
++ if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
++ $invalidcommands[] = $command;
++ }
++ }
++ if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
++ $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
++ $text = str_replace( $matches[0][$i], $invalidstr, $text);
++ continue;
++ }
++ /// Everything is ok, let's process the expression
+ $md5 = md5($texexp);
+ if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {
+ $texcache->filter = 'tex';
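Review bot: The rejection branch in the second inner hunk (`-155,6 +165,19`) calls `get_string('invalidtexcommand', 'error', ...)`, but neither patch file in this commit adds that identifier to the error language strings; as far as I can tell, `get_string` in this Moodle line substitutes a bracketed `[[invalidtexcommand]]` placeholder for a missing string, so the TeX element would be replaced by that token rather than a readable message — worth confirming the 1.9.4 lang pack already carries it. The check itself is a case-insensitive substring match via `stristr`, so harmless content such as `\operatorname{...}` (contains `name`) or a `\text{...}` run containing "define" is rejected outright, and the same list is reused by `str_ireplace` in moodle-1.9.4-CVE-2009-1171-2.patch with the same false-positive profile; running the list over a sample of existing course formulas before deploying would show how much legitimate content breaks. Since the second patch deletes this entire filter.php block again, none of this hunk survives in the built package, so folding the two patches into one would leave the spec carrying only the final, reviewable state. The enclosing `for` over `$matches` begins outside the hunk.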
diff --git a/moodle-1.9.4-CVE-2009-1171-2.patch b/moodle-1.9.4-CVE-2009-1171-2.patch
new file mode 100644
index 0000000..3844eed
--- /dev/null
+++ b/moodle-1.9.4-CVE-2009-1171-2.patch
@@ -0,0 +1,107 @@
+--- filter/tex/filter.php.orig
++++ filter/tex/filter.php
+@@ -133,16 +133,6 @@ function tex_filter ($courseid, $text) {
+ $text = str_replace($matches[0][$i],$replacement,$text);
+ }
+
+- // TeX blacklist. MDL-18552
+- $tex_blacklist = array(
+- 'include','def','command','loop','repeat','open','toks','output',
+- 'input','catcode','name','^^',
+- '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
+- '\batchmode','\read','\write','csname','\newhelp','\uppercase',
+- '\lowercase','\relax','\aftergroup',
+- '\afterassignment','\expandafter','\noexpand','\special'
+- );
+-
+ // TeX expression
+ // or TeX expression
+ // or $$ TeX expression $$
+@@ -165,19 +155,6 @@ function tex_filter ($courseid, $text) {
+ $align = "text-top";
+ $texexp = preg_replace('/^align=top /','',$texexp);
+ }
+- /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
+- $invalidcommands = array();
+- foreach($tex_blacklist as $command) {
+- if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
+- $invalidcommands[] = $command;
+- }
+- }
+- if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
+- $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
+- $text = str_replace( $matches[0][$i], $invalidstr, $text);
+- continue;
+- }
+- /// Everything is ok, let's process the expression
+ $md5 = md5($texexp);
+ if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {
+ $texcache->filter = 'tex';
+--- filter/tex/latex.php.orig
++++ filter/tex/latex.php
+@@ -44,9 +44,11 @@
+ * @return string the latex document
+ */
+ function construct_latex_document( $formula, $fontsize=12 ) {
+- // $fontsize don't affects to formula's size. $density can change size
+-
+ global $CFG;
++
++ $formula = tex_sanitize_formula($formula);
++
++ // $fontsize don't affects to formula's size. $density can change size
+ $doc = "\\documentclass[{$fontsize}pt]{article}\n";
+ $doc .= $CFG->filter_tex_latexpreamble;
+ $doc .= "\\pagestyle{empty}\n";
+--- filter/tex/lib.php.orig
++++ filter/tex/lib.php
+@@ -34,8 +34,22 @@ function tex_filter_get_executable($debug=false) {
+ error($error_message1);
+ }
+
++function tex_sanitize_formula($texexp) {
++ /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain)
++ $tex_blacklist = array(
++ 'include','def','command','loop','repeat','open','toks','output',
++ 'input','catcode','name','^^',
++ '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
++ '\batchmode','\read','\write','csname','\newhelp','\uppercase',
++ '\lowercase','\relax','\aftergroup',
++ '\afterassignment','\expandafter','\noexpand','\special'
++ );
++
++ return str_ireplace($tex_blacklist, 'forbiddenkeyword', $texexp);
++}
+
+ function tex_filter_get_cmd($pathname, $texexp) {
++ $texexp = tex_sanitize_formula($texexp);
+ $texexp = escapeshellarg($texexp);
+ $executable = tex_filter_get_executable(false);
+
+--- lib/db/upgrade.php.orig
++++ lib/db/upgrade.php
+@@ -3106,6 +3106,13 @@ function xmldb_main_upgrade($oldversion=0) {
+ upgrade_main_savepoint($result, 2007101542);
+ }
+
++ if ($result && $oldversion < 2007101545.01) {
++ require_once("$CFG->dirroot/filter/tex/lib.php");
++ filter_tex_updatedcallback(null);
++ /// Main savepoint reached
++ upgrade_main_savepoint($result, 2007101545.01);
++ }
++
+ return $result;
+ }
+
+--- version.php.orig
++++ version.php
+@@ -6,7 +6,7 @@
+ // This is compared against the values stored in the database to determine
+ // whether upgrades should be performed (see lib/db/*.php)
+
+- $version = 2007101540; // YYYYMMDD = date of the 1.9 branch (don't change)
++ $version = 2007101545.01; // YYYYMMDD = date of the 1.9 branch (don't change)
+ // X = release number 1.9.[0,1,2,3,4,5...]
+ // Y.YY = micro-increments between releases
+
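Review bot: `tex_sanitize_formula` in the lib.php hunk has no docblock and its replacement token is load-bearing: `str_ireplace` with an array walks the list in order over the already-rewritten string, so the token must never itself contain a blacklisted substring or a later pass would rewrite it again; `'forbiddenkeyword'` is clean today but nothing records that constraint. A comment above the return such as `/// Replacement token must not contain any blacklist entry: str_ireplace applies the list sequentially to its own output.`, plus a short docblock stating that the function returns the formula with every blacklisted substring replaced case-insensitively and is applied before `escapeshellarg` in `tex_filter_get_cmd` and before document assembly in `construct_latex_document`, would make this safe to maintain. Because the match is a bare substring test, benign input such as `\operatorname{...}` is now silently mangled into a broken formula instead of reported, which is harder for a course author to diagnose than the message the first patch produced; keeping a visible marker or a debug log line when a replacement fires would help. The upgrade.php hunk's `filter_tex_updatedcallback(null)` is presumably the cache flush that forces previously rendered images through the sanitizer — worth confirming that function already exists in 1.9.4's filter/tex/lib.php, since this patch does not add it. Both `construct_latex_document` and `tex_filter_get_cmd` continue outside their hunks.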
diff --git a/moodle.spec b/moodle.spec
index 85a2874..e299a40 100644
--- a/moodle.spec
+++ b/moodle.spec
@@ -1,3 +1,4 @@
+%define _default_patch_fuzz 2
 %define moodlewebdir %{_var}/www/moodle/web
 %define moodledatadir %{_var}/www/moodle/data
@@ -7,7 +8,7 @@
 Name: moodle
 Version: 1.9.4
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: A Course Management System
 Group: Applications/Publishing
@@ -104,6 +105,8 @@ Source83: http://download.moodle.org/lang16/uz_utf8.zip
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 Patch0: moodle-1.9.3-rce-texed.patch
+Patch1: moodle-1.9.4-CVE-2009-1171-1.patch
+Patch2: moodle-1.9.4-CVE-2009-1171-2.patch
 BuildRequires: unzip
 Requires: php-gd vixie-cron mimetex perl(lib) php-mysql php-xmlrpc
@@ -1478,6 +1481,8 @@ sed -i 's/\r//' mod/wiki/ewiki/README
 sed -i 's/\r//' mod/wiki/ewiki/README.de
 %patch0 -p0
+%patch1 -p0
+%patch2 -p0
 %build
 rm config-dist.php install.php tags filter/tex/mimetex.* filter/tex/README.mimetex
@@ -1689,6 +1694,9 @@ fi
 %{_sbindir}/%{name}-cron
 %changelog
+* Wed Apr 01 2009 Jon Ciesla - 1.9.4-6
+- Patch for CVE-2009-1171, BZ 493109.
+
 * Tue Mar 24 2009 Jon Ciesla - 1.9.4-5
 - Update for freefont->gnu-free-fonts change.
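Review bot: `%define _default_patch_fuzz 2` in the first hunk relaxes context matching for every patch in the spec, including Patch0 and the two CVE patches declared in the Patch1/Patch2 hunk and applied by `%patch1 -p0` / `%patch2 -p0`, so a hunk whose surrounding lines no longer match 1.9.4 is placed at a shifted offset instead of failing the build; for a security fix that is the wrong failure mode, because a misplaced sanitizer hunk builds cleanly and protects nothing. Prefer regenerating moodle-1.9.4-CVE-2009-1171-1.patch and moodle-1.9.4-CVE-2009-1171-2.patch against the 1.9.4 tree so they apply at the default fuzz, or, if one file genuinely needs it, pass the fuzz per patch (`%patch2 -p0 -F2`) rather than lowering the bar globally. The second patch's filter/tex/filter.php hunk only applies once the first patch has been applied, so the Patch1-then-Patch2 order in %prep is load-bearing and deserves a one-line comment next to `%patch1 -p0`.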