Re: Bug#471158: ships embedded copy of smarty with security bug
[Sorry for all the personal copies, just making sure the message is actually
read]

Thijs Kinkhorst wrote:
> 
> I'm not sure where you see that the severity is unjustified? As far as I
> know it still contains and uses an embedded code copy which is present as
> a separate package in the archive. I think that is a serious issue and
> don't see why it should go unresolved.
> 
> It has a similar problem with libphp-phpmailer. It has an XSS bug open
> without any action for months. It has had three NMUs in a row. It's
> currently orphaned, new maintainership is there but is only just starting
> up as it seems.

Moodle was the source of my inspiration for some recent additions to lintian
(credits for the yahoo js check go to Chris Lamb, IIRC):

$ lintian -C files moodle_1.8.2-1.3_all.deb | g embedded
W: moodle: embedded-php-library usr/share/moodle/lib/adodb/adodb.inc.php
W: moodle: embedded-javascript-library
usr/share/moodle/lib/editor/tinymce/jscripts/tiny_mce/tiny_mce.js
W: moodle: embedded-javascript-library
usr/share/moodle/lib/editor/tinymce/jscripts/tiny_mce/tiny_mce_popup.js
W: moodle: embedded-javascript-library
usr/share/moodle/lib/editor/tinymce/jscripts/tiny_mce/tiny_mce_src.js
W: moodle: embedded-php-library
usr/share/moodle/lib/phpmailer/class.phpmailer.php
W: moodle: embedded-php-library usr/share/moodle/lib/smarty/Smarty.class.php
W: moodle: embedded-php-library
usr/share/moodle/lib/smarty/Smarty_Compiler.class.php
W: moodle: embedded-javascript-library
usr/share/moodle/lib/yui/yahoo-dom-event/yahoo-dom-event.js
W: moodle: embedded-javascript-library
usr/share/moodle/lib/yui/yahoo/yahoo-min.js
W: moodle: embedded-javascript-library
usr/share/moodle/lib/yui/yahoo/yahoo.js


PS. Thijs, this is an indirect way to point you (and the other security team
& related folks) to the new embedded code copies checks in lintian; HTH.

> 
> There are many more open security issues in stable:
> http://security-tracker.debian.net/tracker/source-package/moodle
> 
> Security issues are frequent in this package so it needs an active
> maintainer to keep up with it, which it currently hasn't got.
> 
> 
> Thijs
> 
> 

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html