Re: Bug#606311: Acknowledgement (movabletype-opensource: Unspecified XSS and SQL injection vulnerabilities fixed in 4.35)
On Wed, Dec 08, 2010 at 11:15:24PM +0000, Dominic Hargreaves wrote:
> On Wed, Dec 08, 2010 at 07:51:50PM +0000, Dominic Hargreaves wrote:
>
> > The changes can be summarised roughly as follows:
> >
> > lib/MT/App/Search.pm | 22 +++++++++++++++++-----
> >
> > Input checking
>
> Patch does not apply to 4.2.3-1+lenny1
>
> > lib/MT/CMS/Tools.pm | 5 ++++-
> >
> > HTML/JS escaping
>
> Patch does not apply to 4.2.3-1+lenny1
>
> > lib/MT/Template/Context/Search.pm | 4 ++--
> >
> > URI encoding
>
> Applies to 4.2.3-1+lenny1
>
> > lib/MT/Template/ContextHandlers.pm | 26 ++++++++++++++++----------
> >
> > Input checking, HTML escaping
>
> Applied with small adaptation.
>
> > php/extlib/ezsql/ezsql_postgres.php | 2 +-
> >
> > Modifying input checking
>
> Applies to 4.2.3-1+lenny1
>
> > php/lib/mtdb_base.php | 23 +++++++++++++++++++----
> >
> > Modifying logic to accommodate escaping
>
> Applies to 4.2.3-1+lenny1
>
> > php/mt.php | 5 +++--
> >
> > Modifying input checking
>
> Applies to 4.2.3-1+lenny1
>
> > Although not well documented it's clear that these changes are all
> > security-relevant, so I propose to upload 4.3.5 to unstable and have it
> > migrate to testing. I will go ahead with an upload to unstable this
> > evening unless someone shouts.
>
> > Still TODO: assess stable.
>
> So, at least some of these issues probably apply to stable. I'd
> appreciate any help validating these changes (I haven't had a chance
> to build or test yet) and helping determine whether the two fixes which
> didn't apply at all need adjusting (i.e. whether the issues exist in 4.23
> in a different form).
>
> I've attached the results of the above patching.

I've pushed the diff to git now:
<http://git.debian.org/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=66daeefb9288a35e45a0634d5419fb0cf28c8d5f>
and built/basic sanity checked the resulting packages. It's quite
possibly not complete but in the absence of upstream support for older
versions is at least a decent attempt.

DSA and/or SRM, would this be okay to release as either a DSA or update
to stable?

Thanks,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)