Bug#696670: unblock: mahara/1.5.1-3.1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#696670: unblock: mahara/1.5.1-3.1
From: Luca Falavigna <dktrkranz@debian.org>
Date: Tue, 25 Dec 2012 15:41:51 +0100
Message-id: <[🔎] 20121225144151.7163.96081.reportbug@utumno>
Reply-to: Luca Falavigna <dktrkranz@debian.org>, 696670@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mahara

It provides a fix, cherry-picked from upstream repository, for a XSS
vulnerability as described in bug #695789

unblock mahara/1.5.1-3.1

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)

diff -Nru mahara-1.5.1/debian/changelog mahara-1.5.1/debian/changelog
--- mahara-1.5.1/debian/changelog	2012-11-16 09:33:12.000000000 +0100
+++ mahara-1.5.1/debian/changelog	2012-12-23 15:02:25.000000000 +0100
@@ -1,3 +1,14 @@
+mahara (1.5.1-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * SECURITY UPDATE: Fix a cross-site scripting (XSS) vulnerability
+    which allowed remote attackers to inject arbitrary web script or
+    HTML via the query parameter.
+    - debian/patches/CVE-2012-2253.patch
+    - Closes: #695789
+
+ -- Luca Falavigna <dktrkranz@debian.org>  Sun, 23 Dec 2012 14:53:41 +0100
+
 mahara (1.5.1-3) unstable; urgency=high
 
   * SECURITY UPDATE: Disable XML entity parsing to prevent XEE
diff -Nru mahara-1.5.1/debian/patches/CVE-2012-2253.patch mahara-1.5.1/debian/patches/CVE-2012-2253.patch
--- mahara-1.5.1/debian/patches/CVE-2012-2253.patch	1970-01-01 01:00:00.000000000 +0100
+++ mahara-1.5.1/debian/patches/CVE-2012-2253.patch	2012-12-23 15:02:25.000000000 +0100
@@ -0,0 +1,24 @@
+Author: Hugh Davenport <hugh@catalyst.net.nz>
+Subject: Cross-site scripting (XSS) vulnerability
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/1079498
+
+    CVE-2012-2253
+
+    Cross-site scripting (XSS) vulnerability which allowed remote
+    attackers to inject arbitrary web script or HTML via the query
+    parameter.
+
+Index: mahara/htdocs/lib/web.php
+===================================================================
+--- mahara.orig/htdocs/lib/web.php	2012-12-23 14:44:57.009756577 +0100
++++ mahara/htdocs/lib/web.php	2012-12-23 14:47:02.405760418 +0100
+@@ -3273,7 +3273,7 @@
+     }
+     else {
+         $return .= '">'
+-            . '<a href="' . $url . '" title="' . $title
++            . '<a href="' . hsc($url) . '" title="' . $title
+             . '">' . $text . '</a></span>';
+     }
+ 
diff -Nru mahara-1.5.1/debian/patches/series mahara-1.5.1/debian/patches/series
--- mahara-1.5.1/debian/patches/series	2012-11-16 09:32:59.000000000 +0100
+++ mahara-1.5.1/debian/patches/series	2012-12-23 15:02:25.000000000 +0100
@@ -10,3 +10,4 @@
 CVE-2012-2244-0003.patch
 CVE-2012-2246.patch
 CVE-2012-2247.patch
+CVE-2012-2253.patch

Reply to:

Follow-Ups:
- Bug#696670: marked as done (unblock: mahara/1.5.1-3.1)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#696669: unblock: network-manager/0.9.4.0-7
Next by Date: Bug#696669: unblock: network-manager/0.9.4.0-7
Previous by thread: Bug#695764: partial review of unblock: packagekit/0.7.6-2
Next by thread: Bug#696670: marked as done (unblock: mahara/1.5.1-3.1)
Index(es):
- Date
- Thread