Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package moodle

I am about to get a new version of the package uploaded to testing-proposed-updates. The new version fixes a security issue that has been forwarded upstream but is not yet fixed there.

diff -Nru moodle-2.2.3.dfsg/debian/changelog moodle-2.2.3.dfsg/debian/changelog
--- moodle-2.2.3.dfsg/debian/changelog  2012-11-16 09:07:18.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/changelog  2012-12-12 19:19:22.000000000 +0100
@@ -1,3 +1,11 @@
+moodle (2.2.3.dfsg-2.6~wheezy1) testing-proposed-updates; urgency=low
+
+  * Fix possible security issue for curl in 3-rd party libraries:
+    * phpCAS (CVE-2012-5583)
+    * amazon-s3-php-class
+
+ -- Tomasz Muras <nexor1...@gmail.com>  Tue, 27 Nov 2012 23:15:45 +0100
+
 moodle (2.2.3.dfsg-2.6~wheezy0) testing-proposed-updates; urgency=low

   * Re-upload -2.6 towards Wheezy.
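Review bot: the changelog entry gives a CVE only for phpCAS and no reference at all for the amazon-s3-php-class part, even though the patch it introduces carries MDL-36818 and upstream pull-request URLs in its header; consider adding "(MDL-36818)" to the `* Fix possible security issue for curl in 3-rd party libraries:` line so the entry can be traced from the changelog alone, and "3-rd party" should read "third-party".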
diff -Nru moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch --- moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch 1970-01-01 01:00:00.000000000 +0100 +++ moodle-2.2.3.dfsg/debian/patches/0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch 2012-12-12 19:20:03.000000000 +0100
@@ -0,0 +1,49 @@
+From: Tomasz Muras <tom...@muras.eu>
+Last-Update: 2012-12-12
+Bug: http://tracker.moodle.org/browse/MDL-36818
+Bug-amazon-s3-php-class: https://github.com/tpyo/amazon-s3-php-class/pull/36
+Bug-phpCAS: https://github.com/Jasig/phpCAS/pull/58
+Forwarded: yes
+Description: Fix the value of CURLOPT_SSL_VERIFYHOST option.
+ Wrong use of CURLOPT_SSL_VERIFYHOST is a potential security issue.
+ The bug was reported by Alessandro Ghedini <gh...@debian.org>, patch
+ created by Tomasz Muras and forwarded to Moodle and Moodle's upstream -
+ amazon-s3-php-class and phpCAS. There is no Debian bug or CVE issued yet
+ but Debian Security Team has been notified. CVE for phpCAS is CVE-2012-5583.
+ The bug is not fixed in Moodle upstream yet.
+
+diff --git a/auth/cas/CAS/CAS/client.php b/auth/cas/CAS/CAS/client.php
+index 74d6893..d5c4212 100644
+--- a/auth/cas/CAS/CAS/client.php
++++ b/auth/cas/CAS/CAS/client.php
+@@ -2160,7 +2160,7 @@ class CASClient
+               if ($this->_cas_server_cert != '' && $this->_cas_server_ca_cert 
!= '') {
+ // This branch added by IDMS. Seems phpCAS implementor got a bit confused about the curl options CURLOPT_SSLCERT and CURLOPT_CAINFO
+                       curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+-                      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
++                      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+                       curl_setopt($ch, CURLOPT_SSLCERT, 
$this->_cas_server_cert);
+                       curl_setopt($ch, CURLOPT_CAINFO, 
$this->_cas_server_ca_cert);
+                       curl_setopt($ch, CURLOPT_VERBOSE, '1');
+@@ -2172,7 +2172,7 @@ class CASClient
+                       curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
+                       curl_setopt($ch, CURLOPT_CAINFO, 
$this->_cas_server_ca_cert);
+               } else {
+-                      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
++                      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+                       curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+               }
+               
+diff --git a/repository/s3/S3.php b/repository/s3/S3.php
+index dadfb5a..b5a11b6 100644
+--- a/repository/s3/S3.php
++++ b/repository/s3/S3.php
+@@ -1140,7 +1140,7 @@ final class S3Request {
+               curl_setopt($curl, CURLOPT_USERAGENT, 'S3/php');
+
+               if (S3::$useSSL) {
+-                      curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1);
++                      curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
+                       curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
+               }
+
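Review bot: in the second CASClient hunk the `else` branch changes `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);` to `2` but the next line still reads `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);`, so the certificate chain is still not validated there and the stricter host check only applies to an unverified certificate; the Description should say that this branch remains weaker than the two above it rather than implying the value change alone closes the issue in all three places. The Description also states that the wrong value "is a potential security issue" without saying what value 2 checks that 1 does not, which the security team will want for triage; one sentence there would help. Minor: `Last-Update: 2012-12-12` is later than the `Tue, 27 Nov 2012` changelog stamp for the upload that adds this patch.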
diff -Nru moodle-2.2.3.dfsg/debian/patches/series moodle-2.2.3.dfsg/debian/patches/series --- moodle-2.2.3.dfsg/debian/patches/series 2012-11-10 16:09:16.000000000 +0100 +++ moodle-2.2.3.dfsg/debian/patches/series 2012-11-29 18:00:57.000000000 +0100
@@ -18,3 +18,4 @@
 0018-MDL-34448-mod-data-Fixing-separate-groups-viewing-al.patch
 0019-MDL-33791-Portfolio-Fixed-security-issue-with-passin.patch
 0020-MDL-35558-mod_data-Show-only-own-entries-while-there.patch
+0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch


unblock moodle/2.2.3.dfsg-2.6~wheezy1


Tomasz Muras

