Lionel Elie Mamane wrote: > > This security hole was fixed in kronolith2, but the kronolith > > package is still present in unstable and still, presumably, has this > > hole. > > Thank you for warning us. However, kronolith 1 is not maintained > upstream anymore and no patch for this issue is available from > upstream.
Thanks a lot.
> I've tried to backport the upstream patch for kronolith 2, but most
> files touched don't actually exist in kronolith 1, as well as a
> sizeable part of the code touched in the files that do exist. Here is
> my measle backport attempt, but I'd really like someone that
> understands the issue to review it and see if nothing has been left
> out. Do we have someone of that calibre (and willing to do it)
> available in Debian?
I've taken a look at the patch, and several lines contain changes not
suitable for a security update, i.e. fix different potential bugs or
change the code. I'm attaching the patch. More eyes checking would
be appreciated.
Regards,
Joey
--
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Please always Cc to me when replying to me on the lists.
diff -u kronolith-1.1.4/debian/changelog kronolith-1.1.4/debian/changelog
--- kronolith-1.1.4/debian/changelog
+++ kronolith-1.1.4/debian/changelog
@@ -1,3 +1,13 @@
+kronolith (1.1.4-2sarge1) unstable; urgency=low
+
+ * Non-maintainer upload by the Security Team
+ * Backported upstream security patch for kronolith2 to fix several
+ cross-site-scripting vulnerabilities [templates/edit/edit.inc,
+ templates/view/view.inc, templates/delete/one.inc,
+ templates/delete/delete.inc, CVE-2005-4189, Bug#342943, Bug#349261]
+
+ -- Martin Schulze <[EMAIL PROTECTED]> Sun, 22 Jan 2006 11:30:50 +0100
+
kronolith (1.1.4-2) unstable; urgency=low
* Fixed grammar error, closes: #273190.
only in patch2:
unchanged:
--- kronolith-1.1.4.orig/templates/edit/edit.inc
+++ kronolith-1.1.4/templates/edit/edit.inc
@@ -27,16 +27,16 @@
?>
<form action="<?php echo ($event->isInitialized() ? 'editeventaction.php' :
'addeventaction.php') ?>" method="post" name="event">
<?php Horde::pformInput() ?>
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>"
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="timestamp" value="<?php if (isset($timestamp)) echo
$timestamp ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo
htmlspecialchars($day) ?>" />
+<input type="hidden" name="timestamp" value="<?php if (isset($timestamp)) echo
htmlspecialchars($timestamp) ?>" />
<input type="hidden" name="new_category" value="" />
<?php if (isset($url)): ?>
-<input type="hidden" name="url" value="<?php echo $url ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
<?php endif; ?>
<?php if ($event->isInitialized()): ?>
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="eventID" value="<?php echo
htmlspecialchars($event->getID()) ?>" />
<?php endif; ?>
<center>
only in patch2:
unchanged:
--- kronolith-1.1.4.orig/templates/view/view.inc
+++ kronolith-1.1.4/templates/view/view.inc
@@ -137,10 +137,10 @@
</tr>
<?php foreach ($keyword_list as $cat => $list): ?>
<tr>
- <td align="right" class="light" valign="top"><b><?php echo $cat
?> </b></td>
+ <td align="right" class="light" valign="top"><b><?php echo
htmlspecialchars($cat) ?> </b></td>
<td align="left" class="text" colspan="3">
<?php foreach ($list as $entry): ?>
- <?php echo $entry ?><br />
+ <?php echo htmlspecialchars($entry) ?><br />
<?php endforeach; ?>
</td>
</tr>
only in patch2:
unchanged:
--- kronolith-1.1.4.orig/templates/delete/one.inc
+++ kronolith-1.1.4/templates/delete/one.inc
@@ -6,18 +6,18 @@
}
?>
<form action="<?php echo Horde::applicationUrl('deleventaction.php') ?>"
method="post" name="delete">
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>"
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="url" value="<?php echo $url ?>" />
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo
htmlspecialchars($day) ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
+<input type="hidden" name="eventID" value="<?php echo
htmlspecialchars($event->getID()) ?>" />
<center>
<table border="0" cellspacing="0" cellpadding="4" align="center">
<!-- header -->
<tr class="header">
- <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"),
$event->getTitle()) ?></b></td>
+ <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"),
htmlspecialchars($event->getTitle())) ?></b></td>
</tr>
<!-- description -->
@@ -29,7 +29,7 @@
<tr>
<td align="left">
<input type="submit" class="button" name="delete" value="<?php echo
_("Delete") ?>" />
- <input type="submit" class="button" name="cancel" value="<?php echo
_("Cancel") ?>" onclick="self.location = '<?php echo $url; ?>'; return false;"
/>
+ <input type="submit" class="button" name="cancel" value="<?php echo
_("Cancel") ?>" onclick="self.location = '<?php echo htmlspecialchars($url);
?>'; return false;" />
</td>
</tr>
only in patch2:
unchanged:
--- kronolith-1.1.4.orig/templates/delete/delete.inc
+++ kronolith-1.1.4/templates/delete/delete.inc
@@ -6,18 +6,18 @@
}
?>
<form action="<?php echo Horde::applicationUrl('deleventaction.php') ?>"
method="post" target="_self" name="delete">
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>"
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="url" value="<?php echo $url ?>" />
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo
htmlspecialchars($day) ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
+<input type="hidden" name="eventID" value="<?php echo
htmlspecialchars($event->getID()) ?>" />
<center>
<table border="0" cellspacing="0" cellpadding="4" align="center">
<!-- header -->
<tr class="header">
- <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"),
$event->getTitle()) ?></b></td>
+ <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"),
htmlspecialchars($event->getTitle())) ?></b></td>
</tr>
<!-- description -->
@@ -31,7 +31,7 @@
<input type="submit" class="button" name="current" value="<?php echo
_("Current") ?>" />
<input type="submit" class="button" name="future" value="<?php echo
_("Future") ?>" />
<input type="submit" class="button" name="all" value="<?php echo _("All")
?>" />
- <input type="submit" class="button" name="cancel" value="<?php echo
_("Cancel") ?>" onclick="self.location = '<?php echo $url; ?>'; return false;"
/>
+ <input type="submit" class="button" name="cancel" value="<?php echo
_("Cancel") ?>" onclick="self.location = '<?php echo htmlspecialchars($url);
?>'; return false;" />
</td>
</tr>
signature.asc
Description: Digital signature
