Hi, I intend to upload an NMU to fix this bug. The debdiff is attached and archived at: http://people.debian.org/~nion/nmu-diff/drupal6-6.5-1_6.5-1.1.patch
Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u drupal6-6.5/debian/changelog drupal6-6.5/debian/changelog
--- drupal6-6.5/debian/changelog
+++ drupal6-6.5/debian/changelog
@@ -1,3 +1,11 @@
+drupal6 (6.5-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix file inclusion and XSS vulnerability by adding upstream patch
+ (01-SA-2008-067.dpatch; CVE ids pending; Closes: #503222).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Mon, 27 Oct 2008 10:38:11 +0100
+
 drupal6 (6.5-1) unstable; urgency=low
 
 [ Luigi Gangitano ]
diff -u drupal6-6.5/debian/patches/00list drupal6-6.5/debian/patches/00list
--- drupal6-6.5/debian/patches/00list
+++ drupal6-6.5/debian/patches/00list
@@ -1 +1,2 @@
+01-SA-2008-067
 10_cronjob
only in patch2:
unchanged:
--- drupal6-6.5.orig/debian/patches/01-SA-2008-067.dpatch
+++ drupal6-6.5/debian/patches/01-SA-2008-067.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 01-SA-2008-067.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: http://drupal.org/files/sa-2008-067/SA-2008-067-6.5.patch
+
[EMAIL PROTECTED]@
+diff -urNad drupal6-6.5~/includes/bootstrap.inc drupal6-6.5/includes/bootstrap.inc
+--- drupal6-6.5~/includes/bootstrap.inc 2008-08-18 20:56:30.000000000 +0200
++++ drupal6-6.5/includes/bootstrap.inc 2008-10-27 10:37:41.000000000 +0100
+@@ -238,6 +238,11 @@
+
+ $confdir = 'sites';
+ $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
++ if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE) {
++ // A HTTP_HOST containing slashes may be an attack and is invalid.
++ header('HTTP/1.1 400 Bad Request');
++ exit;
++ }
+ $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
+ for ($i = count($uri) - 1; $i > 0; $i--) {
+ for ($j = count($server); $j > 0; $j--) {
+diff -urNad drupal6-6.5~/modules/book/book.admin.inc drupal6-6.5/modules/book/book.admin.inc
+--- drupal6-6.5~/modules/book/book.admin.inc 2008-07-08 12:19:46.000000000 +0200
++++ drupal6-6.5/modules/book/book.admin.inc 2008-10-27 10:37:41.000000000 +0100
+@@ -170,8 +170,8 @@
+ * @see book_admin_edit()
+ */
+ function _book_admin_table_tree($tree, &$form) {
+- foreach ($tree as $key => $data) {
+- $form[$key] = array(
++ foreach ($tree as $data) {
++ $form['book-admin-'. $data['link']['nid']] = array(
+ '#item' => $data['link'],
+ 'nid' => array('#type' => 'value', '#value' => $data['link']['nid']),
+ 'depth' => array('#type' => 'value', '#value' => $data['link']['depth']),
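Review bot: The new guard in the bootstrap.inc hunk rejects only `/` in `$_SERVER['HTTP_HOST']`, yet that value is client-supplied and is split into `$server` on the very next line, apparently to pick a directory under `$confdir` (the enclosing function starts and ends outside the hunk, so that use is inferred). A one-character denylist still lets backslashes and other characters that are not valid in a hostname through. An allowlist would be the more durable check, for example `if (!preg_match('/^[a-z0-9._:\[\]-]*$/i', $_SERVER['HTTP_HOST'])) {` in place of the `strpos()` test, keeping the 400 response. The index should also be guarded with `isset()`, since a request without a Host header leaves it undefined.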

