Hi, I intent to upload a 0-day NMU to fix this bug. Patch attached.
Cheers Nico -- Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u drupal5-5.17/debian/changelog drupal5-5.17/debian/changelog --- drupal5-5.17/debian/changelog +++ drupal5-5.17/debian/changelog @@ -1,3 +1,10 @@ +drupal5 (5.17-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix several XSS issues (SA-CORE-2009-006; Closes: #529191). + + -- Nico Golde <[email protected]> Thu, 28 May 2009 20:30:39 +0200 + drupal5 (5.17-1) unstable; urgency=low [ Luigi Gangitano ] diff -u drupal5-5.17/debian/patches/00list drupal5-5.17/debian/patches/00list --- drupal5-5.17/debian/patches/00list +++ drupal5-5.17/debian/patches/00list @@ -1,0 +2 @@ +20_xss only in patch2: unchanged: --- drupal5-5.17.orig/debian/patches/20_xss.dpatch +++ drupal5-5.17/debian/patches/20_xss.dpatch @@ -0,0 +1,63 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 20_xss.dpatch by Nico Golde <[email protected]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: fix SA-CORE-2009-006 + +...@dpatch@ +diff -urNad drupal5-5.17~/includes/theme.inc drupal5-5.17/includes/theme.inc +--- drupal5-5.17~/includes/theme.inc 2009-04-30 02:13:48.000000000 +0200 ++++ drupal5-5.17/includes/theme.inc 2009-05-28 20:28:29.000000000 +0200 +@@ -170,7 +170,7 @@ + if ($functions[$function]) { + $output = call_user_func_array($functions[$function], $args); + // Add final markup to the full page. +- if ($function == 'page') { ++ if ($function == 'page' || $function == 'book_export_html') { + $output = drupal_final_markup($output); + } + return $output; +diff -urNad drupal5-5.17~/modules/book/book.module drupal5-5.17/modules/book/book.module +--- drupal5-5.17~/modules/book/book.module 2007-02-14 05:30:33.000000000 +0100 ++++ drupal5-5.17/modules/book/book.module 2009-05-28 20:28:29.000000000 +0200 +@@ -702,8 +702,9 @@ + global $base_url; + $html = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\";>\n"; + $html .= '<html xmlns="http://www.w3.org/1999/xhtml"; lang="en" xml:lang="en">'; +- $html .= "<head>\n<title>". $title ."</title>\n"; ++ $html .= "\n<head>\n"; + $html .= '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'; ++ $html .= "\n<title>". $title ."</title>\n"; + $html .= '<base href="'. $base_url .'/" />' . "\n"; + $html .= "<style type=\"text/css\">\...@import url(misc/print.css);\n</style>\n"; + $html .= "</head>\n<body>\n". $content ."\n</body>\n</html>\n"; +diff -urNad drupal5-5.17~/modules/taxonomy/taxonomy.module drupal5-5.17/modules/taxonomy/taxonomy.module +--- drupal5-5.17~/modules/taxonomy/taxonomy.module 2009-02-23 06:42:20.000000000 +0100 ++++ drupal5-5.17/modules/taxonomy/taxonomy.module 2009-05-28 20:28:29.000000000 +0200 +@@ -621,7 +621,7 @@ + */ + function taxonomy_form($vid, $value = 0, $help = NULL, $name = 'taxonomy') { + $vocabulary = taxonomy_get_vocabulary($vid); +- $help = ($help) ? $help : $vocabulary->help; ++ $help = ($help) ? $help : filter_xss_admin($vocabulary->help); + + if (!$vocabulary->multiple) { + $blank = ($vocabulary->required) ? t('- Please choose -') : t('- None selected -'); +@@ -718,7 +718,7 @@ + $typed_string = implode(', ', $typed_terms) . (array_key_exists('tags', $terms) ? $terms['tags'][$vocabulary->vid] : NULL); + + if ($vocabulary->help) { +- $help = $vocabulary->help; ++ $help = filter_xss_admin($vocabulary->help); + } + else { + $help = t('A comma-separated list of terms describing this content. Example: funny, bungee jumping, "Company, Inc.".'); +@@ -741,7 +741,7 @@ + $default_terms[$term->tid] = $term; + } + } +- $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), $vocabulary->help); ++ $form['taxonomy'][$vocabulary->vid] = taxonomy_form($vocabulary->vid, array_keys($default_terms), filter_xss_admin($vocabulary->help)); + $form['taxonomy'][$vocabulary->vid]['#weight'] = $vocabulary->weight; + $form['taxonomy'][$vocabulary->vid]['#required'] = $vocabulary->required; + }
pgp00D9VPJMuN.pgp
Description: PGP signature
