Dear maintainer, I've prepared an NMU for moodle (versioned as 2.2.3.dfsg-2.2) and uploaded it to DELAYED/1. Please feel free to tell me if I should delay it longer.
Regards.
diff -Nru moodle-2.2.3.dfsg/debian/changelog moodle-2.2.3.dfsg/debian/changelog
--- moodle-2.2.3.dfsg/debian/changelog 2012-07-20 19:52:10.000000000 +0200
+++ moodle-2.2.3.dfsg/debian/changelog 2012-07-23 19:13:58.000000000 +0200
@@ -1,3 +1,17 @@
+moodle (2.2.3.dfsg-2.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+
+ * Backport multiple security issues from upstream's MOODLE_22_STABLE
+ branch. (Closes: #682203)
+ - MDL-31692 mod_lti - ensure that various mforms are used properly
+ Fixes CVE-2012-3389
+ - MDL-33916 Ensure that capabilities are checked for cached user
+ enrolments
+ Fixes CVE-2012-3388
+
+ -- Didier Raboud <o...@debian.org> Mon, 23 Jul 2012 19:13:56 +0200
+
 moodle (2.2.3.dfsg-2.1) unstable; urgency=low
 
 * Non-maintainer upload.
diff -Nru moodle-2.2.3.dfsg/debian/patches/0007-MDL-31692-mod_lti-ensure-that-various-mforms-are-use.patch moodle-2.2.3.dfsg/debian/patches/0007-MDL-31692-mod_lti-ensure-that-various-mforms-are-use.patch
--- moodle-2.2.3.dfsg/debian/patches/0007-MDL-31692-mod_lti-ensure-that-various-mforms-are-use.patch 1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0007-MDL-31692-mod_lti-ensure-that-various-mforms-are-use.patch 2012-07-23 19:11:27.000000000 +0200
@@ -0,0 +1,238 @@
+From 1d161e6802bc352c38014f59ed6eb4f63f860378 Mon Sep 17 00:00:00 2001
+From: Dan Poltawski <d...@moodle.com>
+Date: Fri, 22 Jun 2012 14:42:20 +0800
+Subject: [PATCH 7/8] MDL-31692 mod_lti - ensure that various mforms are used
+ properly
+
+* typesettings.php and instructor_edit_tool_type.php are tided
+ up properly to ensure proper use for form data
+* An incorrect PARAM type is corrected for typename
+---
+ mod/lti/edit_form.php | 2 +-
+ mod/lti/instructor_edit_tool_type.php | 9 +--
+ mod/lti/typessettings.php | 131 ++++++++-------------------------
+ 3 files changed, 34 insertions(+), 108 deletions(-)
+
+diff --git a/mod/lti/edit_form.php b/mod/lti/edit_form.php
+index 3cf2ef8..fec78ee 100644
+--- a/mod/lti/edit_form.php
++++ b/mod/lti/edit_form.php
+@@ -62,7 +62,7 @@ class mod_lti_edit_types_form extends moodleform{
+ $mform->addElement('header', 'setup', get_string('tool_settings', 'lti'));
+ 
+ $mform->addElement('text', 'lti_typename', get_string('typename', 'lti'));
+- $mform->setType('lti_typename', PARAM_INT);
++ $mform->setType('lti_typename', PARAM_TEXT);
+ $mform->addHelpButton('lti_typename', 'typename', 'lti');
+ $mform->addRule('lti_typename', null, 'required', null, 'client');
+ 
+diff --git a/mod/lti/instructor_edit_tool_type.php b/mod/lti/instructor_edit_tool_type.php
+index b0fe496..c65b3f4 100644
+--- a/mod/lti/instructor_edit_tool_type.php
++++ b/mod/lti/instructor_edit_tool_type.php
+@@ -47,9 +47,8 @@ if (!empty($typeid)) {
+ }
+ }
+ 
+-$data = data_submitted();
+-
+-if (isset($data->submitbutton) && confirm_sesskey()) {
++$form = new mod_lti_edit_types_form();
++if ($data = $form->get_data()) {
+ $type = new stdClass();
+ 
+ if (!empty($typeid)) {
+@@ -96,7 +95,7 @@ if (isset($data->submitbutton) && confirm_sesskey()) {
+ 
+ die;
+ }
+-} else if (isset($data->cancel)) {
++} else if ($form->is_cancelled()) {
+ $script = "
+ <html>
+ <script type=\"text/javascript\">
+@@ -120,10 +119,8 @@ echo $OUTPUT->header();
+ echo $OUTPUT->heading(get_string('toolsetup', 'lti'));
+ 
+ if ($action == 'add') {
+- $form = new mod_lti_edit_types_form();
+ $form->display();
+ } else if ($action == 'edit') {
+- $form = new mod_lti_edit_types_form();
+ $type = lti_get_type_type_config($typeid);
+ $form->set_data($type);
+ $form->display();
+diff --git a/mod/lti/typessettings.php b/mod/lti/typessettings.php
+index d6d2d18..f88cb5e 100644
+--- a/mod/lti/typessettings.php
++++ b/mod/lti/typessettings.php
+@@ -53,41 +53,42 @@ require_once($CFG->libdir.'/adminlib.php');
+ require_once($CFG->dirroot.'/mod/lti/edit_form.php');
+ require_once($CFG->dirroot.'/mod/lti/locallib.php');
+ 
+-$section = 'modsettinglti';
+-$return = optional_param('return', '', PARAM_ALPHA);
+-$adminediting = optional_param('adminedit', -1, PARAM_BOOL);
+ $action = optional_param('action', null, PARAM_ACTION);
+ $id = optional_param('id', null, PARAM_INT);
+-$useexisting = optional_param('useexisting', null, PARAM_INT);
+-$definenew = optional_param('definenew', null, PARAM_INT);
++$tab = optional_param('tab', '', PARAM_ALPHAEXT);
+ 
+ // no guest autologin
+ require_login(0, false);
++
+ $pageurl = new moodle_url('/mod/lti/typessettings.php');
++if (!empty($id)) {
++ $pageurl->param('id', $id);
++}
+ $PAGE->set_url($pageurl);
+ 
+ admin_externalpage_setup('managemodules'); // Hacky solution for printing the admin page
+ 
+-$tab = optional_param('tab', '', PARAM_ALPHAEXT);
+ $redirect = "$CFG->wwwroot/$CFG->admin/settings.php?section=modsettinglti&tab={$tab}";
+ 
+-// WRITING SUBMITTED DATA (IF ANY)
+-
+-$statusmsg = '';
+-$errormsg = '';
+-$focus = '';
++require_sesskey();
+ 
+-$data = data_submitted();
+-
+-// Any posted data & any action
+-if (!empty($data) || !empty($action)) {
+- require_sesskey();
++if ($action == 'accept') {
++ lti_set_state_for_type($id, LTI_TOOL_STATE_CONFIGURED);
++ redirect($redirect);
++} else if ($action == 'reject') {
++ lti_set_state_for_type($id, LTI_TOOL_STATE_REJECTED);
++ redirect($redirect);
++} else if ($action == 'delete') {
++ lti_delete_type($id);
++ redirect($redirect);
+ }
+ 
+-if (isset($data->submitbutton)) {
++$form = new mod_lti_edit_types_form($pageurl, (object)array('isadmin' => true));
++
++if ($data = $form->get_data()) {
+ $type = new stdClass();
+ 
+- if (isset($id)) {
++ if (!empty($id)) {
+ $type->id = $id;
+ 
+ lti_update_type($type, $data);
+@@ -100,94 +101,22 @@ if (isset($data->submitbutton)) {
+ 
+ redirect($redirect);
+ }
+-
+-} else if (isset($data->cancel)) {
+- redirect($redirect);
+-
+-} else if ($action == 'accept') {
+- lti_set_state_for_type($id, LTI_TOOL_STATE_CONFIGURED);
+- redirect($redirect);
+-
+-} else if ($action == 'reject') {
+- lti_set_state_for_type($id, LTI_TOOL_STATE_REJECTED);
+- redirect($redirect);
+-
+-} else if ($action == 'delete') {
+- lti_delete_type($id);
++} else if ($form->is_cancelled()) {
+ redirect($redirect);
+ }
+ 
+-// print header stuff
+-$PAGE->set_focuscontrol($focus);
+-if (empty($SITE->fullname)) {
+- $PAGE->set_title($settingspage->visiblename);
+- $PAGE->set_heading($settingspage->visiblename);
+-
+- $PAGE->navbar->add(get_string('lti_administration', 'lti'), $CFG->wwwroot.'/admin/settings.php?section=modsettinglti');
+-
+- echo $OUTPUT->header();
+-
+- echo $OUTPUT->box(get_string('configintrosite', 'admin'));
+-
+- if ($errormsg !== '') {
+- echo $OUTPUT->notification($errormsg);
+-
+- } else if ($statusmsg !== '') {
+- echo $OUTPUT->notification($statusmsg, 'notifysuccess');
+- }
+-
+- echo '<form action="typesettings.php" method="post" id="'.$id.'" >';
+- echo '<div class="settingsform clearfix">';
+- echo html_writer::input_hidden_params($PAGE->url);
+- echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
+- echo '<input type="hidden" name="return" value="'.$return.'" />';
+-
+- echo $settingspage->output_html();
+-
+- echo '<div class="form-buttons"><input class="form-submit" type="submit" value="'.get_string('savechanges', 'admin').'" /></div>';
+-
+- echo '</div>';
+- echo '</form>';
+-
+-} else {
+- if ($PAGE->user_allowed_editing()) {
+- $url = clone($PAGE->url);
+- if ($PAGE->user_is_editing()) {
+- $caption = get_string('blockseditoff');
+- $url->param('adminedit', 'off');
+- } else {
+- $caption = get_string('blocksediton');
+- $url->param('adminedit', 'on');
+- }
+- $buttons = $OUTPUT->single_button($url, $caption, 'get');
+- }
+-
+- $PAGE->set_title("$SITE->shortname: " . get_string('toolsetup', 'lti'));
+-
+- $PAGE->navbar->add(get_string('lti_administration', 'lti'), $CFG->wwwroot.'/admin/settings.php?section=modsettinglti');
++$PAGE->set_title("$SITE->shortname: " . get_string('toolsetup', 'lti'));
++$PAGE->navbar->add(get_string('lti_administration', 'lti'), $CFG->wwwroot.'/admin/settings.php?section=modsettinglti');
+ 
+- echo $OUTPUT->header();
+-
+- if ($errormsg !== '') {
+- echo $OUTPUT->notification($errormsg);
+-
+- } else if ($statusmsg !== '') {
+- echo $OUTPUT->notification($statusmsg, 'notifysuccess');
+- }
+-
+- echo $OUTPUT->heading(get_string('toolsetup', 'lti'));
+- echo $OUTPUT->box_start('generalbox');
+- if ($action == 'add') {
+- $form = new mod_lti_edit_types_form($pageurl, (object)array('isadmin' => true));
+- $form->display();
+- } else if ($action == 'update') {
+- $form = new mod_lti_edit_types_form('typessettings.php?id='.$id, (object)array('isadmin' => true));
+- $type = lti_get_type_type_config($id);
+- $form->set_data($type);
+- $form->display();
+- }
++echo $OUTPUT->header();
++echo $OUTPUT->heading(get_string('toolsetup', 'lti'));
++echo $OUTPUT->box_start('generalbox');
+ 
+- echo $OUTPUT->box_end();
++if ($action == 'update') {
++ $type = lti_get_type_type_config($id);
++ $form->set_data($type);
+ }
+ 
++$form->display();
++echo $OUTPUT->box_end();
+ echo $OUTPUT->footer();
+-- 
+1.7.10.4
+
diff -Nru moodle-2.2.3.dfsg/debian/patches/0008-MDL-33916-Ensure-that-capabilities-are-checked-for-c.patch moodle-2.2.3.dfsg/debian/patches/0008-MDL-33916-Ensure-that-capabilities-are-checked-for-c.patch
--- 
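Review bot: In the new typessettings.php the `accept`, `reject` and `delete` branches pass `$id` straight to `lti_set_state_for_type()` / `lti_delete_type()`, although `$id` comes from `optional_param('id', null, PARAM_INT)` and can be null, while the form path guards with `!empty($id)`; reading it as `$id = required_param('id', PARAM_INT);` inside those branches would reject a request without an id before the helpers run (what they do with a null id is not visible in this patch). The `require_sesskey()` now placed unconditionally ahead of the dispatch is the CSRF protection this backport carries, and it also means every link into this page, including the plain `action=add` / `action=update` form display, must carry a valid sesskey. A comment above it, `// Every entry point (state changes and form display) requires a valid sesskey; links to this page must include one.`, would keep a later maintainer from moving it back inside an action check. The edit_form.php hunk widens `lti_typename` from PARAM_INT to PARAM_TEXT, so wherever the type name is displayed it should still be escaped for HTML output; that code is not part of this patch.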
moodle-2.2.3.dfsg/debian/patches/0008-MDL-33916-Ensure-that-capabilities-are-checked-for-c.patch 1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0008-MDL-33916-Ensure-that-capabilities-are-checked-for-c.patch 2012-07-23 19:11:27.000000000 +0200
@@ -0,0 +1,27 @@
+From a36b416641543c0cb267f2b88fba30206f1df2bd Mon Sep 17 00:00:00 2001
+From: Andrew Robert Nicols <andrew.nic...@luns.net.uk>
+Date: Wed, 20 Jun 2012 17:02:00 +0100
+Subject: [PATCH 8/8] MDL-33916 Ensure that capabilities are checked for
+ cached user enrolments
+
+---
+ lib/accesslib.php | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/accesslib.php b/lib/accesslib.php
+index dd7f5b0..084c4d5 100644
+--- a/lib/accesslib.php
++++ b/lib/accesslib.php
+@@ -1935,6 +1935,9 @@ function is_enrolled(context $context, $user = null, $withcapability = '', $only
+ $coursecontext->reload_if_dirty();
+ if (isset($USER->enrol['enrolled'][$coursecontext->instanceid])) {
+ if ($USER->enrol['enrolled'][$coursecontext->instanceid] > time()) {
++ if ($withcapability and !has_capability($withcapability, $context, $userid)) {
++ return false;
++ }
+ return true;
+ }
+ }
+-- 
+1.7.10.4
+
diff -Nru moodle-2.2.3.dfsg/debian/patches/series moodle-2.2.3.dfsg/debian/patches/series
--- moodle-2.2.3.dfsg/debian/patches/series 2012-07-20 19:59:27.000000000 +0200
+++ moodle-2.2.3.dfsg/debian/patches/series 2012-07-23 19:11:27.000000000 +0200
@@ -4,3 +4,5 @@
 0004-MDL-23254-Authentication-used-httpswwwroot-as-root-u.patch
 0005-MDL-33808-incorrect-cleaning-of-repository-names.patch
 0006-MDL-33808-format-title-on-the-repository-instance-sc.patch
+0007-MDL-31692-mod_lti-ensure-that-various-mforms-are-use.patch
+0008-MDL-33916-Ensure-that-capabilities-are-checked-for-c.patch
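Review bot: The added check in the cached branch of `is_enrolled()` relies on `$userid`, which is assigned outside the hunk, so the hunk alone does not show that it is the same user whose entry is read from `$USER->enrol['enrolled']`; a comment above the new `if` would record why the early `return true` is no longer unconditional: `// The enrolment cache only says "enrolled"; a requested capability must still be verified here, as on the non-cached path.` The new condition uses `and` where a reader of this function cannot see which operator form the surrounding code uses; keeping it consistent with the rest of the function is worth a glance. `is_enrolled()` begins and ends outside the hunk, so the non-cached capability check this mirrors is presumed, not shown.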