rpms/moodle/EL-4 moodle-1.8.8-CVE-2009-1171-1.patch, NONE, 1.1 moodle-1.8.8-CVE-2009-1171-2.patch, NONE, 1.1 moodle.spec, 1.20, 1.21
Jon Ciesla
limb at fedoraproject.org
Thu Apr 2 20:31:55 UTC 2009
Author: limb
Update of /cvs/pkgs/rpms/moodle/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25333/EL-4
Modified Files:
moodle.spec
Added Files:
moodle-1.8.8-CVE-2009-1171-1.patch
moodle-1.8.8-CVE-2009-1171-2.patch
Log Message:
CVE-2009-1171
moodle-1.8.8-CVE-2009-1171-1.patch:
--- NEW FILE moodle-1.8.8-CVE-2009-1171-1.patch ---
--- filter/tex/filter.php.orig 2009/02/17 05:24:35 1.18.4.4
+++ filter/tex/filter.php 2009/03/26 19:06:29 1.18.4.5
@@ -120,6 +120,16 @@
$text = str_replace($matches[0][$i],$replacement,$text);
}
+ // TeX blacklist. MDL-18552
+ $tex_blacklist = array(
+ 'include','def','command','loop','repeat','open','toks','output',
+ 'input','catcode','name','^^',
+ '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
+ '\batchmode','\read','\write','csname','\newhelp','\uppercase',
+ '\lowercase','\relax','\aftergroup',
+ '\afterassignment','\expandafter','\noexpand','\special'
+ );
+
// <tex> TeX expression </tex>
// or <tex alt="My alternative text to be used instead of the TeX form"> TeX expression </tex>
// or $$ TeX expression $$
@@ -155,6 +165,19 @@
$align = "text-top";
$texexp = preg_replace('/^align=top /','',$texexp);
}
+ /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
+ $invalidcommands = array();
+ foreach($tex_blacklist as $command) {
+ if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
+ $invalidcommands[] = $command;
+ }
+ }
+ if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
+ $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
+ $text = str_replace( $matches[0][$i], $invalidstr, $text);
+ continue;
+ }
+ /// Everything is ok, let's process the expression
$md5 = md5($texexp);
if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {
$texcache->filter = 'tex';
moodle-1.8.8-CVE-2009-1171-2.patch:
--- NEW FILE moodle-1.8.8-CVE-2009-1171-2.patch ---
--- filter/algebra/algebradebug.php
+++ filter/algebra/algebradebug.php
@@ -16,6 +16,8 @@
}
}
+ require_once($CFG->dirroot.'/filter/tex/lib.php');
+
$CFG->texfilterdir = "filter/tex";
$CFG->algebrafilterdir = "filter/algebra";
$CFG->algebraimagedir = "filter/algebra";
@@ -233,6 +235,7 @@ function tex2image($texexp, $md5, $return=false) {
}
$commandpath = "";
$cmd = "";
+ $texexp = tex_sanitize_formula($texexp);
$texexp = escapeshellarg($texexp);
switch (PHP_OS) {
case "Linux":
--- filter/algebra/pix.php
+++ filter/algebra/pix.php
@@ -19,6 +19,7 @@
// disable moodle specific debug messages
disable_debugging();
+ require_once($CFG->dirroot.'/filter/tex/lib.php');
require_once($CFG->libdir.'/filelib.php');
$CFG->texfilterdir = 'filter/tex';
@@ -54,6 +55,7 @@
$texexp = str_replace('>','>',$texexp);
$texexp = preg_replace('!\r\n?!',' ',$texexp);
$texexp = '\Large ' . $texexp;
+ $texexp = tex_sanitize_formula($texexp);
$texexp = escapeshellarg($texexp);
if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS == "Windows")) {
--- filter/tex/filter.php
+++ filter/tex/filter.php
@@ -118,16 +118,6 @@ function tex_filter ($courseid, $text) {
$text = str_replace($matches[0][$i],$replacement,$text);
}
- // TeX blacklist. MDL-18552
- $tex_blacklist = array(
- 'include','def','command','loop','repeat','open','toks','output',
- 'input','catcode','name','^^',
- '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
- '\batchmode','\read','\write','csname','\newhelp','\uppercase',
- '\lowercase','\relax','\aftergroup',
- '\afterassignment','\expandafter','\noexpand','\special'
- );
-
// <tex> TeX expression </tex>
// or $$ TeX expression $$
// or \[ TeX expression \] // original tag of MathType and TeXaide (dlnsk)
@@ -148,19 +138,6 @@ function tex_filter ($courseid, $text) {
$align = "text-top";
$texexp = preg_replace('/^align=top /','',$texexp);
}
- /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
- $invalidcommands = array();
- foreach($tex_blacklist as $command) {
- if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
- $invalidcommands[] = $command;
- }
- }
- if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
- $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
- $text = str_replace( $matches[0][$i], $invalidstr, $text);
- continue;
- }
- /// Everything is ok, let's process the expression
$md5 = md5($texexp);
if (! $texcache = get_record("cache_filters","filter","tex", "md5key", $md5)) {
$texcache->filter = 'tex';
--- filter/tex/latex.php
+++ filter/tex/latex.php
@@ -44,9 +44,11 @@
* @return string the latex document
*/
function construct_latex_document( $formula, $fontsize=12 ) {
- // $fontsize don't affects to formula's size. $density can change size
-
global $CFG;
+
+ $formula = tex_sanitize_formula($formula);
+
+ // $fontsize don't affects to formula's size. $density can change size
$doc = "\\documentclass[{$fontsize}pt]{article}\n";
$doc .= $CFG->filter_tex_latexpreamble;
$doc .= "\\pagestyle{empty}\n";
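Review bot: latex.php does not itself load the file that defines `tex_sanitize_formula()`, which `construct_latex_document()` now calls right after `global $CFG;`, so the sanitizer is only available when the including script happened to pull in filter/tex/lib.php first. The two includers touched in this commit (filter/tex/pix.php and filter/tex/texdebug.php) do that, but any other includer would hit an undefined-function fatal; that fails closed, yet it leaves a security dependency implicit. I would add `require_once($CFG->dirroot.'/filter/tex/lib.php');` near the top of latex.php, assuming `$CFG` is already set at that point as it is for the other scripts in this patch. The function body continues past the end of the hunk.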
--- /dev/null
+++ filter/tex/lib.php
@@ -0,0 +1,37 @@
+<?php //$Id$
+
+function tex_sanitize_formula($texexp) {
+ /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain)
+ $tex_blacklist = array(
+ 'include','def','command','loop','repeat','open','toks','output',
+ 'input','catcode','name','^^',
+ '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
+ '\batchmode','\read','\write','csname','\newhelp','\uppercase',
+ '\lowercase','\relax','\aftergroup',
+ '\afterassignment','\expandafter','\noexpand','\special'
+ );
+
+ return str_ireplace($tex_blacklist, 'forbiddenkeyword', $texexp);
+}
+
+/**
+ * Purge all caches when settings changed.
+ */
+function filter_tex_updatedcallback($name) {
+ global $CFG;
+
+ if (file_exists("$CFG->dataroot/filter/tex")) {
+ remove_dir("$CFG->dataroot/filter/tex");
+ }
+ if (file_exists("$CFG->dataroot/filter/algebra")) {
+ remove_dir("$CFG->dataroot/filter/algebra");
+ }
+ if (file_exists("$CFG->dataroot/temp/latex")) {
+ remove_dir("$CFG->dataroot/temp/latex");
+ }
+
+ delete_records('cache_filters', 'filter', 'tex');
+ delete_records('cache_filters', 'filter', 'algebra');
+}
+
+?>
\ No newline at end of file
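Review bot: `tex_sanitize_formula()` has no docblock and matches bare substrings, so entries such as 'name', 'def' or 'open' also rewrite legitimate macros that merely contain them (for example `\operatorname` becomes `\operatorforbiddenkeyword`), and because this patch removes the `invalidtexcommand` message from filter.php the author gets a broken render with no explanation. A denylist only covers the primitives someone thought to list, as the inline comment itself concedes, so it should not be the sole control: the TeX toolchain invoked afterwards should also run with file access restricted and shell escape disabled in its own configuration (`openin_any`/`openout_any` in texmf.cnf, `-no-shell-escape`). I would add a docblock stating that the function returns the formula with every case-insensitive occurrence of a listed token replaced by `forbiddenkeyword`, that it must be the last transformation applied before the formula reaches a shell command or a LaTeX document, and that the list is best-effort rather than complete.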
--- filter/tex/pix.php
+++ filter/tex/pix.php
@@ -20,8 +20,9 @@
disable_debugging();
require_once($CFG->libdir.'/filelib.php');
+ require_once($CFG->dirroot.'/filter/tex/lib.php');
+ require_once($CFG->dirroot.'/filter/tex/latex.php');
require_once('defaultsettings.php' );
- require_once('latex.php');
$CFG->texfilterdir = 'filter/tex';
$CFG->teximagedir = 'filter/tex';
@@ -69,6 +70,7 @@
$texexp = str_replace('>','>',$texexp);
$texexp = preg_replace('!\r\n?!',' ',$texexp);
$texexp = '\Large ' . $texexp;
+ $texexp = tex_sanitize_formula($texexp);
$texexp = escapeshellarg($texexp);
if ((PHP_OS == "WINNT") || (PHP_OS == "WIN32") || (PHP_OS == "Windows")) {
--- filter/tex/texdebug.php
+++ filter/tex/texdebug.php
@@ -4,7 +4,6 @@
// and uses mimeTeX to create the image file
require_once("../../config.php");
- require( 'latex.php' );
if (empty($CFG->textfilters)) {
error ('Filter not enabled!');
@@ -15,6 +14,9 @@
}
}
+ require_once($CFG->dirroot.'/filter/tex/lib.php');
+ require_once($CFG->dirroot.'/filter/tex/latex.php');
+
$CFG->texfilterdir = "filter/tex";
$CFG->teximagedir = "filter/tex";
@@ -141,6 +143,7 @@
}
$commandpath = "";
$cmd = "";
+ $texexp = tex_sanitize_formula($texexp);
$texexp = escapeshellarg($texexp);
switch (PHP_OS) {
case "Linux":
--- filter/tex/texed.php
+++ filter/tex/texed.php
@@ -6,6 +6,7 @@
$nomoodlecookie = true; // Because it interferes with caching
require_once("../../config.php");
+ require_once($CFG->dirroot.'/filter/tex/lib.php');
if (empty($CFG->textfilters)) {
error ('Filter not enabled!');
@@ -32,6 +33,7 @@
make_upload_directory($CFG->teximagedir);
}
$pathname = "$CFG->dataroot/$CFG->teximagedir/$image";
+ $texexp = tex_sanitize_formula($texexp);
$texexp = escapeshellarg($texexp);
switch (PHP_OS) {
--- lib/db/upgrade.php
+++ lib/db/upgrade.php
@@ -775,6 +775,11 @@ function xmldb_main_upgrade($oldversion=0) {
$db->debug = true;
}
+ if ($result && $oldversion < 2007021581) {
+ require_once("$CFG->dirroot/filter/tex/lib.php");
+ filter_tex_updatedcallback(null);
+ }
+
return $result;
}
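Review bot: The cache purge added before `return $result;` cannot fail the upgrade, because `filter_tex_updatedcallback()` returns nothing and discards the results of `remove_dir()` and `delete_records()`, so `$result` stays true even when the directories under dataroot could not be removed. Images rendered before the fix would then presumably remain in the cache while the site records a successful upgrade to 2007021581. I would have the callback return the combined boolean and write `$result = $result && filter_tex_updatedcallback(null);`, or at least emit a notice when a removal fails. `xmldb_main_upgrade()` starts outside this hunk.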
--- version.php
+++ version.php
@@ -6,7 +6,7 @@
// This is compared against the values stored in the database to determine
// whether upgrades should be performed (see lib/db/*.php)
- $version = 2007021580; // YYYYMMDD = date of the 1.8 branch (don't change)
+ $version = 2007021581; // YYYYMMDD = date of the 1.8 branch (don't change)
// X = release number 1.8.[0,1,2,3...]
// Y = micro-increments between releases
Index: moodle.spec
===================================================================
RCS file: /cvs/pkgs/rpms/moodle/EL-4/moodle.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- moodle.spec 23 Feb 2009 19:04:04 -0000 1.20
+++ moodle.spec 2 Apr 2009 20:31:25 -0000 1.21
@@ -1,3 +1,4 @@
+%define _default_patch_fuzz 2
%define moodlewebdir %{_var}/www/moodle/web
%define moodledatadir %{_var}/www/moodle/data
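Review bot: `%define _default_patch_fuzz 2` applies to every patch in the spec, so a hunk of a security fix can land on context slightly different from what it was written for and the build still succeeds. The fuzz appears to be needed because moodle-1.8.8-CVE-2009-1171-1.patch was cut against another revision: its first hunk carries a `<tex alt=...>` comment line as context that the same region of filter/tex/filter.php in the -2 patch does not show. I would regenerate the -1 patch against the 1.8.8 sources (or fold the two patches into one, since -2 removes from filter.php exactly what -1 adds) and delete the define so that a misplaced hunk fails the build. If the define stays, a comment above it such as `# CVE-2009-1171-1.patch needs fuzz on 1.8.8; remove once rebased` would record why.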
@@ -7,7 +8,7 @@
Name: moodle
Version: 1.8.8
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: A Course Management System
Group: Applications/Publishing
@@ -102,6 +103,9 @@
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
+Patch0: moodle-1.8.8-CVE-2009-1171-1.patch
+Patch1: moodle-1.8.8-CVE-2009-1171-2.patch
+
BuildRequires: unzip
Requires: php-gd vixie-cron mimetex perl(lib) php-mysql php-xmlrpc
Requires: perl(Encode) perl(Text::Aspell) perl(HTML::Parser) php
@@ -1470,6 +1474,9 @@
sed -i 's/\r//' mod/wiki/ewiki/README
sed -i 's/\r//' mod/wiki/ewiki/README.de
+%patch0 -p0
+%patch1 -p0
+
%build
rm config-dist.php install.php tags filter/tex/mimetex.* filter/tex/README.mimetex
@@ -1652,6 +1659,9 @@
%{_sbindir}/%{name}-cron
%changelog
+* Thu Apr 02 2009 Jon Ciesla <limb at jcomserv.net> - 1.8.8-3
+- Patch for CVE-2009-1171, BZ 493109.
+
* Mon Feb 23 2009 Jon Ciesla <limb at jcomserv.net> - 1.8.8-2
- Fixed cron.