Several security updates for Mahara

Bug #888358 reported by Melissa Draper
Affects            Status         Importance   Assigned to      Milestone
mahara (Ubuntu)    Fix Released   High         Unassigned
  Lucid            Fix Released   High         Steve Beattie
  Maverick         Fix Released   High         Steve Beattie
  Natty            Fix Released   High         Steve Beattie
  Oneiric          Fix Released   High         Steve Beattie
  Precise          Fix Released   High         Unassigned

Bug Description

Here are patches to fix a number of very serious security issues in lucid, maverick, natty and oneiric versions of Mahara.

Issues affecting both 1.2.x and 1.4.0 are:

  * XSS in unvalidated URI attributes
    - CVE-2011-2771
    - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4135

  * DoS attack via invalid or excessively large images
    - CVE-2011-2772
    - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4133

  * XSRF allowing attackers to trick an admin into adding them to an institution
    - CVE-2011-2773
    - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4137

  * Prevent masquerading users from jumping via XMLRPC as others
    - CVE pending from oss-sec list via debian security list
    - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4138

One issue affects the 1.4.0 version of Mahara in Oneiric:

  * Information disclosure exposing private messages
    - CVE-2011-2774
    - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4134
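The fix for the image DoS (CVE-2011-2772) is described as a memory check before the image is processed. The block below is an added illustration, not Mahara's own PHP patch: it reads the dimensions from a PNG header without decoding any pixel data and refuses the image when the estimated decoded size would exceed the memory budget. The bytes-per-pixel value, the overhead factor and the make_png_header helper are assumptions made for this demo.

```python
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data: bytes):
    """Return (width, height) from the IHDR chunk without decoding pixels.

    Raises ValueError for non-PNG, truncated or zero-sized input, which is
    the "invalid image" half of the DoS described in the advisory.
    """
    if len(data) < 24 or data[:8] != PNG_SIGNATURE or data[12:16] != b"IHDR":
        raise ValueError("not a PNG or truncated header")
    width, height = struct.unpack(">II", data[16:24])
    if width == 0 or height == 0:
        raise ValueError("invalid zero dimension")
    return width, height


def estimated_decode_bytes(width: int, height: int,
                           bytes_per_pixel: int = 4, overhead: float = 1.5) -> int:
    # Assumption: an RGBA buffer plus a 50% allowance for library scratch space.
    # The real cost depends on the image library; the point is to estimate
    # from the header, not from the (possibly huge) decoded bitmap.
    return int(width * height * bytes_per_pixel * overhead)


def safe_to_decode(data: bytes, memory_limit_bytes: int, already_used: int = 0) -> bool:
    """Decide before decoding whether the image fits in the remaining budget.

    memory_limit_bytes plays the role of PHP's memory_limit; already_used is
    whatever the process has consumed so far. Invalid images are rejected too.
    """
    try:
        width, height = png_dimensions(data)
    except ValueError:
        return False
    return already_used + estimated_decode_bytes(width, height) <= memory_limit_bytes


def make_png_header(width: int, height: int) -> bytes:
    # Constructed sample input: signature plus IHDR length, type and dimensions.
    # The IHDR CRC and the rest of the file are omitted; the check never reads them.
    return (PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", width, height))
```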

visibility: private → public
Revision history for this message
Dave Walker (davewalker) wrote :

Thanks for reporting this bug and attaching a series of debdiffs. As these are security uploads, they need to be sponsored by the security team.

The patches look great. Whilst reviewing, I did notice a couple of trivial things:
- debian/control: The Maintainer field update wouldn't normally be appropriate for a stable release update
- debian/changelog:
   - It is convention to wrap at 80 chars.
   - No LP: #888358, which will close these bugs.
   - The CVE numbers should be quoted on a standalone line.
   - "How the bad guys can win" is described, but a high level comment /how/ it is resolved isn't documented.
- debian/patches/*.patch: Great to see use of DEP-5 headers, although it's not clear to me if these patches are actually applied upstream or just submitted (useful to know when they can be dropped).

For an example of changelog formatting for security uploads, please see the template on:
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Thanks.

Dave Walker (davewalker)
Changed in mahara (Ubuntu Lucid):
status: New → Confirmed
Changed in mahara (Ubuntu Maverick):
status: New → Confirmed
Changed in mahara (Ubuntu Natty):
status: New → Confirmed
Changed in mahara (Ubuntu Oneiric):
status: New → Confirmed
Changed in mahara (Ubuntu Precise):
status: New → Confirmed
Changed in mahara (Ubuntu Lucid):
importance: Undecided → High
Changed in mahara (Ubuntu Maverick):
importance: Undecided → High
Changed in mahara (Ubuntu Natty):
importance: Undecided → High
Changed in mahara (Ubuntu Oneiric):
importance: Undecided → High
Changed in mahara (Ubuntu Precise):
importance: Undecided → High
Revision history for this message
François Marier (fmarier) wrote :

All of these patches come from the upstream developers (who are also the Debian maintainers for the mahara package).

The 1.2 patches were made custom for Debian, the 1.4 ones were included as part of the 1.4.1 release.

Revision history for this message
Melissa Draper (melissa) wrote :

I've uploaded new patches with the requested alterations to debian/control and debian/changelog.

Did François' comment above regarding Debian maintenance contain sufficient information regarding your query about the DEP-5 headers?

Is there anything else specific we need to do to get this reviewed and sponsored by the security team?

Thanks,
Melissa.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Melissa,

In the oneiric debdiff, the patch for CVE-2011-2773 is significantly different from the one for prior versions (it removes addtoinstitution.php outright where the others add the session check). Based on perusing bug 800032, I'm assuming this is intended and will adjust the changelog to match.

Assigning the tasks to myself. Thanks.

Changed in mahara (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Changed in mahara (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Changed in mahara (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Changed in mahara (Ubuntu Oneiric):
assignee: nobody → Steve Beattie (sbeattie)
Revision history for this message
François Marier (fmarier) wrote :

Precise has synced with Sid so it's all good now.

Steve: you're right, that's intended. In 1.4, due to a bug, that script was unreachable from the UI so it can easily be removed.

Changed in mahara (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.4.0-1ubuntu0.1

---------------
mahara (1.4.0-1ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: XSS in unvalidated URI attributes
    - Added a filter to sanitise user input urls (LP: #888358)
    - debian/patches/CVE-2011-2771.patch: upstream patch
    - CVE-2011-2771

  * SECURITY UPDATE: DoS attack via invalid or excessively large images
    - Added a check to evaluate available memory before processing
      (LP: #888358)
    - debian/patches/CVE-2011-2772.patch: upstream patch
    - CVE-2011-2772

  * SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
    them to an institution
    - remove unreferenced and vulnerable addtoinstitution.php (LP: #888358)
    - debian/patches/CVE-2011-2773.patch: upstream patch
    - CVE-2011-2773

  * SECURITY UPDATE: Information disclosure exposing private messages
    - User check to ensure they are conversation participant (LP: #888358)
    - debian/patches/CVE-2011-2774.patch: upstream patch
    - CVE-2011-2774

  * SECURITY UPDATE: Prevent masquerading users from jumping as others
    - Added a check to prevent jumping as other users. (LP: #888358)
    - debian/patches/mnet_masquerading.patch: upstream patch
 -- Melissa Draper <email address hidden> Thu, 03 Nov 2011 22:32:45 +0000

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.7-1ubuntu0.2

---------------
mahara (1.2.7-1ubuntu0.2) natty-security; urgency=low

  * SECURITY UPDATE: XSS in unvalidated URI attributes
    - Added a filter to sanitise user input urls (LP: #888358)
    - debian/patches/CVE-2011-2771.patch: upstream patch
    - CVE-2011-2771

  * SECURITY UPDATE: DoS attack via invalid or excessively large images
    - Added a check to evaluate available memory before processing
      (LP: #888358)
    - debian/patches/CVE-2011-2772.patch: upstream patch
    - CVE-2011-2772

  * SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
    them to an institution
    - Session check added (LP: #888358)
    - debian/patches/CVE-2011-2773.patch: upstream patch
    - CVE-2011-2773

  * SECURITY UPDATE: Prevent masquerading users from jumping as others
    - Added a check to prevent jumping as other users. (LP: #888358)
    - debian/patches/mnet_masquerading.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 02 Nov 2011 21:50:04 +0000

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.5-2ubuntu0.3

---------------
mahara (1.2.5-2ubuntu0.3) maverick-security; urgency=low

  * SECURITY UPDATE: XSS in unvalidated URI attributes
    - Added a filter to sanitise user input urls (LP: #888358)
    - debian/patches/CVE-2011-2771.patch: upstream patch
    - CVE-2011-2771

  * SECURITY UPDATE: DoS attack via invalid or excessively large images
    - Added a check to evaluate available memory before processing
      (LP: #888358)
    - debian/patches/CVE-2011-2772.patch: upstream patch
    - CVE-2011-2772

  * SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
    them to an institution
    - Session check added (LP: #888358)
    - debian/patches/CVE-2011-2773.patch: upstream patch
    - CVE-2011-2773

  * SECURITY UPDATE: Prevent masquerading users from jumping as others
    - Added a check to prevent jumping as other users. (LP: #888358)
    - debian/patches/mnet_masquerading.patch: upstream patch
 -- Melissa Draper <email address hidden> Tue, 08 Nov 2011 18:59:14 +1300

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mahara - 1.2.4-1ubuntu0.4

---------------
mahara (1.2.4-1ubuntu0.4) lucid-security; urgency=low

  * SECURITY UPDATE: XSS in unvalidated URI attributes
    - Added a filter to sanitise user input urls (LP: #888358)
    - debian/patches/CVE-2011-2771.patch: upstream patch
    - CVE-2011-2771

  * SECURITY UPDATE: DoS attack via invalid or excessively large images
    - Added a check to evaluate available memory before processing
      (LP: #888358)
    - debian/patches/CVE-2011-2772.patch: upstream patch
    - CVE-2011-2772

  * SECURITY UPDATE: XSRF allowing attackers to trick an admin into adding
    them to an institution
    - Session check added (LP: #888358)
    - debian/patches/CVE-2011-2773.patch: upstream patch
    - CVE-2011-2773

  * SECURITY UPDATE: Prevent masquerading users from jumping as others
    - Added a check to prevent jumping as other users. (LP: #888358)
    - debian/patches/mnet_masquerading.patch: upstream patch
 -- Melissa Draper <email address hidden> Wed, 02 Nov 2011 21:26:46 +0000

Changed in mahara (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in mahara (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in mahara (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in mahara (Ubuntu Oneiric):
status: Confirmed → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

The masquerading issue is CVE-2011-4118, adding.
