[Secure-testing-team] Re: Bug#342943: only kronolith2 fixed

Lionel Elie Mamane lionel at mamane.lu
Sun Jan 22 08:04:03 UTC 2006


package kronolith
reopen 349261
tags 349261 +help
thanks

On Sat, Jan 21, 2006 at 03:56:30PM -0500, Joey Hess wrote:
> clone 342943 -1
> reassign -1 kronolith
> thanks

> This security hole was fixed in kronolith2, but the kronolith
> package is still present in unstable and still, presumably, has this
> hole.

Thank you for warning us. However, kronolith 1 is not maintained
upstream anymore and no patch for this issue is available from
upstream.

I've tried to backport the upstream patch for kronolith 2, but most
files touched don't actually exist in kronolith 1, as well as a
sizeable part of the code touched in the files that do exist. Here is
my measly backport attempt, but I'd really like someone that
understands the issue to review it and see if nothing has been left
out. Do we have someone of that calibre (and willing to do it)
available in Debian?


Maybe it is getting time to dump Horde2 from etch/sid, as the pain of
keeping it in has actually increased significantly. What do you think
about this Ola & Jose? The problem stays for sarge, though.


-- 
Lionel
-------------- next part --------------
diff --recursive -uN kronolith-1.1.4/templates/data/export.inc kronolith-1.1.4.deb/templates/data/export.inc
--- kronolith-1.1.4/templates/data/export.inc	2003-02-13 00:23:36.000000000 +0100
+++ kronolith-1.1.4.deb/templates/data/export.inc	2006-01-22 08:09:09.000000000 +0100
@@ -113,7 +113,7 @@
             <td>
 <?php
 $end_year_match = $start_year_match;
-$end_month_match = $start_month_match +1;
+$end_month_match = $start_month_match + 1;
 $end_day_match = $start_day_match;
 $end_hour_match = $start_hour_match;
 $end_min_match = $start_min_match;
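Review bot: The only change in export.inc is whitespace around `+ 1` in the `$end_month_match` assignment, which has nothing to do with output escaping. For a security backport that is meant to be reviewed line by line, I would drop this hunk so the diff contains only the escaping changes.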
diff --recursive -uN kronolith-1.1.4/templates/delete/delete.inc kronolith-1.1.4.deb/templates/delete/delete.inc
--- kronolith-1.1.4/templates/delete/delete.inc	2003-04-17 18:37:13.000000000 +0200
+++ kronolith-1.1.4.deb/templates/delete/delete.inc	2006-01-22 08:22:49.000000000 +0100
@@ -3,21 +3,24 @@
         $url = Kronolith::addParameter('month.php', 'month=' . $month);
         $url = Kronolith::addParameter($url, 'year=' . $year);
         $url = Horde::applicationUrl($url, true);
+    } else {
+    	// Escape URLs that came from client-side input.
+    	$url = htmlspecialchars($url);
     }
 ?>
 <form action="<?php echo Horde::applicationUrl('deleventaction.php') ?>" method="post" target="_self" name="delete">
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>" />
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month ?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo htmlspecialchars($day) ?>" />
 <input type="hidden" name="url" value="<?php echo $url ?>" />
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="eventID" value="<?php echo htmlspecialchars($event->getID()) ?>" />
 
 <center>
 <table border="0" cellspacing="0" cellpadding="4" align="center">
 
 <!-- header -->
 <tr class="header"> 
- <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"), $event->getTitle()) ?></b></td>
+ <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"), htmlspecialchars($event->getTitle())) ?></b></td>
 </tr>
 
 <!-- description -->
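Review bot: `$url` is escaped only in the new `else` branch, so on the other path the URL built from `'month=' . $month` and `'year=' . $year` reaches the `name="url"` hidden input through a bare `echo $url` with no escaping visible in this hunk. Escape at the point of output instead, as one.inc does with `echo htmlspecialchars($url)`, and drop the `else` branch; that also avoids keeping an already-escaped value in `$url` for later use.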
@@ -31,7 +34,7 @@
   <input type="submit" class="button" name="current" value="<?php echo _("Current") ?>" />
   <input type="submit" class="button" name="future" value="<?php echo _("Future") ?>" />
   <input type="submit" class="button" name="all" value="<?php echo _("All") ?>" />
-  <input type="submit" class="button" name="cancel" value="<?php echo _("Cancel") ?>" onclick="self.location = '<?php echo $url; ?>'; return false;" />
+  <input type="submit" class="button" name="cancel" value="<?php echo _("Cancel") ?>" onclick="self.location = '<?php echo htmlspecialchars($url); ?>'; return false;" />
  </td>
 </tr>
 
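Review bot: In the Cancel button's `onclick`, `$url` lands inside a single-quoted JavaScript string, and `htmlspecialchars()` called without `ENT_QUOTES` does not convert single quotes (the default in PHP 4 and 5), so a `'` in `$url` still ends the string. `ENT_QUOTES` alone is not sufficient either, because the browser decodes attribute entities before the script is parsed; the value needs JavaScript string escaping first and HTML escaping second. Also, when the `else` branch from the previous hunk has run, `$url` is escaped twice here and `&` comes out as `&amp;amp;`.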
diff --recursive -uN kronolith-1.1.4/templates/delete/one.inc kronolith-1.1.4.deb/templates/delete/one.inc
--- kronolith-1.1.4/templates/delete/one.inc	2003-04-17 18:37:13.000000000 +0200
+++ kronolith-1.1.4.deb/templates/delete/one.inc	2006-01-22 08:16:23.000000000 +0100
@@ -6,18 +6,18 @@
     }
 ?>
 <form action="<?php echo Horde::applicationUrl('deleventaction.php') ?>" method="post" name="delete">
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>" />
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month ?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="url" value="<?php echo $url ?>" />
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo htmlspecialchars($day) ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
+<input type="hidden" name="eventID" value="<?php echo htmlspecialchars($event->getID()) ?>" />
 
 <center>
 <table border="0" cellspacing="0" cellpadding="4" align="center">
 
 <!-- header -->
 <tr class="header"> 
- <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"), $event->getTitle()) ?></b></td>
+ <td align="left" class="header"><b><?php printf(_("Delete %s"), htmlspecialchars($event->getTitle())) ?></b></td>
 </tr>
 
 <!-- description -->
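Review bot: The `name="url"` hidden input is escaped at output here, while delete.inc escapes `$url` in an `else` branch and then echoes it raw in the same input; the two templates should follow one approach, and escaping at output as done here is the one to keep. Separately, the header line switches from `echo sprintf(...)` to `printf(...)` while delete.inc keeps `echo sprintf(...)`; that is a cosmetic change and could be left out of the backport.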
@@ -29,7 +29,7 @@
 <tr>
  <td align="left">
   <input type="submit" class="button" name="delete" value="<?php echo _("Delete") ?>" />
-  <input type="submit" class="button" name="cancel" value="<?php echo _("Cancel") ?>" onclick="self.location = '<?php echo $url; ?>'; return false;" />
+  <input type="submit" class="button" name="cancel" value="<?php echo _("Cancel") ?>" onclick="self.location = '<?php echo htmlspecialchars($url); ?>'; return false;" />
  </td>
 </tr>
 
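Review bot: The Cancel button's `onclick` puts `htmlspecialchars($url)` inside `self.location = '...'`, and without `ENT_QUOTES` a single quote in `$url` passes through unchanged into the JavaScript string. As in delete.inc, the value should be escaped for a JavaScript string literal and then for the HTML attribute.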
diff --recursive -uN kronolith-1.1.4/templates/edit/edit.inc kronolith-1.1.4.deb/templates/edit/edit.inc
--- kronolith-1.1.4/templates/edit/edit.inc	2004-07-22 17:52:59.000000000 +0200
+++ kronolith-1.1.4.deb/templates/edit/edit.inc	2006-01-22 08:34:15.000000000 +0100
@@ -27,16 +27,16 @@
 ?>
 <form action="<?php echo ($event->isInitialized() ? 'editeventaction.php' : 'addeventaction.php') ?>" method="post" name="event">
 <?php Horde::pformInput() ?>
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>" />
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month ?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="timestamp" value="<?php if (isset($timestamp)) echo $timestamp ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo htmlspecialchars($day) ?>" />
+<input type="hidden" name="timestamp" value="<?php if (isset($timestamp)) echo htmlspecialchars($timestamp) ?>" />
 <input type="hidden" name="new_category" value="" />
 <?php if (isset($url)): ?>
-<input type="hidden" name="url" value="<?php echo $url ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
 <?php endif; ?>
 <?php if ($event->isInitialized()): ?>
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="eventID" value="<?php echo htmlspecialchars($event->getID()) ?>" />
 <?php endif; ?>
 
 <center>
@@ -55,7 +55,7 @@
   <input type="submit" class="button" name="saveAsNew" value="<?php echo _("Save As New") ?>" onclick="return checkCategory();" />
   <input type="submit" class="button" name="delete" value="<?php echo _("Delete Event") ?>" onclick="self.location = '<?php echo $delurl; ?>'; return false;" />
 <?php endif; ?>
-  <input type="submit" name="cancel" class="button" value="<?php echo _("Cancel") ?>" onclick="self.location = '<?php echo $cancelurl; ?>'; return false;" />
+  <input type="submit" name="cancel" class="button" value="<?php echo _("Cancel") ?>" onclick="self.location = '<?php echo $cancelurl ?>'; return false;" />
   <input type="button" name="resetButton" class="button" value="<?php echo _("Reset to Defaults") ?>" onclick="document.event.reset(); updateWday('start_wday'); updateWday('end_wday');" />
  </td>
 </tr>
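Review bot: Nothing is escaped in this hunk: the changed line only drops the `;` after `$cancelurl`, and both `$cancelurl` and the `$delurl` in the Delete Event button are still echoed raw into `onclick="self.location = '...'"`. delete.inc and one.inc treat the equivalent `$url` as needing escaping in that position, so either these two variables need the same treatment or the patch should state why they are safe (for example, because they are built purely server-side). The later hunk at line 350 repeats the same lines and needs the same decision.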
@@ -335,7 +335,7 @@
     </td>
    <?php if (($count % 3 == 2) || ($count == count($keywords) - 1)): ?>
    </tr>
-   <?php endif; $count++; ?>
+   <?php endif; ++$count; ?>
    <?php endforeach; ?>
   </table>
  </td>
@@ -350,7 +350,7 @@
   <input type="submit" class="button" name="saveAsNew" value="<?php echo _("Save As New") ?>" onclick="return checkCategory();" />
   <input type="submit" class="button" name="delete" value="<?php echo _("Delete Event") ?>" onclick="self.location = '<?php echo $delurl; ?>'; return false;" />
 <?php endif; ?>
-  <input type="submit" name="cancel" class="button" value="<?php echo _("Cancel") ?>" onclick="self.location = '<?php echo $cancelurl; ?>'; return false;" />
+  <input type="submit" name="cancel" class="button" value="<?php echo _("Cancel") ?>" onclick="self.location = '<?php echo $cancelurl ?>'; return false;" />
   <input type="button" name="resetButton" class="button" value="<?php echo _("Reset to Defaults") ?>" onclick="document.event.reset(); updateWday('start_wday'); updateWday('end_wday');" />
   </td>
  </tr>
diff --recursive -uN kronolith-1.1.4/templates/view/view.inc kronolith-1.1.4.deb/templates/view/view.inc
--- kronolith-1.1.4/templates/view/view.inc	2003-04-17 18:37:13.000000000 +0200
+++ kronolith-1.1.4.deb/templates/view/view.inc	2006-01-22 08:24:08.000000000 +0100
@@ -137,10 +137,10 @@
 </tr>
 <?php foreach ($keyword_list as $cat => $list): ?>
 <tr>
- <td align="right" class="light" valign="top"><b><?php echo $cat ?>&nbsp;&nbsp;</b></td>
+ <td align="right" class="light" valign="top"><b><?php echo htmlspecialchars($cat) ?>&nbsp;&nbsp;</b></td>
  <td align="left" class="text" colspan="3">
 <?php foreach ($list as $entry): ?>
-  <?php echo $entry ?><br />
+  <?php echo htmlspecialchars($entry) ?><br />
 <?php endforeach; ?>
  </td>
 </tr>

