Bug 133550 - [vuxml] [patch] www/drupal6-cck: update to 2.2 and document XSS issue
Summary: [vuxml] [patch] www/drupal6-cck: update to 2.2 and document XSS issue
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Martin Wilke
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-10 00:00 UTC by Eygene Ryabinkin
Modified: 2009-04-11 19:10 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Eygene Ryabinkin 2009-04-10 00:00:20 UTC
XSS vulnerability was found in Drupal's 6.x CCK < 2.2 [1]

Fix: The following patch updates the port:


The following VuXML entry should be evaluated and added:
  <vuln vid="4992df2b-2557-11de-8dc5-001b77d09812">
    <topic>drupal6-cck -- cross-site scripting</topic>
    <affects>
      <package>
        <name>drupal6-cck</name>
        <range><lt>2.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Drupal CCK plugin developer reports:</p>
        <blockquote
          cite="http://drupal.org/node/406520">
          <p>The Node reference and User reference sub-modules, which
          are part of the Content Construction Kit (CCK) project, lets
          administrators define node fields that are references to other
          nodes or to users. When displaying a node edit form, the
          titles of candidate referenced nodes or names of candidate
          referenced users are not properly filtered, allowing malicious
          users to inject arbitrary code on those pages. Such a cross
          site scripting (XSS) attack may lead to a malicious user
          gaining full administrative access.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <bid>34172</bid>
      <url>http://drupal.org/node/406520</url>
    </references>
    <dates>
      <discovery>2009-03-23</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here -----5DvBRXcTMZWT5AAEMZrQ8gfkGBbVpjBnuTyHwpi2QfSpC3kI
Content-Type: text/plain; name="update-2.1-to-2.2.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="update-2.1-to-2.2.diff"

From 8f661d307d5030a76c277280b7c5cd7a2e43f637 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 10 Apr 2009 02:45:08 +0400

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 www/drupal6-cck/Makefile |    9 +++++----
 www/drupal6-cck/distinfo |    6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/www/drupal6-cck/Makefile b/www/drupal6-cck/Makefile
index dc00434..7de2ee7 100644
--- a/www/drupal6-cck/Makefile
+++ b/www/drupal6-cck/Makefile
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	cck
-DISTVERSION=	6.x-2.1
+DISTVERSION=	6.x-2.2
 CATEGORIES=	www
 MASTER_SITES=	http://ftp.drupal.org/files/projects/
 
@@ -14,7 +14,7 @@ MAINTAINER=	rea-fbsd@codelabs.ru
 COMMENT=	Drupal 6 Content Construction Kit module
 
 DRUPAL6_MODULE=	yes
-MODULE_DIRS=	help examples \
+MODULE_DIRS=	help \
 		includes/views/handlers includes/views includes \
 		modules/content_copy/translations modules/content_copy \
 		modules/content_multigroup/translations \
@@ -107,12 +107,13 @@ MODULE_FILES=	help/add-existing-field.html \
 		modules/fieldgroup/translations/modules-fieldgroup.fr.po \
 		modules/fieldgroup/translations/modules-fieldgroup.hu.po \
 		modules/fieldgroup/translations/modules-fieldgroup.pot \
+		modules/fieldgroup/fieldgroup-rtl.css \
+		modules/fieldgroup/fieldgroup-simple.tpl.php \
 		modules/fieldgroup/fieldgroup.css \
 		modules/fieldgroup/fieldgroup.info \
 		modules/fieldgroup/fieldgroup.install \
 		modules/fieldgroup/fieldgroup.module \
 		modules/fieldgroup/fieldgroup.panels.inc \
-		modules/fieldgroup/fieldgroup.tpl.php \
 		modules/nodereference/help/nodereference.help.ini \
 		modules/nodereference/help/nodereference.html \
 		modules/nodereference/nodereference.info \
@@ -164,6 +165,7 @@ MODULE_FILES=	help/add-existing-field.html \
 		theme/content-admin-display-overview-form.tpl.php \
 		theme/content-admin-field-overview-form.tpl.php \
 		theme/content-field.tpl.php \
+		theme/content-module-rtl.css \
 		theme/content-module.css \
 		theme/theme.inc \
 		translations/help/de/add-existing-field.html \
@@ -191,7 +193,6 @@ MODULE_FILES=	help/add-existing-field.html \
 		translations/examples.fr.po \
 		translations/general.de.po \
 		translations/general.fr.po \
-		translations/general.hu.po \
 		translations/general.pot \
 		translations/hu.po \
 		translations/includes-views-handlers.de.po \
diff --git a/www/drupal6-cck/distinfo b/www/drupal6-cck/distinfo
index 0e99a22..ffce5f8 100644
--- a/www/drupal6-cck/distinfo
+++ b/www/drupal6-cck/distinfo
@@ -1,3 +1,3 @@
-MD5 (drupal/cck-6.x-2.1.tar.gz) = 6036acde1dbc0bad62681de5f94bc912
-SHA256 (drupal/cck-6.x-2.1.tar.gz) = 4267118d4aa89210a0a8f06454504a715aac518390313d203fc0eec13db3d0a4
-SIZE (drupal/cck-6.x-2.1.tar.gz) = 318865
+MD5 (drupal/cck-6.x-2.2.tar.gz) = 0fe5f8e6d1292fcfe98530a3dea0a1a1
+SHA256 (drupal/cck-6.x-2.2.tar.gz) = c271a716da1c81ccb8a31228233bf9f567983e368df22fcc06a51cfaf37cda63
+SIZE (drupal/cck-6.x-2.2.tar.gz) = 357660
-- 
1.6.1.3
How-To-Repeat: 
[1] http://www.securityfocus.com/bid/34172
Comment 1 Edwin Groothuis freebsd_committer 2009-04-10 00:00:30 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

miwi@ wants his PRs (via the GNATS Auto Assign Tool)
Comment 2 Eygene Ryabinkin 2009-04-10 00:24:44 UTC
Forgot to say that Tom Uffner, tom@uffner.com, should be credited
for pointing me to this update and fixed XSS issue.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
Comment 3 dfilter service freebsd_committer 2009-04-11 13:01:42 UTC
miwi        2009-04-11 12:01:18 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document drupal6-cck -- cross-site scripting
  
  PR:             133550
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  
  Revision  Changes    Path
  1.1909    +35 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 Martin Wilke freebsd_committer 2009-04-11 19:06:52 UTC
State Changed
From-To: open->closed

Committed. Thanks!
Comment 5 dfilter service freebsd_committer 2009-04-11 19:06:52 UTC
miwi        2009-04-11 18:06:44 UTC

  FreeBSD ports repository

  Modified files:
    www/drupal6-cck      Makefile distinfo 
  Log:
  - Update to 2.2
  
  PR:             133550
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru> (maintainer)
  Security:       http://www.vuxml.org/freebsd/03d22656-2690-11de-8226-0030843d3802.html
  
  Revision  Changes    Path
  1.3       +5 -4      ports/www/drupal6-cck/Makefile
  1.3       +3 -3      ports/www/drupal6-cck/distinfo
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"