Bug 13005 - moodle new security issues fixed in 2.4.9

Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal   Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/592585/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update

Reported: 2014-03-12 22:02 CET by David Walser
Modified: 2014-04-03 19:24 CEST

Source RPM: moodle-2.4.8-1.mga4.src.rpm

Description David Walser 2014-03-12 22:02:00 CET
Upstream has released updates on March 10:
https://moodle.org/mod/forum/discuss.php?d=255903

Details on the security issues fixed are not yet available, but likely will be next week (probably Monday) on the release notes pages:
http://docs.moodle.org/dev/Moodle_2.4.9_release_notes

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

I'll write an advisory once the details are available.

Updated packages in core/updates_testing:
========================
moodle-2.4.9-1.mga3
moodle-2.4.9-1.mga4

from SRPMS:
moodle-2.4.9-1.mga3.src.rpm
moodle-2.4.9-1.mga4.src.rpm

Comment 1 David Walser 2014-03-12 22:02:51 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=10136#c3
Comment 2 David Walser 2014-03-17 14:18:02 CET
Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.9, question strings were not being filtered correctly,
possibly allowing cross-site scripting, as quiz_question_tostring can cause
invalid HTML (MSA-14-0004).

Feedback availability dates were not honored in complete.php in Moodle before
2.4.9; therefore it was possible to start a Feedback activity while it was
supposed to be closed (CVE-2014-0127).

Broken access control vulnerability in Moodle before 2.4.9 with
/mod/chat/chat_ajax.php, where capabilities to chat were being checked at the
start of a chat, but not during, so changes were not effective immediately
(CVE-2014-0122).

In Moodle before 2.4.9, there were missing access checks on Wiki pages
allowing students to see pages of other students' individual wikis, through
the Recent activity block (CVE-2014-0123).

In Moodle before 2.4.9, cross-site scripting was possible with Flowplayer
(MSA-14-0008).

In Moodle before 2.4.9, Forum and Quiz were showing users' email addresses
when settings were supposed to be preventing this (CVE-2014-0124).

In Moodle before 2.4.9, alias links to items in an Alfresco repository were
provided with information that would allow someone to impersonate the file
owner in Alfresco (CVE-2014-0125).

Cross Site Request Forgery in Moodle before 2.4.9 in
enrol/imsenterprise/importnow.php, due to inadequate session checking when
triggering the import of IMS Enterprise identities (CVE-2014-0126).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0127
https://moodle.org/mod/forum/discuss.php?d=256416
https://moodle.org/mod/forum/discuss.php?d=256417
https://moodle.org/mod/forum/discuss.php?d=256418
https://moodle.org/mod/forum/discuss.php?d=256419
https://moodle.org/mod/forum/discuss.php?d=256420
https://moodle.org/mod/forum/discuss.php?d=256421
https://moodle.org/mod/forum/discuss.php?d=256422
https://moodle.org/mod/forum/discuss.php?d=256423
http://docs.moodle.org/dev/Moodle_2.4.9_release_notes
https://moodle.org/mod/forum/discuss.php?d=255903
Comment 3 David Walser 2014-03-23 18:35:35 CET
CVEs were assigned for a few of the issues that were missing them:
http://openwall.com/lists/oss-security/2014/03/22/1

Advisory:
========================

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.9, question strings were not being filtered correctly,
possibly allowing cross-site scripting, as quiz_question_tostring can cause
invalid HTML (CVE-2014-2571).

Feedback availability dates were not honored in complete.php in Moodle before
2.4.9; therefore it was possible to start a Feedback activity while it was
supposed to be closed (CVE-2014-0127).

Broken access control vulnerability in Moodle before 2.4.9 with
/mod/chat/chat_ajax.php, where capabilities to chat were being checked at the
start of a chat, but not during, so changes were not effective immediately
(CVE-2014-0122).

In Moodle before 2.4.9, there were missing access checks on Wiki pages
allowing students to see pages of other students' individual wikis, through
the Recent activity block (CVE-2014-0123).

In Moodle before 2.4.9, cross-site scripting was possible with Flowplayer
(CVE-2013-7341).

In Moodle before 2.4.9, Forum and Quiz were showing users' email addresses
when settings were supposed to be preventing this (CVE-2014-0124).

In Moodle before 2.4.9, alias links to items in an Alfresco repository were
provided with information that would allow someone to impersonate the file
owner in Alfresco (CVE-2014-0125).

Cross Site Request Forgery in Moodle before 2.4.9 in
enrol/imsenterprise/importnow.php, due to inadequate session checking when
triggering the import of IMS Enterprise identities (CVE-2014-0126).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2571
https://moodle.org/mod/forum/discuss.php?d=256416
https://moodle.org/mod/forum/discuss.php?d=256417
https://moodle.org/mod/forum/discuss.php?d=256418
https://moodle.org/mod/forum/discuss.php?d=256419
https://moodle.org/mod/forum/discuss.php?d=256420
https://moodle.org/mod/forum/discuss.php?d=256421
https://moodle.org/mod/forum/discuss.php?d=256422
https://moodle.org/mod/forum/discuss.php?d=256423
http://docs.moodle.org/dev/Moodle_2.4.9_release_notes
https://moodle.org/mod/forum/discuss.php?d=255903
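Every issue in the advisory above is stated as "Moodle before 2.4.9", and the fixed packages are moodle-2.4.9-1.mga3 and moodle-2.4.9-1.mga4. The POSIX sh script below is an added example, not Mageia's or Moodle's code, that turns that criterion into a check: it takes package names as printed by `rpm -q moodle` (or SRPM file names) and/or the path to a Moodle tree's version.php, extracts the upstream version, and reports whether it is older than 2.4.9. The `$release` line format it expects in version.php and the sample file it writes when run without arguments are constructed for the example. Versions are compared per segment as integers, so a later 2.4.10 is reported as fixed, which a plain string comparison would get wrong.

```sh
#!/bin/sh
# Added example for MGASA advisory checking (not Mageia or Moodle code):
# decide whether a Moodle installation falls under "Moodle before 2.4.9".
# Input is an rpm NVR such as the output of `rpm -q moodle`
# (moodle-2.4.8-1.mga4.noarch), an SRPM file name, a bare version, or the
# path to a Moodle tree's version.php.

FIXED_VERSION="2.4.9"

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B. Segments are compared as
# integers, so 2.4.10 > 2.4.9. Missing segments count as 0 (2.4 == 2.4.0);
# a non-numeric suffix such as "9rc1" compares as 9.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"               # leading segment of each
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"   # keep the leading digits only
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# nvr_version NVR: upstream version from name-version-release[.arch]
# (moodle-2.4.8-1.mga4.x86_64 -> 2.4.8); *.src.rpm names and bare versions
# also work because the version itself never contains a hyphen.
nvr_version() {
    nv="${1%-*}"                 # strip "-release[.arch]": moodle-2.4.8
    printf '%s\n' "${nv##*-}"    # strip "name-": 2.4.8
}

# moodle_release PATH: version from the $release line of version.php, e.g.
#   $release  = '2.4.8 (Build: 20140113)';   ->  2.4.8
moodle_release() {
    sed -n 's/^[$]release[^0-9]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# affected VERSION: true (0) if VERSION is older than FIXED_VERSION.
affected() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# check ITEM: report one NVR, bare version or version.php path;
# returns 1 when it is affected, 2 when no version could be read.
check() {
    case "$1" in
        */version.php|version.php) v=$(moodle_release "$1") ;;
        *)                          v=$(nvr_version "$1") ;;
    esac
    if [ -z "$v" ]; then
        printf '%s: could not determine a version\n' "$1"
        return 2
    fi
    if affected "$v"; then
        printf '%s: %s is before %s -> affected\n' "$1" "$v" "$FIXED_VERSION"
        return 1
    fi
    printf '%s: %s is %s or later -> fixed\n' "$1" "$v" "$FIXED_VERSION"
    return 0
}

# With no arguments, run against the package names from this bug plus a
# constructed version.php (sample data, not a real Moodle file); otherwise
# check whatever was given, e.g.  sh moodle-check.sh "$(rpm -q moodle)"
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    printf '%s\n' '<?php' "\$release  = '2.4.8 (Build: 20140113)';" > "$demo/version.php"
    set -- moodle-2.4.8-1.mga4 moodle-2.4.9-1.mga4 moodle-2.4.9-1.mga3.src.rpm "$demo/version.php"
fi
rc=0
for item in "$@"; do
    check "$item" || rc=1
done
if [ -n "${demo:-}" ]; then rm -rf "$demo"; fi
[ "$rc" -eq 0 ] || printf 'at least one item is still on a vulnerable version\n'
```

The installed-package check is the one that matters for a Mageia host: `rpm -q moodle` on an un-updated Mageia 4 prints moodle-2.4.8-1.mga4.noarch, which the script reports as affected; after the update from updates_testing it prints moodle-2.4.9-1.mga4.noarch. The version.php path is useful for Moodle trees installed from upstream tarballs rather than the package.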
Comment 4 Lewis Smith 2014-03-30 21:46:10 CEST
Trying for M4 on real 64-bit hardware.

Installed & primed Moodle moodle-2.4.8-1.mga4 from normal repositories as per:
12385/10, 10755/2.
Updated to moodle-2.4.9-1.mga4 from Updates Testing, re-launched it.
It recognised that it had been updated, OK'd its system requirements, then its Plugin checks gave:
- Formal languages block addon to be Updated, with an Install button. Clicking this yielded ->
https://moodle.org/plugins/download.php/3120/block_formal_langs_moodle24_2012021402.zip, Install this update ->
"Failed to find /localhost/moodle/mdeploy.php"
A second attempt gave:
Oops! It did it again
Moodle deployment utility had a trouble with your request. See the docs page
http://docs.moodle.org/en/admin/mdeploy/unauthorized_access_exception
 and the debugging information for more details.
exception 'unauthorized_access_exception' with message 'Unable to read the passphrase file.' in mdeploy.php:845
Stack trace:
#0 mdeploy.php(714): worker->authorize()
#1 mdeploy.php(1399): worker->execute()
#2 {main}

- Alfresco repository To be upgraded.

Advice welcome to advance this, please.
Comment 5 David Walser 2014-03-30 21:49:37 CEST
It shouldn't be pulling anything from the internet or running mdeploy.  On the plugin checks page just click the thing at the bottom of the page.
Comment 6 David Walser 2014-03-31 18:35:50 CEST
Fedora has issued an advisory for this on March 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130741.html
Comment 7 Lewis Smith 2014-03-31 20:56:03 CEST
(In reply to David Walser from comment #5)
> It shouldn't be pulling anything from the internet or running mdeploy.  On
> the plugin checks page just click the thing at the bottom of the page.
Thanks David. Yes, you ignore the individual plugin items, click 'update database' at page bottom, and the plugin updates happen.
A bit disconcerting that it then goes on to advise a more recent version available...
Ignoring that, login as admin, all trivial things I tried worked.
Deemed OK for MGA4 64-bit.
Comment 8 claire robinson 2014-04-02 13:29:30 CEST
Testing mga4 32
Comment 9 claire robinson 2014-04-02 14:15:33 CEST
Testing complete mga4 32

Testing mga3 64 next.
Comment 10 claire robinson 2014-04-02 14:39:55 CEST
Testing mga3 64

I'm finding that when installing the current version it causes apache to segfault after the environment check.

http://mga364/moodle/admin/index.php?agreelicense=1&confirmrelease=1&lang=en

I'll see if the update does the same. Suhosin isn't installed.
Comment 11 claire robinson 2014-04-02 14:45:26 CEST
Yes, the update segfaults here too at the same stage. 
Tried with php-suhosin installed and it's the same.
Comment 12 claire robinson 2014-04-02 14:48:59 CEST
I'll clean all traces and try it again to rule out old cruft from previous testing.
Comment 13 David Walser 2014-04-02 14:55:53 CEST
Well apache segfaults aren't Moodle's fault, they're caused by bugs farther down the stack, either in PHP or Apache themselves, or in libraries they're using.  I already fixed one in Mageia 4 with the libzip update (pending QA), and yesterday I had Apache segfaulting whenever you tried to connect to https, but restarting httpd made that go away (for now I guess).  I haven't run it in production on Mageia 3, I just jumped from Mageia 2 to Mageia 4 last week.  I guess I can see why tmb has concerns about updating Mageia's wiki server from Mageia 2 to Mageia 4.

It'd be nice if we could see where the segfault is coming from exactly, but at least on Mageia 4, Apache will not produce a backtrace no matter what I do.  I think the closest thing I got to anything useful was running strace httpd -M, so I could at least get some idea of what was going on before the crash, but it should have been obvious anyway based on what I was doing in Moodle.
Comment 14 Frank Griffin 2014-04-02 15:08:27 CEST
(In reply to David Walser from comment #13)
> 
> It'd be nice if we could see where the segfault is coming from exactly, but
> at least on Mageia 4, Apache will not produce a backtrace no matter what I
> do.  I think the closest thing I got to anything useful was running strace
> httpd -M, so I could at least get some idea of what was going on before the
> crash, but it should have been obvious anyway based on what I was doing in
> Moodle.

gdb /sbin/httpd
run -X

should produce a backtrace.
Comment 15 claire robinson 2014-04-02 15:30:44 CEST
One problem solved, another encountered.

It was failing during installation due to missing some packages from the php update on that VM so php had mixed versions.

It now segfaults during the upgrade after installing the updated moodle, at the same stage oddly enough: it does the environment check, where everything was green OK, and then segfaults at the next stage :\
Comment 16 claire robinson 2014-04-02 15:33:07 CEST
And now, 3rd time trying, it went OK. It's a bit hit'n'miss.
Comment 17 David Walser 2014-04-02 15:45:47 CEST
(In reply to Frank Griffin from comment #14)
> gdb /sbin/httpd
> run -X
> 
> should produce a backtrace.

Should.  Doesn't.
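The gdb recipe from comment 14 is reported above as not producing a backtrace. The POSIX sh script below is an added example, not from the thread and not Apache's or Mageia's code, that checks the kernel and shell settings which commonly suppress a core file or a ptrace attach for a daemon that starts as root and drops privileges, and prints a gdb batch command that prints the backtrace at the moment httpd crashes without needing a core file at all. The /sbin/httpd path is the one used in comment 14; the proc-root parameter exists so the checks can be exercised against a constructed tree, and the settings it looks at (kernel.core_pattern, fs.suid_dumpable, kernel.yama.ptrace_scope, ulimit -c) are standard Linux knobs, not anything specific to this bug.

```sh
#!/bin/sh
# Added example, not from the bug thread, Apache or Mageia: report the usual
# reasons why a crashing httpd leaves neither a core file nor a backtrace,
# and print the gdb batch command that captures the trace live.
# On a real host run as root with the default proc root of /proc; the
# optional root argument only exists so the checks can be tested on a
# constructed tree.

HTTPD="${HTTPD:-/sbin/httpd}"    # path used in comment 14 of this bug

# proc_value ROOT NAME: one kernel setting (e.g. fs/suid_dumpable); empty if absent.
proc_value() {
    f="$1/sys/$2"
    [ -r "$f" ] && cat "$f"
}

# core_dump_blockers [ROOT]: print each setting that prevents a core dump or
# a ptrace attach, one per line, and return 1 if any was found.
core_dump_blockers() {
    root="${1:-/proc}"; rc=0
    pattern=$(proc_value "$root" kernel/core_pattern)
    case "$pattern" in
        "")   printf 'kernel.core_pattern is unreadable\n'; rc=1 ;;
        "|"*) printf 'kernel.core_pattern pipes cores to a handler (%s); look there (coredumpctl, abrt) rather than in CoreDumpDirectory\n' "$pattern"; rc=1 ;;
    esac
    # httpd starts as root and switches to the apache user; a process that
    # changed uid is not dumpable unless fs.suid_dumpable is 1 (or 2).
    suid=$(proc_value "$root" fs/suid_dumpable)
    if [ "${suid:-0}" -eq 0 ]; then
        printf 'fs.suid_dumpable=0: httpd is not dumpable after dropping root; sysctl -w fs.suid_dumpable=1 while debugging\n'
        rc=1
    fi
    # Yama restricts ptrace attach to a non-child process; absent on many kernels.
    yama=$(proc_value "$root" kernel/yama/ptrace_scope)
    if [ -n "$yama" ] && [ "$yama" -gt 0 ]; then
        printf 'kernel.yama.ptrace_scope=%s: gdb can only attach as root or to its own children\n' "$yama"
        rc=1
    fi
    return $rc
}

# core_limit_ok: true if this shell allows core files at all (ulimit -c != 0).
# Under systemd the equivalent for the service is LimitCORE=infinity in the unit.
core_limit_ok() {
    [ "$(ulimit -c)" != "0" ]
}

# gdb_httpd_cmd [HTTPD]: run httpd single-process in the foreground (-X)
# under gdb in batch mode. When it dies on SIGSEGV, gdb prints a full
# backtrace and exits; no core file is involved. Stop the running service
# first, or the new instance fails to bind its port and exits before any
# request is served.
gdb_httpd_cmd() {
    printf "gdb -q -batch -ex run -ex 'bt full' --args %s -X\n" "${1:-$HTTPD}"
}

if core_dump_blockers; then
    printf 'no kernel-side blockers found\n'
fi
core_limit_ok || printf 'ulimit -c is 0 in this shell: run ulimit -c unlimited before starting httpd\n'
printf 'to catch the crash live:\n  %s\n' "$(gdb_httpd_cmd)"
```

Two things the script cannot see from /proc alone: CoreDumpDirectory in httpd.conf must point at a directory writable by the apache user, and a PHP module crash inside httpd -X is still reproduced by driving the same Moodle page in a browser while gdb holds the single process, which is what makes -X the practical mode for this kind of bug.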
Comment 18 claire robinson 2014-04-02 16:10:20 CEST
Testing complete mga3 64. 

Once it worked, it upgraded itself OK and was fine afterwards. Not sure what was causing the apache segfaults but it'll be interesting to see if they happen for anybody else so I'll leave mga3 i586 for somebody else.
Comment 19 David Walser 2014-04-03 18:22:56 CEST
I just ran through a fresh Moodle setup in a Mageia 3 i586 VM and didn't have any issues.  I also tested an upgrade from Moodle 2.4.7.  I think this can be validated.
Comment 20 claire robinson 2014-04-03 19:10:57 CEST
Thanks David. Adding the OK.

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 21 Damien Lallement 2014-04-03 19:24:22 CEST
http://advisories.mageia.org/MGASA-2014-0160.html
