Secure testing team - Jan 2010 - Bug#564526: moodle: User secrets on backup & restore CVE-2009-4303[2] Patch supplied

Package: moodle
Version: 1.8.2.dfsg-3+lenny2
Severity: grave
Tags: security
Justification: user security hole

CVE-2009-4303[2]:
| Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password
| hashes and (2) unspecified "secrets" in backup files, which might
| allow attackers to obtain sensitive information.

Searching on Moodle site I found the git commits that fixed this CVE, they are
not complex so I think it''s good idea to commit also to Debian Moodle.

http://git.moodle.org/gw?p=moodle.git;a=patch;h=306e851f93d67c6919f11d7c8910af301c57bbbf

Upstream data:
Bug  	MDL-20932 	  FIXED  	  Get rid of user->secret in backup files (and
ignore it on restore)  	 Major  	 Resolved


vicm3 at avalon:~$ svn diff -r3:4 moodle/backup/backuplib.php
Index: moodle/backup/backuplib.php
	--- moodle/backup/backuplib.php (revision 3)
+++ moodle/backup/backuplib.php (revision 4)
@@ -1126,7 +1126,6 @@
                 fwrite
($bf,full_tag("LASTLOGIN",4,false,$user->lastlogin));
                 fwrite
($bf,full_tag("CURRENTLOGIN",4,false,$user->currentlogin));
                 fwrite
($bf,full_tag("LASTIP",4,false,$user->lastip));
-                fwrite
($bf,full_tag("SECRET",4,false,$user->secret));
                 fwrite
($bf,full_tag("PICTURE",4,false,$user->picture));
                 fwrite ($bf,full_tag("URL",4,false,$user->url));
                 fwrite
($bf,full_tag("DESCRIPTION",4,false,$user->description));

vicm3 at avalon:~$ svn diff -r3:4 moodle/backup/restorelib.php
Index: moodle/backup/restorelib.php
	--- moodle/backup/restorelib.php        (revision 3)
+++ moodle/backup/restorelib.php        (revision 4)
@@ -4670,9 +4670,6 @@
                         case "LASTIP":
                             $this->info->tempuser->lastip =
$this->getContents();
                             break;
-                        case "SECRET":
-                            $this->info->tempuser->secret =
$this->getContents();
-                            break;
                         case "PICTURE":
                             $this->info->tempuser->picture =
$this->getContents();
                             break;


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (900, ''stable'')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages moodle depends on:
ii  apache2-mpm-prefor 2.2.9-10+lenny6       Apache HTTP Server - traditional n
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii  mimetex            1.50-1+lenny1         LaTeX math expressions to anti-ali
ii  mysql-client-5.0 [ 5.0.51a-24+lenny2     MySQL database client binaries
ii  php5-cli           5.2.6.dfsg.1-1+lenny4 command-line interpreter for the p
ii  php5-curl          5.2.6.dfsg.1-1+lenny4 CURL module for php5
ii  php5-gd            5.2.6.dfsg.1-1+lenny4 GD module for php5
ii  php5-mysql         5.2.6.dfsg.1-1+lenny4 MySQL module for php5
ii  smarty             2.6.20-1.2            Template engine for PHP
ii  ucf                3.0016                Update Configuration File: preserv
ii  wwwconfig-common   0.1.2                 Debian web auto configuration
ii  yui                2.5.0-1               Yahoo User Interface Library
ii  zip                2.32-1                Archiver for .zip files

Versions of packages moodle recommends:
ii  mysql-server-5.0 [ 5.0.51a-24+lenny2     MySQL database server binaries
ii  php5-ldap          5.2.6.dfsg.1-1+lenny4 LDAP module for php5

moodle suggests no packages.

-- debconf-show failed