Bug 857902 (CVE-2012-4401)

Summary: CVE-2012-4401 moodle: Course topics permission issue (MSA-12-0052)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: limburgher
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120917,reported=20120904,source=distros,cvss2=3.3/AV:N/AC:L/Au:M/C:N/I:P/A:N,fedora-16/moodle=notaffected,fedora-17/moodle=affected,epel-6/moodle=notaffected,epel-5/moodle=notaffected
Fixed In Version: moodle 2.3.2, moodle 2.2.5, moodle 2.1.8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-21 15:55:49 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 857981    
Bug Blocks:    

Description Jan Lieskovsky 2012-09-17 08:53:08 EDT
A security flaw was found in the way Moodle course management system performed user permissions validation by course topic management. A remote attackers, with course editing capabilities, but without ability to show / hide topics or set the current topic for a particular course could use this flaw to successfully complete these actions under certain circumstances.

Upstream patch:
[1] http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28207

References:
[2] http://www.openwall.com/lists/oss-security/2012/09/17/1
Comment 1 Jan Lieskovsky 2012-09-17 09:31:40 EDT
This issue affects the version of the moodle package, as shipped with Fedora release of 17 (the upstream course/view.php patch part is applicable).

--

This issue did NOT affect the version of the moodle package, as shipped with Fedora release of 16.

This issue did NOT affect the versions of the moodle package, as shipped with Fedora EPEL 5 and 6.
Comment 2 Jon Ciesla 2012-09-17 12:18:57 EDT
Update in progress, not linked to any BZ, none assigned to me.
Comment 3 Prasad J Pandit 2012-09-17 12:48:33 EDT
Created moodle tracking bugs for this issue

Affects: fedora-17 [bug 857981]