Bug 878121 (CVE-2012-5471, CVE-2012-5472, CVE-2012-5473, CVE-2012-5479, CVE-2012-5480, CVE-2012-5481)

Summary: moodle: Various security issues fixed in upstream 2.3.3, 2.2.6 and 2.1.9 versions (MSA-12-0057, MSA-12-0058, MSA-12-0059, MSA-12-0060, MSA-12-0061, MSA-12-0062, MSA-12-0063)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: limburgher
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20121119,reported=20121109,source=distros,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/moodle=affected,epel-all/moodle=affected
Fixed In Version: Moodle 2.3.3, Moodle 2.2.6, Moodle 2.1.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-21 15:53:19 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 878132, 878133    
Bug Blocks:    

Description Jan Lieskovsky 2012-11-19 12:17:00 EST
Moodle upstream has released 2.3.3, 2.2.6 and 2.1.9 version:
[1] http://docs.moodle.org/dev/Moodle_2.3.3_release_notes
[2] http://docs.moodle.org/dev/Moodle_2.2.6_release_notes
[3] http://docs.moodle.org/dev/Moodle_2.1.9_release_notes

correcting multiple security issues:
[4] http://www.openwall.com/lists/oss-security/2012/11/19/1

More from [4]:
MSA-12-0057: Access issue through repository

Topic:             User B is able to see and use Dropbox of User A
                    within Dropbox Repository File Picker
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Alexander Bias
Issue no.:         MDL-29872, MDL-36366
CVE Identifier:    CVE-2012-5471
Workaround:        Turn off Dropbox repository
Changes (master): 
Users who logged out of Dropbox through the Moodle repository were
disconnected in Moodle, but the user's access to Dropbox was still
allowed while their browser session continued.

MSA-12-0058: Possible form data manipulation issue

Topic:             add setConstant() for hardfreeze element
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by:       Rossiani Wijaya
Issue no.:         MDL-32785
CVE Identifier:    CVE-2012-5472
Changes (master): 
Frozen form elements were open to manipulation when form data was

MSA-12-0059: Information leak in Database activity module

Topic:             Members of seperate groups can see Database activity
                    entries for other groups
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Richard Meyer
Issue no.:         MDL-34448
CVE Identifier:    CVE-2012-5473
Changes (master): 
Within the Database activity module, when separate groups were used,
members of one group were able to see entries created by members of
another group by completing an advanced search.

MSA-12-0060: Cross-site scripting vulnerability in YUI2

Topic:             yui2 swf vulnerability
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
                    1.9 to 1.9.18+
Reported by:       Petr �koda, Jenny Donnelly
Issue no.:         MDL-36346
CVE Identifier:    CVE-2012-5475
Workaround:        Delete YUI SWF files
Changes (master): 
A XSS vulnerability has been discovered in some YUI 2 .swf files from
versions 2.4.0 through 2.9.0. This defect allows JavaScript injection
exploits to be created against domains that host affected YUI .swf

MSA-12-0061: Remote code execution through Portfolio API

Topic:             Portfolio plugin: Local File Inclusion (LFI) and the
                    possibility of Remote Command Execution (RCE).
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Cristobal Leiva
Issue no.:         MDL-33791
CVE Identifier:    CVE-2012-5479
Changes (master): 
It was possible, when Moodle data is stored within the Web accessible
directory, to manipulate the Portfolio API callbacks to execute a file
uploaded by a user.

MSA-12-0062: Information leak in Database activity module

Topic:             Any user (including a guest) can view entries in
                    database activity when more entries are required
                    before viewing other participants entries
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Tabitha Roder
Issue no.:         MDL-35558
CVE Identifier:    CVE-2012-5480
Changes (master): 
The setting requiring that a number of entries be posted to a Database
activity before others' entries could be viewed could be circumvented
using an advanced search.

MSA-12-0063: Information leak in Check Permissions page

Topic:             Check Permissions page displays entire user base
                    without moodle/role:manage capability
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+
Reported by:       Jody Steele
Issue no.:         MDL-35381
CVE Identifier:    CVE-2012-5481
Changes (master): 
The Check Permissions page was allowing non-admin users to see the
capabilities of all users, not just users in a course/category.
Comment 1 Jan Lieskovsky 2012-11-19 12:28:39 EST
The table of affected moodle package versions (based on review of provided upstream patches if they would be applicable) as shipped with Fedora release of 16, 17, Fedora EPEL 6, and Fedora EPEL 5 is as follows:

[Legend: A = Affected, NA = Not Affected]

                  |  F-17 | F-16/EPEL-6 | EPEL-5 |
| CVE-2012-5471   |   A   |     A       |  NA    |
| CVE-2012-5472   |   A   |     A       |   A    |
| CVE-2012-5473   |   A   |     A       |   A    |
| CVE-2012-5475   |   A[*]|     A[*]    |   A[*] |
| CVE-2012-5479   |   A   |     A       |   A    |
| CVE-2012-5480   |   A   |     A       |   A    |
| CVE-2012-5481   |   A   |     A       |  NA    |

[*] Based on: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5475 the CVE-2012-5475 identifier has been rejected (in favour of CVE-2012-5881, CVE-2012-5882, CVE-2012-5883) => that being the reason CVE-2012-5475 not used in alias field of this bug.
Comment 2 Jan Lieskovsky 2012-11-19 12:30:53 EST
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 878132]
Affects: epel-all [bug 878133]