A shell command execution flaw was reported for Moodle 1.9.3 affecting "TeX Notation" filter (filter/tex/texed.php). According to the advisory and upstream commit message, this requires register_globals to be enabled and magic_quotes_gpc to be disabled. Due to that, upstream is reportedly treating this as low-impact issue and should include some more generic protection against flaws related to the enabled register_globals. Advisory: http://www.ush.it/team/ush/hack-moodle193/moodle193.txt http://marc.info/?l=full-disclosure&m=122910366131373&w=4 Upstream commit: http://cvs.moodle.org/moodle/filter/tex/texed.php?view=log#rev1.10 http://cvs.moodle.org/moodle/filter/tex/texed.php?r1=1.9&r2=1.10 Upstream bug (currently private): http://tracker.moodle.org/browse/MDL-17207 Should not affect 1.8.7
Current 1.9.3 in Fedora is a weekly snapshot from 11/7/08 that includes this patch.
(In reply to comment #1) > Current 1.9.3 in Fedora is a weekly snapshot from 11/7/08 that includes this > patch. Patch listed in comment #0 was committed upstream on Wed Nov 12 03:35:14 2008 WST, that should be after current Fedora snapshot. I checked the file in 1.9.3-3 srpm again, and it does not seem to be included. Again, please correct me if I'm wrong.
Dang, I should get more sleep. :) The patches above are partially applied. I'll create a custom patch to do the rest.
moodle-1.9.3-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/moodle-1.9.3-4.fc10
moodle-1.9.3-4.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/moodle-1.9.3-4.fc9
moodle-1.9.3-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
moodle-1.9.3-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.