ports/133550: [vuxml] [patch] www/drupal6-cck: update to 2.2 and document XSS issue

Eygene Ryabinkin rea-fbsd at codelabs.ru
Thu Apr 9 23:00:21 UTC 2009


>Number:         133550
>Category:       ports
>Synopsis:       [vuxml] [patch] www/drupal6-cck: update to 2.2 and document XSS issue
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 09 23:00:20 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.2-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.2-PRERELEASE amd64

>Description:

An XSS vulnerability was found in Drupal 6.x CCK < 2.2 [1].

>How-To-Repeat:

[1] http://www.securityfocus.com/bid/34172

>Fix:

The following patch updates the port:
--- update-2.1-to-2.2.diff begins here ---
>From 8f661d307d5030a76c277280b7c5cd7a2e43f637 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Fri, 10 Apr 2009 02:45:08 +0400

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 www/drupal6-cck/Makefile |    9 +++++----
 www/drupal6-cck/distinfo |    6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/www/drupal6-cck/Makefile b/www/drupal6-cck/Makefile
index dc00434..7de2ee7 100644
--- a/www/drupal6-cck/Makefile
+++ b/www/drupal6-cck/Makefile
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	cck
-DISTVERSION=	6.x-2.1
+DISTVERSION=	6.x-2.2
 CATEGORIES=	www
 MASTER_SITES=	http://ftp.drupal.org/files/projects/
 
@@ -14,7 +14,7 @@ MAINTAINER=	rea-fbsd at codelabs.ru
 COMMENT=	Drupal 6 Content Construction Kit module
 
 DRUPAL6_MODULE=	yes
-MODULE_DIRS=	help examples \
+MODULE_DIRS=	help \
 		includes/views/handlers includes/views includes \
 		modules/content_copy/translations modules/content_copy \
 		modules/content_multigroup/translations \
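Review bot: dropping `examples` from MODULE_DIRS is not matched by any removal of `examples/` entries from MODULE_FILES (the diffstat accounts for only four deletions in the Makefile, all visible here), while `translations/examples.fr.po` remains in a later hunk; please confirm the 2.2 tarball no longer ships an examples directory and that nothing in MODULE_FILES still points into it, otherwise the packing list will not match the installed files.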
@@ -107,12 +107,13 @@ MODULE_FILES=	help/add-existing-field.html \
 		modules/fieldgroup/translations/modules-fieldgroup.fr.po \
 		modules/fieldgroup/translations/modules-fieldgroup.hu.po \
 		modules/fieldgroup/translations/modules-fieldgroup.pot \
+		modules/fieldgroup/fieldgroup-rtl.css \
+		modules/fieldgroup/fieldgroup-simple.tpl.php \
 		modules/fieldgroup/fieldgroup.css \
 		modules/fieldgroup/fieldgroup.info \
 		modules/fieldgroup/fieldgroup.install \
 		modules/fieldgroup/fieldgroup.module \
 		modules/fieldgroup/fieldgroup.panels.inc \
-		modules/fieldgroup/fieldgroup.tpl.php \
 		modules/nodereference/help/nodereference.help.ini \
 		modules/nodereference/help/nodereference.html \
 		modules/nodereference/nodereference.info \
@@ -164,6 +165,7 @@ MODULE_FILES=	help/add-existing-field.html \
 		theme/content-admin-display-overview-form.tpl.php \
 		theme/content-admin-field-overview-form.tpl.php \
 		theme/content-field.tpl.php \
+		theme/content-module-rtl.css \
 		theme/content-module.css \
 		theme/theme.inc \
 		translations/help/de/add-existing-field.html \
@@ -191,7 +193,6 @@ MODULE_FILES=	help/add-existing-field.html \
 		translations/examples.fr.po \
 		translations/general.de.po \
 		translations/general.fr.po \
-		translations/general.hu.po \
 		translations/general.pot \
 		translations/hu.po \
 		translations/includes-views-handlers.de.po \
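Review bot: `translations/general.hu.po` is removed while `translations/hu.po` and the other `general.*.po` entries stay; please confirm this reflects the 2.2 tarball contents rather than a slip, since a MODULE_FILES entry for a missing file breaks the install and a file missing from the list fails the packing-list check.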
diff --git a/www/drupal6-cck/distinfo b/www/drupal6-cck/distinfo
index 0e99a22..ffce5f8 100644
--- a/www/drupal6-cck/distinfo
+++ b/www/drupal6-cck/distinfo
@@ -1,3 +1,3 @@
-MD5 (drupal/cck-6.x-2.1.tar.gz) = 6036acde1dbc0bad62681de5f94bc912
-SHA256 (drupal/cck-6.x-2.1.tar.gz) = 4267118d4aa89210a0a8f06454504a715aac518390313d203fc0eec13db3d0a4
-SIZE (drupal/cck-6.x-2.1.tar.gz) = 318865
+MD5 (drupal/cck-6.x-2.2.tar.gz) = 0fe5f8e6d1292fcfe98530a3dea0a1a1
+SHA256 (drupal/cck-6.x-2.2.tar.gz) = c271a716da1c81ccb8a31228233bf9f567983e368df22fcc06a51cfaf37cda63
+SIZE (drupal/cck-6.x-2.2.tar.gz) = 357660
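Review bot: the new MD5/SHA256/SIZE values should be produced by `make makesum` against a freshly fetched cck-6.x-2.2.tar.gz from MASTER_SITES rather than typed in, and the committer should re-fetch and verify them independently before applying, since distinfo is the only integrity check the port performs on the distfile.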
-- 
1.6.1.3
--- update-2.1-to-2.2.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="4992df2b-2557-11de-8dc5-001b77d09812">
    <topic>drupal6-cck -- cross-site scripting</topic>
    <affects>
      <package>
        <name>drupal6-cck</name>
        <range><lt>2.2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Drupal CCK plugin developer reports:</p>
        <blockquote
          cite="http://drupal.org/node/406520">
          <p>The Node reference and User reference sub-modules, which
          are part of the Content Construction Kit (CCK) project, let
          administrators define node fields that are references to other
          nodes or to users. When displaying a node edit form, the
          titles of candidate referenced nodes or names of candidate
          referenced users are not properly filtered, allowing malicious
          users to inject arbitrary code on those pages. Such a cross
          site scripting (XSS) attack may lead to a malicious user
          gaining full administrative access.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <bid>34172</bid>
      <url>http://drupal.org/node/406520</url>
    </references>
    <dates>
      <discovery>2009-03-23</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
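As an added example (not part of this PR or of the ports framework), here is a small Python checker that evaluates the `<affects>` block of the VuXML entry above against an installed package version, the way a port auditing tool consumes such entries. It assumes a simplified dotted-number version comparison rather than pkg(8)'s full algorithm; the sample document is the entry from this PR wrapped in a `<vuxml>` root.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <vuln> entry proposed in this PR, wrapped in a
# <vuxml> root with the VuXML namespace so it parses stand-alone.
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="4992df2b-2557-11de-8dc5-001b77d09812">
    <topic>drupal6-cck -- cross-site scripting</topic>
    <affects>
      <package>
        <name>drupal6-cck</name>
        <range><lt>2.2</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

# Simplified version key: dotted numeric components only. This is an
# assumption for the example; pkg(8)'s real algorithm also handles
# PORTREVISION (_N) and PORTEPOCH (,N) suffixes.
def version_key(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))

BOUNDS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
          "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
          "eq": lambda a, b: a == b}

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def affected_vids(vuxml_text, pkgname, version):
    """Return the vid of every <vuln> whose <affects> covers pkgname/version.
    A <package> matches when any one of its <range> elements has all of its
    bounds satisfied: several <range>s are alternatives, bounds are ANDed."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter():
        if local(vuln.tag) != "vuln":
            continue
        for pkg in (p for p in vuln.iter() if local(p.tag) == "package"):
            names = [n.text for n in pkg if local(n.tag) == "name"]
            ranges = [r for r in pkg if local(r.tag) == "range"]
            if pkgname not in names:
                continue
            for rng in ranges:
                if all(BOUNDS[local(b.tag)](version_key(version), version_key(b.text))
                       for b in rng) and vuln.get("vid") not in hits:
                    hits.append(vuln.get("vid"))
    return hits
```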
>Release-Note:
>Audit-Trail:
>Unformatted:


