Please accept new typo3 packages into testing
Typo3 4.0.2 has an important security vulnerability caused by the
extension "rtehtmlarea". For further information refer to this page:
http://news.typo3.org/news/article/typo3-security-bulletin-typo3-20061220-1-remote-command-execution-in-typo3/
Currently there is no CVE number available for this issue.
Please accept the fixed package
typo3-src_4.0.2+debian-2.dsc
which was already uploaded into testing-proposed-updates.
Please also accept the changed package
typo3-dummy_4.0.2-3.dsc
which adds some security enhancements to the typo3 installation
by adding php safe_mode to the default configuration.
It was already uploaded into testing-proposed-updates.
I attached the debdiff output of both packages against the old ones already
in testing.
--
MfG, Christian Welzel
GPG-Key: http://www.camlann.de/key.asc
Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
diff -u typo3-dummy-4.0.2/debian/patches/01-defaults.dpatch typo3-dummy-4.0.2/debian/patches/01-defaults.dpatch
--- typo3-dummy-4.0.2/debian/patches/01-defaults.dpatch
+++ typo3-dummy-4.0.2/debian/patches/01-defaults.dpatch
@@ -7,7 +7,7 @@
--- typo3-dummy-4.0.2.orig/typo3conf/localconf.php 2006-09-11 09:18:23.000000000 +0200
+++ typo3-dummy-4.0.2/typo3conf/localconf.php 2006-09-23 18:30:33.072210250 +0200
-@@ -10,4 +10,61 @@
+@@ -10,4 +10,72 @@
## INSTALL SCRIPT EDIT POINT TOKEN - all lines after this points may be changed by the install script!
@@ -15,18 +15,21 @@
\ Kein Zeilenumbruch am Dateiende.
+// If safe_mode is activated with TYPO3, disable use of
+// external programs
-+//$TYPO3_CONF_VARS["BE"]["disable_exec_function"] = '1';
++$TYPO3_CONF_VARS["BE"]["disable_exec_function"] = '0';
+
+// TYPO3 prefers the use of GIF-files and most likely your visitors on
+// your website does too as not all browsers support PNG yet.
+$TYPO3_CONF_VARS["GFX"]["gdlib_png"] = '1';
+
++// set this true to get some better results in GIFBUILDER
++$TYPO3_CONF_VARS['GFX']['png_truecolor'] = '1';
++
+// enabling the use of gdblib2 for image processing
+$TYPO3_CONF_VARS["GFX"]["gdlib_2"] = '1';
+
+// last versions of imagemagick renamed combine to composite. It will
+// be set by basic configuration automatically.
-+$TYPO3_CONF_VARS["GFX"]["im_combine_filename"] = 'composite';
++$TYPO3_CONF_VARS["GFX"]["im_combine_filename"] = 'combine';
+
+// This value should be set to 1 if imagemagick version is greater
+// than 5.2
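Review bot: The new line `++$TYPO3_CONF_VARS["BE"]["disable_exec_function"] = '0';` contradicts the comment two lines above it, which says to disable external programs when safe_mode is active; '0' leaves exec enabled, and before this change the setting was only a commented-out example. If keeping exec enabled is intentional because ImageMagick and sendmail are reached through safe_mode_exec_dir (as apache.conf in this debdiff sets up), the comment should say so, e.g. `// External programs stay enabled; with safe_mode on they are confined to safe_mode_exec_dir. Set to '1' to forbid exec entirely.`; otherwise the value should be '1'. The same hunk also flips `im_combine_filename` from 'composite' back to 'combine' while the comment above it still says newer ImageMagick renamed combine to composite, which is worth reconciling too.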
@@ -45,9 +48,10 @@
+// Path to the imagemagick manipulation tools like convert,
+// composite and identify
+$TYPO3_CONF_VARS["GFX"]["im_path"] = '/var/lib/typo3-dummy/execdir/';
++$TYPO3_CONF_VARS['GFX']["im_path_lzw"] = '/var/lib/typo3-dummy/execdir/';
+
+// Set Value to 1 if version of ImageMagick is greater than 4.9
-+$TYPO3_CONF_VARS["GFX"]["im_version_5"] = '1';
++$TYPO3_CONF_VARS["GFX"]["im_version_5"] = 'gm';
+
+// This variable can be empty if ImageMagick is compiled with LZW.
+// Otherwise you have to set the path to LZW
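Review bot: The comment `// Set Value to 1 if version of ImageMagick is greater than 4.9` no longer describes the line below it, which now sets `im_version_5` to `'gm'`; together with the `gm` link added in debian/rules this looks like a switch to GraphicsMagick, so the comment should say that, e.g. `// 'gm' selects GraphicsMagick (linked into execdir); use '1' for ImageMagick 5 or newer`. The new `im_path_lzw` assignment is inserted above the comment that explains it ("This variable can be empty if ImageMagick is compiled with LZW"); if the original assignment following that comment still exists outside the hunk, it overrides the new one, so please verify it was removed or moved. Minor: the new line uses `'GFX'` where the surrounding lines use `"GFX"`.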
@@ -72,2 +76,9 @@
+
++// set memory limit to 48 mb.
++// You may want to set this limit higher to get the extension manager working.
++$TYPO3_CONF_VARS['SYS']['setMemoryLimit'] = '48';
++
++// Defines which of these PHP-features to use for various Charset conversing
++// functions in t3lib_cs.
++$TYPO3_CONF_VARS['SYS']['t3lib_cs_convMethod'] = 'iconv';
+?>
diff -u typo3-dummy-4.0.2/debian/apache.conf typo3-dummy-4.0.2/debian/apache.conf
--- typo3-dummy-4.0.2/debian/apache.conf
+++ typo3-dummy-4.0.2/debian/apache.conf
@@ -48,19 +48,28 @@
# enable safe PHP operation
php_admin_value safe_mode on
- php_admin_value safe_mode_include_dir /usr/share/typo3/typo3_src-4.0/
+ php_admin_value safe_mode_gid on
+ # php_admin_value safe_mode_include_dir /usr/share/typo3/typo3_src-4.0/
# Maximum allowed size for uploaded files (PHP defaults to 2MB)
php_admin_value upload_max_filesize 10M
# Maximum amount of memory a script may consume (PHP defaults to 8MB)
- php_admin_value memory_limit 16M
+ # You may want to set this higher as 48 mb if you have problems
+ # getting the extension manager to work.
+ php_admin_value memory_limit 48M
+
+ # Maximum amount of time a script my consume
+ # You may want to set this higher as 30 seconds if you have problems
+ # getting the extension manager to work.
+ # php_admin_value max_execution_time 90
# list of directories where require(), include() and fopen_with_path() look for files
- php_admin_value include_path /var/lib/typo3-dummy/:/usr/share/typo3/typo3_src-4.0/:.
+ php_admin_value include_path /var/lib/typo3-dummy/:/usr/share/typo3/typo3_src-4.0/:.
+ php_admin_value sendmail_path /var/lib/typo3-dummy/execdir/
# Limit the files that can be opened by PHP to the specified directory-tree(s)
- php_admin_value open_basedir /var/lib/typo3-dummy/:/usr/share/typo3/:/usr/share/typo3-dummy/:/etc/typo3-dummy/
+ php_admin_value open_basedir /var/lib/typo3-dummy/:/usr/share/typo3/:/usr/share/typo3-dummy/:/etc/typo3-dummy/:/usr/share/fonts/truetype/ttf-bitstream-vera/
# in safe mode programs that are not in this directory will not be started
php_admin_value safe_mode_exec_dir /var/lib/typo3-dummy/execdir/
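Review bot: `php_admin_value sendmail_path /var/lib/typo3-dummy/execdir/` points PHP's sendmail command at a directory rather than an executable, so mail() cannot work under this configuration; debian/rules in this debdiff links /usr/sbin/sendmail to execdir/sendmail, so the value should be `php_admin_value sendmail_path /var/lib/typo3-dummy/execdir/sendmail -t -i` (the flags match PHP's default sendmail_path). The same directory value is repeated in the new mod_php5 block further down this file. The `safe_mode_include_dir` line is commented out without saying why; a one-line comment such as `# not needed: sources are covered by include_path and open_basedir` would spare the next maintainer from re-enabling it.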
@@ -86,6 +95,26 @@
php_value variables_order GPCS
</IfModule>
+ <IfModule mod_php5.c>
+ # for hints regarding these options see section above.
+
+ AddType application/x-httpd-php .php
+ php_admin_value safe_mode on
+ php_admin_value safe_mode_gid on
+ # php_admin_value safe_mode_include_dir /usr/share/typo3/typo3_src-4.0/
+ php_admin_value upload_max_filesize 10M
+ php_admin_value memory_limit 48M
+ # php_admin_value max_execution_time 90
+ php_admin_value include_path /var/lib/typo3-dummy/:/usr/share/typo3/typo3_src-4.0/:.
+ php_admin_value sendmail_path /var/lib/typo3-dummy/execdir/
+ php_admin_value open_basedir /var/lib/typo3-dummy/:/usr/share/typo3/:/etc/typo3-dummy/:/usr/share/fonts/truetype/ttf-bitstream-vera/
+ php_admin_value safe_mode_exec_dir /var/lib/typo3-dummy/execdir/
+ php_flag allow_call_time_pass_reference off
+ php_flag register_globals off
+ php_flag register_argc_argv off
+ php_flag magic_quotes_gpc off
+ php_value variables_order GPCS
+ </IfModule>
</IfModule>
### End: PHP optimisation ###
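Review bot: The mod_php5 block's `open_basedir` omits `/usr/share/typo3-dummy/`, which the mod_php4 block above still lists, so the two PHP versions get different filesystem confinement; unless that directory is unused under php5, the line should read `php_admin_value open_basedir /var/lib/typo3-dummy/:/usr/share/typo3/:/usr/share/typo3-dummy/:/etc/typo3-dummy/:/usr/share/fonts/truetype/ttf-bitstream-vera/`. The block repeats every directive of the php4 block, so each future change must be made twice; the comment `# for hints regarding these options see section above.` could add "keep both blocks in sync". It also repeats the `sendmail_path` directory value from the php4 block, which should name the sendmail link itself.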
@@ -111,10 +140,10 @@
# Stop rewrite processing if we are in the typo3/ directory
# For httpd.conf, use this line instead of the next one:
- # RewriteRule ^/TYPO3root/(typo3|typo3temp|typo3conf|t3lib|tslib|fileadmin|uploads|showpic\.php)/ - [L]
- # RewriteRule ^(typo3|typo3temp|typo3conf|t3lib|tslib|fileadmin|uploads|showpic\.php)/ - [L]
- RewriteRule ^/typo3/(typo3|typo3temp|typo3conf|t3lib|tslib|fileadmin|uploads|showpic\.php)/ - [L]
- #RewriteRule ^/typo3-dummy/(typo3|typo3temp|typo3conf|t3lib|tslib|fileadmin|uploads|showpic\.php)/ - [L]
+ # RewriteRule ^/TYPO3root/(typo3|typo3temp|typo3conf|t3lib|fileadmin|uploads)/ - [L]
+ # RewriteRule ^(typo3|typo3temp|typo3conf|t3lib|fileadmin|uploads)/ - [L]
+ RewriteRule ^/typo3/(typo3|typo3temp|typo3conf|t3lib|fileadmin|uploads)/ - [L]
+ #RewriteRule ^/typo3-dummy/(typo3|typo3temp|typo3conf|t3lib|fileadmin|uploads)/ - [L]
# Redirect http://mysite/typo3 to http://mysite/typo3/index_re.php
# and stop the rewrite processing
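Review bot: All four RewriteRule variants drop `tslib` and `showpic\.php` from the pass-through list, so requests under /typo3/tslib/ and to /typo3/showpic.php now fall through to the rewrite rules that follow this hunk; the changelog entry in this debdiff does not mention this, and if those later rules send unknown paths to index.php, images served through showpic.php would presumably stop working. If the removal is intended, a comment above the active rule stating why (for example that the paths are no longer reachable or should be blocked) would make the intent clear; otherwise the two alternatives should be restored.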
diff -u typo3-dummy-4.0.2/debian/rules typo3-dummy-4.0.2/debian/rules
--- typo3-dummy-4.0.2/debian/rules
+++ typo3-dummy-4.0.2/debian/rules
@@ -56,6 +56,7 @@
/usr/bin/convert $(DOCROOTDIR)/execdir/convert \
/usr/bin/composite $(DOCROOTDIR)/execdir/composite \
/usr/bin/identify $(DOCROOTDIR)/execdir/identify \
+ /usr/bin/gm $(DOCROOTDIR)/execdir/gm \
/usr/sbin/sendmail $(DOCROOTDIR)/execdir/sendmail
dh_compress
dh_fixperms
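Review bot: The new `/usr/bin/gm $(DOCROOTDIR)/execdir/gm` entry places the GraphicsMagick binary in the directory apache.conf uses as `safe_mode_exec_dir`, yet no dependency change for typo3-dummy appears in this debdiff; if graphicsmagick is absent the link dangles, and if it is installed later it becomes callable from PHP without any package update. Please confirm debian/control declares the dependency and that `im_version_5 = 'gm'` in localconf.php is the intended consumer. The link command begins before this hunk.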
diff -u typo3-dummy-4.0.2/debian/changelog typo3-dummy-4.0.2/debian/changelog
--- typo3-dummy-4.0.2/debian/changelog
+++ typo3-dummy-4.0.2/debian/changelog
@@ -1,3 +1,11 @@
+typo3-dummy (4.0.2-3) testing; urgency=medium
+
+ * adjusted apache.conf and localconf.php to work with php4/php5 and safe_mode
+ enabled.
+ * added fix for php memory limit to make the extension manager work again.
+
+ -- Christian Welzel <gawain@camlann.de> Mon, 20 Dec 2006 21:30:41 +0100
+
typo3-dummy (4.0.2-2) unstable; urgency=low
* Removed finding latest version of source by "latest"-link; now hardcoded.
diff -u typo3-src-4.0.2+debian/debian/control typo3-src-4.0.2+debian/debian/control
--- typo3-src-4.0.2+debian/debian/control
+++ typo3-src-4.0.2+debian/debian/control
@@ -2,7 +2,7 @@
Section: web
Priority: optional
Maintainer: Christian Welzel <gawain@camlann.de>
-Build-Depends: debhelper (>= 4)
+Build-Depends: debhelper (>= 4), dpatch
Standards-Version: 3.7.2
Package: typo3
diff -u typo3-src-4.0.2+debian/debian/rules typo3-src-4.0.2+debian/debian/rules
--- typo3-src-4.0.2+debian/debian/rules
+++ typo3-src-4.0.2+debian/debian/rules
@@ -3,6 +3,8 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
+include /usr/share/dpatch/dpatch.make
+
SOURCEVERSION=4.0
PACKAGENAME=typo3_src-$(SOURCEVERSION)
SOURCEPACKAGE=typo3-src-$(SOURCEVERSION)
@@ -15,9 +17,9 @@
SOURCEINSTALLDIR=debian/$(SOURCEPACKAGE)/$(T3SRCDIR)
-build:
+build: patch-stamp
-clean:
+clean: unpatch
dh_testdir
dh_testroot
dh_clean
@@ -44,6 +46,7 @@
dh_strip
dh_compress
dh_fixperms
+ chown -hR root:www-data $(SOURCEINSTALLDIR)
dh_installdeb
dh_shlibdeps
dh_gencontrol
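Review bot: `chown -hR root:www-data $(SOURCEINSTALLDIR)` hands group ownership of the whole shipped source tree to the web server group so that `safe_mode_gid` accepts the files; that is only safe while nothing in the tree is group-writable, otherwise www-data could alter shipped code. dh_fixperms on the preceding line strips group-write bits, so the ordering is right, but a comment would keep the reasoning with the code, e.g. `# group www-data so that PHP safe_mode (safe_mode_gid on in typo3-dummy's apache.conf) accepts these files; dh_fixperms above keeps them non-group-writable`. The chown only takes effect if this target runs under fakeroot, which is presumably already the case.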
diff -u typo3-src-4.0.2+debian/debian/changelog typo3-src-4.0.2+debian/debian/changelog
--- typo3-src-4.0.2+debian/debian/changelog
+++ typo3-src-4.0.2+debian/debian/changelog
@@ -1,3 +1,12 @@
+typo3-src (4.0.2+debian-2) testing; urgency=high
+
+ * Fixed security problem in rtehtmlarea extension with patch from typo3-src
+ 4.0.4. (Closes: 403906)
+ * Changed ownership of /usr/share/typo3/typo3_src-4.0 to root:www-data
+ to make php safe_mode work for gid-check.
+
+ -- Christian Welzel <gawain@camlann.de> Wed, 20 Dec 2006 20:50:00 +0100
+
typo3-src (4.0.2+debian-1) unstable; urgency=low
* Depend on ttf-bitstream-vera for vera.ttf (Closes: 374141)
only in patch2:
unchanged:
--- typo3-src-4.0.2+debian.orig/debian/patches/00list
+++ typo3-src-4.0.2+debian/debian/patches/00list
@@ -0,0 +1 @@
+01-rtehtmlarea_fix
only in patch2:
unchanged:
--- typo3-src-4.0.2+debian.orig/debian/patches/01-rtehtmlarea_fix.dpatch
+++ typo3-src-4.0.2+debian/debian/patches/01-rtehtmlarea_fix.dpatch
@@ -0,0 +1,107 @@
+#!/bin/sh /usr/share/dpatch/dpatch-run
+## 01-rtehtmlarea_fix.dpatch by Christian Welzel <gawain@camlann.de>
+##
+## DP: fix a security-vulnerability in rtehtmlarea system extension
+
+@DPATCH@
+
+diff -Naur typo3_src-4.0.3/typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php typo3_src-4.0.4/typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php
+--- typo3_src-4.0.3/typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php 2006-12-05 01:35:48.000000000 +0100
++++ typo3_src-4.0.4/typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php 2006-12-20 13:38:21.000000000 +0100
+@@ -84,6 +84,37 @@
+ $GLOBALS['TSFE']->tmpl->getFileName_backPath = PATH_site;
+ $GLOBALS['TSFE']->forceTemplateParsing = 1;
+ $GLOBALS['TSFE']->getConfigArray();
++
++ // *********
++ // initialize a BE_USER if applicable
++ // *********
++ $BE_USER='';
++ if ($_COOKIE['be_typo_user']) { // If the backend cookie is set, we proceed and checks if a backend user is logged in.
++ $TYPO3_MISC['microtime_BE_USER_start'] = microtime();
++ $TT->push('Back End user initialized','');
++ require_once (PATH_t3lib.'class.t3lib_befunc.php');
++ require_once (PATH_t3lib.'class.t3lib_userauthgroup.php');
++ require_once (PATH_t3lib.'class.t3lib_beuserauth.php');
++ require_once (PATH_t3lib.'class.t3lib_tsfebeuserauth.php');
++
++ // the value this->formfield_status is set to empty in order to disable login-attempts to the backend account through this script
++ $BE_USER = t3lib_div::makeInstance('t3lib_tsfeBeUserAuth'); // New backend user object
++ $BE_USER->OS = TYPO3_OS;
++ $BE_USER->lockIP = $TYPO3_CONF_VARS['BE']['lockIP'];
++ $BE_USER->start(); // Object is initialized
++ $BE_USER->unpack_uc('');
++ if ($BE_USER->user['uid']) {
++ $BE_USER->fetchGroupData();
++ $TSFE->beUserLogin = 1;
++ }
++ // Now we need to do some additional checks for IP/SSL
++ if (!$BE_USER->checkLockToIP() || !$BE_USER->checkBackendAccessSettingsFromInitPhp()) {
++ // Unset the user initialization.
++ $BE_USER='';
++ $TSFE->beUserLogin=0;
++ }
++ }
++
+ $spellChecker = t3lib_div::makeInstance('tx_rtehtmlarea_pi1');
+ $spellChecker->cObj = t3lib_div::makeInstance('tslib_cObj');
+ $conf = $GLOBALS['TSFE']->tmpl->setup['plugin.'][$spellChecker->prefixId.'.'];
+diff -Naur typo3_src-4.0.3/typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php typo3_src-4.0.4/typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php
+--- typo3_src-4.0.3/typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php 2006-12-05 01:35:48.000000000 +0100
++++ typo3_src-4.0.4/typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php 2006-12-20 13:38:21.000000000 +0100
+@@ -142,6 +142,8 @@
+
+ // Setting the pspell suggestion mode
+ $this->pspellMode = t3lib_div::_POST('pspell_mode')?t3lib_div::_POST('pspell_mode'): $this->pspellMode;
++ // Now sanitize $this->pspellMode
++ $this->pspellMode = t3lib_div::inList('ultra,fast,normal,bad-spellers',$this->pspellMode)?$this->pspellMode:'normal';
+ switch($this->pspellMode) {
+ case 'ultra':
+ case 'fast':
+@@ -165,21 +167,24 @@
+ if($this->pspell_is_available && !$this->forceCommandMode) {
+ $this->pspell_link = pspell_new($this->dictionary, '', '', $this->parserCharset, $pspellModeFlag);
+ }
+
+ // Setting the path to user personal dicts, if any
+- if (t3lib_div::_POST('enablePersonalDicts') == 'true') {
+- $this->userUid = t3lib_div::_POST('userUid');
++ if (t3lib_div::_POST('enablePersonalDicts') == 'true' && $GLOBALS['TSFE']->beUserLogin) {
++ $this->userUid = 'BE_' . $GLOBALS['BE_USER']->user['uid'];
+ if ($this->userUid) {
+ $this->personalDictPath = t3lib_div::getFileAbsFileName($this->uploadFolder . $this->userUid);
+ if (!is_dir($this->personalDictPath)) {
+ t3lib_div::mkdir($this->personalDictPath);
+ }
+- $this->personalDictsArg = ' --home-dir=' . $this->personalDictPath;
++ // escape here for later use
++ $this->personalDictsArg = ' --home-dir=' . escapeshellarg($this->personalDictPath);
+ }
+ }
+
+ $cmd = t3lib_div::_POST('cmd');
+ if ($cmd == 'learn' && !$safe_mode_is_enabled) {
++ // Only availble for BE_USERS, die silently if someone has gotten here by accident
++ if(!$GLOBALS['TSFE']->beUserLogin) die('');
+ // Updating the personal word list
+ $to_p_dict = t3lib_div::_POST('to_p_dict');
+ $to_p_dict = $to_p_dict ? $to_p_dict : array();
+@@ -205,7 +210,8 @@
+ echo $cmd;
+ fwrite($filehandle, $cmd, strlen($cmd));
+ fclose($filehandle);
+- $AspellCommand = 'cat ' . $tmpFileName . ' | ' . $this->AspellDirectory . ' -a --mode=none' . $this->personalDictsArg . ' --lang=' .$this->dictionary . ' --encoding=' . $this->parserCharset . ' 2>&1';
++ // $this->personalDictsArg has already been escapeshellarg()'ed above, it is an optional paramter and might be empty here
++ $AspellCommand = 'cat ' . escapeshellarg($tmpFileName) . ' | ' . $this->AspellDirectory . ' -a --mode=none' . $this->personalDictsArg . ' --lang=' . escapeshellarg($this->dictionary) . ' --encoding=' . escapeshellarg($this->parserCharset) . ' 2>&1';
+ print $AspellCommand . "\n";
+ print shell_exec($AspellCommand);
+ t3lib_div::unlink_tempfile($tmpFileName);
+@@ -362,7 +368,7 @@
+ if(!$filehandle = fopen($tmpFileName,'wb')) echo('SpellChecker tempfile open error');
+ if(!fwrite($filehandle, $word)) echo('SpellChecker tempfile write error');
+ if(!fclose($filehandle)) echo('SpellChecker tempfile close error');
+- $AspellCommand = 'cat ' . $tmpFileName . ' | ' . $this->AspellDirectory . ' -a check --mode=none --sug-mode=' . $this->pspellMode . $this->personalDictsArg . ' --lang=' .$this->dictionary . ' --encoding=' . $this->parserCharset . ' 2>&1';
++ $AspellCommand = 'cat ' . escapeshellarg($tmpFileName) . ' | ' . $this->AspellDirectory . ' -a check --mode=none --sug-mode=' . escapeshellarg($this->pspellMode) . $this->personalDictsArg . ' --lang=' . escapeshellarg($this->dictionary) . ' --encoding=' . escapeshellarg($this->parserCharset) . ' 2>&1';
+ $AspellAnswer = shell_exec($AspellCommand);
+ $AspellResultLines = array();
+ $AspellResultLines = t3lib_div::trimExplode(chr(10), $AspellAnswer, 1);
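Review bot: The unchanged `print $AspellCommand . "\n";` directly after the now-escaped learn command still writes the full shell command line, including the server-side temp file path and the personal dictionary path, into the HTTP response, and `echo $cmd;` a few lines earlier echoes the posted word list; neither is touched by this backport. Since the learn branch is now restricted to logged-in backend users this is a path disclosure rather than an injection, but dropping the print or guarding it behind the extension's debug setting would be cheap. `$this->AspellDirectory` is the only component of both commands left unescaped; if it comes from extension configuration rather than the request that is acceptable, and a comment such as `// AspellDirectory is admin-configured, not request-controlled` next to the escaped line would record that assumption. The enclosing methods start and end outside the hunk.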