[SRM] New Trac package uploaded to stable
Hello,
I've done the upload fixing the CVE-2007-1405 and CVE-2007-1406 issues, along with
a copyright typo. Please find the interdiff attached.
debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch | 115 +++++++++++++++++++
trac-0.10.3/debian/changelog | 8 +
trac-0.10.3/debian/copyright | 2
trac-0.10.3/debian/patches/00list | 1
4 files changed, 125 insertions(+), 1 deletion(-)
diff -u trac-0.10.3/debian/copyright trac-0.10.3/debian/copyright
--- trac-0.10.3/debian/copyright
+++ trac-0.10.3/debian/copyright
@@ -3,7 +3,7 @@
Trac can be downloaded from:
http://projects.edgewall.com/trac/wiki/TracDownload
-Tras is licensed under a modified BSD license, which follows:
+Trac is licensed under a modified BSD license, which follows:
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
diff -u trac-0.10.3/debian/changelog trac-0.10.3/debian/changelog
--- trac-0.10.3/debian/changelog
+++ trac-0.10.3/debian/changelog
@@ -1,3 +1,11 @@
+trac (0.10.3-1etch1) stable; urgency=low
+
+ * Add 02_CVE-2007-1405_CVE-2007-1406.dpatch patch to fix CVE-2007-1405
+ and CVE-2007-1406 security issues. (Closes: #414134, #420219)
+ * Fixed typo in debian/copyright. (Closes: #422409)
+
+ -- Otavio Salvador <otavio@ossystems.com.br> Wed, 23 May 2007 21:18:41 -0300
+
trac (0.10.3-1) unstable; urgency=low
* New upstream upload. Final 0.10.3 release that will hopefully make it into
diff -u trac-0.10.3/debian/patches/00list trac-0.10.3/debian/patches/00list
--- trac-0.10.3/debian/patches/00list
+++ trac-0.10.3/debian/patches/00list
@@ -1,0 +2 @@
+02_CVE-2007-1405_CVE-2007-1406
only in patch2:
unchanged:
--- trac-0.10.3.orig/debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch
+++ trac-0.10.3/debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch
@@ -0,0 +1,115 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 02_CVE-2007-1405_CVE-2007-1406_issue.dpatch by Luis Matos <gass@otiliamatos.ath.cx>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixes CVE-2007-1405, CVE-2007-1406, closing #414134, #420219.
+
+@DPATCH@
+
+--- trac-0.10.3.orig/trac/attachment.py 2007-05-24 01:31:24.000000000 +0100
++++ trac-0.10.3/trac/attachment.py 2007-05-24 01:32:12.000000000 +0100
+@@ -291,10 +291,10 @@
+
+ render_unsafe_content = BoolOption('attachment', 'render_unsafe_content',
+ 'false',
+- """Whether non-binary attachments should be rendered in the browser, or
++ """Whether attachments should be rendered in the browser, or
+ only made downloadable.
+
+- Pretty much any text file may be interpreted as HTML by the browser,
++ Pretty much any file may be interpreted as HTML by the browser,
+ which allows a malicious user to attach a file containing cross-site
+ scripting attacks.
+
+@@ -555,22 +555,24 @@
+ # Eventually send the file directly
+ format = req.args.get('format')
+ if format in ('raw', 'txt'):
+- if not self.render_unsafe_content and not binary:
+- # Force browser to download HTML/SVG/etc pages that may
+- # contain malicious code enabling XSS attacks
+- req.send_header('Content-Disposition', 'attachment;' +
+- 'filename=' + attachment.filename)
+- if not mime_type or (self.render_unsafe_content and \
+- not binary and format == 'txt'):
+- mime_type = 'text/plain'
++ if not self.render_unsafe_content:
++ # Force browser to download files instead of rendering
++ # them, since they might contain malicious code enabling
++ # XSS attacks
++ req.send_header('Content-Disposition', 'attachment')
++ if format == 'txt':
++ mime_type = 'text/plain'
++ elif not mime_type:
++ mime_type = 'application/octet-stream'
+ if 'charset=' not in mime_type:
+ charset = mimeview.get_charset(str_data, mime_type)
+ mime_type = mime_type + '; charset=' + charset
++
+ req.send_file(attachment.path, mime_type)
+
+ # add ''Plain Text'' alternate link if needed
+- if self.render_unsafe_content and not binary and \
+- mime_type and not mime_type.startswith('text/plain'):
++ if (self.render_unsafe_content and
++ mime_type and not mime_type.startswith('text/plain')):
+ plaintext_href = attachment.href(req, format='txt')
+ add_link(req, 'alternate', plaintext_href, 'Plain Text',
+ mime_type)
+diff -ur trac-0.10.3.orig/trac/mimeview/api.py trac-0.10.3/trac/mimeview/api.py
+--- trac-0.10.3.orig/trac/mimeview/api.py 2007-05-24 01:31:24.000000000 +0100
++++ trac-0.10.3/trac/mimeview/api.py 2007-05-24 01:32:12.000000000 +0100
+@@ -604,8 +604,8 @@
+ content, selector)
+ req.send_response(200)
+ req.send_header('Content-Type', output_type)
+- req.send_header('Content-Disposition', 'filename=%s.%s' % (filename,
+- ext))
++ req.send_header('Content-Disposition', 'attachment; filename=%s.%s' %
++ (filename, ext))
+ req.end_headers()
+ req.write(content)
+ raise RequestDone
+diff -ur trac-0.10.3.orig/trac/versioncontrol/web_ui/browser.py trac-0.10.3/trac/versioncontrol/web_ui/browser.py
+--- trac-0.10.3.orig/trac/versioncontrol/web_ui/browser.py 2007-05-24 01:31:24.000000000 +0100
++++ trac-0.10.3/trac/versioncontrol/web_ui/browser.py 2007-05-24 01:32:12.000000000 +0100
+@@ -21,7 +21,7 @@
+ from fnmatch import fnmatchcase
+
+ from trac import util
+-from trac.config import ListOption, Option
++from trac.config import ListOption, BoolOption, Option
+ from trac.core import *
+ from trac.mimeview import Mimeview, is_binary, get_mimetype
+ from trac.perm import IPermissionRequestor
+@@ -57,6 +57,18 @@
+ glob patterns, i.e. "*" can be used as a wild card)
+ (''since 0.10'')""")
+
++ render_unsafe_content = BoolOption('browser', 'render_unsafe_content',
++ 'false',
++ """Whether attachments should be rendered in the browser, or
++ only made downloadable.
++
++ Pretty much any file may be interpreted as HTML by the browser,
++ which allows a malicious user to attach a file containing cross-site
++ scripting attacks.
++
++ For public sites where anonymous users can create attachments it is
++ recommended to leave this option disabled (which is the default).""")
++
+ # INavigationContributor methods
+
+ def get_active_navigation_item(self, req):
+@@ -216,6 +228,11 @@
+ format == 'txt' and 'text/plain' or mime_type)
+ req.send_header('Content-Length', node.content_length)
+ req.send_header('Last-Modified', http_date(node.last_modified))
++ if not self.render_unsafe_content:
++ # Force browser to download files instead of rendering
++ # them, since they might contain malicious code enabling
++ # XSS attacks
++ req.send_header('Content-Disposition', 'attachment')
+ req.end_headers()
+
+ while 1:
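Review bot: The Content-Disposition header in the trac/mimeview/api.py hunk still interpolates the filename unquoted (`'attachment; filename=%s.%s' % (filename, ext)`), so a name containing a space, semicolon or quote yields a malformed parameter that browsers may ignore, and the same hunk in attachment.py sidesteps this only by dropping the filename entirely; quoting the value, e.g. `'attachment; filename="%s.%s"' % (filename.replace('"', ''), ext)`, would keep the download name while staying well-formed. The new `[browser] render_unsafe_content` docstring in browser.py was copied from the attachment option and speaks of "attachments" and "users can create attachments", which does not describe the repository browser; a wording such as `"""Whether raw files served by the repository browser should be rendered in the browser, or only made downloadable."""` would be accurate. In attachment.py, once the fallback becomes `application/octet-stream` the unchanged `if 'charset=' not in mime_type:` still appends a charset to it, and `binary` appears to be no longer read in this hunk, though its definition and any other use lie outside the hunk. All three enclosing functions start and end outside the hunks shown.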
--
O T A V I O S A L V A D O R
---------------------------------------------
E-mail: otavio@debian.org UIN: 5906116
GNU/Linux User: 239058 GPG ID: 49A5F855
Home Page: http://otavio.ossystems.com.br
---------------------------------------------
"Microsoft sells you Windows ... Linux gives
you the whole house."