Re: [SRM] New Trac package uploaded to stable
Hi Otavio,
before uploading to stable I would like to clarify whether this package
should go via r1 or via security.debian.org.
Greetings
Martin.
On Wed May 23, 2007 at 21:32:53 -0300, Otavio Salvador wrote:
> Hello,
>
> I've done the upload fixing the CVE-2007-1405 and CVE-2007-1406 issues,
> together with a copyright typo. Please find the interdiff attached.
>
> debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch | 115 +++++++++++++++++++
> trac-0.10.3/debian/changelog | 8 +
> trac-0.10.3/debian/copyright | 2
> trac-0.10.3/debian/patches/00list | 1
> 4 files changed, 125 insertions(+), 1 deletion(-)
>
> diff -u trac-0.10.3/debian/copyright trac-0.10.3/debian/copyright
> --- trac-0.10.3/debian/copyright
> +++ trac-0.10.3/debian/copyright
> @@ -3,7 +3,7 @@
> Trac can be downloaded from:
> http://projects.edgewall.com/trac/wiki/TracDownload
>
> -Tras is licensed under a modified BSD license, which follows:
> +Trac is licensed under a modified BSD license, which follows:
>
> Redistribution and use in source and binary forms, with or without
> modification, are permitted provided that the following conditions
> diff -u trac-0.10.3/debian/changelog trac-0.10.3/debian/changelog
> --- trac-0.10.3/debian/changelog
> +++ trac-0.10.3/debian/changelog
> @@ -1,3 +1,11 @@
> +trac (0.10.3-1etch1) stable; urgency=low
> +
> + * Add 02_CVE-2007-1405_CVE-2007-1406.dpatch patch to fix CVE-2007-1405
> + and CVE-2007-1406 security issues. (Closes: #414134, #420219)
> + * Fixed typo in debian/copyright. (Closes: #422409)
> +
> + -- Otavio Salvador <otavio@ossystems.com.br> Wed, 23 May 2007 21:18:41 -0300
> +
> trac (0.10.3-1) unstable; urgency=low
>
> * New upstream upload. Final 0.10.3 release that will hopefully make it into
> diff -u trac-0.10.3/debian/patches/00list trac-0.10.3/debian/patches/00list
> --- trac-0.10.3/debian/patches/00list
> +++ trac-0.10.3/debian/patches/00list
> @@ -1,0 +2 @@
> +02_CVE-2007-1405_CVE-2007-1406
> only in patch2:
> unchanged:
> --- trac-0.10.3.orig/debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch
> +++ trac-0.10.3/debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch
> @@ -0,0 +1,115 @@
> +#! /bin/sh /usr/share/dpatch/dpatch-run
> +## 02_CVE-2007-1405_CVE-2007-1406_issue.dpatch by Luis Matos <gass@otiliamatos.ath.cx>
> +##
> +## All lines beginning with `## DP:' are a description of the patch.
> +## DP: Fixes CVE-2007-1405, CVE-2007-1406, closing #414134, #420219.
> +
> +@DPATCH@
> +
> +--- trac-0.10.3.orig/trac/attachment.py 2007-05-24 01:31:24.000000000 +0100
> ++++ trac-0.10.3/trac/attachment.py 2007-05-24 01:32:12.000000000 +0100
> +@@ -291,10 +291,10 @@
> +
> + render_unsafe_content = BoolOption('attachment', 'render_unsafe_content',
> + 'false',
> +- """Whether non-binary attachments should be rendered in the browser, or
> ++ """Whether attachments should be rendered in the browser, or
> + only made downloadable.
> +
> +- Pretty much any text file may be interpreted as HTML by the browser,
> ++ Pretty much any file may be interpreted as HTML by the browser,
> + which allows a malicious user to attach a file containing cross-site
> + scripting attacks.
> +
> +@@ -555,22 +555,24 @@
> + # Eventually send the file directly
> + format = req.args.get('format')
> + if format in ('raw', 'txt'):
> +- if not self.render_unsafe_content and not binary:
> +- # Force browser to download HTML/SVG/etc pages that may
> +- # contain malicious code enabling XSS attacks
> +- req.send_header('Content-Disposition', 'attachment;' +
> +- 'filename=' + attachment.filename)
> +- if not mime_type or (self.render_unsafe_content and \
> +- not binary and format == 'txt'):
> +- mime_type = 'text/plain'
> ++ if not self.render_unsafe_content:
> ++ # Force browser to download files instead of rendering
> ++ # them, since they might contain malicious code enabling
> ++ # XSS attacks
> ++ req.send_header('Content-Disposition', 'attachment')
> ++ if format == 'txt':
> ++ mime_type = 'text/plain'
> ++ elif not mime_type:
> ++ mime_type = 'application/octet-stream'
> + if 'charset=' not in mime_type:
> + charset = mimeview.get_charset(str_data, mime_type)
> + mime_type = mime_type + '; charset=' + charset
> ++
> + req.send_file(attachment.path, mime_type)
> +
> + # add ''Plain Text'' alternate link if needed
> +- if self.render_unsafe_content and not binary and \
> +- mime_type and not mime_type.startswith('text/plain'):
> ++ if (self.render_unsafe_content and
> ++ mime_type and not mime_type.startswith('text/plain')):
> + plaintext_href = attachment.href(req, format='txt')
> + add_link(req, 'alternate', plaintext_href, 'Plain Text',
> + mime_type)
> +diff -ur trac-0.10.3.orig/trac/mimeview/api.py trac-0.10.3/trac/mimeview/api.py
> +--- trac-0.10.3.orig/trac/mimeview/api.py 2007-05-24 01:31:24.000000000 +0100
> ++++ trac-0.10.3/trac/mimeview/api.py 2007-05-24 01:32:12.000000000 +0100
> +@@ -604,8 +604,8 @@
> + content, selector)
> + req.send_response(200)
> + req.send_header('Content-Type', output_type)
> +- req.send_header('Content-Disposition', 'filename=%s.%s' % (filename,
> +- ext))
> ++ req.send_header('Content-Disposition', 'attachment; filename=%s.%s' %
> ++ (filename, ext))
> + req.end_headers()
> + req.write(content)
> + raise RequestDone
> +diff -ur trac-0.10.3.orig/trac/versioncontrol/web_ui/browser.py trac-0.10.3/trac/versioncontrol/web_ui/browser.py
> +--- trac-0.10.3.orig/trac/versioncontrol/web_ui/browser.py 2007-05-24 01:31:24.000000000 +0100
> ++++ trac-0.10.3/trac/versioncontrol/web_ui/browser.py 2007-05-24 01:32:12.000000000 +0100
> +@@ -21,7 +21,7 @@
> + from fnmatch import fnmatchcase
> +
> + from trac import util
> +-from trac.config import ListOption, Option
> ++from trac.config import ListOption, BoolOption, Option
> + from trac.core import *
> + from trac.mimeview import Mimeview, is_binary, get_mimetype
> + from trac.perm import IPermissionRequestor
> +@@ -57,6 +57,18 @@
> + glob patterns, i.e. "*" can be used as a wild card)
> + (''since 0.10'')""")
> +
> ++ render_unsafe_content = BoolOption('browser', 'render_unsafe_content',
> ++ 'false',
> ++ """Whether attachments should be rendered in the browser, or
> ++ only made downloadable.
> ++
> ++ Pretty much any file may be interpreted as HTML by the browser,
> ++ which allows a malicious user to attach a file containing cross-site
> ++ scripting attacks.
> ++
> ++ For public sites where anonymous users can create attachments it is
> ++ recommended to leave this option disabled (which is the default).""")
> ++
> + # INavigationContributor methods
> +
> + def get_active_navigation_item(self, req):
> +@@ -216,6 +228,11 @@
> + format == 'txt' and 'text/plain' or mime_type)
> + req.send_header('Content-Length', node.content_length)
> + req.send_header('Last-Modified', http_date(node.last_modified))
> ++ if not self.render_unsafe_content:
> ++ # Force browser to download files instead of rendering
> ++ # them, since they might contain malicious code enabling
> ++ # XSS attacks
> ++ req.send_header('Content-Disposition', 'attachment')
> + req.end_headers()
> +
> + while 1:
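Review bot: The rewritten raw/txt branch in trac/attachment.py sends `req.send_header('Content-Disposition', 'attachment')` and so drops the `filename=` parameter the removed lines carried, meaning a browser saving the file no longer receives the attachment's original name; if that is deliberate it deserves a comment, otherwise restore it with proper quoting, e.g. `'attachment; filename="%s"' % attachment.filename` after rejecting `"` and CR/LF in the name. The trac/mimeview/api.py hunk still interpolates `filename` unquoted into `'attachment; filename=%s.%s'`; if that value can originate from user input, a `;`, `"` or line break in it malforms the header, so the same quoting and validation should apply there. The `render_unsafe_content` option added to trac/versioncontrol/web_ui/browser.py reuses the attachment docstring verbatim and therefore speaks of "attachments" and "anonymous users can create attachments", although this option governs files served from the repository browser; reword it to e.g. `Whether repository files should be rendered in the browser, or only made downloadable.` and drop the sentence about anonymous attachment creation. The dpatch header also names the file `02_CVE-2007-1405_CVE-2007-1406_issue.dpatch` while the entry added to 00list is `02_CVE-2007-1405_CVE-2007-1406`. All three Trac functions touched by the nested hunks start and end outside the lines shown.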
--
[root@debian /root]# man real-life
No manual entry for real-life