Re: In time for lenny update for request-tracker3.6?
On Sat, Jun 13, 2009 at 05:25:33PM +0100, Dominic Hargreaves wrote:
> On Sat, Jun 13, 2009 at 04:13:09PM +0100, Dominic Hargreaves wrote:
> > A minor security update (probably not something that would justify
> > an update on security.debian.org) has been announced for RT3.6 which
> > affects the version in lenny.
> >
> > http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000169.html
> >
> > The patch is included in that message.
> >
> > Would it be okay to upload a fixed package to stable for the upcoming
> > point release?
>
> Proposed patch (built and tested) attached.
>
> Security team CC'd in case they would prefer it to be handled as a
> security update.
And here it really is...
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
diff -u request-tracker3.6-3.6.7/debian/changelog request-tracker3.6-3.6.7/debian/changelog
--- request-tracker3.6-3.6.7/debian/changelog
+++ request-tracker3.6-3.6.7/debian/changelog
@@ -1,3 +1,10 @@
+request-tracker3.6 (3.6.7-5+lenny1) stable; urgency=low
+
+ * Security fix: only allow SuperUsers to edit global RT at a Glance
+ (Closes: #532990)
+
+ -- Dominic Hargreaves <dom@earth.li> Sat, 13 Jun 2009 17:12:04 +0100
+
request-tracker3.6 (3.6.7-5) unstable; urgency=high
* Urgency high due to RC bug-fix
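Review bot: the new changelog entry closes #532990 but gives no pointer to the upstream advisory it backports; for a stable update it helps later maintainers if the entry also cites the rt-announce URL quoted earlier in the thread (http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000169.html), e.g. as a second line under the "Security fix" bullet.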
diff -u request-tracker3.6-3.6.7/debian/patches/00list request-tracker3.6-3.6.7/debian/patches/00list
--- request-tracker3.6-3.6.7/debian/patches/00list
+++ request-tracker3.6-3.6.7/debian/patches/00list
@@ -14,0 +15 @@
+70_RT-ShowConfigTab-3.6
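Review bot: the patch name `70_RT-ShowConfigTab-3.6` added to 00list does not describe what the patch does (a SuperUser check in `Admin/Global/MyRT.html`); if the name is inherited from upstream's patch, say so in the dpatch `## DP:` description, otherwise a name such as `70_RT-MyRT-SuperUser-3.6` would make the series easier to audit.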
only in patch2:
unchanged:
--- request-tracker3.6-3.6.7.orig/debian/patches/70_RT-ShowConfigTab-3.6.dpatch
+++ request-tracker3.6-3.6.7/debian/patches/70_RT-ShowConfigTab-3.6.dpatch
@@ -0,0 +1,34 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 70_RT-ShowConfigTab-3.6.patch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Security fix: only allow SuperUsers to edit global RT at a Glance
+
+@DPATCH@
+--- share-old/html/Admin/Global/MyRT.html
++++ share-new/html/Admin/Global/MyRT.html
+@@ -83,6 +83,8 @@
+
+ my ($default_portlets) = $sys->Attributes->Named('HomepageSettings');
+
++my $has_right = $session{'CurrentUser'}->HasRight( Object=> $RT::System, Right => 'SuperUser');
++
+ my @panes = $m->comp(
+ '/Admin/Elements/ConfigureMyRT',
+ panes => ['body', 'summary'],
+@@ -91,8 +93,13 @@
+ current_portlets => $default_portlets->Content,
+ OnSave => sub {
+ my ( $conf, $pane ) = @_;
+- $default_portlets->SetContent( $conf );
+- push @actions, loc( 'Global portlet [_1] saved.', $pane );
++ if (!$has_right) {
++ push @actions, loc( 'Permission denied' );
++ }
++ else {
++ $default_portlets->SetContent( $conf );
++ push @actions, loc( 'Global portlet [_1] saved.', $pane );
++ }
+ }
+ );
+
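Review bot: the SuperUser check is applied only inside the `OnSave` callback, so a user without the right still reaches `Admin/Global/MyRT.html` and is shown the full configuration form, learning only on submit that the save was refused; consider also testing `$has_right` right after it is computed and aborting the page early, leaving the `OnSave` check in place as the backstop that actually protects `$default_portlets->SetContent`. Minor: the header comment `## 70_RT-ShowConfigTab-3.6.patch` does not match the file name `70_RT-ShowConfigTab-3.6.dpatch` (and the 00list entry), which is worth aligning while the patch is being touched.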