
Re: In time for lenny update for request-tracker3.6?



On Sat, Jun 13, 2009 at 05:25:33PM +0100, Dominic Hargreaves wrote:
> On Sat, Jun 13, 2009 at 04:13:09PM +0100, Dominic Hargreaves wrote:
> > A minor security update (probably not something that would justify
> > an update on security.debian.org) has been announced for RT3.6 which
> > affects the version in lenny.
> > 
> > http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000169.html
> > 
> > The patch is included in that message.
> > 
> > Would it be okay to upload a fixed package to stable for the upcoming
> > point release?
> 
> Proposed patch (built and tested) attached.
> 
> Security team CC'd in case they would prefer it to be handled as a
> security update.

And here it really is...

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
diff -u request-tracker3.6-3.6.7/debian/changelog request-tracker3.6-3.6.7/debian/changelog
--- request-tracker3.6-3.6.7/debian/changelog
+++ request-tracker3.6-3.6.7/debian/changelog
@@ -1,3 +1,10 @@
+request-tracker3.6 (3.6.7-5+lenny1) stable; urgency=low
+
+  * Security fix: only allow SuperUsers to edit global RT at a Glance
+    (Closes: #532990)
+
+ -- Dominic Hargreaves <dom@earth.li>  Sat, 13 Jun 2009 17:12:04 +0100
+
 request-tracker3.6 (3.6.7-5) unstable; urgency=high
 
   * Urgency high due to RC bug-fix
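Review bot: the new changelog entry cites only the Debian bug (Closes: #532990); since this is a stable upload for an upstream security fix, the entry should also reference the upstream announcement quoted earlier in the thread (http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000169.html) so that users of the stable package can trace where the fix came from.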
diff -u request-tracker3.6-3.6.7/debian/patches/00list request-tracker3.6-3.6.7/debian/patches/00list
--- request-tracker3.6-3.6.7/debian/patches/00list
+++ request-tracker3.6-3.6.7/debian/patches/00list
@@ -14,0 +15 @@
+70_RT-ShowConfigTab-3.6
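Review bot: the patch is registered as `70_RT-ShowConfigTab-3.6`, which suggests it concerns the ShowConfigTab right, while the dpatch it points to actually checks `Right => 'SuperUser'` and the changelog describes it as restricting global RT at a Glance edits to SuperUsers; a name that matches the right being enforced (or the component being fixed, Admin/Global/MyRT) would make the 00list entry easier to audit later.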
only in patch2:
unchanged:
--- request-tracker3.6-3.6.7.orig/debian/patches/70_RT-ShowConfigTab-3.6.dpatch
+++ request-tracker3.6-3.6.7/debian/patches/70_RT-ShowConfigTab-3.6.dpatch
@@ -0,0 +1,34 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 70_RT-ShowConfigTab-3.6.patch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Security fix: only allow SuperUsers to edit global RT at a Glance
+
+@DPATCH@
+--- share-old/html/Admin/Global/MyRT.html
++++ share-new/html/Admin/Global/MyRT.html
+@@ -83,6 +83,8 @@
+ 
+ my ($default_portlets) = $sys->Attributes->Named('HomepageSettings');
+ 
++my $has_right = $session{'CurrentUser'}->HasRight( Object=> $RT::System, Right => 'SuperUser');
++
+ my @panes = $m->comp(
+     '/Admin/Elements/ConfigureMyRT',
+     panes  => ['body', 'summary'],
+@@ -91,8 +93,13 @@
+     current_portlets => $default_portlets->Content,
+     OnSave => sub {
+         my ( $conf, $pane ) = @_;
+-	$default_portlets->SetContent( $conf );
+-        push @actions, loc( 'Global portlet [_1] saved.', $pane );
++        if (!$has_right) {
++            push @actions, loc( 'Permission denied' );
++        }
++        else {
++            $default_portlets->SetContent( $conf );
++            push @actions, loc( 'Global portlet [_1] saved.', $pane );
++        }
+     }
+ );
+ 
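Review bot: `$has_right` is computed before the `/Admin/Elements/ConfigureMyRT` component is composed but is only consulted inside the `OnSave` callback, so a user without the SuperUser right is still shown the full global portlet editor and only gets `loc( 'Permission denied' )` after attempting a save; consider testing `$has_right` before the `$m->comp( '/Admin/Elements/ConfigureMyRT', ... )` call as well and refusing to render the editor at all, which keeps the enforcement in one place rather than relying on the save path. Minor: the header comment reads `## 70_RT-ShowConfigTab-3.6.patch` while the file added is `70_RT-ShowConfigTab-3.6.dpatch`.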
