Bug#683441: unblock: otrs2/3.1.7+dfsg1-3
Package: release.debian.org
Followup-For: Bug #683441
Hey kibi,
I have prepared a new upload with urgency high, because now it also needs a
security fix. I will wait for your approval before I upload it.
diff:
diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/changelog branches/wheezy/debian/changelog
--- tags/3.1.7+dfsg1-3/debian/changelog 2012-07-30 10:01:45.000000000 +0200
+++ branches/wheezy/debian/changelog 2012-08-22 18:50:11.539325047 +0200
@@ -1,9 +1,20 @@
+otrs2 (3.1.7+dfsg1-4) UNRELEASED; urgency=high
+
+ * Correct typo in changelog from my last upload.
+ * Add upstream patch 28-osa-2012-01-ie-xss from OSA-2012-01, which fixes a
+ XSS vulnerability when using the Internet Explorer.
+ * Move libmail-imapclient-perl from Suggests to Depends and also depend on
+ the version in Wheezy. This is an additional fix for the 3.1.7+dfsg1-3
+ upload to ensure that the correct version is installed.
+
+ -- Patrick Matthäi <pmatthaei@debian.org> Sun, 19 Aug 2012 12:47:35 +0200
+
otrs2 (3.1.7+dfsg1-3) unstable; urgency=low
* Add backported upstream patch 27-imaptls-more-than-one-email. Using IMAPTLS
will purge all e-mails, if more than one is located in the inbox. This is
because of newer Mail::IMAPClient module versions return an array reference
- insteaf of an array on the ->message action.
+ instead of an array on the ->message action.
-- Patrick Matthäi <pmatthaei@debian.org> Mon, 30 Jul 2012 09:53:24 +0200
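Review bot: the distribution field of the new entry still reads UNRELEASED (`otrs2 (3.1.7+dfsg1-4) UNRELEASED; urgency=high`); it has to be changed to unstable before the upload or the package will be rejected. The entry also does not describe everything 28-osa-2012-01-ie-xss.diff carries: besides the iframe hardening it changes the PendingUntil display in AgentTicketZoom.dtl, which should be listed so the release team sees the full scope of the freeze exception. If a CVE has been assigned to OSA-2012-01, put it on the same line as the advisory reference.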
diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/control branches/wheezy/debian/control
--- tags/3.1.7+dfsg1-3/debian/control 2012-07-30 10:01:45.000000000 +0200
+++ branches/wheezy/debian/control 2012-08-22 18:48:03.458134088 +0200
@@ -47,6 +47,7 @@
ttf-dejavu-extra,
ttf-dejavu-core,
libyaml-perl,
+ libmail-imapclient-perl (>= 3.31),
libjson-perl
Recommends: postgresql | mysql-server,
procmail | maildrop,
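Review bot: the new `libmail-imapclient-perl (>= 3.31)` constraint should be checked against what patch 27-imaptls-more-than-one-email actually assumes: the changelog says that patch handles the array-reference return of newer Mail::IMAPClient versions, so 3.31 must be the lowest version with that behaviour, otherwise an installation that satisfies the constraint could still hit the old plain-array code path. A hard Depends is the only way a versioned requirement is enforced on upgrade, so moving it out of Suggests is consistent with the stated intent.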
@@ -55,7 +56,6 @@
Suggests: otrs2-doc-en | otrs2-doc-de,
libnet-ldap-perl,
libjson-xs-perl,
- libmail-imapclient-perl,
libnet-smtp-tls-butmaintained-perl,
libtext-csv-xs-perl,
libencode-hanextra-perl
diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/patches/28-osa-2012-01-ie-xss.diff branches/wheezy/debian/patches/28-osa-2012-01-ie-xss.diff
--- tags/3.1.7+dfsg1-3/debian/patches/28-osa-2012-01-ie-xss.diff 1970-01-01 01:00:00.000000000 +0100
+++ branches/wheezy/debian/patches/28-osa-2012-01-ie-xss.diff 2012-08-22 18:44:14.328005878 +0200
@@ -0,0 +1,70 @@
+# Upstream advisory 2012-01:
+# This advisory covers vulnerabilities discovered in the OTRS core system. Due
+# to the XSS vulnerability in Internet Explorer an attacker could send a
+# specially prepared HTML email to OTRS which would cause JavaScript code to be
+# executed in your Internet Explorer while displaying the email.
+
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl
+--- otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 2012-06-21 13:40:05.000000000 +0200
++++ otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 2012-08-22 18:38:22.676743135 +0200
+@@ -2,7 +2,7 @@
+ # AgentTicketZoom.dtl - provides HTML for AgentTicketZoom.pm
+ # Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
+ # --
+-# $Id: AgentTicketZoom.dtl,v 1.207.2.2 2012/06/11 08:20:01 mg Exp $
++# $Id: AgentTicketZoom.dtl,v 1.207.2.4 2012/08/17 08:52:41 mg Exp $
+ # --
+ # This software comes with ABSOLUTELY NO WARRANTY. For details, see
+ # the enclosed file COPYING for license information (AGPL). If you
+@@ -177,7 +177,11 @@
+ <!-- dtl:block:TotalAccountedTime -->
+ <!-- dtl:block:PendingUntil -->
+ <label>$Text{"Pending till"}:</label>
+- <p class="Value $QData{"PendingUntilClass"}">$Data{"PendingUntil"}</p>
++ <p class="Value $QData{"PendingUntilClass"}">
++ $Data{"PendingUntil"}
++ <br/>
++ $TimeShort{"$QData{"UntilTimeHuman"}"}
++ </p>
+ <div class="Clear"></div>
+ <!-- dtl:block:PendingUntil -->
+ <!-- dtl:block:Owner -->
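Review bot: this hunk is unrelated to the XSS fix described in the patch header: it adds a second line showing `$TimeShort{"$QData{"UntilTimeHuman"}"}` under the pending time. For a freeze-exception upload the security patch should stay minimal; either drop this hunk from 28-osa-2012-01-ie-xss.diff or mention the UI change in the changelog so it is reviewed on its own merits. Note also that `$Data{"PendingUntil"}` in the same block is emitted without the HTML quoting that `$QData` applies; that is pre-existing, but worth confirming the value is server-generated only.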
+@@ -628,7 +632,9 @@
+ <!-- dtl:block:BodyHTML -->
+ <div>
+ # execute IFrame JS asynchronously. Otherwise it could happen before our API was loaded
+- <iframe width="100%" frameborder="0" id="Iframe$QData{"ArticleID"}" onload="window.setTimeout( function (){ if (typeof Core === 'object' && typeof Core.Agent === 'object' && typeof Core.Agent.TicketZoom === 'object') { Core.Agent.TicketZoom.IframeAutoHeight($('#Iframe$QData{"ArticleID"}')); } }, 500);" src="$Env{"Baselink"}Action=AgentTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"}"></iframe>
++# Use the HTML5 sandbox attribute to prevent plugins and scripts from being executed in the browser.
++# Use IE's (non-standard) security attribute to achieve something similar in older IE browsers. Append session info to URL because IE will not send cookies.
++ <iframe sandbox="allow-same-origin" security="restricted" width="100%" frameborder="0" id="Iframe$QData{"ArticleID"}" onload="window.setTimeout( function (){ if (typeof Core === 'object' && typeof Core.Agent === 'object' && typeof Core.Agent.TicketZoom === 'object') { Core.Agent.TicketZoom.IframeAutoHeight($('#Iframe$QData{"ArticleID"}')); } }, 500);" src="$Env{"Baselink"}Action=AgentTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe>
+ </div>
+ <!-- dtl:block:BodyHTML -->
+ </div>
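Review bot: appending `$QEnv{"SessionName"}=$QEnv{"SessionID"}` to the iframe src puts the session ID into the URL of the framed article. That framed document is untrusted HTML from the e-mail, so any remote resource it loads will receive that URL as the Referer unless the HTMLView action strips remote content; please confirm that it does, or limit the session-in-URL fallback to the browsers that actually need it (the IE `security="restricted"` case the comment describes). On the sandbox value: `allow-same-origin` without `allow-scripts` is the right combination here, since the parent needs same-origin access for IframeAutoHeight while no script runs inside the frame; keep in mind that adding `allow-scripts` later would let the framed document remove its own sandbox attribute, so those two tokens must never be combined on this frame.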
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl
+--- otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 2012-05-31 11:17:27.000000000 +0200
++++ otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 2012-08-22 18:38:30.552816289 +0200
+@@ -2,7 +2,7 @@
+ # CustomerTicketZoom.dtl - provides HTML TicketZoom for CustomerTicketZoom.pm
+ # Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
+ # --
+-# $Id: CustomerTicketZoom.dtl,v 1.116.2.1 2012/05/30 16:20:22 mg Exp $
++# $Id: CustomerTicketZoom.dtl,v 1.116.2.2 2012/08/17 08:52:41 mg Exp $
+ # --
+ # This software comes with ABSOLUTELY NO WARRANTY. For details, see
+ # the enclosed file COPYING for license information (AGPL). If you
+@@ -170,11 +170,13 @@
+ </div>
+ <!-- dtl:block:BodyPlain -->
+ <!-- dtl:block:BodyHTMLLoad -->
+- <iframe title="about:blank" frameborder="0" id="VisibleFrame" src="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"}"></iframe>
++# Use the HTML5 sandbox attribute to prevent plugins and scripts from being executed in the browser.
++# Use IE's (non-standard) security attribute to achieve something similar in older IE browsers. Append session info to URL because IE will not send cookies.
++ <iframe sandbox="allow-same-origin" security="restricted" title="about:blank" frameborder="0" id="VisibleFrame" src="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe>
+ <!-- dtl:block:BodyHTMLLoad -->
+ <!-- dtl:block:BodyHTMLPlaceholder -->
+ # <!-- Here we need to append the session info if cookies are disabled, because the layout object cannot automatically do that here, like in the other iframe (only for src attribute). -->
+- <iframe src="about:blank" frameborder="0" title="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QData{"SessionInformation"}"></iframe>
++ <iframe sandbox="allow-same-origin" security="restricted" src="about:blank" frameborder="0" title="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QData{"SessionInformation"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe>
+ <!-- dtl:block:BodyHTMLPlaceholder -->
+ </div>
+ </div>
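Review bot: in the placeholder iframe the title URL now carries both `$QData{"SessionInformation"}` and `$QEnv{"SessionName"}=$QEnv{"SessionID"}`. The comment above it says SessionInformation is the cookie-less session parameter the template already appends, so with cookies disabled the same session parameter ends up in the URL twice; drop one of the two (the visible frame uses the explicit SessionName=SessionID form) so both frames build the same URL. The Referer consideration applies here as well: the customer-facing article HTML is attacker-controlled, so the session ID in the framed URL is exposed to any remote resource the e-mail loads unless HTMLView strips such content.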
diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/patches/series branches/wheezy/debian/patches/series
--- tags/3.1.7+dfsg1-3/debian/patches/series 2012-07-30 10:01:45.000000000 +0200
+++ branches/wheezy/debian/patches/series 2012-08-22 18:44:25.108105907 +0200
@@ -15,3 +15,4 @@
25-use-locale-country.diff
26-font-paths.diff
27-imaptls-more-than-one-email.diff
+28-osa-2012-01-ie-xss.diff
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash