Bug#690667: unblock: otrs2/3.1.7+dfsg1-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package otrs2
This is another security update, description follows in diff:
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-5/debian/changelog 3.1.7+dfsg1-6/debian/changelog
--- 3.1.7+dfsg1-5/debian/changelog 2012-08-28 21:48:05.009944927 +0200
+++ 3.1.7+dfsg1-6/debian/changelog 2012-10-16 11:14:16.498983306 +0200
@@ -1,3 +1,11 @@
+otrs2 (3.1.7+dfsg1-6) unstable; urgency=medium
+
+ * Add upstream patch 30-osa-2012-03-js-xss to improve HTML security, where a
+ special prepared HTML e-mail could cause to execute JavaScript code within
+ your browser, as described in OSA-2012-03 and CVE-2012-4751.
+
+ -- Patrick Matthäi <pmatthaei@debian.org> Tue, 16 Oct 2012 11:10:43 +0200
+
otrs2 (3.1.7+dfsg1-5) unstable; urgency=medium
* Add upstream patch 29-security-tag-nesting to improve HTML security to
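Review bot: The new changelog entry is hard to parse at "a special prepared HTML e-mail could cause to execute JavaScript code within your browser". Suggest "a specially prepared HTML e-mail could cause JavaScript code to be executed in the browser", which also matches the wording of the advisory text quoted in the header of 30-osa-2012-03-js-xss.diff.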
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-5/debian/patches/30-osa-2012-03-js-xss.diff 3.1.7+dfsg1-6/debian/patches/30-osa-2012-03-js-xss.diff
--- 3.1.7+dfsg1-5/debian/patches/30-osa-2012-03-js-xss.diff 1970-01-01 01:00:00.000000000 +0100
+++ 3.1.7+dfsg1-6/debian/patches/30-osa-2012-03-js-xss.diff 2012-10-16 11:14:16.498983306 +0200
@@ -0,0 +1,37 @@
+# Upstream advisory 2012-03:
+# This advisory covers vulnerabilities discovered in the OTRS core system. This
+# is a variance of the XSS vulnerability, where an attacker could send a
+# specially prepared HTML email to OTRS which would cause JavaScript code to be
+# executed in your browser while displaying the email. In this case this is
+# achieved by using javascript source attributes with whitespaces.
+# This fixes CVE-2012-4751.
+
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/HTMLUtils.pm otrs2-3.1.7+dfsg1/Kernel/System/HTMLUtils.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/System/HTMLUtils.pm 2012-10-16 11:00:00.000000000 +0200
++++ otrs2-3.1.7+dfsg1/Kernel/System/HTMLUtils.pm 2012-10-16 11:03:17.189097532 +0200
+@@ -1024,10 +1024,14 @@
+
+ # remove javascript in a href links or src links
+ $Replaced += $Tag =~ s{
+- ((\s|;)(background|url|src|href)=)('|"|)(javascript.+?)('|"|)(\s|$TagEnd)
++ ((?:\s|;)(?:background|url|src|href)=)
++ ('|"|) # delimiter, can be empty
++ (?:\s*javascript.*?) # javascript, followed by anything but the delimiter
++ \2 # delimiter again
++ (\s|$TagEnd)
+ }
+ {
+- "$1\"\"$7";
++ "$1\"\"$3";
+ }sgxime;
+
+ # remove link javascript tags
+@@ -1038,7 +1042,7 @@
+
+ # remove MS CSS expressions (JavaScript embedded in CSS)
+ $Replaced += $Tag =~ s{
+- \sstyle=("|')[^\1]*?expression[(][^\1]*?\1($TagEnd|\s)
++ \sstyle=("|')[^\1]*?expression[(].*?\1($TagEnd|\s)
+ }
+ {
+ $2;
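Review bot: In the second HTMLUtils.pm hunk (MS CSS expressions) the pattern still begins with `[^\1]*?` before `expression`. Inside a character class, `\1` is not a backreference to the quote captured by `("|')` but an octal escape, so that class accepts practically any character, including the other quote and newlines. Replacing only the trailing half with `.*?\1` leaves the two halves inconsistent, and unlike the negated class it replaces, `.` only crosses newlines under /s. The modifiers of this substitution lie outside the visible context, so please confirm /s is set there and consider using `.*?` for the first half as well. In the first hunk, the comment "javascript, followed by anything but the delimiter" describes a negated class, while the code is a lazy `.*?` terminated by `\2`; the comment should say that. The patch touches only HTMLUtils.pm and adds no regression test for the whitespace case named in its header.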
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-5/debian/patches/series 3.1.7+dfsg1-6/debian/patches/series
--- 3.1.7+dfsg1-5/debian/patches/series 2012-08-28 21:48:05.009944927 +0200
+++ 3.1.7+dfsg1-6/debian/patches/series 2012-10-16 11:14:16.498983306 +0200
@@ -17,3 +17,4 @@
27-imaptls-more-than-one-email.diff
28-osa-2012-01-ie-xss.diff
29-security-tag-nesting.diff
+30-osa-2012-03-js-xss.diff
unblock otrs2/3.1.7+dfsg1-6
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash