Bug#704514: marked as done (unblock: otrs2/3.1.7+dfsg1-8)



Your message dated Tue, 02 Apr 2013 20:41:09 +0100
with message-id <1364931669.4653.5.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#704514: unblock: otrs2/3.1.7+dfsg1-8
has caused the Debian Bug report #704514,
regarding unblock: otrs2/3.1.7+dfsg1-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
704514: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704514
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package otrs2



diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/changelog 3.1.7+dfsg1-8/debian/changelog
--- 3.1.7+dfsg1-7/debian/changelog      2013-02-27 10:25:48.144232210 +0100
+++ 3.1.7+dfsg1-8/debian/changelog      2013-04-02 10:48:16.815442475 +0200
@@ -1,3 +1,14 @@
+otrs2 (3.1.7+dfsg1-8) unstable; urgency=high
+
+  * Add missing post database schemas for new installations with dbconfig.
+    Without it, new installations will miss some important foreign keys and
+    later fail to update to version 3.2.x.
+    Closes: #702251
+  * Add upstream patch 31-CVE-2013-2625 to improve permission checks in
+    LinkObject. This fixes CVE-2013-2625.
+
+ -- Patrick Matthäi <pmatthaei@debian.org>  Tue, 02 Apr 2013 10:39:24 +0200
+
 otrs2 (3.1.7+dfsg1-7) unstable; urgency=high

   * Do not call otrs.SetPermissions.pl in postinst, since it modificates a few
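Review bot: the CVE-2013-2625 entry should say that the new permission checks cover ticket link objects only; this upload adds an ObjectPermission() backend method in Kernel/System/LinkObject/Ticket.pm alone, and the generic Kernel/System/LinkObject.pm dispatcher grants access to any backend without that method, so a reader of the changelog would otherwise assume every LinkObject type is now checked.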
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff
--- 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff  1970-01-01 01:00:00.000000000 +0100
+++ 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff  2013-04-02 10:48:16.819442449 +0200
@@ -0,0 +1,151 @@
+# Upstream patch from:
+# https://github.com/OTRS/otrs/commit/d90b8715dc348d57ffc415aeb1f57c31fa90c509
+# Improved permission checks in LinkObject.
+# This fixes CVE-2013-2625.
+
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm   2012-01-06 14:00:04.000000000 +0100
++++ otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm        2013-03-28 09:46:00.652927141 +0100
+@@ -63,6 +63,20 @@
+         );
+     }
+
++    # permission check
++    my $Permission = $Self->{LinkObject}->ObjectPermission(
++        Object => $Form{SourceObject},
++        Key    => $Form{SourceKey},
++        UserID => $Self->{UserID},
++    );
++
++    if ( !$Permission ) {
++        return $Self->{LayoutObject}->NoPermission(
++            WithHeaderMessage    => 'You need ro permission!',
++            WithHeader => 'yes',
++        );
++    }
++
+     # get form params
+     $Form{TargetIdentifier} = $Self->{ParamObject}->GetParam( Param => 'TargetIdentifier' )
+         || $Form{SourceObject};
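Review bot: the source-side check is placed correctly, before any form parameters beyond SourceObject/SourceKey are read and before any link is added or deleted, but ObjectPermission() returns undef both when permission is denied and when one of its required arguments is missing, so a request with an empty SourceKey is reported to the user as "You need ro permission!" rather than as a malformed request; consider distinguishing the two cases (e.g. checking `$Form{SourceKey}` explicitly before the call) so that the NoPermission page is only shown for genuine denials.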
+@@ -140,6 +154,14 @@
+                 next IDENTIFIER if !$Target[1];    # TargetKey
+                 next IDENTIFIER if !$Target[2];    # LinkType
+
++                my $DeletePermission = $Self->{LinkObject}->ObjectPermission(
++                    Object => $Target[0],
++                    Key    => $Target[1],
++                    UserID => $Self->{UserID},
++                );
++
++                next IDENTIFIER if !$DeletePermission;
++
+                 # delete link from database
+                 my $Success = $Self->{LinkObject}->LinkDelete(
+                     Object1 => $Form{SourceObject},
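Review bot: `next IDENTIFIER if !$DeletePermission;` drops the target silently, so a user who selects several links for deletion and lacks 'ro' permission on some targets sees the others deleted with no indication that the rest were skipped; collecting the skipped targets into a notice would make the outcome visible. The check itself is right in scope: the source object was verified at the top of the method and this covers the other end of each link before LinkDelete() is called.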
+@@ -336,6 +358,14 @@
+                         $TargetKey    = $TargetKeyOrg;
+                     }
+
++                    my $AddPermission = $Self->{LinkObject}->ObjectPermission(
++                        Object => $TargetObject,
++                        Key    => $TargetKey,
++                        UserID => $Self->{UserID},
++                    );
++
++                    next TARGETKEYORG if !$AddPermission;
++
+                     # add links to database
+                     my $Success = $Self->{LinkObject}->LinkAdd(
+                         SourceObject => $SourceObject,
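Review bot: `next TARGETKEYORG if !$AddPermission;` depends on the enclosing loop carrying the label TARGETKEYORG, which is outside the hunk context; if that loop is unlabelled Perl raises "Label not found for next TARGETKEYORG" at runtime on the first denied target, so please confirm the label against the 3.1.7 source when applying the backport. As with the delete path, the denied target is skipped without feedback to the user.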
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm  2012-01-10 15:44:27.000000000 +0100
++++ otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm       2013-03-28 09:46:00.656927287 +0100
+@@ -161,6 +161,39 @@
+     return 1;
+ }
+
++=item ObjectPermission()
++
++checks read permission for a given object and UserID.
++
++    $Permission = $LinkObject->ObjectPermission(
++        Object  => 'Ticket',
++        Key     => 123,
++        UserID  => 1,
++    );
++
++=cut
++
++sub ObjectPermission {
++    my ( $Self, %Param ) = @_;
++
++    # check needed stuff
++    for my $Argument (qw(Object Key UserID)) {
++        if ( !$Param{$Argument} ) {
++            $Self->{LogObject}->Log(
++                Priority => 'error',
++                Message  => "Need $Argument!",
++            );
++            return;
++        }
++    }
++
++    return $Self->{TicketObject}->TicketPermission(
++        Type     => 'ro',
++        TicketID => $Param{Key},
++        UserID   => $Param{UserID},
++    );
++}
++
+ =item ObjectDescriptionGet()
+
+ return a hash of object descriptions
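Review bot: the backend maps ObjectPermission() to TicketPermission( Type => 'ro' ), so adding or deleting a link to a ticket is gated only on read access to that ticket; the POD ("checks read permission") states this accurately, but it is worth confirming upstream that 'ro' rather than a write-level type is the intended policy for link mutation. The argument loop `if ( !$Param{$Argument} )` treats a Key of 0 as missing, which is harmless for TicketIDs, and the undef return on missing arguments fails closed, which is the right default.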
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject.pm 2010-08-27 21:07:11.000000000 +0200
++++ otrs2-3.1.7+dfsg1/Kernel/System/LinkObject.pm      2013-03-28 09:46:00.652927141 +0100
+@@ -2218,6 +2218,45 @@
+     return %StateList;
+ }
+
++=item ObjectPermission()
++
++checks read permission for a given object and UserID.
++
++    $Permission = $LinkObject->ObjectPermission(
++        Object  => 'Ticket',
++        Key     => 123,
++        UserID  => 1,
++    );
++
++=cut
++
++sub ObjectPermission {
++    my ( $Self, %Param ) = @_;
++
++    # check needed stuff
++    for my $Argument (qw(Object Key UserID)) {
++        if ( !$Param{$Argument} ) {
++            $Self->{LogObject}->Log(
++                Priority => 'error',
++                Message  => "Need $Argument!",
++            );
++            return;
++        }
++    }
++
++    my $BackendObject = $Self->_LoadBackend(
++        Object => $Param{Object},
++        UserID => $Param{UserID},
++    );
++
++    return if !$BackendObject;
++    return 1 if !$BackendObject->can('ObjectPermission');
++
++    return $BackendObject->ObjectPermission(
++        %Param,
++    );
++}
++
+ =item ObjectDescriptionGet()
+
+ return a hash of object descriptions
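Review bot: `return 1 if !$BackendObject->can('ObjectPermission');` fails open: every backend that does not implement the method is treated as permitted, and in this upload only Kernel/System/LinkObject/Ticket.pm gains one, so links whose endpoint is any other object type are still created and deleted without a permission check. A safer default would be to deny (return 0) and log a warning naming the backend, or at minimum the POD should record that backends without ObjectPermission() are unchecked so packagers know the fix is partial. The `return if !$BackendObject;` line is fine, since a backend that cannot be loaded is denied.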
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/series 3.1.7+dfsg1-8/debian/patches/series
--- 3.1.7+dfsg1-7/debian/patches/series 2013-02-27 10:25:48.148232109 +0100
+++ 3.1.7+dfsg1-8/debian/patches/series 2013-04-02 10:48:16.819442449 +0200
@@ -18,3 +18,4 @@
 28-osa-2012-01-ie-xss.diff
 29-security-tag-nesting.diff
 30-osa-2012-03-js-xss.diff
+31-CVE-2013-2625.diff
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/rules 3.1.7+dfsg1-8/debian/rules
--- 3.1.7+dfsg1-7/debian/rules  2013-02-27 10:25:48.144232210 +0100
+++ 3.1.7+dfsg1-8/debian/rules  2013-04-02 10:48:16.815442475 +0200
@@ -11,7 +11,8 @@
        # setup dbconfig-common
        # PostgreSQL
        cat scripts/database/otrs-schema.postgresql.sql \
-           scripts/database/otrs-initial_insert.postgresql.sql > \
+           scripts/database/otrs-initial_insert.postgresql.sql \
+               scripts/database/otrs-schema-post.postgresql.sql > \
            $(OTRS_DST)$(DB_DIR)/install/pgsql
        cp  debian/schemas/DBUpdate-to-3.0.postgresql.sql \
                $(OTRS_DST)$(DB_DIR)/upgrade/pgsql/3.0
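Review bot: the concatenation order here (schema, initial insert, then otrs-schema-post) is the one the post schema needs, since the foreign keys the changelog refers to can only be added once the tables and seed rows exist. Note that only the install/pgsql target changes; the upgrade/ directories below are untouched, so installations created with -7 or earlier keep their missing keys unless handled separately, which is consistent with the changelog limiting the fix to "new installations".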
@@ -25,7 +26,8 @@
                $(OTRS_DST)$(DB_DIR)/upgrade/pgsql/3.1.2+dfsg1-2.2
        # MySQL
        cat scripts/database/otrs-schema.mysql.sql \
-           scripts/database/otrs-initial_insert.mysql.sql > \
+           scripts/database/otrs-initial_insert.mysql.sql \
+               scripts/database/otrs-schema-post.mysql.sql > \
            $(OTRS_DST)$(DB_DIR)/install/mysql
        cp  debian/schemas/DBUpdate-to-3.0.mysql.sql \
                $(OTRS_DST)$(DB_DIR)/upgrade/mysql/3.0




unblock otrs2/3.1.7+dfsg1-8

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message ---
On Tue, 2013-04-02 at 11:12 +0200, Patrick Matthäi wrote:
> +otrs2 (3.1.7+dfsg1-8) unstable; urgency=high
> +
> +  * Add missing post database schemas for new installations with dbconfig.
> +    Without it, new installations will miss some important foreign keys and
> +    later fail to update to version 3.2.x.
> +    Closes: #702251
> +  * Add upstream patch 31-CVE-2013-2625 to improve permission checks in
> +    LinkObject. This fixes CVE-2013-2625.

Unblocked.

Regards,

Adam

--- End Message ---
