Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package otrs2
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/changelog 3.1.7+dfsg1-8/debian/changelog
--- 3.1.7+dfsg1-7/debian/changelog 2013-02-27 10:25:48.144232210 +0100
+++ 3.1.7+dfsg1-8/debian/changelog 2013-04-02 10:48:16.815442475 +0200
@@ -1,3 +1,14 @@
+otrs2 (3.1.7+dfsg1-8) unstable; urgency=high
+
+ * Add missing post database schemas for new installations with dbconfig.
+ Without it, new installations will miss some important foreign keys and
+ later fail to update to version 3.2.x.
+ Closes: #702251
+ * Add upstream patch 31-CVE-2013-2625 to improve permission checks in
+ LinkObject. This fixes CVE-2013-2625.
+
+ -- Patrick Matthäi <pmatthaei@debian.org> Tue, 02 Apr 2013 10:39:24 +0200
+
otrs2 (3.1.7+dfsg1-7) unstable; urgency=high
* Do not call otrs.SetPermissions.pl in postinst, since it modificates a few
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff
--- 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 1970-01-01 01:00:00.000000000 +0100
+++ 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff 2013-04-02 10:48:16.819442449 +0200
@@ -0,0 +1,151 @@
+# Upstream patch from:
+# https://github.com/OTRS/otrs/commit/d90b8715dc348d57ffc415aeb1f57c31fa90c509
+# Improved permission checks in LinkObject.
+# This fixes CVE-2013-2625.
+
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm 2012-01-06 14:00:04.000000000 +0100
++++ otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm 2013-03-28 09:46:00.652927141 +0100
+@@ -63,6 +63,20 @@
+ );
+ }
+
++ # permission check
++ my $Permission = $Self->{LinkObject}->ObjectPermission(
++ Object => $Form{SourceObject},
++ Key => $Form{SourceKey},
++ UserID => $Self->{UserID},
++ );
++
++ if ( !$Permission ) {
++ return $Self->{LayoutObject}->NoPermission(
++ WithHeaderMessage => 'You need ro permission!',
++ WithHeader => 'yes',
++ );
++ }
++
+ # get form params
+ $Form{TargetIdentifier} = $Self->{ParamObject}->GetParam( Param => 'TargetIdentifier' )
+ || $Form{SourceObject};
+@@ -140,6 +154,14 @@
+ next IDENTIFIER if !$Target[1]; # TargetKey
+ next IDENTIFIER if !$Target[2]; # LinkType
+
++ my $DeletePermission = $Self->{LinkObject}->ObjectPermission(
++ Object => $Target[0],
++ Key => $Target[1],
++ UserID => $Self->{UserID},
++ );
++
++ next IDENTIFIER if !$DeletePermission;
++
+ # delete link from database
+ my $Success = $Self->{LinkObject}->LinkDelete(
+ Object1 => $Form{SourceObject},
+@@ -336,6 +358,14 @@
+ $TargetKey = $TargetKeyOrg;
+ }
+
++ my $AddPermission = $Self->{LinkObject}->ObjectPermission(
++ Object => $TargetObject,
++ Key => $TargetKey,
++ UserID => $Self->{UserID},
++ );
++
++ next TARGETKEYORG if !$AddPermission;
++
+ # add links to database
+ my $Success = $Self->{LinkObject}->LinkAdd(
+ SourceObject => $SourceObject,
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm 2012-01-10 15:44:27.000000000 +0100
++++ otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm 2013-03-28 09:46:00.656927287 +0100
+@@ -161,6 +161,39 @@
+ return 1;
+ }
+
++=item ObjectPermission()
++
++checks read permission for a given object and UserID.
++
++ $Permission = $LinkObject->ObjectPermission(
++ Object => 'Ticket',
++ Key => 123,
++ UserID => 1,
++ );
++
++=cut
++
++sub ObjectPermission {
++ my ( $Self, %Param ) = @_;
++
++ # check needed stuff
++ for my $Argument (qw(Object Key UserID)) {
++ if ( !$Param{$Argument} ) {
++ $Self->{LogObject}->Log(
++ Priority => 'error',
++ Message => "Need $Argument!",
++ );
++ return;
++ }
++ }
++
++ return $Self->{TicketObject}->TicketPermission(
++ Type => 'ro',
++ TicketID => $Param{Key},
++ UserID => $Param{UserID},
++ );
++}
++
+ =item ObjectDescriptionGet()
+
+ return a hash of object descriptions
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject.pm 2010-08-27 21:07:11.000000000 +0200
++++ otrs2-3.1.7+dfsg1/Kernel/System/LinkObject.pm 2013-03-28 09:46:00.652927141 +0100
+@@ -2218,6 +2218,45 @@
+ return %StateList;
+ }
+
++=item ObjectPermission()
++
++checks read permission for a given object and UserID.
++
++ $Permission = $LinkObject->ObjectPermission(
++ Object => 'Ticket',
++ Key => 123,
++ UserID => 1,
++ );
++
++=cut
++
++sub ObjectPermission {
++ my ( $Self, %Param ) = @_;
++
++ # check needed stuff
++ for my $Argument (qw(Object Key UserID)) {
++ if ( !$Param{$Argument} ) {
++ $Self->{LogObject}->Log(
++ Priority => 'error',
++ Message => "Need $Argument!",
++ );
++ return;
++ }
++ }
++
++ my $BackendObject = $Self->_LoadBackend(
++ Object => $Param{Object},
++ UserID => $Param{UserID},
++ );
++
++ return if !$BackendObject;
++ return 1 if !$BackendObject->can('ObjectPermission');
++
++ return $BackendObject->ObjectPermission(
++ %Param,
++ );
++}
++
+ =item ObjectDescriptionGet()
+
+ return a hash of object descriptions
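Review bot: The line `return 1 if !$BackendObject->can('ObjectPermission');` in Kernel/System/LinkObject.pm makes the new check fail open: any link backend that does not implement ObjectPermission() grants access to every agent, and within this patch only Kernel/System/LinkObject/Ticket.pm gains the method, so links handled by any other backend present in the tree are not covered by the CVE-2013-2625 check. That default is not mentioned in the POD, which only says the method "checks read permission for a given object and UserID". Add a comment above that line, e.g. `# NOTE: fail-open - backends without ObjectPermission() are treated as readable by every agent`, and extend the POD to state that a backend lacking the method yields 1, so that whoever adds a backend knows it must implement the check. The Ticket backend validates but never uses `$Param{Object}`; a short comment that the key is assumed to be a TicketID would help readers. In AgentLinkObject.pm the source-object check reads `$Form{SourceObject}` and `$Form{SourceKey}`, which are assigned before the hunk begins, so their validation is not visible here.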
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/series 3.1.7+dfsg1-8/debian/patches/series
--- 3.1.7+dfsg1-7/debian/patches/series 2013-02-27 10:25:48.148232109 +0100
+++ 3.1.7+dfsg1-8/debian/patches/series 2013-04-02 10:48:16.819442449 +0200
@@ -18,3 +18,4 @@
28-osa-2012-01-ie-xss.diff
29-security-tag-nesting.diff
30-osa-2012-03-js-xss.diff
+31-CVE-2013-2625.diff
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/rules 3.1.7+dfsg1-8/debian/rules
--- 3.1.7+dfsg1-7/debian/rules 2013-02-27 10:25:48.144232210 +0100
+++ 3.1.7+dfsg1-8/debian/rules 2013-04-02 10:48:16.815442475 +0200
@@ -11,7 +11,8 @@
# setup dbconfig-common
# PostgreSQL
cat scripts/database/otrs-schema.postgresql.sql \
- scripts/database/otrs-initial_insert.postgresql.sql > \
+ scripts/database/otrs-initial_insert.postgresql.sql \
+ scripts/database/otrs-schema-post.postgresql.sql > \
$(OTRS_DST)$(DB_DIR)/install/pgsql
cp debian/schemas/DBUpdate-to-3.0.postgresql.sql \
$(OTRS_DST)$(DB_DIR)/upgrade/pgsql/3.0
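Review bot: The added otrs-schema-post.postgresql.sql is only concatenated into the dbconfig install path ($(OTRS_DST)$(DB_DIR)/install/pgsql); nothing in this hunk or in the parallel MySQL hunk feeds the post schema into the upgrade/ directories, so databases created by earlier revisions, which the changelog says lack these foreign keys, appear to stay unfixed unless an upgrade script is added elsewhere in the package. Whether such a script exists outside this diff cannot be seen here. If new installations only is the intent, a one-line comment above the cat would make it explicit and also record the ordering constraint, e.g. `# schema-post adds foreign keys and must follow initial_insert (new installations only)`.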
@@ -25,7 +26,8 @@
$(OTRS_DST)$(DB_DIR)/upgrade/pgsql/3.1.2+dfsg1-2.2
# MySQL
cat scripts/database/otrs-schema.mysql.sql \
- scripts/database/otrs-initial_insert.mysql.sql > \
+ scripts/database/otrs-initial_insert.mysql.sql \
+ scripts/database/otrs-schema-post.mysql.sql > \
$(OTRS_DST)$(DB_DIR)/install/mysql
cp debian/schemas/DBUpdate-to-3.0.mysql.sql \
$(OTRS_DST)$(DB_DIR)/upgrade/mysql/3.0
unblock otrs2/3.1.7+dfsg1-8
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash