
Bug#779658: unblock: request-tracker4/4.2.8-3

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package request-tracker4. It fixes multiple
security issues.

unblock request-tracker4/4.2.8-3

Debdiff:
diff -Nru request-tracker4-4.2.8/debian/changelog request-tracker4-4.2.8/debian/changelog
--- request-tracker4-4.2.8/debian/changelog	2015-01-01 17:47:33.000000000 +0100
+++ request-tracker4-4.2.8/debian/changelog	2015-02-26 11:05:27.000000000 +0100
@@ -1,3 +1,11 @@
+request-tracker4 (4.2.8-3) unstable; urgency=high
+
+  * Fix remote DoS via email gateway (CVE-2014-9472)
+  * Fix information discloure revealing RSS feed URLs (CVE-2015-1165)
+  * Fix privilege escalation via RSS feed URLs (CVE-2015-1464)
+
+ -- Dominic Hargreaves <dom@earth.li>  Thu, 26 Feb 2015 10:05:25 +0000
+
 request-tracker4 (4.2.8-2) unstable; urgency=medium
 
   [ Niko Tyni ]
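Review bot: "discloure" in the CVE-2015-1165 changelog line should read "disclosure"; the changelog text is what gets reused in the advisory and the package's changelog feeds, so fix the spelling before upload.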
diff -Nru request-tracker4-4.2.8/debian/.git-dpm request-tracker4-4.2.8/debian/.git-dpm
--- request-tracker4-4.2.8/debian/.git-dpm	2015-01-01 17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/.git-dpm	2015-02-19 17:43:53.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-559785c4e88364b835823521a0e1648db985b05e
-559785c4e88364b835823521a0e1648db985b05e
+5324f915dd17ae61679a97226cd9fce35934cc7b
+5324f915dd17ae61679a97226cd9fce35934cc7b
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 request-tracker4_4.2.8.orig.tar.gz
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff	2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,30 @@
+From d9cbc2f4f4df2b75e4527c2fb4f19dc087a1655e Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Mon, 1 Dec 2014 16:58:43 -0500
+Subject: Hide utf8 warnings during attempted decoding
+
+EncodeFromToWithCroak is used to exploratorily attempt to decode unknown
+byte strings.  This operation, under Encode::FB_DEFAULT, may generate
+warnings -- lots of warnings.  This can lead to denial of service in
+some situations.  This vulnerability has been assigned CVE-2014-9472.
+
+Unfortunately, "no warnings 'utf8'" does not work to quiet them until
+Encode 2.64; simply skip warnings of this type in the logging handler.
+
+Patch-Name: sec-2015-02-05-1.diff
+---
+ lib/RT.pm |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/RT.pm b/lib/RT.pm
+index 803d54b..3aa7542 100644
+--- a/lib/RT.pm
++++ b/lib/RT.pm
+@@ -374,6 +374,7 @@ sub InitSignalHandlers {
+ ## mechanism (see above).
+ 
+     $SIG{__WARN__} = sub {
++        return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;
+         # use 'goto &foo' syntax to hide ANON sub from stack
+         unshift @_, $RT::Logger, qw(level warning message);
+         goto &Log::Dispatch::log;
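Review bot: the new `return if` in the `$SIG{__WARN__}` handler matches on the exact wording of perl's "Code point ... is not Unicode, may not be portable" message, so it silently stops working if that text changes between Perl releases, and it applies to every warning the process emits, not only those raised during the exploratory decode in EncodeFromToWithCroak. Note also that it drops the log line rather than the warning itself, so the decode still generates the warnings; what is removed is the logging amplification. A comment beside that line citing the Encode 2.64 limitation from the description would tell the next maintainer when the filter can be replaced by a scoped `no warnings 'utf8'`.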
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff	2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,46 @@
+From af54a6d17773f5c9f8f785c8ccd9d1067679ce77 Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Fri, 30 Jan 2015 15:03:16 -0500
+Subject: Prevent text content from being interpreted as HTML by RSS clients
+
+The ->Content method is used to obtain the data to use in the RSS
+<description> tag.  However, most RSS feed readers display the contents
+of the <description> tag using a HTML rendering engine; this allows
+textual content to be mistakenly rendered as HTML.  This specifically
+includes links, which RSS readers may not hide the "Referer" header of,
+exposing the RSS feed URL and thus allowing for information disclosure.
+This vulnerability has been assigned CVE-2015-1165.
+
+Escape the textual content so that it is not interpreted as HTML by RSS
+readers.  This is suprior to requesting ->Content( Type => "text/html" )
+because it is guaranteed to not contain links, and thus not suffer from
+the above Referer disclosure.
+
+Patch-Name: sec-2015-02-05-2.diff
+---
+ share/html/Search/Elements/ResultsRSSView |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
+index 45e7369..7381ba7 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -128,10 +128,17 @@ $r->content_type('application/rss+xml; charset=utf-8');
+     while ( my $Ticket = $Tickets->Next()) {
+         my $creator_str = $Ticket->CreatorObj->Format;
+         $creator_str =~ s/[\r\n]//g;
++
++        # Get the plain-text content; it is interpreted as HTML by RSS
++        # readers, so it must be escaped (and is escaped _again_ when
++        # inserted into the XML).
++        my $content = $Ticket->Transactions->First->Content;
++        $content = $m->interp->apply_escapes( $content, 'h');
++
+         $rss->add_item(
+           title       =>  $Ticket->Subject || loc('No Subject'),
+           link        => $url . "Ticket/Display.html?id=".$Ticket->id,
+-          description => $Ticket->Transactions->First->Content,
++          description => $content,
+           dc          => { creator => $creator_str,
+                            date => $Ticket->CreatedObj->RFC2822,
+                          },
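Review bot: "suprior" in the commit description should be "superior". On the change itself, the new comment correctly states that `$content` is HTML-escaped here and escaped again when placed in the XML, which is the intended behaviour (the reader decodes the XML layer and then renders the remaining entities as literal text), but the hunk does not show what `Content` returns for a first transaction without a body; confirm it is always a defined string before it is handed to `apply_escapes`.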
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff	2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,54 @@
+From 5324f915dd17ae61679a97226cd9fce35934cc7b Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Mon, 2 Feb 2015 12:24:56 -0500
+Subject: Never place the temporary current user in the session
+
+Setting $session{'CurrentUser'} to a different user opens a window
+wherein if the request can be aborted, the client will be left with a
+session for the other user.  This allows escalation from knowing an RSS
+feed link (which is generally just information disclosure) into full
+login privileges, which may allow for arbitrary execution of code.
+
+Patch-Name: sec-2015-02-05-3.diff
+---
+ share/html/Search/Elements/ResultsRSSView |   11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
+index 7381ba7..176da8d 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -46,7 +46,7 @@
+ %#
+ %# END BPS TAGGED BLOCK }}}
+ <%INIT>
+-my $old_current_user;
++my $current_user = $session{CurrentUser};
+ 
+ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+     my $path = $m->dhandler_arg;
+@@ -76,13 +76,11 @@ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+       unless $user->ValidateAuthString( $auth,
+               $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
+ 
+-    $old_current_user = $session{'CurrentUser'};
+-    my $cu               = RT::CurrentUser->new;
+-    $cu->Load($user);
+-    $session{'CurrentUser'} = $cu;
++    $current_user = RT::CurrentUser->new;
++    $current_user->Load($user);
+ }
+ 
+-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
++my $Tickets = RT::Tickets->new($current_user);
+ $Tickets->FromSQL($ARGS{'Query'});
+ if ($OrderBy =~ /\|/) {
+     # Multiple Sorts
+@@ -147,7 +145,6 @@ $r->content_type('application/rss+xml; charset=utf-8');
+     }
+ 
+ $m->out($rss->as_string);
+-$session{'CurrentUser'} = $old_current_user if $old_current_user;
+ $m->abort();
+ </%INIT>
+ <%ARGS>
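Review bot: with the session write removed, dropping the trailing `$session{'CurrentUser'} = $old_current_user if $old_current_user;` restore is the right companion change, but these hunks only cover the references to `$session{'CurrentUser'}` visible here; check the rest of ResultsRSSView and anything it calls for remaining reads of the session user, since any left behind would run as the browser's logged-in user rather than the feed owner loaded into `$current_user`. Minor style point: the new declaration writes `$session{CurrentUser}` while the surrounding code quotes the key.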
diff -Nru request-tracker4-4.2.8/debian/patches/series request-tracker4-4.2.8/debian/patches/series
--- request-tracker4-4.2.8/debian/patches/series	2015-01-01 17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/series	2015-02-19 17:43:53.000000000 +0100
@@ -10,3 +10,6 @@
 debianize_UPGRADING-4.2.diff
 font_path.diff
 assettracker-sysgroups.diff
+sec-2015-02-05-1.diff
+sec-2015-02-05-2.diff
+sec-2015-02-05-3.diff
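Review bot: the order of the three new series entries is load-bearing: sec-2015-02-05-3.diff carries `index 7381ba7..176da8d`, and 7381ba7 is the blob produced by sec-2015-02-05-2.diff (`index 45e7369..7381ba7`), so -3 applies cleanly only after -2. A one-line note in the patch headers or the changelog that these are a cumulative upstream series would save the next person from reordering them.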


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
