Bug#779658: unblock: request-tracker4/4.2.8-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package request-tracker4. It fixes multiple
security issues.
unblock request-tracker4/4.2.8-3
Debdiff:
diff -Nru request-tracker4-4.2.8/debian/changelog request-tracker4-4.2.8/debian/changelog
--- request-tracker4-4.2.8/debian/changelog 2015-01-01 17:47:33.000000000 +0100
+++ request-tracker4-4.2.8/debian/changelog 2015-02-26 11:05:27.000000000 +0100
@@ -1,3 +1,11 @@
+request-tracker4 (4.2.8-3) unstable; urgency=high
+
+ * Fix remote DoS via email gateway (CVE-2014-9472)
+ * Fix information discloure revealing RSS feed URLs (CVE-2015-1165)
+ * Fix privilege escalation via RSS feed URLs (CVE-2015-1464)
+
+ -- Dominic Hargreaves <dom@earth.li> Thu, 26 Feb 2015 10:05:25 +0000
+
request-tracker4 (4.2.8-2) unstable; urgency=medium
[ Niko Tyni ]
diff -Nru request-tracker4-4.2.8/debian/.git-dpm request-tracker4-4.2.8/debian/.git-dpm
--- request-tracker4-4.2.8/debian/.git-dpm 2015-01-01 17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/.git-dpm 2015-02-19 17:43:53.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-559785c4e88364b835823521a0e1648db985b05e
-559785c4e88364b835823521a0e1648db985b05e
+5324f915dd17ae61679a97226cd9fce35934cc7b
+5324f915dd17ae61679a97226cd9fce35934cc7b
21890d09947710ac3f48ddd306fe5b6a50f5bbe9
21890d09947710ac3f48ddd306fe5b6a50f5bbe9
request-tracker4_4.2.8.orig.tar.gz
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff 1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff 2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,30 @@
+From d9cbc2f4f4df2b75e4527c2fb4f19dc087a1655e Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Mon, 1 Dec 2014 16:58:43 -0500
+Subject: Hide utf8 warnings during attempted decoding
+
+EncodeFromToWithCroak is used to exploratorily attempt to decode unknown
+byte strings. This operation, under Encode::FB_DEFAULT, may generate
+warnings -- lots of warnings. This can lead to denial of service in
+some situations. This vulnerability has been assigned CVE-2014-9472.
+
+Unfortunately, "no warnings 'utf8'" does not work to quiet them until
+Encode 2.64; simply skip warnings of this type in the logging handler.
+
+Patch-Name: sec-2015-02-05-1.diff
+---
+ lib/RT.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/RT.pm b/lib/RT.pm
+index 803d54b..3aa7542 100644
+--- a/lib/RT.pm
++++ b/lib/RT.pm
+@@ -374,6 +374,7 @@ sub InitSignalHandlers {
+ ## mechanism (see above).
+
+ $SIG{__WARN__} = sub {
++ return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;
+ # use 'goto &foo' syntax to hide ANON sub from stack
+ unshift @_, $RT::Logger, qw(level warning message);
+ goto &Log::Dispatch::log;
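Review bot: The new first line of the `$SIG{__WARN__}` handler drops the "Code point … is not Unicode" warning for the whole process, not just around the exploratory decode in EncodeFromToWithCroak that the commit message describes, and it keys on Perl's exact warning wording, so a later rewording in perl or Encode would silently re-open the log flood. Nothing at the line records why the lexical `no warnings 'utf8'` was not used, so a maintainer cleaning up the handler has no way to know the suppression is load-bearing. A comment above the `return if` would carry that, e.g. `# Encode < 2.64 ignores "no warnings 'utf8'" around the exploratory decode in EncodeFromToWithCroak, so the flood of non-Unicode code-point warnings is dropped here instead (CVE-2014-9472); revisit once the Encode dependency allows lexical suppression.` Note that only the logging cost is removed — the warnings are presumably still generated — and that `InitSignalHandlers` begins and ends outside this hunk.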
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff 1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff 2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,46 @@
+From af54a6d17773f5c9f8f785c8ccd9d1067679ce77 Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Fri, 30 Jan 2015 15:03:16 -0500
+Subject: Prevent text content from being interpreted as HTML by RSS clients
+
+The ->Content method is used to obtain the data to use in the RSS
+<description> tag. However, most RSS feed readers display the contents
+of the <description> tag using a HTML rendering engine; this allows
+textual content to be mistakenly rendered as HTML. This specifically
+includes links, which RSS readers may not hide the "Referer" header of,
+exposing the RSS feed URL and thus allowing for information disclosure.
+This vulnerability has been assigned CVE-2015-1165.
+
+Escape the textual content so that it is not interpreted as HTML by RSS
+readers. This is suprior to requesting ->Content( Type => "text/html" )
+because it is guaranteed to not contain links, and thus not suffer from
+the above Referer disclosure.
+
+Patch-Name: sec-2015-02-05-2.diff
+---
+ share/html/Search/Elements/ResultsRSSView | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
+index 45e7369..7381ba7 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -128,10 +128,17 @@ $r->content_type('application/rss+xml; charset=utf-8');
+ while ( my $Ticket = $Tickets->Next()) {
+ my $creator_str = $Ticket->CreatorObj->Format;
+ $creator_str =~ s/[\r\n]//g;
++
++ # Get the plain-text content; it is interpreted as HTML by RSS
++ # readers, so it must be escaped (and is escaped _again_ when
++ # inserted into the XML).
++ my $content = $Ticket->Transactions->First->Content;
++ $content = $m->interp->apply_escapes( $content, 'h');
++
+ $rss->add_item(
+ title => $Ticket->Subject || loc('No Subject'),
+ link => $url . "Ticket/Display.html?id=".$Ticket->id,
+- description => $Ticket->Transactions->First->Content,
++ description => $content,
+ dc => { creator => $creator_str,
+ date => $Ticket->CreatedObj->RFC2822,
+ },
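Review bot: `$Ticket->Transactions->First->Content` may yield undef for a ticket whose first transaction has no body, in which case the added `apply_escapes( $content, 'h')` call runs on undef and emits an uninitialized-value warning where the old code handed undef straight to `add_item`; adding `$content = '' unless defined $content;` before the escape call keeps the feed output stable without changing the escaping. The comment correctly states the intent (HTML-escape once for readers, XML-escaped again by the RSS layer), but the `'h'` flag's meaning is Mason-specific, so spelling it out as `# 'h' = HTML entity escaping` would help anyone touching this later. Whether `title => $Ticket->Subject` deserves the same treatment depends on whether readers render titles through an HTML engine, which I cannot establish from here. The enclosing `while` loop continues outside this hunk.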
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff 1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff 2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,54 @@
+From 5324f915dd17ae61679a97226cd9fce35934cc7b Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Mon, 2 Feb 2015 12:24:56 -0500
+Subject: Never place the temporary current user in the session
+
+Setting $session{'CurrentUser'} to a different user opens a window
+wherein if the request can be aborted, the client will be left with a
+session for the other user. This allows escalation from knowing an RSS
+feed link (which is generally just information disclosure) into full
+login privileges, which may allow for arbitrary execution of code.
+
+Patch-Name: sec-2015-02-05-3.diff
+---
+ share/html/Search/Elements/ResultsRSSView | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
+index 7381ba7..176da8d 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -46,7 +46,7 @@
+ %#
+ %# END BPS TAGGED BLOCK }}}
+ <%INIT>
+-my $old_current_user;
++my $current_user = $session{CurrentUser};
+
+ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+ my $path = $m->dhandler_arg;
+@@ -76,13 +76,11 @@ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+ unless $user->ValidateAuthString( $auth,
+ $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
+
+- $old_current_user = $session{'CurrentUser'};
+- my $cu = RT::CurrentUser->new;
+- $cu->Load($user);
+- $session{'CurrentUser'} = $cu;
++ $current_user = RT::CurrentUser->new;
++ $current_user->Load($user);
+ }
+
+-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
++my $Tickets = RT::Tickets->new($current_user);
+ $Tickets->FromSQL($ARGS{'Query'});
+ if ($OrderBy =~ /\|/) {
+ # Multiple Sorts
+@@ -147,7 +145,6 @@ $r->content_type('application/rss+xml; charset=utf-8');
+ }
+
+ $m->out($rss->as_string);
+-$session{'CurrentUser'} = $old_current_user if $old_current_user;
+ $m->abort();
+ </%INIT>
+ <%ARGS>
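Review bot: The invariant the rewrite establishes — this component never writes to `%session`, so an aborted request can no longer leave the client holding the feed owner's identity — is not recorded in the code, and `my $current_user = $session{CurrentUser};` at the top of `<%INIT>` reads like an ordinary local that a later refactor could turn back into a session write. A comment on that line, e.g. `# Never assign to $session{CurrentUser} here: the feed's auth string authorizes this request only, and a session write could persist past an abort (CVE-2015-1464).`, would protect the fix. Separately, the return value of `$current_user->Load($user)` is not checked; if Load can fail for a `$user` that already passed `ValidateAuthString`, the ticket search would run under an unloaded CurrentUser, though how `$user` is loaded is outside this hunk. Code elsewhere in this component that implicitly consults `$session{CurrentUser}` (such as `loc()` in the item loop) now sees the browser's session user rather than the feed owner, which appears to be an accepted consequence of the fix.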
diff -Nru request-tracker4-4.2.8/debian/patches/series request-tracker4-4.2.8/debian/patches/series
--- request-tracker4-4.2.8/debian/patches/series 2015-01-01 17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/series 2015-02-19 17:43:53.000000000 +0100
@@ -10,3 +10,6 @@
debianize_UPGRADING-4.2.diff
font_path.diff
assettracker-sysgroups.diff
+sec-2015-02-05-1.diff
+sec-2015-02-05-2.diff
+sec-2015-02-05-3.diff
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)