
Bug#779658: marked as done (unblock: request-tracker4/4.2.8-3)



Your message dated Tue, 03 Mar 2015 21:01:46 +0100
with message-id <54F6132A.9090000@thykier.net>
and subject line Re: Bug#779658: unblock: request-tracker4/4.2.8-3
has caused the Debian Bug report #779658,
regarding unblock: request-tracker4/4.2.8-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779658: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779658
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package request-tracker4. It fixes multiple
security issues.

unblock request-tracker4/4.2.8-3

Debdiff:
diff -Nru request-tracker4-4.2.8/debian/changelog request-tracker4-4.2.8/debian/changelog
--- request-tracker4-4.2.8/debian/changelog	2015-01-01 17:47:33.000000000 +0100
+++ request-tracker4-4.2.8/debian/changelog	2015-02-26 11:05:27.000000000 +0100
@@ -1,3 +1,11 @@
+request-tracker4 (4.2.8-3) unstable; urgency=high
+
+  * Fix remote DoS via email gateway (CVE-2014-9472)
+  * Fix information discloure revealing RSS feed URLs (CVE-2015-1165)
+  * Fix privilege escalation via RSS feed URLs (CVE-2015-1464)
+
+ -- Dominic Hargreaves <dom@earth.li>  Thu, 26 Feb 2015 10:05:25 +0000
+
 request-tracker4 (4.2.8-2) unstable; urgency=medium
 
   [ Niko Tyni ]
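Review bot: typo in the new changelog entry, `* Fix information discloure revealing RSS feed URLs (CVE-2015-1165)` should read `disclosure`; worth correcting before upload, since changelog text is what users see via apt-listchanges and the package pages. Otherwise the entry is consistent: the three CVE ids correspond one to one to the three new files added to debian/patches/series further down, and `urgency=high` is the right choice for a security-only revision.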
diff -Nru request-tracker4-4.2.8/debian/.git-dpm request-tracker4-4.2.8/debian/.git-dpm
--- request-tracker4-4.2.8/debian/.git-dpm	2015-01-01 17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/.git-dpm	2015-02-19 17:43:53.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-559785c4e88364b835823521a0e1648db985b05e
-559785c4e88364b835823521a0e1648db985b05e
+5324f915dd17ae61679a97226cd9fce35934cc7b
+5324f915dd17ae61679a97226cd9fce35934cc7b
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 request-tracker4_4.2.8.orig.tar.gz
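Review bot: consistency check passes on this hunk: the new patched-tree pointer `5324f915dd17ae61679a97226cd9fce35934cc7b` (both lines) is the commit named in the `From 5324f915...` header of sec-2015-02-05-3.diff, i.e. the last patch in the new series, and the upstream tarball lines below it are unchanged, as expected for a Debian-revision-only upload.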
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff	2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,30 @@
+From d9cbc2f4f4df2b75e4527c2fb4f19dc087a1655e Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Mon, 1 Dec 2014 16:58:43 -0500
+Subject: Hide utf8 warnings during attempted decoding
+
+EncodeFromToWithCroak is used to exploratorily attempt to decode unknown
+byte strings.  This operation, under Encode::FB_DEFAULT, may generate
+warnings -- lots of warnings.  This can lead to denial of service in
+some situations.  This vulnerability has been assigned CVE-2014-9472.
+
+Unfortunately, "no warnings 'utf8'" does not work to quiet them until
+Encode 2.64; simply skip warnings of this type in the logging handler.
+
+Patch-Name: sec-2015-02-05-1.diff
+---
+ lib/RT.pm |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/RT.pm b/lib/RT.pm
+index 803d54b..3aa7542 100644
+--- a/lib/RT.pm
++++ b/lib/RT.pm
+@@ -374,6 +374,7 @@ sub InitSignalHandlers {
+ ## mechanism (see above).
+ 
+     $SIG{__WARN__} = sub {
++        return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;
+         # use 'goto &foo' syntax to hide ANON sub from stack
+         unshift @_, $RT::Logger, qw(level warning message);
+         goto &Log::Dispatch::log;
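Review bot: the added `return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;` filter mutes this warning for the whole RT process, not only for the exploratory decoding in EncodeFromToWithCroak that the commit message describes, so any other code path that emits it is silenced as well. Since the message itself says `no warnings 'utf8'` works from Encode 2.64 onward, a short comment next to the filter (or in the patch header) recording that it can be replaced by a lexically scoped `no warnings 'utf8'` once the package can depend on Encode >= 2.64 would help whoever maintains this later. The `$_[0] and` guard is fine (avoids a match on undef), and the anchored regex means every other warning still reaches `Log::Dispatch::log` as before.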
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff	2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,46 @@
+From af54a6d17773f5c9f8f785c8ccd9d1067679ce77 Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Fri, 30 Jan 2015 15:03:16 -0500
+Subject: Prevent text content from being interpreted as HTML by RSS clients
+
+The ->Content method is used to obtain the data to use in the RSS
+<description> tag.  However, most RSS feed readers display the contents
+of the <description> tag using a HTML rendering engine; this allows
+textual content to be mistakenly rendered as HTML.  This specifically
+includes links, which RSS readers may not hide the "Referer" header of,
+exposing the RSS feed URL and thus allowing for information disclosure.
+This vulnerability has been assigned CVE-2015-1165.
+
+Escape the textual content so that it is not interpreted as HTML by RSS
+readers.  This is suprior to requesting ->Content( Type => "text/html" )
+because it is guaranteed to not contain links, and thus not suffer from
+the above Referer disclosure.
+
+Patch-Name: sec-2015-02-05-2.diff
+---
+ share/html/Search/Elements/ResultsRSSView |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
+index 45e7369..7381ba7 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -128,10 +128,17 @@ $r->content_type('application/rss+xml; charset=utf-8');
+     while ( my $Ticket = $Tickets->Next()) {
+         my $creator_str = $Ticket->CreatorObj->Format;
+         $creator_str =~ s/[\r\n]//g;
++
++        # Get the plain-text content; it is interpreted as HTML by RSS
++        # readers, so it must be escaped (and is escaped _again_ when
++        # inserted into the XML).
++        my $content = $Ticket->Transactions->First->Content;
++        $content = $m->interp->apply_escapes( $content, 'h');
++
+         $rss->add_item(
+           title       =>  $Ticket->Subject || loc('No Subject'),
+           link        => $url . "Ticket/Display.html?id=".$Ticket->id,
+-          description => $Ticket->Transactions->First->Content,
++          description => $content,
+           dc          => { creator => $creator_str,
+                            date => $Ticket->CreatedObj->RFC2822,
+                          },
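Review bot: the fix depends on deliberate double escaping, and the new comment records it correctly: `apply_escapes( $content, 'h')` HTML-escapes the plain-text body, and the RSS builder (`$rss->add_item`) escapes it again when emitting the `<description>` element, so a reader that XML-decodes the element and then hands it to an HTML engine sees escaped text rather than live links. Two things to check while reviewing: `$Ticket->Transactions->First->Content` can be undef for a ticket without transactions, which the old code passed straight through but which now goes into `apply_escapes` (harmless, though it may log an uninitialized-value warning), and `title => $Ticket->Subject || loc('No Subject')` is left unescaped by this patch, which is as the commit message says (it changes only the description) and is fine as long as readers treat titles as text. Minor: `suprior` in the commit message should be `superior`.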
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff	2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,54 @@
+From 5324f915dd17ae61679a97226cd9fce35934cc7b Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <alexmv@bestpractical.com>
+Date: Mon, 2 Feb 2015 12:24:56 -0500
+Subject: Never place the temporary current user in the session
+
+Setting $session{'CurrentUser'} to a different user opens a window
+wherein if the request can be aborted, the client will be left with a
+session for the other user.  This allows escalation from knowing an RSS
+feed link (which is generally just information disclosure) into full
+login privileges, which may allow for arbitrary execution of code.
+
+Patch-Name: sec-2015-02-05-3.diff
+---
+ share/html/Search/Elements/ResultsRSSView |   11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
+index 7381ba7..176da8d 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -46,7 +46,7 @@
+ %#
+ %# END BPS TAGGED BLOCK }}}
+ <%INIT>
+-my $old_current_user;
++my $current_user = $session{CurrentUser};
+ 
+ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+     my $path = $m->dhandler_arg;
+@@ -76,13 +76,11 @@ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+       unless $user->ValidateAuthString( $auth,
+               $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
+ 
+-    $old_current_user = $session{'CurrentUser'};
+-    my $cu               = RT::CurrentUser->new;
+-    $cu->Load($user);
+-    $session{'CurrentUser'} = $cu;
++    $current_user = RT::CurrentUser->new;
++    $current_user->Load($user);
+ }
+ 
+-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
++my $Tickets = RT::Tickets->new($current_user);
+ $Tickets->FromSQL($ARGS{'Query'});
+ if ($OrderBy =~ /\|/) {
+     # Multiple Sorts
+@@ -147,7 +145,6 @@ $r->content_type('application/rss+xml; charset=utf-8');
+     }
+ 
+ $m->out($rss->as_string);
+-$session{'CurrentUser'} = $old_current_user if $old_current_user;
+ $m->abort();
+ </%INIT>
+ <%ARGS>
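Review bot: the approach is the right one: the NoAuth RSS path now builds `$current_user` as a local variable (`$current_user = RT::CurrentUser->new; $current_user->Load($user);`) and never assigns to `$session{'CurrentUser'}`, so there is no longer a window between the old assignment and the removed restore line (`$session{'CurrentUser'} = $old_current_user if $old_current_user;`) in which a request that dies or is aborted leaves the client's session logged in as the feed owner. Because `$current_user` is initialised from `$session{CurrentUser}`, authenticated requests that do not match `WebNoAuthRegex` behave exactly as before. The diffstat (4 insertions, 7 deletions) matches the visible hunks, but the component has unshown lines between the `@@ -76` and `@@ -147` hunks, so grep the whole ResultsRSSView file for any remaining `$session{'CurrentUser'}` use that should now read `$current_user`.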
diff -Nru request-tracker4-4.2.8/debian/patches/series request-tracker4-4.2.8/debian/patches/series
--- request-tracker4-4.2.8/debian/patches/series	2015-01-01 17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/series	2015-02-19 17:43:53.000000000 +0100
@@ -10,3 +10,6 @@
 debianize_UPGRADING-4.2.diff
 font_path.diff
 assettracker-sysgroups.diff
+sec-2015-02-05-1.diff
+sec-2015-02-05-2.diff
+sec-2015-02-05-3.diff
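Review bot: the order of the three new series entries matters and is correct: sec-2015-02-05-3.diff carries `index 7381ba7..176da8d` for ResultsRSSView, i.e. it applies on top of the `45e7369..7381ba7` result of sec-2015-02-05-2.diff, so swapping them would make the patch fail to apply. The three entries also line up with the three CVE lines in the changelog hunk.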


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
On 2015-03-03 18:16, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package request-tracker4. It fixes multiple
> security issues.
> 
> unblock request-tracker4/4.2.8-3
> 
> [...]
> 
> 

Unblocked, thanks.

~Niels

--- End Message ---
