
Bug#837607: jessie-pu: package elog/2.9.2+2014.05.11git44800a7-2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This update closes bug https://bugs.debian.org/836505, in which improper authentication allowed an entry to be posted under an arbitrary username.

-- System Information:
Debian Release: 8.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/changelog elog-2.9.2+2014.05.11git44800a7/debian/changelog
--- elog-2.9.2+2014.05.11git44800a7/debian/changelog	2014-10-23 20:38:25.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/changelog	2016-09-12 22:22:49.000000000 +0200
@@ -1,3 +1,10 @@
+elog (2.9.2+2014.05.11git44800a7-3) jessie; urgency=medium
+
+  * Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as
+    arbitrary username (Closes: #836505, CVE-2016-6342)
+
+ -- Roger Kalt <roger.kalt@gmail.com>  Mon, 12 Sep 2016 20:22:36 +0200
+
 elog (2.9.2+2014.05.11git44800a7-2) unstable; urgency=low
 
   * debian/control:
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix
--- elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix	1970-01-01 01:00:00.000000000 +0100
+++ elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix	2016-09-03 22:12:44.000000000 +0200
@@ -0,0 +1,345 @@
+backport these two upstream patches for newer release: https://bitbucket.org/ritt/elog/commits/2f6a300572bd6048351af8c45394ae62230c83d9 + https://bitbucket.org/ritt/elog/commits/9ca611aca2b1860efac15f806bf907cc2e6f870a/#Lsrc/elogd.cF26100T26104
+--- a/src/elogd.c
++++ b/src/elogd.c
+@@ -3443,7 +3443,7 @@
+             break;
+          get_user_line(lbs, login_name, NULL, NULL, email_from, NULL, NULL, NULL);
+          sprintf(email_from_name, "%s <%s>", login_name, email_from);
+-         if (is_admin_user(lbs->name, login_name) && strchr(email_from, '@'))
++         if (is_admin_user(lbs, login_name) && strchr(email_from, '@'))
+             break;
+       }
+    }
+@@ -8578,7 +8578,7 @@
+                wrong_pwd = 2;
+          } else {
+             /* administrator does not have to supply old password if changing other user's password */
+-            if (isparam("unm") && is_admin_user(lbs->name, getparam("unm"))
++            if (isparam("unm") && is_admin_user(lbs, getparam("unm"))
+                 && stricmp(getparam("unm"), user) != 0)
+                wrong_pwd = 0;
+             else {
+@@ -8652,7 +8652,7 @@
+ 
+    /* do not ask for old pwasword if admin changes other user's password */
+    if (isparam("unm")) {
+-      if (!is_admin_user(lbs->name, getparam("unm")) || stricmp(getparam("unm"), user) == 0) {
++      if (!is_admin_user(lbs, getparam("unm")) || stricmp(getparam("unm"), user) == 0) {
+          if (isparam("oldpwd") && !(wrong_pwd == 1))    // hidden password for password recovery
+             rsprintf("<input type=hidden name=oldpwd value=\"%s\"", getparam("oldpwd"));
+          else {
+@@ -8751,7 +8751,7 @@
+    int i;
+ 
+    /* check if current user is admin */
+-   if (is_admin_user(lbs->name, getparam("unm")))
++   if (is_admin_user(lbs, getparam("unm")))
+       return TRUE;
+ 
+    /* search attribute which contains short_name of author */
+@@ -12126,7 +12126,7 @@
+    rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Cancel"));
+ 
+    if (lbs->top_group[0] && (!top_group || strieq(top_group, "global"))) {
+-      if (is_admin_user("global", getparam("unm"))) {
++      if (is_admin_user(lbs, getparam("unm"))) {
+          if (lbs->top_group[0]) {
+ 
+             sprintf(str, "global %s", lbs->top_group);
+@@ -12159,7 +12159,7 @@
+    }
+ 
+    if (is_group("global") && !strieq(top_group, "global")) {
+-      if (is_admin_user("global", getparam("unm"))) {
++      if (is_admin_user(lbs, getparam("unm"))) {
+          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Delete this logbook"));
+          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Rename this logbook"));
+          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Create new logbook"));
+@@ -13275,7 +13275,7 @@
+ 
+    /*---- if admin user, show user list ----*/
+ 
+-   if (is_admin_user(logbook, getparam("unm"))) {
++   if (is_admin_user(lbs, getparam("unm"))) {
+       rsprintf("<input type=hidden name=admin value=1>\n");
+       rsprintf("<tr><td nowrap width=\"10%%\">%s:</td>\n", loc("Select user"));
+       rsprintf("<td><select name=cfg_user onChange=\"document.form1.submit()\">\n");
+@@ -13323,7 +13323,7 @@
+    else
+       strlcpy(str, user, sizeof(str));
+ 
+-   if (is_admin_user(logbook, getparam("unm"))) {
++   if (is_admin_user(lbs, getparam("unm"))) {
+       rsprintf("<tr><td nowrap width=\"15%%\">%s:</td>\n", loc("Active"));
+       if (stricmp(user, getparam("unm")) == 0)
+          rsprintf
+@@ -13427,13 +13427,13 @@
+ 
+    rsprintf("<tr><td class=\"menuframe\"><span class=\"menu1\">\n");
+ 
+-   if (is_admin_user(logbook, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str))
++   if (is_admin_user(lbs, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str))
+        || atoi(str) == 1)
+       rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Change password"));
+ 
+    rsprintf("<input type=submit name=cmd value=\"%s\" onClick=\"return chkrem();\">\n", loc("Remove user"));
+ 
+-   if (is_admin_user(logbook, getparam("unm"))) {
++   if (is_admin_user(lbs, getparam("unm"))) {
+       rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("New user"));
+       strlcpy(str, loc("Change config file"), sizeof(str));
+       rsprintf("<input type=submit name=cmd value=\"%s\">\n", str);
+@@ -18079,6 +18079,17 @@
+ 
+ /*------------------------------------------------------------------*/
+ 
++BOOL logged_in(LOGBOOK *lbs)
++{
++   if (isparam("unm")) {
++      if (check_login_user(lbs, getparam("unm")) && check_login(lbs, getparam("sid")))
++          return TRUE;
++   }
++   return FALSE;
++}
++
++/*------------------------------------------------------------------*/
++
+ BOOL is_user_allowed(LOGBOOK * lbs, char *command)
+ {
+    char str[1000], users[2000];
+@@ -18109,7 +18120,7 @@
+    /* check admin command */
+    if (strieq(command, loc("Admin"))) {
+       if (getcfg(lbs->name, "Admin user", str, sizeof(str))) {
+-         return is_admin_user(lbs->name, getparam("unm"));
++         return is_admin_user(lbs, getparam("unm"));
+       }
+    }
+ 
+@@ -18142,7 +18153,7 @@
+       return TRUE;
+ 
+    /* check for guest access */
+-   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || isparam("unm") != 0)
++   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+       getcfg(lbs->name, "Menu commands", menu_str, sizeof(menu_str));
+ 
+    /* default menu commands */
+@@ -18151,7 +18162,7 @@
+ 
+       if (getcfg(lbs->name, "Password file", str, sizeof(str))) {
+ 
+-         if (is_admin_user(lbs->name, getparam("unm"))) {
++         if (is_admin_user(lbs, getparam("unm"))) {
+ 
+             strcat(menu_str, "Admin, ");
+             strcat(menu_str, "Change config file, ");
+@@ -18160,7 +18171,7 @@
+             strcat(menu_str, "Create new logbook, ");
+             strcat(menu_str, "GetPwdFile, ");
+ 
+-            if (is_admin_user("global", getparam("unm"))) {
++            if (is_admin_user(lbs, getparam("unm"))) {
+ 
+                if (lbs->top_group[0]) {
+                   sprintf(str, "Change [global %s]", lbs->top_group);
+@@ -18168,7 +18179,7 @@
+                   strcat(menu_str, ", ");
+                }
+ 
+-               if (!lbs->top_group[0] || (is_admin_user("global", getparam("unm")))) {
++               if (!lbs->top_group[0] || (is_admin_user(NULL, getparam("unm")))) {
+ 
+                   strcat(menu_str, "Change [global]");
+                   strcat(menu_str, ", ");
+@@ -18192,7 +18203,7 @@
+       menu_str[0] = 0;
+       for (i = 0; i < n; i++) {
+          if (strcmp(menu_item[i], "Admin") == 0) {
+-            if (!is_admin_user(lbs->name, getparam("unm")))
++            if (!is_admin_user(lbs, getparam("unm")))
+                continue;
+          }
+          strcat(menu_str, menu_item[i]);
+@@ -18201,7 +18212,7 @@
+ 
+       strcat(menu_str, "HelpELCode, Synchronize, ");
+ 
+-      if (is_admin_user(lbs->name, getparam("unm"))) {
++      if (is_admin_user(lbs, getparam("unm"))) {
+ 
+          strcat(menu_str, "Change config file, ");
+          strcat(menu_str, "Delete this logbook, ");
+@@ -18209,7 +18220,7 @@
+          strcat(menu_str, "Create new logbook, ");
+          strcat(menu_str, "GetPwdFile, ");
+ 
+-         if (is_admin_user("global", getparam("unm"))) {
++         if (is_admin_user(lbs, getparam("unm"))) {
+ 
+             if (lbs->top_group[0]) {
+                sprintf(str, "Change [global %s]", lbs->top_group);
+@@ -18217,7 +18228,7 @@
+                strcat(menu_str, ", ");
+             }
+ 
+-            if (!lbs->top_group[0] || (is_admin_user("global", getparam("unm")))) {
++            if (!lbs->top_group[0] || (is_admin_user(NULL, getparam("unm")))) {
+ 
+                strcat(menu_str, "Change [global]");
+                strcat(menu_str, ", ");
+@@ -18228,11 +18239,11 @@
+ 
+    /* check list menu commands */
+    str[0] = 0;
+-   if (!getcfg(lbs->name, "Guest List Menu commands", str, sizeof(str)) || isparam("unm") != 0)
++   if (!getcfg(lbs->name, "Guest List Menu commands", str, sizeof(str)) || logged_in(lbs))
+       getcfg(lbs->name, "list menu commands", str, sizeof(str));
+ 
+    if (!str[0]) {
+-      if (!getcfg(lbs->name, "Guest Find Menu commands", str, sizeof(str)) || isparam("unm") != 0)
++      if (!getcfg(lbs->name, "Guest Find Menu commands", str, sizeof(str)) || logged_in(lbs))
+          getcfg(lbs->name, "Find Menu commands", str, sizeof(str));
+    }
+ 
+@@ -18259,7 +18270,7 @@
+       strlcat(other_str, "Save, ", sizeof(other_str));
+ 
+    /* admin commands */
+-   if (is_admin_user(lbs->name, getparam("unm"))) {
++   if (is_admin_user(lbs, getparam("unm"))) {
+       strcat(other_str, "Remove user, New user, Activate, ");
+    } else if (getcfg(lbs->name, "Self register", str, sizeof(str)) && atoi(str) > 0) {
+       strcat(other_str, "Remove user, New user, ");
+@@ -18298,6 +18309,10 @@
+       }
+    }
+ 
++   /* make sure user is logged in */
++   if (!logged_in(lbs))
++      return FALSE;
++
+    return TRUE;
+ }
+ 
+@@ -20382,13 +20397,11 @@
+             rsprintf("\">\n", str);
+          }
+ 
+-         if (!getcfg(lbs->name, "Guest Find menu commands", menu_str, sizeof(menu_str)) || isparam("unm")
+-             != 0)
++         if (!getcfg(lbs->name, "Guest Find menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+             getcfg(lbs->name, "Find menu commands", menu_str, sizeof(menu_str));
+ 
+          if (!menu_str[0]) {
+-            if (!getcfg(lbs->name, "Guest list menu commands", menu_str, sizeof(menu_str)) || isparam("unm")
+-                != 0)
++            if (!getcfg(lbs->name, "Guest list menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+                getcfg(lbs->name, "list menu commands", menu_str, sizeof(menu_str));
+          }
+ 
+@@ -23703,7 +23716,7 @@
+    }
+ 
+    /* check for guest access */
+-   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || isparam("unm") != 0)
++   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+       getcfg(lbs->name, "Menu commands", menu_str, sizeof(menu_str));
+ 
+    /* default menu commands */
+@@ -23723,7 +23736,7 @@
+       menu_str[0] = 0;
+       for (i = 0; i < n; i++) {
+          if (strcmp(menu_item[i], "Admin") == 0) {
+-            if (!is_admin_user(lbs->name, getparam("unm")))
++            if (!is_admin_user(lbs, getparam("unm")))
+                continue;
+          }
+          strcat(menu_str, menu_item[i]);
+@@ -25026,7 +25039,9 @@
+    char str[256], global[256], orig_topgroup[256];
+    
+    orig_topgroup[0] = 0;
+-   getcfg("global", "Password file", global, sizeof(global));
++   if (!getcfg("global", "Password file", global, sizeof(global)))
++       return NULL;
++
+    if (getcfg_topgroup() && *getcfg_topgroup())
+       strcpy(orig_topgroup, getcfg_topgroup());
+    
+@@ -25076,6 +25091,8 @@
+       logbook with same password file than global section */
+    if (lbs == NULL)
+       lbs = get_first_lbs_with_global_passwd();
++   if (lbs == NULL)
++      return 0;
+    
+    getcfg(lbs->name, "Password file", str, sizeof(str));
+ 
+@@ -25438,16 +25455,27 @@
+       if (i == n)
+          return FALSE;
+    }
++
++   /* make sure user is logged in */
++   if (!logged_in(lbs))
++      return FALSE;
++
+    return TRUE;
+ }
+ 
+ /*------------------------------------------------------------------*/
+ 
+-BOOL is_admin_user(char *logbook, char *user)
++BOOL is_admin_user(LOGBOOK *lbs, char *user)
+ {
+    int i, n;
+    char str[1000];
+    char list[MAX_N_LIST][NAME_LENGTH];
++   char logbook[1000];
++   
++   if (lbs == NULL)
++      strlcpy(logbook, "global", sizeof(logbook));
++   else
++      strlcpy(logbook, lbs->name, sizeof(logbook));
+ 
+    /* Removed user[0] for cloning, have to check implications, same below.
+       if (getcfg(logbook, "Admin user", str, sizeof(str)) && user[0]) { */
+@@ -25464,6 +25492,10 @@
+       if (i == n)
+          return FALSE;
+    }
++   /* make sure user is logged in */
++   if (!logged_in(lbs))
++      return FALSE;
++   
+    return TRUE;
+ }
+ 
+@@ -25487,6 +25519,7 @@
+       if (i == n)
+          return FALSE;
+    }
++
+    return TRUE;
+ }
+ 
+--- a/src/elogd.h
++++ b/src/elogd.h
+@@ -292,7 +292,7 @@
+ BOOL check_login_user(LOGBOOK * lbs, char *user);
+ LBLIST get_logbook_hierarchy(void);
+ BOOL is_logbook_in_group(LBLIST pgrp, char *logbook);
+-BOOL is_admin_user(char *logbook, char *user);
++BOOL is_admin_user(LOGBOOK * lbs, char *user);
+ BOOL is_admin_user_global(char *user);
+ void free_logbook_hierarchy(LBLIST root);
+ void show_top_text(LOGBOOK * lbs);
+@@ -308,6 +308,7 @@
+ int parse_config_file(char *config_file);
+ PMXML_NODE load_password_file(LOGBOOK * lbs, char *error, int error_size);
+ int load_password_files();
++BOOL check_login(LOGBOOK * lbs, char *sid);
+ void compose_base_url(LOGBOOK * lbs, char *base_url, int size, BOOL email_notify);
+ void show_elog_entry(LOGBOOK * lbs, char *dec_path, char *command);
+ char *loc(char *orig);
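Review bot: The six former `is_admin_user("global", …)` calls are not rewritten consistently: the two at the `if (!lbs->top_group[0] || …)` lines now pass `NULL`, which the new `is_admin_user` maps back to `"global"`, while the four that gate the `Change [global <top_group>]` entries (in the `@@ -12126`/`@@ -12159` hunks and the `@@ -18160`/`@@ -18209` hunks, all inside functions only partially visible here) now pass `lbs` and therefore consult the current logbook's "Admin user" list instead of the global one. The latter two sites appear to sit inside `is_user_allowed`, where `menu_str` decides whether a command is accepted at all, so a logbook admin who is not a global admin may now be granted `Change [global …]` where the old code required global admin; if the old check is meant to be preserved, those four sites should read `if (is_admin_user(NULL, getparam("unm"))) {`. Separately, `is_admin_user(NULL, …)` now ends in `logged_in(NULL)`, which calls `check_login_user(NULL, …)` and `check_login(NULL, …)`; neither is shown in this patch, so whether they tolerate a NULL logbook or dereference it should be confirmed before relying on the global-admin path. Finally, `logged_in()` passes `getparam("sid")` straight to `check_login()` without an `isparam("sid")` test, so the new login gate depends on `getparam` returning something safe for a missing session id; an explicit `if (!isparam("sid")) return FALSE;` before the `check_login` call would make that independent of `getparam`'s behaviour.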
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/series elog-2.9.2+2014.05.11git44800a7/debian/patches/series
--- elog-2.9.2+2014.05.11git44800a7/debian/patches/series	2014-06-25 23:21:40.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/patches/series	2016-09-03 21:35:05.000000000 +0200
@@ -2,3 +2,4 @@
 0002_html_doc.patch
 0003_elog.conf
 0004_Makefile.patch
+0005_elogd_CVE-2016-6342_fix
