Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package otrs2
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/changelog 3.1.7+dfsg1-8/debian/changelog
--- 3.1.7+dfsg1-7/debian/changelog 2013-02-27 10:25:48.144232210 +0100
+++ 3.1.7+dfsg1-8/debian/changelog 2013-04-02 10:48:16.815442475 +0200
@@ -1,3 +1,14 @@
+otrs2 (3.1.7+dfsg1-8) unstable; urgency=high
+
+ * Add missing post database schemas for new installations with dbconfig.
+ Without it, new installations will miss some important foreign keys and
+ later fail to update to version 3.2.x.
+ Closes: #702251
+ * Add upstream patch 31-CVE-2013-2625 to improve permission checks in
+ LinkObject. This fixes CVE-2013-2625.
+
+ -- Patrick Matthäi <pmatth...@debian.org> Tue, 02 Apr 2013 10:39:24 +0200
+
 otrs2 (3.1.7+dfsg1-7) unstable; urgency=high
 
 * Do not call otrs.SetPermissions.pl in postinst, since it modificates a few
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff
--- 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 1970-01-01 01:00:00.000000000 +0100
+++ 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff 2013-04-02 10:48:16.819442449 +0200
@@ -0,0 +1,151 @@
+# Upstream patch from:
+# https://github.com/OTRS/otrs/commit/d90b8715dc348d57ffc415aeb1f57c31fa90c509
+# Improved permission checks in LinkObject.
+# This fixes CVE-2013-2625.
+
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm 2012-01-06 14:00:04.000000000 +0100
++++ otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm 2013-03-28 09:46:00.652927141 +0100
+@@ -63,6 +63,20 @@
+ );
+ }
+
++ # permission check
++ my $Permission = $Self->{LinkObject}->ObjectPermission(
++ Object => $Form{SourceObject},
++ Key => $Form{SourceKey},
++ UserID => $Self->{UserID},
++ );
++
++ if ( !$Permission ) {
++ return $Self->{LayoutObject}->NoPermission(
++ WithHeaderMessage => 'You need ro permission!',
++ WithHeader => 'yes',
++ );
++ }
++
+ # get form params
+ $Form{TargetIdentifier} = $Self->{ParamObject}->GetParam( Param => 'TargetIdentifier' )
+ || $Form{SourceObject};
+@@ -140,6 +154,14 @@
+ next IDENTIFIER if !$Target[1]; # TargetKey
+ next IDENTIFIER if !$Target[2]; # LinkType
+
++ my $DeletePermission = $Self->{LinkObject}->ObjectPermission(
++ Object => $Target[0],
++ Key => $Target[1],
++ UserID => $Self->{UserID},
++ );
++
++ next IDENTIFIER if !$DeletePermission;
++
+ # delete link from database
+ my $Success = $Self->{LinkObject}->LinkDelete(
+ Object1 => $Form{SourceObject},
+@@ -336,6 +358,14 @@
+ $TargetKey = $TargetKeyOrg;
+ }
+
++ my $AddPermission = $Self->{LinkObject}->ObjectPermission(
++ Object => $TargetObject,
++ Key => $TargetKey,
++ UserID => $Self->{UserID},
++ );
++
++ next TARGETKEYORG if !$AddPermission;
++
+ # add links to database
+ my $Success = $Self->{LinkObject}->LinkAdd(
+ SourceObject => $SourceObject,
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm 2012-01-10 15:44:27.000000000 +0100
++++ otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm 2013-03-28 09:46:00.656927287 +0100
+@@ -161,6 +161,39 @@
+ return 1;
+ }
+
++=item ObjectPermission()
++
++checks read permission for a given object and UserID.
++
++ $Permission = $LinkObject->ObjectPermission(
++ Object => 'Ticket',
++ Key => 123,
++ UserID => 1,
++ );
++
++=cut
++
++sub ObjectPermission {
++ my ( $Self, %Param ) = @_;
++
++ # check needed stuff
++ for my $Argument (qw(Object Key UserID)) {
++ if ( !$Param{$Argument} ) {
++ $Self->{LogObject}->Log(
++ Priority => 'error',
++ Message => "Need $Argument!",
++ );
++ return;
++ }
++ }
++
++ return $Self->{TicketObject}->TicketPermission(
++ Type => 'ro',
++ TicketID => $Param{Key},
++ UserID => $Param{UserID},
++ );
++}
++
+ =item ObjectDescriptionGet()
+
+ return a hash of object descriptions
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject.pm 2010-08-27 21:07:11.000000000 +0200
++++ otrs2-3.1.7+dfsg1/Kernel/System/LinkObject.pm 2013-03-28 09:46:00.652927141 +0100
+@@ -2218,6 +2218,45 @@
+ return %StateList;
+ }
+
++=item ObjectPermission()
++
++checks read permission for a given object and UserID.
++
++ $Permission = $LinkObject->ObjectPermission(
++ Object => 'Ticket',
++ Key => 123,
++ UserID => 1,
++ );
++
++=cut
++
++sub ObjectPermission {
++ my ( $Self, %Param ) = @_;
++
++ # check needed stuff
++ for my $Argument (qw(Object Key UserID)) {
++ if ( !$Param{$Argument} ) {
++ $Self->{LogObject}->Log(
++ Priority => 'error',
++ Message => "Need $Argument!",
++ );
++ return;
++ }
++ }
++
++ my $BackendObject = $Self->_LoadBackend(
++ Object => $Param{Object},
++ UserID => $Param{UserID},
++ );
++
++ return if !$BackendObject;
++ return 1 if !$BackendObject->can('ObjectPermission');
++
++ return $BackendObject->ObjectPermission(
++ %Param,
++ );
++}
++
+ =item ObjectDescriptionGet()
+
+ return a hash of object descriptions
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/series 3.1.7+dfsg1-8/debian/patches/series
--- 3.1.7+dfsg1-7/debian/patches/series 2013-02-27 10:25:48.148232109 +0100
+++ 3.1.7+dfsg1-8/debian/patches/series 2013-04-02 10:48:16.819442449 +0200
@@ -18,3 +18,4 @@
 28-osa-2012-01-ie-xss.diff
 29-security-tag-nesting.diff
 30-osa-2012-03-js-xss.diff
+31-CVE-2013-2625.diff
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/rules 3.1.7+dfsg1-8/debian/rules
--- 3.1.7+dfsg1-7/debian/rules 2013-02-27 10:25:48.144232210 +0100
+++ 3.1.7+dfsg1-8/debian/rules 2013-04-02 10:48:16.815442475 +0200
@@ -11,7 +11,8 @@
 # setup dbconfig-common
 # PostgreSQL
 cat scripts/database/otrs-schema.postgresql.sql \
- scripts/database/otrs-initial_insert.postgresql.sql > \
+ scripts/database/otrs-initial_insert.postgresql.sql \
+ scripts/database/otrs-schema-post.postgresql.sql > \
 $(OTRS_DST)$(DB_DIR)/install/pgsql
 cp debian/schemas/DBUpdate-to-3.0.postgresql.sql \
 $(OTRS_DST)$(DB_DIR)/upgrade/pgsql/3.0
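Review bot: `return 1 if !$BackendObject->can('ObjectPermission');` in the new ObjectPermission() of Kernel/System/LinkObject.pm is fail-open: a link backend that does not implement ObjectPermission() is treated as readable, so the new checks in AgentLinkObject.pm only protect object types whose backend implements it, which within this patch is Ticket.pm alone; any other backends shipped with the package presumably keep the pre-patch behaviour. Since this is an unmodified upstream patch the Debian package need not alter it, but the POD should state the default, e.g. `returns 1 when the backend for Object does not implement ObjectPermission()`, so that anyone adding a backend knows a permission method is expected. The denied branches in AgentLinkObject.pm (`next IDENTIFIER if !$DeletePermission;`, `next TARGETKEYORG if !$AddPermission;`) skip silently, so a rejected link add or delete leaves nothing in the log; a `$Self->{LogObject}->Log( Priority => 'notice', Message => ... )` before each `next` would let operators notice such attempts. The method enclosing those two loops in AgentLinkObject.pm begins and ends outside the shown hunks.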
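Review bot: The added `scripts/database/otrs-schema-post.postgresql.sql` (and its MySQL counterpart in the following hunk) only feeds `$(DB_DIR)/install/`, so it fixes fresh dbconfig installations; databases already created by an earlier package revision that omitted the post schema would, as far as this hunk shows, still lack those foreign keys and hit the same 3.2.x upgrade failure the changelog describes. If that case is not handled elsewhere, an upgrade script under `$(DB_DIR)/upgrade/pgsql/` and `upgrade/mysql/` for this revision, as the surrounding lines do for 3.0 and 3.1.2+dfsg1-2.2, would cover it. The `cat` also relies on each input file ending with a newline so that the last statement of one file and the first of the next do not run together; worth confirming for the three upstream files.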
@@ -25,7 +26,8 @@
 $(OTRS_DST)$(DB_DIR)/upgrade/pgsql/3.1.2+dfsg1-2.2
 # MySQL
 cat scripts/database/otrs-schema.mysql.sql \
- scripts/database/otrs-initial_insert.mysql.sql > \
+ scripts/database/otrs-initial_insert.mysql.sql \
+ scripts/database/otrs-schema-post.mysql.sql > \
 $(OTRS_DST)$(DB_DIR)/install/mysql
 cp debian/schemas/DBUpdate-to-3.0.mysql.sql \
 $(OTRS_DST)$(DB_DIR)/upgrade/mysql/3.0
unblock otrs2/3.1.7+dfsg1-8
-- System Information: Debian Release: 7.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org