Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

This update closes bug https://bugs.debian.org/851909, in which no user other
than the admin user was able to log in.

-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/changelog elog-2.9.2+2014.05.11git44800a7/debian/changelog
--- elog-2.9.2+2014.05.11git44800a7/debian/changelog	2016-09-17 23:32:15.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/changelog	2017-02-12 20:20:33.000000000 +0100
@@ -1,3 +1,10 @@
+elog (2.9.2+2014.05.11git44800a7-2+deb8u2) jessie; urgency=medium
+
+  * update patch 0005_elogd_CVE-2016-6342_fix to grant access
+    to logbooks also as normal login user (Closes: #851909)
+
+ -- Roger Kalt <roger.k...@gmail.com>  Thu, 19 Jan 2017 22:45:52 +0100
+
 elog (2.9.2+2014.05.11git44800a7-2+deb8u1) jessie; urgency=medium
 
   * Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix
--- elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix	2016-09-03 22:12:44.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix	2017-02-02 21:28:38.000000000 +0100
@@ -42,7 +42,7 @@
  
     if (lbs->top_group[0] && (!top_group || strieq(top_group, "global"))) {
 -      if (is_admin_user("global", getparam("unm"))) {
-+      if (is_admin_user(lbs, getparam("unm"))) {
++      if (is_admin_user(NULL, getparam("unm"))) {
           if (lbs->top_group[0]) {
  
              sprintf(str, "global %s", lbs->top_group);
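Review bot: Passing `NULL` as the first argument here leaves the admin decision resting on `getparam("unm")` alone, because the guard in the is_admin_user hunk further down becomes `if (lbs && !logged_in(lbs))` and is skipped for a NULL logbook. The same call appears in the hunks at -51, -139 and -175 and in the added hunk at 25988, which gate the delete/rename/create logbook buttons, the global config menu entries and the synchronize link. Whether the login has already been verified before these sites are reached is not visible in this patch and should be confirmed. A comment at each site such as `/* NULL lbs: is_admin_user() does not re-check login state, caller must have verified it */` would record the assumption. The enclosing functions start and end outside the hunks.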
@@ -51,7 +51,7 @@
  
     if (is_group("global") && !strieq(top_group, "global")) {
 -      if (is_admin_user("global", getparam("unm"))) {
-+      if (is_admin_user(lbs, getparam("unm"))) {
++      if (is_admin_user(NULL, getparam("unm"))) {
           rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Delete this logbook"));
           rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Rename this logbook"));
           rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Create new logbook"));
@@ -139,7 +139,7 @@
              strcat(menu_str, "GetPwdFile, ");
  
 -            if (is_admin_user("global", getparam("unm"))) {
-+            if (is_admin_user(lbs, getparam("unm"))) {
++            if (is_admin_user(NULL, getparam("unm"))) {
  
                 if (lbs->top_group[0]) {
                    sprintf(str, "Change [global %s]", lbs->top_group);
@@ -175,7 +175,7 @@
           strcat(menu_str, "GetPwdFile, ");
  
 -         if (is_admin_user("global", getparam("unm"))) {
-+         if (is_admin_user(lbs, getparam("unm"))) {
++         if (is_admin_user(NULL, getparam("unm"))) {
  
              if (lbs->top_group[0]) {
                 sprintf(str, "Change [global %s]", lbs->top_group);
@@ -276,17 +276,7 @@
     
     getcfg(lbs->name, "Password file", str, sizeof(str));
  
-@@ -25438,16 +25455,27 @@
-       if (i == n)
-          return FALSE;
-    }
-+
-+   /* make sure user is logged in */
-+   if (!logged_in(lbs))
-+      return FALSE;
-+
-    return TRUE;
- }
+@@ -25443,11 +25460,17 @@
  
  /*------------------------------------------------------------------*/
  
@@ -305,18 +295,18 @@
  
     /* Removed user[0] for cloning, have to check implications, same below.
        if (getcfg(logbook, "Admin user", str, sizeof(str)) && user[0]) { */
-@@ -25464,6 +25492,10 @@
+@@ -25464,6 +25487,10 @@
        if (i == n)
           return FALSE;
     }
 +   /* make sure user is logged in */
-+   if (!logged_in(lbs))
++   if (lbs && !logged_in(lbs))
 +      return FALSE;
 +   
     return TRUE;
  }
  
-@@ -25487,6 +25519,7 @@
+@@ -25487,6 +25514,7 @@
        if (i == n)
           return FALSE;
     }
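Review bot: The new guard `if (lbs && !logged_in(lbs))` fails open for a NULL logbook: the login check is skipped, so a user name that passes the preceding list check reaches `return TRUE` without it, and this update makes every global-admin call site pass NULL. If the session can be verified without a logbook, that check should run on the NULL path; otherwise the function comment should state that a NULL `lbs` performs no login check. The earlier hunk (-276,17) also drops the `logged_in` check that the first revision of this patch added to the preceding function, so the update narrows the CVE-2016-6342 fix, and the patch header would benefit from a sentence explaining why the remaining checks are sufficient. Only part of the function body is visible here, so other `lbs->` dereferences on the NULL path cannot be ruled out from this hunk.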
@@ -324,6 +314,15 @@
     return TRUE;
  }
  
+@@ -25988,7 +26016,7 @@
+    if (getcfg("global", "mirror server", str, sizeof(str))) {
+ 
+       /* only admin user sees synchronization link */
+-      if (is_admin_user("global", getparam("unm"))) {
++      if (is_admin_user(NULL, getparam("unm"))) {
+          rsprintf("<tr>\n");
+          rsprintf("<td colspan=13 class=\"seltitle\">\n");
+          rsprintf("<a href=\"?cmd=Synchronize\">%s</a></td>\n", loc("Synchronize all logbooks"));
 --- a/src/elogd.h
 +++ b/src/elogd.h
 @@ -292,7 +292,7 @@
