Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #837607,
regarding jessie-pu: package elog/2.9.2+2014.05.11git44800a7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
837607: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837607
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Update closes bug https://bugs.debian.org/836505, which allowed posting an entry under an
arbitrary username because of improper authentication.

-- System Information:
Debian Release: 8.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/changelog elog-2.9.2+2014.05.11git44800a7/debian/changelog
--- elog-2.9.2+2014.05.11git44800a7/debian/changelog	2014-10-23 20:38:25.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/changelog	2016-09-12 22:22:49.000000000 +0200
@@ -1,3 +1,10 @@
+elog (2.9.2+2014.05.11git44800a7-3) jessie; urgency=medium
+
+  * Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as
+    arbitrary username (Closes: #836505, CVE-2016-6342)
+
+ -- Roger Kalt <roger.k...@gmail.com>  Mon, 12 Sep 2016 20:22:36 +0200
+
 elog (2.9.2+2014.05.11git44800a7-2) unstable; urgency=low
 
   * debian/control:
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix
--- elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix	1970-01-01 01:00:00.000000000 +0100
+++ elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix	2016-09-03 22:12:44.000000000 +0200
@@ -0,0 +1,345 @@
+backport these two upstream patches for newer release: https://bitbucket.org/ritt/elog/commits/2f6a300572bd6048351af8c45394ae62230c83d9 + https://bitbucket.org/ritt/elog/commits/9ca611aca2b1860efac15f806bf907cc2e6f870a/#Lsrc/elogd.cF26100T26104
+--- a/src/elogd.c
++++ b/src/elogd.c
+@@ -3443,7 +3443,7 @@
+             break;
+          get_user_line(lbs, login_name, NULL, NULL, email_from, NULL, NULL, NULL);
+          sprintf(email_from_name, "%s <%s>", login_name, email_from);
+-         if (is_admin_user(lbs->name, login_name) && strchr(email_from, '@'))
++         if (is_admin_user(lbs, login_name) && strchr(email_from, '@'))
+             break;
+       }
+    }
+@@ -8578,7 +8578,7 @@
+                wrong_pwd = 2;
+          } else {
+             /* administrator does not have to supply old password if changing other user's password */
+-            if (isparam("unm") && is_admin_user(lbs->name, getparam("unm"))
++            if (isparam("unm") && is_admin_user(lbs, getparam("unm"))
+                 && stricmp(getparam("unm"), user) != 0)
+                wrong_pwd = 0;
+             else {
+@@ -8652,7 +8652,7 @@
+ 
+    /* do not ask for old pwasword if admin changes other user's password */
+    if (isparam("unm")) {
+-      if (!is_admin_user(lbs->name, getparam("unm")) || stricmp(getparam("unm"), user) == 0) {
++      if (!is_admin_user(lbs, getparam("unm")) || stricmp(getparam("unm"), user) == 0) {
+          if (isparam("oldpwd") && !(wrong_pwd == 1))    // hidden password for password recovery
+             rsprintf("<input type=hidden name=oldpwd value=\"%s\"", getparam("oldpwd"));
+          else {
+@@ -8751,7 +8751,7 @@
+    int i;
+ 
+    /* check if current user is admin */
+-   if (is_admin_user(lbs->name, getparam("unm")))
++   if (is_admin_user(lbs, getparam("unm")))
+       return TRUE;
+ 
+    /* search attribute which contains short_name of author */
+@@ -12126,7 +12126,7 @@
+    rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Cancel"));
+ 
+    if (lbs->top_group[0] && (!top_group || strieq(top_group, "global"))) {
+-      if (is_admin_user("global", getparam("unm"))) {
++      if (is_admin_user(lbs, getparam("unm"))) {
+          if (lbs->top_group[0]) {
+ 
+             sprintf(str, "global %s", lbs->top_group);
+@@ -12159,7 +12159,7 @@
+    }
+ 
+    if (is_group("global") && !strieq(top_group, "global")) {
+-      if (is_admin_user("global", getparam("unm"))) {
++      if (is_admin_user(lbs, getparam("unm"))) {
+          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Delete this logbook"));
+          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Rename this logbook"));
+          rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Create new logbook"));
+@@ -13275,7 +13275,7 @@
+ 
+    /*---- if admin user, show user list ----*/
+ 
+-   if (is_admin_user(logbook, getparam("unm"))) {
++   if (is_admin_user(lbs, getparam("unm"))) {
+       rsprintf("<input type=hidden name=admin value=1>\n");
+       rsprintf("<tr><td nowrap width=\"10%%\">%s:</td>\n", loc("Select user"));
+       rsprintf("<td><select name=cfg_user onChange=\"document.form1.submit()\">\n");
+@@ -13323,7 +13323,7 @@
+    else
+       strlcpy(str, user, sizeof(str));
+ 
+-   if (is_admin_user(logbook, getparam("unm"))) {
++   if (is_admin_user(lbs, getparam("unm"))) {
+       rsprintf("<tr><td nowrap width=\"15%%\">%s:</td>\n", loc("Active"));
+       if (stricmp(user, getparam("unm")) == 0)
+          rsprintf
+@@ -13427,13 +13427,13 @@
+ 
+    rsprintf("<tr><td class=\"menuframe\"><span class=\"menu1\">\n");
+ 
+-   if (is_admin_user(logbook, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str))
++   if (is_admin_user(lbs, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str))
+        || atoi(str) == 1)
+       rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Change password"));
+ 
+    rsprintf("<input type=submit name=cmd value=\"%s\" onClick=\"return chkrem();\">\n", loc("Remove user"));
+ 
+-   if (is_admin_user(logbook, getparam("unm"))) {
++   if (is_admin_user(lbs, getparam("unm"))) {
+       rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("New user"));
+       strlcpy(str, loc("Change config file"), sizeof(str));
+       rsprintf("<input type=submit name=cmd value=\"%s\">\n", str);
+@@ -18079,6 +18079,17 @@
+ 
+ /*------------------------------------------------------------------*/
+ 
++BOOL logged_in(LOGBOOK *lbs)
++{
++   if (isparam("unm")) {
++      if (check_login_user(lbs, getparam("unm")) && check_login(lbs, getparam("sid")))
++          return TRUE;
++   }
++   return FALSE;
++}
++
++/*------------------------------------------------------------------*/
++
+ BOOL is_user_allowed(LOGBOOK * lbs, char *command)
+ {
+    char str[1000], users[2000];
+@@ -18109,7 +18120,7 @@
+    /* check admin command */
+    if (strieq(command, loc("Admin"))) {
+       if (getcfg(lbs->name, "Admin user", str, sizeof(str))) {
+-         return is_admin_user(lbs->name, getparam("unm"));
++         return is_admin_user(lbs, getparam("unm"));
+       }
+    }
+ 
+@@ -18142,7 +18153,7 @@
+       return TRUE;
+ 
+    /* check for guest access */
+-   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || isparam("unm") != 0)
++   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+       getcfg(lbs->name, "Menu commands", menu_str, sizeof(menu_str));
+ 
+    /* default menu commands */
+@@ -18151,7 +18162,7 @@
+ 
+       if (getcfg(lbs->name, "Password file", str, sizeof(str))) {
+ 
+-         if (is_admin_user(lbs->name, getparam("unm"))) {
++         if (is_admin_user(lbs, getparam("unm"))) {
+ 
+             strcat(menu_str, "Admin, ");
+             strcat(menu_str, "Change config file, ");
+@@ -18160,7 +18171,7 @@
+             strcat(menu_str, "Create new logbook, ");
+             strcat(menu_str, "GetPwdFile, ");
+ 
+-            if (is_admin_user("global", getparam("unm"))) {
++            if (is_admin_user(lbs, getparam("unm"))) {
+ 
+                if (lbs->top_group[0]) {
+                   sprintf(str, "Change [global %s]", lbs->top_group);
+@@ -18168,7 +18179,7 @@
+                   strcat(menu_str, ", ");
+                }
+ 
+-               if (!lbs->top_group[0] || (is_admin_user("global", getparam("unm")))) {
++               if (!lbs->top_group[0] || (is_admin_user(NULL, getparam("unm")))) {
+ 
+                   strcat(menu_str, "Change [global]");
+                   strcat(menu_str, ", ");
+@@ -18192,7 +18203,7 @@
+       menu_str[0] = 0;
+       for (i = 0; i < n; i++) {
+          if (strcmp(menu_item[i], "Admin") == 0) {
+-            if (!is_admin_user(lbs->name, getparam("unm")))
++            if (!is_admin_user(lbs, getparam("unm")))
+                continue;
+          }
+          strcat(menu_str, menu_item[i]);
+@@ -18201,7 +18212,7 @@
+ 
+       strcat(menu_str, "HelpELCode, Synchronize, ");
+ 
+-      if (is_admin_user(lbs->name, getparam("unm"))) {
++      if (is_admin_user(lbs, getparam("unm"))) {
+ 
+          strcat(menu_str, "Change config file, ");
+          strcat(menu_str, "Delete this logbook, ");
+@@ -18209,7 +18220,7 @@
+          strcat(menu_str, "Create new logbook, ");
+          strcat(menu_str, "GetPwdFile, ");
+ 
+-         if (is_admin_user("global", getparam("unm"))) {
++         if (is_admin_user(lbs, getparam("unm"))) {
+ 
+             if (lbs->top_group[0]) {
+                sprintf(str, "Change [global %s]", lbs->top_group);
+@@ -18217,7 +18228,7 @@
+                strcat(menu_str, ", ");
+             }
+ 
+-            if (!lbs->top_group[0] || (is_admin_user("global", getparam("unm")))) {
++            if (!lbs->top_group[0] || (is_admin_user(NULL, getparam("unm")))) {
+ 
+                strcat(menu_str, "Change [global]");
+                strcat(menu_str, ", ");
+@@ -18228,11 +18239,11 @@
+ 
+    /* check list menu commands */
+    str[0] = 0;
+-   if (!getcfg(lbs->name, "Guest List Menu commands", str, sizeof(str)) || isparam("unm") != 0)
++   if (!getcfg(lbs->name, "Guest List Menu commands", str, sizeof(str)) || logged_in(lbs))
+       getcfg(lbs->name, "list menu commands", str, sizeof(str));
+ 
+    if (!str[0]) {
+-      if (!getcfg(lbs->name, "Guest Find Menu commands", str, sizeof(str)) || isparam("unm") != 0)
++      if (!getcfg(lbs->name, "Guest Find Menu commands", str, sizeof(str)) || logged_in(lbs))
+          getcfg(lbs->name, "Find Menu commands", str, sizeof(str));
+    }
+ 
+@@ -18259,7 +18270,7 @@
+       strlcat(other_str, "Save, ", sizeof(other_str));
+ 
+    /* admin commands */
+-   if (is_admin_user(lbs->name, getparam("unm"))) {
++   if (is_admin_user(lbs, getparam("unm"))) {
+       strcat(other_str, "Remove user, New user, Activate, ");
+    } else if (getcfg(lbs->name, "Self register", str, sizeof(str)) && atoi(str) > 0) {
+       strcat(other_str, "Remove user, New user, ");
+@@ -18298,6 +18309,10 @@
+       }
+    }
+ 
++   /* make sure user is logged in */
++   if (!logged_in(lbs))
++      return FALSE;
++
+    return TRUE;
+ }
+ 
+@@ -20382,13 +20397,11 @@
+             rsprintf("\">\n", str);
+          }
+ 
+-         if (!getcfg(lbs->name, "Guest Find menu commands", menu_str, sizeof(menu_str)) || isparam("unm")
+-             != 0)
++         if (!getcfg(lbs->name, "Guest Find menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+             getcfg(lbs->name, "Find menu commands", menu_str, sizeof(menu_str));
+ 
+          if (!menu_str[0]) {
+-            if (!getcfg(lbs->name, "Guest list menu commands", menu_str, sizeof(menu_str)) || isparam("unm")
+-                != 0)
++            if (!getcfg(lbs->name, "Guest list menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+                getcfg(lbs->name, "list menu commands", menu_str, sizeof(menu_str));
+          }
+ 
+@@ -23703,7 +23716,7 @@
+    }
+ 
+    /* check for guest access */
+-   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || isparam("unm") != 0)
++   if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+       getcfg(lbs->name, "Menu commands", menu_str, sizeof(menu_str));
+ 
+    /* default menu commands */
+@@ -23723,7 +23736,7 @@
+       menu_str[0] = 0;
+       for (i = 0; i < n; i++) {
+          if (strcmp(menu_item[i], "Admin") == 0) {
+-            if (!is_admin_user(lbs->name, getparam("unm")))
++            if (!is_admin_user(lbs, getparam("unm")))
+                continue;
+          }
+          strcat(menu_str, menu_item[i]);
+@@ -25026,7 +25039,9 @@
+    char str[256], global[256], orig_topgroup[256];
+    
+    orig_topgroup[0] = 0;
+-   getcfg("global", "Password file", global, sizeof(global));
++   if (!getcfg("global", "Password file", global, sizeof(global)))
++       return NULL;
++
+    if (getcfg_topgroup() && *getcfg_topgroup())
+       strcpy(orig_topgroup, getcfg_topgroup());
+    
+@@ -25076,6 +25091,8 @@
+       logbook with same password file than global section */
+    if (lbs == NULL)
+       lbs = get_first_lbs_with_global_passwd();
++   if (lbs == NULL)
++      return 0;
+    
+    getcfg(lbs->name, "Password file", str, sizeof(str));
+ 
+@@ -25438,16 +25455,27 @@
+       if (i == n)
+          return FALSE;
+    }
++
++   /* make sure user is logged in */
++   if (!logged_in(lbs))
++      return FALSE;
++
+    return TRUE;
+ }
+ 
+ /*------------------------------------------------------------------*/
+ 
+-BOOL is_admin_user(char *logbook, char *user)
++BOOL is_admin_user(LOGBOOK *lbs, char *user)
+ {
+    int i, n;
+    char str[1000];
+    char list[MAX_N_LIST][NAME_LENGTH];
++   char logbook[1000];
++   
++   if (lbs == NULL)
++      strlcpy(logbook, "global", sizeof(logbook));
++   else
++      strlcpy(logbook, lbs->name, sizeof(logbook));
+ 
+    /* Removed user[0] for cloning, have to check implications, same below.
+       if (getcfg(logbook, "Admin user", str, sizeof(str)) && user[0]) { */
+@@ -25464,6 +25492,10 @@
+       if (i == n)
+          return FALSE;
+    }
++   /* make sure user is logged in */
++   if (!logged_in(lbs))
++      return FALSE;
++   
+    return TRUE;
+ }
+ 
+@@ -25487,6 +25519,7 @@
+       if (i == n)
+          return FALSE;
+    }
++
+    return TRUE;
+ }
+ 
+--- a/src/elogd.h
++++ b/src/elogd.h
+@@ -292,7 +292,7 @@
+ BOOL check_login_user(LOGBOOK * lbs, char *user);
+ LBLIST get_logbook_hierarchy(void);
+ BOOL is_logbook_in_group(LBLIST pgrp, char *logbook);
+-BOOL is_admin_user(char *logbook, char *user);
++BOOL is_admin_user(LOGBOOK * lbs, char *user);
+ BOOL is_admin_user_global(char *user);
+ void free_logbook_hierarchy(LBLIST root);
+ void show_top_text(LOGBOOK * lbs);
+@@ -308,6 +308,7 @@
+ int parse_config_file(char *config_file);
+ PMXML_NODE load_password_file(LOGBOOK * lbs, char *error, int error_size);
+ int load_password_files();
++BOOL check_login(LOGBOOK * lbs, char *sid);
+ void compose_base_url(LOGBOOK * lbs, char *base_url, int size, BOOL email_notify);
+ void show_elog_entry(LOGBOOK * lbs, char *dec_path, char *command);
+ char *loc(char *orig);
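Review bot: The `logged_in(lbs)` check appended to `is_admin_user()` (hunk at `@@ -25464`) validates the requester's session parameters `unm`/`sid`, not the `user` argument, so the call at `@@ -3443` with `login_name` taken from the user list now also fails whenever the current request is not logged in, which is a behaviour change the patch header does not mention; worth confirming against the upstream commits that this is intended. The contract should be spelled out on the new helper, e.g. `/* TRUE only if the request carries "unm" and a "sid" accepted by check_login() for this logbook; lbs may be NULL */`. Since `is_admin_user(NULL, ...)` is now used at `@@ -18168` and `@@ -18217`, `logged_in(NULL)` forwards a NULL logbook into `check_login_user()` and `check_login()`; the `lbs == NULL` fallback added at `@@ -25076` appears to cover one of them, but both callees are outside this hunk and should be checked. Several former `is_admin_user("global", ...)` calls became `is_admin_user(lbs, ...)` (`@@ -12126`, `@@ -12159`, `@@ -18160`, `@@ -18209`) while two became `is_admin_user(NULL, ...)`, which maps back to the "global" section; the mixture changes which "Admin user" list is consulted and deserves a one-line comment at each site explaining the choice. `logged_in()` also reads `getparam("sid")` without an `isparam("sid")` guard, so the helper relies on `getparam()` tolerating an absent parameter — presumably it returns an empty string, but that is not visible here.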
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/series elog-2.9.2+2014.05.11git44800a7/debian/patches/series
--- elog-2.9.2+2014.05.11git44800a7/debian/patches/series	2014-06-25 23:21:40.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/patches/series	2016-09-03 21:35:05.000000000 +0200
@@ -2,3 +2,4 @@
 0002_html_doc.patch
 0003_elog.conf
 0004_Makefile.patch
+0005_elogd_CVE-2016-6342_fix

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
