Hi release team,

  I would like to request a freeze exception for the gforge package.
Version currently in lenny is 4.7~rc2-4, and 4.7~rc2-5 has been
uploaded to unstable with the following debdiff:

,----
| diff -u gforge-4.7~rc2/debian/changelog gforge-4.7~rc2/debian/changelog
| --- gforge-4.7~rc2/debian/changelog
| +++ gforge-4.7~rc2/debian/changelog
| @@ -1,3 +1,10 @@
| +gforge (4.7~rc2-5) unstable; urgency=high
| +
| +  * Fix several SQL injection vulnerabilities due to insufficient input
| +    sanitizing.
| +
| + -- Roland Mas <[EMAIL PROTECTED]>  Mon, 06 Oct 2008 16:12:50 +0200
| +
|  gforge (4.7~rc2-4) unstable; urgency=low
|  
|    * gforge-plugin-scmsvn: display SVN instructions corresponding to the
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/frs/shownotes.php
| +++ gforge-4.7~rc2/www/frs/shownotes.php
| @@ -35,7 +35,6 @@
|               
frs_release.preformatted,frs_release.name,frs_package.group_id,frs_package.is_public
|               FROM frs_release,frs_package 
|               WHERE frs_release.package_id=frs_package.package_id 
| -             $pub_sql
|               AND frs_release.release_id='$release_id'");
|  
|  if (!$result || db_numrows($result) < 1) {
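Review bot: `$release_id` is still interpolated into the quoted literal `release_id='$release_id'` on the last line of the query, and the hunk does not show where it is set. If it is not already obtained as an integer earlier in the file, `AND frs_release.release_id='".(int)$release_id."'");` would bring this query in line with the casts used elsewhere in this upload. Separately, if `$pub_sql` carried the public-only restriction, that restriction is now gone from the WHERE clause, so the `frs_package.is_public` column selected here should be checked after the fetch before the notes are shown. The query statement begins above the hunk.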
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/include/logger.php
| +++ gforge-4.7~rc2/www/include/logger.php
| @@ -13,13 +13,17 @@
|       Determine group
|  */
|  
| -if (isset($group_id) && $group_id) {
| +if (isset($group_id) && is_numeric($group_id) && $group_id) {
|       $log_group=$group_id;
| -} else if (isset($form_grp) && $form_grp) {
| +} else if (isset($form_grp) && is_numeric($form_grp) && $form_grp) {
|       $log_group=$form_grp;
|  } else if (isset($group_name) && $group_name) {
|       $group =& group_get_object_by_name($group_name);
| -     if ($group) $log_group=$group->getID();
| +     if ($group) {
| +             $log_group=$group->getID();
| +     } else {
| +             $log_group=0;
| +     }
|  } else {
|       //
|       //
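Review bot: `is_numeric()` is not an integer test: it also accepts decimals, exponent notation and leading whitespace, and the value is then stored in `$log_group` as the raw request string. Casting at the assignment, `$log_group=(int)$group_id;` and `$log_group=(int)$form_grp;`, pins the type regardless of how `$log_group` is used later, which is outside this hunk. The same applies to the `is_numeric()` checks added in www/new/index.php, www/news/index.php and common/include/database-pgsql.php. In the last of these, `$limit=(int)$limit; $offset=(int)$offset;` before the `LIMIT … OFFSET` string is built would cover every caller of the query function. The if/else chain continues past the end of the hunk.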
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/people/skills_utils.php
| +++ gforge-4.7~rc2/www/people/skills_utils.php
| @@ -101,9 +101,9 @@
|  function handle_multi_edit($skill_ids) {
|       global $HTML;
|       $numSkills = count($skill_ids);
| -     $SQL = "select * from skills_data where skills_data_id 
in(".$skill_ids[0];
| +     $SQL = "select * from skills_data where skills_data_id 
in(".(int)$skill_ids[0];
|       for($i = 1; $i < $numSkills; $i++) {
| -             $SQL .= ", ".$skill_ids[$i];
| +             $SQL .= ", ".(int)$skill_ids[$i];
|       }
|       $SQL .= ")";
|       
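Review bot: An empty `$skill_ids` still reads `$skill_ids[0]`, which after the new cast yields `in(0)` along with an undefined-offset notice rather than an explicit "nothing selected" path. Building the list in one step, `$SQL = "select * from skills_data where skills_data_id in(".implode(", ", array_map('intval', $skill_ids)).")";`, placed after an explicit guard for the empty array, would keep the integer cast in one place and remove the manual loop. The rest of handle_multi_edit is outside the hunk, so how the empty case should be reported to the user cannot be judged from here.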
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/new/index.php
| +++ gforge-4.7~rc2/www/new/index.php
| @@ -19,7 +19,7 @@
|  
|  $offset = getIntFromRequest('offset');
|  
| -if ( !$offset || $offset < 0 ) {
| +if ( !$offset || $offset < 0 || !is_numeric($offset) ) {
|       $offset = 0;
|  }
|  
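Review bot: The added `!is_numeric($offset)` test looks redundant at this point, because `$offset` is assigned from `getIntFromRequest('offset')` two lines earlier, which by its name presumably already returns an integer. If that helper does not guarantee an int, fixing it there would protect every page that uses it. If it does, a short comment such as `// defence in depth: getIntFromRequest() already casts` would tell the next reader why the check is there.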
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/news/index.php
| +++ gforge-4.7~rc2/www/news/index.php
| @@ -41,13 +41,22 @@
|  /*
|       Put the result set (list of forums for this group) into a column with 
folders
|  */
| +if ( !$group_id || $group_id < 0 || !is_numeric($group_id) ) {
| +     $group_id = 0;
| +}
|  if ($group_id && ($group_id != $sys_news_group)) {
|       $sql="SELECT * FROM news_bytes WHERE group_id='$group_id' AND 
is_approved <> '4' ORDER BY post_date DESC";
|  } else {
|       $sql="SELECT * FROM news_bytes WHERE is_approved='1' ORDER BY post_date 
DESC";
|  }
|  
| -if (!$limit || $limit>50) $limit=50;
| +if ( !$offset || $offset < 0 || !is_numeric($offset) ) {
| +     $offset = 0;
| +}
| +if ( !$limit || $limit < 0 || $limit > 50 || !is_numeric($limit) ) {
| +     $limit = 50;
| +}
| +
|  $result=db_query($sql,$limit+1,$offset);
|  $rows=db_numrows($result);
|  $more=0;
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/common/include/database-pgsql.php
| +++ gforge-4.7~rc2/common/include/database-pgsql.php
| @@ -119,8 +119,11 @@
|       global $QUERY_COUNT;
|       $QUERY_COUNT++;
|  
| +     if (!$limit || !is_numeric($limit) || $limit < 0) {
| +             $limit=0;
| +     }
|       if ($limit > 0) {
| -             if (!$offset || $offset < 0) {
| +             if (!$offset || !is_numeric($offset) || $offset < 0) {
|                       $offset=0;
|               }
|               $qstring=$qstring." LIMIT $limit OFFSET $offset";
`----

  This is a straightforward port of several fixes for SQL injection
vulnerabilities due to insufficient input sanitizing.

  Thanks,

Roland.
-- 
Roland Mas

When I eat a biscuit, it stays eaten!
  -- Arthur Dent, in So Long, and Thanks for All the Fish (Douglas Adams)

