On Sat, Jun 13, 2009 at 05:25:33PM +0100, Dominic Hargreaves wrote:
> On Sat, Jun 13, 2009 at 04:13:09PM +0100, Dominic Hargreaves wrote:
> > A minor security update (probably not something that would justify
> > an update on security.debian.org) has been announced for RT3.6 which
> > affects the version in lenny.
> >
> > http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000169.html
> >
> > The patch is included in that message.
> >
> > Would it be okay to upload a fixed package to stable for the upcoming
> > point release?
>
> Proposed patch (built and tested) attached.
>
> Security team CC'd in case they would prefer it to be handled as a
> security update.
And here it really is...

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
diff -u request-tracker3.6-3.6.7/debian/changelog request-tracker3.6-3.6.7/debian/changelog --- request-tracker3.6-3.6.7/debian/changelog +++ request-tracker3.6-3.6.7/debian/changelog @@ -1,3 +1,10 @@ +request-tracker3.6 (3.6.7-5+lenny1) stable; urgency=low + + * Security fix: only allow SuperUsers to edit global RT at a Glance + (Closes: #532990) + + -- Dominic Hargreaves <[email protected]> Sat, 13 Jun 2009 17:12:04 +0100 + request-tracker3.6 (3.6.7-5) unstable; urgency=high * Urgency high due to RC bug-fix diff -u request-tracker3.6-3.6.7/debian/patches/00list request-tracker3.6-3.6.7/debian/patches/00list --- request-tracker3.6-3.6.7/debian/patches/00list +++ request-tracker3.6-3.6.7/debian/patches/00list @@ -14,0 +15 @@ +70_RT-ShowConfigTab-3.6 only in patch2: unchanged: --- request-tracker3.6-3.6.7.orig/debian/patches/70_RT-ShowConfigTab-3.6.dpatch +++ request-tracker3.6-3.6.7/debian/patches/70_RT-ShowConfigTab-3.6.dpatch @@ -0,0 +1,34 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 70_RT-ShowConfigTab-3.6.patch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Security fix: only allow SuperUsers to edit global RT at a Glance + +...@dpatch@ +--- share-old/html/Admin/Global/MyRT.html ++++ share-new/html/Admin/Global/MyRT.html +@@ -83,6 +83,8 @@ + + my ($default_portlets) = $sys->Attributes->Named('HomepageSettings'); + ++my $has_right = $session{'CurrentUser'}->HasRight( Object=> $RT::System, Right => 'SuperUser'); ++ + my @panes = $m->comp( + '/Admin/Elements/ConfigureMyRT', + panes => ['body', 'summary'], +@@ -91,8 +93,13 @@ + current_portlets => $default_portlets->Content, + OnSave => sub { + my ( $conf, $pane ) = @_; +- $default_portlets->SetContent( $conf ); +- push @actions, loc( 'Global portlet [_1] saved.', $pane ); ++ if (!$has_right) { ++ push @actions, loc( 'Permission denied' ); ++ } ++ else { ++ $default_portlets->SetContent( $conf ); ++ push @actions, loc( 'Global portlet [_1] saved.', $pane ); ++ } + } + ); +
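Review bot: the `debian/changelog` hunk records the fix only as "Security fix: only allow SuperUsers to edit global RT at a Glance (Closes: #532990)"; for a stable-only upload it would help lenny users and the security team trace the change if the entry also cited the upstream announcement (http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000169.html) that the patch is taken from, since the Debian bug number alone does not identify the upstream advisory.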
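Review bot: in the `share/html/Admin/Global/MyRT.html` hunk `$has_right` is computed before the `$m->comp( '/Admin/Elements/ConfigureMyRT'` call but is only consulted inside `OnSave`, so a user without the `SuperUser` right still gets the global portlet editor rendered and only sees `loc( 'Permission denied' )` after submitting; consider short-circuiting before the component is rendered (abort the page with a permission-denied error when `!$has_right`) so the editing form is never offered to unprivileged users, and keep the save-time check as the backstop. Minor: the dpatch header names the file `70_RT-ShowConfigTab-3.6.patch` while the file added to `00list` is `70_RT-ShowConfigTab-3.6.dpatch`; worth aligning the two.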

