Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package request-tracker4. It fixes multiple security issues. unblock request-tracker4/4.2.8-3 Debdiff:
diff -Nru request-tracker4-4.2.8/debian/changelog request-tracker4-4.2.8/debian/changelog
--- request-tracker4-4.2.8/debian/changelog 2015-01-01 17:47:33.000000000 +0100
+++ request-tracker4-4.2.8/debian/changelog 2015-02-26 11:05:27.000000000 +0100
@@ -1,3 +1,11 @@
+request-tracker4 (4.2.8-3) unstable; urgency=high
+
+ * Fix remote DoS via email gateway (CVE-2014-9472)
+ * Fix information discloure revealing RSS feed URLs (CVE-2015-1165)
+ * Fix privilege escalation via RSS feed URLs (CVE-2015-1464)
+
+ -- Dominic Hargreaves <[email protected]> Thu, 26 Feb 2015 10:05:25 +0000
+
 request-tracker4 (4.2.8-2) unstable; urgency=medium
 
 [ Niko Tyni ]
diff -Nru request-tracker4-4.2.8/debian/.git-dpm request-tracker4-4.2.8/debian/.git-dpm
--- request-tracker4-4.2.8/debian/.git-dpm 2015-01-01 17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/.git-dpm 2015-02-19 17:43:53.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-559785c4e88364b835823521a0e1648db985b05e
-559785c4e88364b835823521a0e1648db985b05e
+5324f915dd17ae61679a97226cd9fce35934cc7b
+5324f915dd17ae61679a97226cd9fce35934cc7b
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 request-tracker4_4.2.8.orig.tar.gz
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff 1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff 2015-02-19 17:43:53.000000000 +0100
@@ -0,0 +1,30 @@
+From d9cbc2f4f4df2b75e4527c2fb4f19dc087a1655e Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <[email protected]>
+Date: Mon, 1 Dec 2014 16:58:43 -0500
+Subject: Hide utf8 warnings during attempted decoding
+
+EncodeFromToWithCroak is used to exploratorily attempt to decode unknown
+byte strings. This operation, under Encode::FB_DEFAULT, may generate
+warnings -- lots of warnings. This can lead to denial of service in
+some situations. This vulnerability has been assigned CVE-2014-9472.
+
+Unfortunately, "no warnings 'utf8'" does not work to quiet them until
+Encode 2.64; simply skip warnings of this type in the logging handler.
+
+Patch-Name: sec-2015-02-05-1.diff
+---
+ lib/RT.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/RT.pm b/lib/RT.pm
+index 803d54b..3aa7542 100644
+--- a/lib/RT.pm
++++ b/lib/RT.pm
+@@ -374,6 +374,7 @@ sub InitSignalHandlers {
+ ## mechanism (see above).
+ 
+ $SIG{__WARN__} = sub {
++ return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;
+ # use 'goto &foo' syntax to hide ANON sub from stack
+ unshift @_, $RT::Logger, qw(level warning message);
+ goto &Log::Dispatch::log;
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff 1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff 2015-02-19 17:43:53.000000000 +0100
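Review bot: The filter added to `$SIG{__WARN__}` is process-wide, while the commit message scopes the noisy decoding to EncodeFromToWithCroak, so a genuine "Code point … is not Unicode" warning raised from any other code path is now silently dropped from the log as well. A narrower fix is to `local $SIG{__WARN__}` around the decode attempt inside EncodeFromToWithCroak (outside this hunk) and leave the global handler alone; if the global filter is kept, the trade-off deserves a comment on the new line, e.g. `# CVE-2014-9472: Encode::FB_DEFAULT emits one of these per bad code point; dropped process-wide because "no warnings 'utf8'" has no effect before Encode 2.64`. Note also that only this one message form is matched — if the same decode can emit other utf8-category warnings (surrogate or non-character forms, not visible here), those still reach the logger. The enclosing `InitSignalHandlers` sub begins before the hunk.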
@@ -0,0 +1,46 @@
+From af54a6d17773f5c9f8f785c8ccd9d1067679ce77 Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <[email protected]>
+Date: Fri, 30 Jan 2015 15:03:16 -0500
+Subject: Prevent text content from being interpreted as HTML by RSS clients
+
+The ->Content method is used to obtain the data to use in the RSS
+<description> tag. However, most RSS feed readers display the contents
+of the <description> tag using a HTML rendering engine; this allows
+textual content to be mistakenly rendered as HTML. This specifically
+includes links, which RSS readers may not hide the "Referer" header of,
+exposing the RSS feed URL and thus allowing for information disclosure.
+This vulnerability has been assigned CVE-2015-1165.
+
+Escape the textual content so that it is not interpreted as HTML by RSS
+readers. This is suprior to requesting ->Content( Type => "text/html" )
+because it is guaranteed to not contain links, and thus not suffer from
+the above Referer disclosure.
+
+Patch-Name: sec-2015-02-05-2.diff
+---
+ share/html/Search/Elements/ResultsRSSView | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
+index 45e7369..7381ba7 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -128,10 +128,17 @@ $r->content_type('application/rss+xml; charset=utf-8');
+ while ( my $Ticket = $Tickets->Next()) {
+ my $creator_str = $Ticket->CreatorObj->Format;
+ $creator_str =~ s/[\r\n]//g;
++
++ # Get the plain-text content; it is interpreted as HTML by RSS
++ # readers, so it must be escaped (and is escaped _again_ when
++ # inserted into the XML).
++ my $content = $Ticket->Transactions->First->Content;
++ $content = $m->interp->apply_escapes( $content, 'h');
++
+ $rss->add_item(
+ title => $Ticket->Subject || loc('No Subject'),
+ link => $url . "Ticket/Display.html?id=".$Ticket->id,
+- description => $Ticket->Transactions->First->Content,
++ description => $content,
+ dc => { creator => $creator_str,
+ date => $Ticket->CreatedObj->RFC2822,
+ },
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff 1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff 2015-02-19 17:43:53.000000000 +0100
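Review bot: `my $content = $Ticket->Transactions->First->Content;` followed by `apply_escapes( $content, 'h')` has no guard for an undefined value (whether `Content` can return undef for an empty or attachment-only first transaction is not visible here); if it can, each such ticket in the feed now produces an uninitialized-value warning from the escaper instead of the silent empty `<description>` the removed line gave. `my $content = $Ticket->Transactions->First->Content // '';` keeps the escape call total, provided RT's minimum perl already permits `//` — confirm. The commit's own argument — readers render feed text with an HTML engine — applies equally to `title => $Ticket->Subject || loc('No Subject')` on the context line below, which is still passed unescaped; whether readers treat `<title>` the same way is reader-dependent, so a one-line comment recording the decision either way, e.g. `# Subject is deliberately not HTML-escaped: readers render <title> as text`, would stop the next reader re-raising it. The `<%INIT>` block enclosing this `while` loop starts outside the hunk.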
@@ -0,0 +1,54 @@
+From 5324f915dd17ae61679a97226cd9fce35934cc7b Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <[email protected]>
+Date: Mon, 2 Feb 2015 12:24:56 -0500
+Subject: Never place the temporary current user in the session
+
+Setting $session{'CurrentUser'} to a different user opens a window
+wherein if the request can be aborted, the client will be left with a
+session for the other user. This allows escalation from knowing an RSS
+feed link (which is generally just information disclosure) into full
+login privileges, which may allow for arbitrary execution of code.
+
+Patch-Name: sec-2015-02-05-3.diff
+---
+ share/html/Search/Elements/ResultsRSSView | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView b/share/html/Search/Elements/ResultsRSSView
+index 7381ba7..176da8d 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -46,7 +46,7 @@
+ %#
+ %# END BPS TAGGED BLOCK }}}
+ <%INIT>
+-my $old_current_user;
++my $current_user = $session{CurrentUser};
+ 
+ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+ my $path = $m->dhandler_arg;
+@@ -76,13 +76,11 @@ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+ unless $user->ValidateAuthString( $auth,
+ $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
+ 
+- $old_current_user = $session{'CurrentUser'};
+- my $cu = RT::CurrentUser->new;
+- $cu->Load($user);
+- $session{'CurrentUser'} = $cu;
++ $current_user = RT::CurrentUser->new;
++ $current_user->Load($user);
+ }
+ 
+-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
++my $Tickets = RT::Tickets->new($current_user);
+ $Tickets->FromSQL($ARGS{'Query'});
+ if ($OrderBy =~ /\|/) {
+ # Multiple Sorts
+@@ -147,7 +145,6 @@ $r->content_type('application/rss+xml; charset=utf-8');
+ }
+ 
+ $m->out($rss->as_string);
+-$session{'CurrentUser'} = $old_current_user if $old_current_user;
+ $m->abort();
+ </%INIT>
+ <%ARGS>
diff -Nru request-tracker4-4.2.8/debian/patches/series request-tracker4-4.2.8/debian/patches/series
--- request-tracker4-4.2.8/debian/patches/series 2015-01-01 17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/series 2015-02-19 17:43:53.000000000 +0100
@@ -10,3 +10,6 @@
 debianize_UPGRADING-4.2.diff
 font_path.diff
 assettracker-sysgroups.diff
+sec-2015-02-05-1.diff
+sec-2015-02-05-2.diff
+sec-2015-02-05-3.diff
-- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
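Review bot: With `$session{'CurrentUser'}` no longer set to the token's user, anything later in this component that still resolves the current user through the session now runs as the browser-session user (or whatever the NoAuth request carries) instead of the feed user — the visible candidate is `loc('No Subject')` in the `add_item` call, if RT's Mason `loc` goes through `$session{CurrentUser}` (not shown here), so the rest of `ResultsRSSView` is worth a grep for `$session` before merging. The new `my $current_user = $session{CurrentUser};` also makes the NoAuth path's safety rest on the statement just before `unless $user->ValidateAuthString(...)` (outside the hunk) actually terminating the request; if that statement only logs, the feed silently falls back to the browser-session user, and a defensive `$m->abort(401) unless $current_user;` immediately before `RT::Tickets->new($current_user)` would make the requirement explicit. Minor: the new line uses the bare key `$session{CurrentUser}` while the lines it replaces used `$session{'CurrentUser'}`; pick one form. The `if` block whose tail appears in the second inner hunk begins in the first.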

