Hi, attached is a debdiff (dropped the .bzr stuff) for an NMU. It's also archived on: http://people.debian.org/~nion/nmu-diff/roundup-1.4.4-1_1.4.4-1.1.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -Nru roundup-1.4.4/debian/changelog roundup-1.4.4/debian/changelog
--- roundup-1.4.4/debian/changelog 2008-04-05 21:08:23.000000000 +0200
+++ roundup-1.4.4/debian/changelog 2008-06-07 10:03:59.000000000 +0200
@@ -1,3 +1,12 @@
+roundup (1.4.4-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix privilege escalation leading to attackers being able to
+ edit or view restricted properties via the "list", "display"
+ and "set methods (10-CVE-2008-1475.dpatch; Closes: #484728).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sat, 07 Jun 2008 10:02:05 +0200
+
 roundup (1.4.4-1) unstable; urgency=medium
 
 * new upstream
diff -Nru roundup-1.4.4/debian/patches/00list roundup-1.4.4/debian/patches/00list
--- roundup-1.4.4/debian/patches/00list 2008-04-01 18:34:45.000000000 +0200
+++ roundup-1.4.4/debian/patches/00list 2008-06-07 10:04:14.000000000 +0200
@@ -6,3 +6,4 @@
 # 06_remove_cruft
 08_update_manpages
 09_german_translation
+10-CVE-2008-1475
diff -Nru roundup-1.4.4/debian/patches/10-CVE-2008-1475.dpatch roundup-1.4.4/debian/patches/10-CVE-2008-1475.dpatch
--- roundup-1.4.4/debian/patches/10-CVE-2008-1475.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ roundup-1.4.4/debian/patches/10-CVE-2008-1475.dpatch 2008-06-07 10:01:59.000000000 +0200
@@ -0,0 +1,210 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 10-CVE-2008-1475.dpatch by Nico Golde <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + [EMAIL PROTECTED]@ +diff -urNad roundup-1.4.4~/roundup/xmlrpc.py roundup-1.4.4/roundup/xmlrpc.py +--- roundup-1.4.4~/roundup/xmlrpc.py 2007-11-03 01:46:39.000000000 +0100 ++++ roundup-1.4.4/roundup/xmlrpc.py 2008-06-07 10:01:57.000000000 +0200 +@@ -63,13 +63,10 @@ + def close(self): + """Close the database, after committing any changes, if needed.""" + +- if getattr(self, 'db'): +- try: +- if self.db.transactions: +- self.db.commit() +- finally: +- self.db.close() +- ++ try: ++ self.db.commit() ++ finally: ++ self.db.close() + + def get_class(self, classname): + """Return the class for the given classname.""" +@@ -115,51 +112,52 @@ + + def list(self, username, password, classname, propname=None): + r = RoundupRequest(self.tracker, username, password) +- cl = r.get_class(classname) +- if not propname: +- propname = cl.labelprop() +- def has_perm(itemid): +- return True +- r.db.security.hasPermission('View', r.userid, classname, +- itemid=itemid, property=propname) +- result = [cl.get(id, propname) for id in cl.list() +- if has_perm(id)] +- r.close() ++ try: ++ cl = r.get_class(classname) ++ if not propname: ++ propname = cl.labelprop() ++ result = [ cl.get(itemid, propname) for itemid in cl.list() ++ if r.db.security.hasPermission \ ++ ('View', r.userid, classname, propname, itemid) ++ ] ++ finally: ++ r.close() + return result + + def display(self, username, password, designator, *properties): + r = RoundupRequest(self.tracker, username, password) +- classname, itemid = hyperdb.splitDesignator(designator) +- +- if not r.db.security.hasPermission('View', r.userid, classname, +- itemid=itemid): +- raise Unauthorised('Permission to view %s denied'%designator) +- +- cl = r.get_class(classname) +- props = properties and list(properties) or 
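Review bot: The rewritten close() now commits unconditionally, and every caller in this patch reaches it from a `finally:` block, so it also commits while list/display/create/set are unwinding from Unauthorised or UsageError; the old `if self.db.transactions:` guard only made this implicit, but the `getattr(self, 'db')` guard is gone as well. If cl.create or cl.set can record journal entries before raising (not visible here), those are persisted on the error path; the safer shape is to let the caller choose, e.g. `def close(self, commit=True):` and roll back instead of committing when the method failed. I am assuming the hyperdb backends expose a rollback() — confirm against the backend code, which is outside the hunk. The RoundupRequest class header and __init__ are also outside this hunk.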
cl.properties.keys() +- props.sort() +- result = [(property, cl.get(itemid, property)) for property in props] +- r.close() ++ try: ++ classname, itemid = hyperdb.splitDesignator(designator) ++ cl = r.get_class(classname) ++ props = properties and list(properties) or cl.properties.keys() ++ props.sort() ++ for p in props: ++ if not r.db.security.hasPermission \ ++ ('View', r.userid, classname, p, itemid): ++ raise Unauthorised \ ++ ('Permission to view %s of %s denied' % (p, designator)) ++ result = [(prop, cl.get(itemid, prop)) for prop in props] ++ finally: ++ r.close() + return dict(result) + + def create(self, username, password, classname, *args): + r = RoundupRequest(self.tracker, username, password) ++ try: ++ if not r.db.security.hasPermission('Create', r.userid, classname): ++ raise Unauthorised('Permission to create %s denied'%classname) + +- if not r.db.security.hasPermission('Create', r.userid, classname): +- raise Unauthorised('Permission to create %s denied'%classname) +- +- cl = r.get_class(classname) ++ cl = r.get_class(classname) + +- # convert types +- props = r.props_from_args(cl, args) ++ # convert types ++ props = r.props_from_args(cl, args) + +- # check for the key property +- key = cl.getkey() +- if key and not props.has_key(key): +- raise UsageError, 'you must provide the "%s" property.'%key ++ # check for the key property ++ key = cl.getkey() ++ if key and not props.has_key(key): ++ raise UsageError, 'you must provide the "%s" property.'%key + +- # do the actual create +- try: ++ # do the actual create + try: + result = cl.create(**props) + except (TypeError, IndexError, ValueError), message: +@@ -170,19 +168,17 @@ + + def set(self, username, password, designator, *args): + r = RoundupRequest(self.tracker, username, password) +- classname, itemid = hyperdb.splitDesignator(designator) +- +- if not r.db.security.hasPermission('Edit', r.userid, classname, +- itemid=itemid): +- raise Unauthorised('Permission to edit %s denied'%designator) +- +- 
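Review bot: create() still checks only the class-level `hasPermission('Create', r.userid, classname)`, whereas set() in this same patch gained a per-property Edit check, so a caller allowed to create items of a class can still supply any property in `args` — including ones the new per-property View/Edit checks protect elsewhere — and props_from_args() passes it straight to `cl.create(**props)`. Mirror the set() loop after the conversion: `for p in props.iterkeys():` / `if not r.db.security.hasPermission('Create', r.userid, classname, p):` / `raise Unauthorised('Permission to create %s of %s denied' % (p, classname))`. Whether hasPermission honours a property argument for Create permissions depends on roundup's security module, which is not in this hunk — confirm before relying on it. Separately, display() now fails closed on the first unreadable property even when the caller asked for none explicitly (the default is all of `cl.properties.keys()`), which is the safe choice but changes the API for ordinary users; a comment stating that this is intentional would help the next maintainer.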
cl = r.get_class(classname) +- +- # convert types +- props = r.props_from_args(cl, args) + try: ++ classname, itemid = hyperdb.splitDesignator(designator) ++ cl = r.get_class(classname) ++ props = r.props_from_args(cl, args) # convert types ++ for p in props.iterkeys (): ++ if not r.db.security.hasPermission \ ++ ('Edit', r.userid, classname, p, itemid): ++ raise Unauthorised\ ++ ('Permission to edit %s of %s denied'%(p, designator)) + try: +- cl.set(itemid, **props) ++ return cl.set(itemid, **props) + except (TypeError, IndexError, ValueError), message: + raise UsageError, message + finally: +diff -urNad roundup-1.4.4~/test/db_test_base.py roundup-1.4.4/test/db_test_base.py +--- roundup-1.4.4~/test/db_test_base.py 2008-02-07 09:20:52.000000000 +0100 ++++ roundup-1.4.4/test/db_test_base.py 2008-06-07 10:01:57.000000000 +0200 +@@ -62,6 +62,7 @@ + tracker = instance.open(dirname) + if tracker.exists(): + tracker.nuke() ++ init.write_select_db(dirname, backend) + tracker.init(password.Password('sekrit')) + return tracker + +@@ -293,7 +294,7 @@ + l = [u1,u2]; l.sort() + m = self.db.issue.get(nid, "nosy"); m.sort() + self.assertEqual(l, m) +- ++ + + # XXX one day, maybe... 
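Review bot: `init.write_select_db(dirname, backend)` is called with the new `backend` argument, but the signature of the enclosing setupTracker() starts outside the hunk, and the base TestCase in test_xmlrpc.py sets `backend = None`, so whether a `None` backend is valid here cannot be told from this hunk. Either give the parameter a default naming the backend previously used, or guard the call with `if backend: init.write_select_db(dirname, backend)`, and document the accepted values in setupTracker's docstring. The call also sits between `tracker.nuke()` and `tracker.init(...)`; that ordering looks deliberate (select the backend before init) but deserves a one-line why-comment.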
+ # def testMultilinkOrdering(self): +diff -urNad roundup-1.4.4~/test/test_xmlrpc.py roundup-1.4.4/test/test_xmlrpc.py +--- roundup-1.4.4~/test/test_xmlrpc.py 2007-11-03 01:48:01.000000000 +0100 ++++ roundup-1.4.4/test/test_xmlrpc.py 2008-06-07 10:01:57.000000000 +0200 +@@ -9,23 +9,26 @@ + from roundup.cgi.exceptions import * + from roundup import init, instance, password, hyperdb, date + from roundup.xmlrpc import RoundupServer ++from roundup.backends import list_backends + + import db_test_base + + NEEDS_INSTANCE = 1 + + class TestCase(unittest.TestCase): ++ ++ backend = None ++ + def setUp(self): + self.dirname = '_test_xmlrpc' + # set up and open a tracker +- self.instance = db_test_base.setupTracker(self.dirname) ++ self.instance = db_test_base.setupTracker(self.dirname, self.backend) + + # open the database + self.db = self.instance.open('admin') + self.joeid = 'user' + self.db.user.create(username='joe', + password=password.Password('random'), address='[EMAIL PROTECTED]', + realname='Joe Random', roles='User') +- + self.db.commit() + self.db.close() + +@@ -89,10 +92,12 @@ + + def test_suite(): + suite = unittest.TestSuite() +- suite.addTest(unittest.makeSuite(TestCase)) ++ for l in list_backends() : ++ dct = dict(backend = l) ++ subcls = type(TestCase)('TestCase_%s' % l, (TestCase,), dct) ++ suite.addTest(unittest.makeSuite(subcls)) + return suite + + if __name__ == '__main__': + runner = unittest.TextTestRunner() + unittest.main(testRunner=runner) +-
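Review bot: The per-backend subclasses are only created inside test_suite(), yet the `__main__` guard still calls `unittest.main(testRunner=runner)`, which loads tests from the module's globals — that finds the base TestCase (with `backend = None`) and none of the generated `TestCase_<backend>` classes, so running the file directly no longer exercises the backends; use `unittest.main(defaultTest='test_suite', testRunner=runner)`. Nothing visible in these hunks tests the permission checks this patch adds (the test methods between the two hunks are outside SOURCE, so one may exist there); if not, add a case that logs in as the unprivileged `joe` user created in setUp and asserts `Unauthorised` when display() or set() touches a property joe may not see or edit. The exact property names to use depend on the tracker schema, which is not in this hunk.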