Hi,
attached is a debdiff (dropped the .bzr stuff) for an NMU.
It's also archived on:
http://people.debian.org/~nion/nmu-diff/roundup-1.4.4-1_1.4.4-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -Nru roundup-1.4.4/debian/changelog roundup-1.4.4/debian/changelog
--- roundup-1.4.4/debian/changelog	2008-04-05 21:08:23.000000000 +0200
+++ roundup-1.4.4/debian/changelog	2008-06-07 10:03:59.000000000 +0200
@@ -1,3 +1,12 @@
+roundup (1.4.4-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix privilege escalation leading to attackers being able to
+    edit or view restricted properties via the "list", "display"
+    and "set methods (10-CVE-2008-1475.dpatch; Closes: #484728).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Sat, 07 Jun 2008 10:02:05 +0200
+
 roundup (1.4.4-1) unstable; urgency=medium
 
   * new upstream
diff -Nru roundup-1.4.4/debian/patches/00list roundup-1.4.4/debian/patches/00list
--- roundup-1.4.4/debian/patches/00list	2008-04-01 18:34:45.000000000 +0200
+++ roundup-1.4.4/debian/patches/00list	2008-06-07 10:04:14.000000000 +0200
@@ -6,3 +6,4 @@
 # 06_remove_cruft
 08_update_manpages
 09_german_translation
+10-CVE-2008-1475
diff -Nru roundup-1.4.4/debian/patches/10-CVE-2008-1475.dpatch roundup-1.4.4/debian/patches/10-CVE-2008-1475.dpatch
--- roundup-1.4.4/debian/patches/10-CVE-2008-1475.dpatch	1970-01-01 01:00:00.000000000 +0100
+++ roundup-1.4.4/debian/patches/10-CVE-2008-1475.dpatch	2008-06-07 10:01:59.000000000 +0200
@@ -0,0 +1,210 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10-CVE-2008-1475.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad roundup-1.4.4~/roundup/xmlrpc.py roundup-1.4.4/roundup/xmlrpc.py
+--- roundup-1.4.4~/roundup/xmlrpc.py	2007-11-03 01:46:39.000000000 +0100
++++ roundup-1.4.4/roundup/xmlrpc.py	2008-06-07 10:01:57.000000000 +0200
+@@ -63,13 +63,10 @@
+     def close(self):
+         """Close the database, after committing any changes, if needed."""
+ 
+-        if getattr(self, 'db'):
+-            try:
+-                if self.db.transactions:
+-                    self.db.commit()
+-            finally:
+-                self.db.close()
+-
++        try:
++            self.db.commit()
++        finally:
++            self.db.close()
+ 
+     def get_class(self, classname):
+         """Return the class for the given classname."""
+@@ -115,51 +112,52 @@
+ 
+     def list(self, username, password, classname, propname=None):
+         r = RoundupRequest(self.tracker, username, password)
+-        cl = r.get_class(classname)
+-        if not propname:
+-            propname = cl.labelprop()
+-        def has_perm(itemid):
+-            return True
+-            r.db.security.hasPermission('View', r.userid, classname,
+-                itemid=itemid, property=propname)
+-        result = [cl.get(id, propname) for id in cl.list()
+-            if has_perm(id)]
+-        r.close()
++        try:
++            cl = r.get_class(classname)
++            if not propname:
++                propname = cl.labelprop()
++            result = [  cl.get(itemid, propname) for itemid in cl.list()
++                     if r.db.security.hasPermission \
++                        ('View', r.userid, classname, propname, itemid)
++                     ]
++        finally:
++            r.close()
+         return result
+ 
+     def display(self, username, password, designator, *properties):
+         r = RoundupRequest(self.tracker, username, password)
+-        classname, itemid = hyperdb.splitDesignator(designator)
+-
+-        if not r.db.security.hasPermission('View', r.userid, classname,
+-                itemid=itemid):
+-            raise Unauthorised('Permission to view %s denied'%designator)
+-
+-        cl = r.get_class(classname)
+-        props = properties and list(properties) or cl.properties.keys()
+-        props.sort()
+-        result = [(property, cl.get(itemid, property)) for property in props]
+-        r.close()
++        try:
++            classname, itemid = hyperdb.splitDesignator(designator)
++            cl    = r.get_class(classname)
++            props = properties and list(properties) or cl.properties.keys()
++            props.sort()
++            for p in props:
++                if not r.db.security.hasPermission \
++                    ('View', r.userid, classname, p, itemid):
++                    raise Unauthorised \
++                        ('Permission to view %s of %s denied' % (p, designator))
++            result = [(prop, cl.get(itemid, prop)) for prop in props]
++        finally:
++            r.close()
+         return dict(result)
+ 
+     def create(self, username, password, classname, *args):
+         r = RoundupRequest(self.tracker, username, password)
++        try:
++            if not r.db.security.hasPermission('Create', r.userid, classname):
++                raise Unauthorised('Permission to create %s denied'%classname)
+ 
+-        if not r.db.security.hasPermission('Create', r.userid, classname):
+-            raise Unauthorised('Permission to create %s denied'%classname)
+-
+-        cl = r.get_class(classname)
++            cl = r.get_class(classname)
+ 
+-        # convert types
+-        props = r.props_from_args(cl, args)
++            # convert types
++            props = r.props_from_args(cl, args)
+ 
+-        # check for the key property
+-        key = cl.getkey()
+-        if key and not props.has_key(key):
+-            raise UsageError, 'you must provide the "%s" property.'%key
++            # check for the key property
++            key = cl.getkey()
++            if key and not props.has_key(key):
++                raise UsageError, 'you must provide the "%s" property.'%key
+ 
+-        # do the actual create
+-        try:
++            # do the actual create
+             try:
+                 result = cl.create(**props)
+             except (TypeError, IndexError, ValueError), message:
+@@ -170,19 +168,17 @@
+ 
+     def set(self, username, password, designator, *args):
+         r = RoundupRequest(self.tracker, username, password)
+-        classname, itemid = hyperdb.splitDesignator(designator)
+-
+-        if not r.db.security.hasPermission('Edit', r.userid, classname,
+-                itemid=itemid):
+-            raise Unauthorised('Permission to edit %s denied'%designator)
+-
+-        cl = r.get_class(classname)
+-
+-        # convert types
+-        props = r.props_from_args(cl, args)
+         try:
++            classname, itemid = hyperdb.splitDesignator(designator)
++            cl                = r.get_class(classname)
++            props             = r.props_from_args(cl, args) # convert types
++            for p in props.iterkeys ():
++                if not r.db.security.hasPermission \
++                    ('Edit', r.userid, classname, p, itemid):
++                    raise Unauthorised\
++                        ('Permission to edit %s of %s denied'%(p, designator))
+             try:
+-                cl.set(itemid, **props)
++                return cl.set(itemid, **props)
+             except (TypeError, IndexError, ValueError), message:
+                 raise UsageError, message
+         finally:
+diff -urNad roundup-1.4.4~/test/db_test_base.py roundup-1.4.4/test/db_test_base.py
+--- roundup-1.4.4~/test/db_test_base.py	2008-02-07 09:20:52.000000000 +0100
++++ roundup-1.4.4/test/db_test_base.py	2008-06-07 10:01:57.000000000 +0200
+@@ -62,6 +62,7 @@
+     tracker = instance.open(dirname)
+     if tracker.exists():
+         tracker.nuke()
++        init.write_select_db(dirname, backend)
+     tracker.init(password.Password('sekrit'))
+     return tracker
+ 
+@@ -293,7 +294,7 @@
+             l = [u1,u2]; l.sort()
+             m = self.db.issue.get(nid, "nosy"); m.sort()
+             self.assertEqual(l, m)
+-       
++
+ 
+ # XXX one day, maybe...
+ #    def testMultilinkOrdering(self):
+diff -urNad roundup-1.4.4~/test/test_xmlrpc.py roundup-1.4.4/test/test_xmlrpc.py
+--- roundup-1.4.4~/test/test_xmlrpc.py	2007-11-03 01:48:01.000000000 +0100
++++ roundup-1.4.4/test/test_xmlrpc.py	2008-06-07 10:01:57.000000000 +0200
+@@ -9,23 +9,26 @@
+ from roundup.cgi.exceptions import *
+ from roundup import init, instance, password, hyperdb, date
+ from roundup.xmlrpc import RoundupServer
++from roundup.backends import list_backends
+ 
+ import db_test_base
+ 
+ NEEDS_INSTANCE = 1
+ 
+ class TestCase(unittest.TestCase):
++
++    backend = None
++
+     def setUp(self):
+         self.dirname = '_test_xmlrpc'
+         # set up and open a tracker
+-        self.instance = db_test_base.setupTracker(self.dirname)
++        self.instance = db_test_base.setupTracker(self.dirname, self.backend)
+ 
+         # open the database
+         self.db = self.instance.open('admin')
+         self.joeid = 'user' + self.db.user.create(username='joe',
+             password=password.Password('random'), address='[EMAIL PROTECTED]',
+             realname='Joe Random', roles='User')
+-
+         self.db.commit()
+         self.db.close()
+ 
+@@ -89,10 +92,12 @@
+ 
+ def test_suite():
+     suite = unittest.TestSuite()
+-    suite.addTest(unittest.makeSuite(TestCase))
++    for l in list_backends() :
++        dct    = dict(backend = l)
++        subcls = type(TestCase)('TestCase_%s' % l, (TestCase,), dct)
++        suite.addTest(unittest.makeSuite(subcls))
+     return suite
+ 
+ if __name__ == '__main__':
+     runner = unittest.TextTestRunner()
+     unittest.main(testRunner=runner)
+-
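Review bot: `close()` in the first xmlrpc.py hunk now calls `self.db.commit()` unconditionally, and every handler invokes `r.close()` from a `finally`, so a request refused with `Unauthorised` (in `display` or `set`) or failing inside `cl.create`/`cl.set` with `UsageError` is still committed, whereas the old code committed only when `self.db.transactions` was non-empty and never on the exception path. Commit only on the success path — e.g. in `set`, `result = cl.set(itemid, **props)` then `r.db.commit()` before `return result`, leaving `close()` to close — or roll back in an `except` clause if the backend exposes `rollback()`; I cannot see whether `props_from_args` or the hyperdb setters write anything before raising, so this may be defence in depth rather than an active bug. Two authorisation ordering points remain: in `set` the per-property `Edit` check runs only after `props_from_args` has converted every value, so any error the conversion raises reaches the caller before the request is denied, and `create` still performs only the class-level `Create` check with no per-property check, unlike the new `set` — whether the tracker's security model grants property-scoped `Create` is not visible here. The line `[EMAIL PROTECTED]@` appears to be the dpatch `@DPATCH@` marker mangled by the archive's address obfuscation, so the patch as archived will not apply through dpatch-run until it is restored. The inner hunks cut `create` after the `cl.create` call and `set` at its `finally:`, so the rest of both bodies is outside this view.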

Attachment: pgp9NQJxW8re7.pgp
Description: PGP signature
