Your message dated Sun, 29 Jan 2012 13:24:51 +0100
with message-id <[email protected]>
and subject line Re: Bug#647189: otrs2: Please backport security fixes in Kernel/Modules/AdminPackageManager.pm
has caused the Debian Bug report #647189,
regarding otrs2: Please backport security fixes in Kernel/Modules/AdminPackageManager.pm
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
647189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=647189
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: otrs2
Version: 2.2.7-2lenny3
Severity: important
Tags: upstream patch
Dear maintainer,
Recently you fixed one or more security problems according to OSA-2011-03.
These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
lenny (5.0.10) - use target "oldstable"
squeeze (6.0.4) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track the progress of this request. I attach the upstream patches for your
convenience.
For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].
0: [email protected]
1: <[email protected]>
2: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- AdminPackageManager.pm 2010/05/20 17:07:50 1.81.2.2
+++ AdminPackageManager.pm 2011/07/28 09:07:35 1.81.2.3
@@ -1,8 +1,8 @@
# --
# Kernel/Modules/AdminPackageManager.pm - manage software packages
-# Copyright (C) 2001-2010 OTRS AG, http://otrs.org/
+# Copyright (C) 2001-2011 OTRS AG, http://otrs.org/
# --
-# $Id: AdminPackageManager.pm,v 1.81.2.2 2010/05/20 17:07:50 ub Exp $
+# $Id: AdminPackageManager.pm,v 1.81.2.3 2011/07/28 09:07:35 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
@@ -18,7 +18,7 @@
use Kernel::System::Web::UploadCache;
use vars qw($VERSION);
-$VERSION = qw($Revision: 1.81.2.2 $) [1];
+$VERSION = qw($Revision: 1.81.2.3 $) [1];
sub new {
my ( $Type, %Param ) = @_;
@@ -120,6 +120,9 @@
}
}
my $LocalFile = $Self->{ConfigObject}->Get('Home') . "/$Location";
+
+ # do not allow to read file with including .. path (security related)
+ $LocalFile =~ s/\.\.//g;
if ( !-e $LocalFile ) {
$Self->{LayoutObject}->Block(
Name => 'FileDiff',
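Review bot: the added `$LocalFile =~ s/\.\.//g;` is a blacklist on a single token applied after `$LocalFile` has already been assembled from `$Location`, not a check that the resolved path stays inside `Home`; it also silently rewrites the path and carries on instead of rejecting the request, so the later "No such file $LocalFile!" message echoes a mangled path rather than the one that was asked for. Consider canonicalising the path (for example with `File::Spec->rel2abs` and `Cwd::abs_path`) and refusing anything whose prefix is not the `Home` directory, or restricting `$Location` to the file list of the package being displayed, and replace the comment "security related" with what is actually being prevented (reading files outside the OTRS home directory through the diff view).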
--- AdminPackageManager.pm 2011/07/28 09:07:35 1.81.2.3
+++ AdminPackageManager.pm 2011/07/29 11:37:34 1.81.2.4
@@ -2,7 +2,7 @@
# Kernel/Modules/AdminPackageManager.pm - manage software packages
# Copyright (C) 2001-2011 OTRS AG, http://otrs.org/
# --
-# $Id: AdminPackageManager.pm,v 1.81.2.3 2011/07/28 09:07:35 martin Exp $
+# $Id: AdminPackageManager.pm,v 1.81.2.4 2011/07/29 11:37:34 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
@@ -18,7 +18,7 @@
use Kernel::System::Web::UploadCache;
use vars qw($VERSION);
-$VERSION = qw($Revision: 1.81.2.3 $) [1];
+$VERSION = qw($Revision: 1.81.2.4 $) [1];
sub new {
my ( $Type, %Param ) = @_;
@@ -123,14 +123,25 @@
# do not allow to read file with including .. path (security related)
$LocalFile =~ s/\.\.//g;
- if ( !-e $LocalFile ) {
+ if ( !$File ) {
$Self->{LayoutObject}->Block(
Name => 'FileDiff',
Data => {
Location => $Location,
Name => $Name,
Version => $Version,
- Diff => "No such file $LocalFile!",
+ Diff => "No such file $LocalFile in package!",
+ },
+ );
+ }
+ elsif ( !-e $LocalFile ) {
+ $Self->{LayoutObject}->Block(
+ Name => 'FileDiff',
+ Data => {
+ Location => $Location,
+ Name => $Name,
+ Version => $Version,
+ Diff => "No such file $LocalFile in local file system!",
},
);
}
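Review bot: the new `if ( !$File )` branch tests a `$File` variable that is neither declared nor assigned within this hunk's context lines, so the diff alone does not show whether it is derived from the package's own file list for `$Location` (which would make this the allow-list check that the `..` substitution above is not); please widen the context or state the origin of `$File` in the change description. The message `"No such file $LocalFile in package!"` also reports the local filesystem path for a package-level miss, where `$Location` would be the accurate value, and since `$LocalFile` has already had `..` stripped the echoed path may differ from what was requested.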
--- End Message ---
--- Begin Message ---
On 16.01.2012 09:43, Jonathan Wiltshire wrote:
> On 2012-01-15 09:46, Patrick Matthäi wrote:
>> On 08.01.2012 16:45, Patrick Matthäi wrote:
>>>> Recently you fixed one or more security problems according to
>>>> OSA-2011-03.
>>>> These problems were not serious enough for a Debian Security
>>>> Advisory, so they are now on my radar for fixing in the following
>>>> suites
>>>> through point releases:
>>>
>>> Sorry for my very late response, I had just overseen this email :/
>>> I will have a look at the patch in the next days.
>>> Only the oldstable version is affected.
>>>
>>>
>>
>> I am unsure if Debian has to be patched, because to enable the
>> package manager you have to hack around the whole permissions of otrs in
>> an insecure manner (described in README.Debian), which opens an RC bug.
>> So it is (in Debian) an unsupported function. :/
>> What do you think?
>
> If the vulnerability relies on a local configuration and it's already
> documented in README.Debian that we don't support this, then I think
> that for oldstable only it is not worth the effort. Do you agree?
>
> Thanks,
>
>
As we talked before, I am closing it.
--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: [email protected]
[email protected]
*/
--- End Message ---