Hi Otavio, before uploading to stable I would like to clarify whether this package should go via r1 or via security.debian.org.
Greetings Martin. On Wed May 23, 2007 at 21:32:53 -0300, Otavio Salvador wrote: > Hello, > > I've done the upload fixing CVE-2007-1405 and CVE-2007-1406 issues and > together a copyright typo. Please find the interdiff attached. > > debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch | 115 > +++++++++++++++++++ > trac-0.10.3/debian/changelog | 8 + > trac-0.10.3/debian/copyright | 2 > trac-0.10.3/debian/patches/00list | 1 > 4 files changed, 125 insertions(+), 1 deletion(-) > > diff -u trac-0.10.3/debian/copyright trac-0.10.3/debian/copyright > --- trac-0.10.3/debian/copyright > +++ trac-0.10.3/debian/copyright > @@ -3,7 +3,7 @@ > Trac can be downloaded from: > http://projects.edgewall.com/trac/wiki/TracDownload > > -Tras is licensed under a modified BSD license, which follows: > +Trac is licensed under a modified BSD license, which follows: > > Redistribution and use in source and binary forms, with or without > modification, are permitted provided that the following conditions > diff -u trac-0.10.3/debian/changelog trac-0.10.3/debian/changelog > --- trac-0.10.3/debian/changelog > +++ trac-0.10.3/debian/changelog > @@ -1,3 +1,11 @@ > +trac (0.10.3-1etch1) stable; urgency=low > + > + * Add 02_CVE-2007-1405_CVE-2007-1406.dpatch patch to fix CVE-2007-1405 > + and CVE-2007-1406 security issues. (Closes: #414134, #420219) > + * Fixed typo in debian/copyright. (Closes: #422409) > + > + -- Otavio Salvador <[EMAIL PROTECTED]> Wed, 23 May 2007 21:18:41 -0300 > + > trac (0.10.3-1) unstable; urgency=low > > * New upstream upload. Final 0.10.3 release that will hopefully make it > into > diff -u trac-0.10.3/debian/patches/00list trac-0.10.3/debian/patches/00list > --- trac-0.10.3/debian/patches/00list > +++ trac-0.10.3/debian/patches/00list > @@ -1,0 +2 @@ > +02_CVE-2007-1405_CVE-2007-1406 > only in patch2: > unchanged: > --- trac-0.10.3.orig/debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch > +++ trac-0.10.3/debian/patches/02_CVE-2007-1405_CVE-2007-1406.dpatch 
> @@ -0,0 +1,115 @@ > +#! /bin/sh /usr/share/dpatch/dpatch-run > +## 02_CVE-2007-1405_CVE-2007-1406_issue.dpatch by Luis Matos <[EMAIL > PROTECTED]> > +## > +## All lines beginning with `## DP:' are a description of the patch. > +## DP: Fixes CVE-2007-1405, CVE-2007-1406, closing #414134, #420219. > + > [EMAIL PROTECTED]@ > + > +--- trac-0.10.3.orig/trac/attachment.py 2007-05-24 01:31:24.000000000 > +0100 > ++++ trac-0.10.3/trac/attachment.py 2007-05-24 01:32:12.000000000 +0100 > +@@ -291,10 +291,10 @@ > + > + render_unsafe_content = BoolOption('attachment', > 'render_unsafe_content', > + 'false', > +- """Whether non-binary attachments should be rendered in the > browser, or > ++ """Whether attachments should be rendered in the browser, or > + only made downloadable. > + > +- Pretty much any text file may be interpreted as HTML by the browser, > ++ Pretty much any file may be interpreted as HTML by the browser, > + which allows a malicious user to attach a file containing cross-site > + scripting attacks. 
> + > +@@ -555,22 +555,24 @@ > + # Eventually send the file directly > + format = req.args.get('format') > + if format in ('raw', 'txt'): > +- if not self.render_unsafe_content and not binary: > +- # Force browser to download HTML/SVG/etc pages that may > +- # contain malicious code enabling XSS attacks > +- req.send_header('Content-Disposition', 'attachment;' + > +- 'filename=' + attachment.filename) > +- if not mime_type or (self.render_unsafe_content and \ > +- not binary and format == 'txt'): > +- mime_type = 'text/plain' > ++ if not self.render_unsafe_content: > ++ # Force browser to download files instead of rendering > ++ # them, since they might contain malicious code > enabling > ++ # XSS attacks > ++ req.send_header('Content-Disposition', 'attachment') > ++ if format == 'txt': > ++ mime_type = 'text/plain' > ++ elif not mime_type: > ++ mime_type = 'application/octet-stream' > + if 'charset=' not in mime_type: > + charset = mimeview.get_charset(str_data, mime_type) > + mime_type = mime_type + '; charset=' + charset > ++ > + req.send_file(attachment.path, mime_type) > + > + # add ''Plain Text'' alternate link if needed > +- if self.render_unsafe_content and not binary and \ > +- mime_type and not mime_type.startswith('text/plain'): > ++ if (self.render_unsafe_content and > ++ mime_type and not mime_type.startswith('text/plain')): > + plaintext_href = attachment.href(req, format='txt') > + add_link(req, 'alternate', plaintext_href, 'Plain Text', > + mime_type) > +diff -ur trac-0.10.3.orig/trac/mimeview/api.py > trac-0.10.3/trac/mimeview/api.py > +--- trac-0.10.3.orig/trac/mimeview/api.py 2007-05-24 01:31:24.000000000 > +0100 > ++++ trac-0.10.3/trac/mimeview/api.py 2007-05-24 01:32:12.000000000 +0100 > +@@ -604,8 +604,8 @@ > + content, selector) > + req.send_response(200) > + req.send_header('Content-Type', output_type) > +- req.send_header('Content-Disposition', 'filename=%s.%s' % (filename, > +- ext)) > ++ req.send_header('Content-Disposition', 'attachment; 
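Review bot: The new `req.send_header('Content-Disposition', 'attachment')` in the `format in ('raw', 'txt')` branch drops the `filename=` parameter the removed lines sent, so a forced download will presumably be saved under a name the browser derives from the request URL rather than `attachment.filename`. That may be deliberate, since the old value was concatenated into the header unquoted; if the filename is reintroduced it should be quoted and stripped of CR/LF and `"` first, e.g. `req.send_header('Content-Disposition', 'attachment; filename="%s"' % attachment.filename.replace('"', '').replace('\r', '').replace('\n', ''))`. The enclosing method starts before and ends after the hunk.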
filename=%s.%s' > % > ++ (filename, ext)) > + req.end_headers() > + req.write(content) > + raise RequestDone > +diff -ur trac-0.10.3.orig/trac/versioncontrol/web_ui/browser.py > trac-0.10.3/trac/versioncontrol/web_ui/browser.py > +--- trac-0.10.3.orig/trac/versioncontrol/web_ui/browser.py 2007-05-24 > 01:31:24.000000000 +0100 > ++++ trac-0.10.3/trac/versioncontrol/web_ui/browser.py 2007-05-24 > 01:32:12.000000000 +0100 > +@@ -21,7 +21,7 @@ > + from fnmatch import fnmatchcase > + > + from trac import util > +-from trac.config import ListOption, Option > ++from trac.config import ListOption, BoolOption, Option > + from trac.core import * > + from trac.mimeview import Mimeview, is_binary, get_mimetype > + from trac.perm import IPermissionRequestor > +@@ -57,6 +57,18 @@ > + glob patterns, i.e. "*" can be used as a wild card) > + (''since 0.10'')""") > + > ++ render_unsafe_content = BoolOption('browser', 'render_unsafe_content', > ++ 'false', > ++ """Whether attachments should be rendered in the browser, or > ++ only made downloadable. > ++ > ++ Pretty much any file may be interpreted as HTML by the browser, > ++ which allows a malicious user to attach a file containing cross-site > ++ scripting attacks. 
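Review bot: The rewritten `Content-Disposition` line in the `@@ -604,8` hunk still interpolates `filename` and `ext` into the header value unquoted and unfiltered; where `filename` comes from is not visible here, but if it can be user-chosen, a space or `;` breaks the parameter and a CR/LF would end the header line unless `req.send_header` rejects it. Build the parameter once and quote it, e.g. `name = ('%s.%s' % (filename, ext)).replace('"', '').replace('\r', '').replace('\n', '')` followed by `req.send_header('Content-Disposition', 'attachment; filename="%s"' % name)`. The enclosing function starts outside the hunk.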
> ++ > ++ For public sites where anonymous users can create attachments it is > ++ recommended to leave this option disabled (which is the > default).""") > ++ > + # INavigationContributor methods > + > + def get_active_navigation_item(self, req): > +@@ -216,6 +228,11 @@ > + format == 'txt' and 'text/plain' or mime_type) > + req.send_header('Content-Length', node.content_length) > + req.send_header('Last-Modified', http_date(node.last_modified)) > ++ if not self.render_unsafe_content: > ++ # Force browser to download files instead of rendering > ++ # them, since they might contain malicious code enabling > ++ # XSS attacks > ++ req.send_header('Content-Disposition', 'attachment') > + req.end_headers() > + > + while 1: -- [EMAIL PROTECTED] /root]# man real-life No manual entry for real-life -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
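Review bot: The `render_unsafe_content` docstring added to the `'browser'` section in the `@@ -57,6` hunk is copied from the attachment module and still speaks of attachments ("Whether attachments should be rendered", "a malicious user to attach a file"), while the header it gates in the `@@ -216,6` hunk is sent for repository files served by the source browser. Reword it for this context: open with `"""Whether repository files should be rendered in the browser, or` / `only made downloadable.`, then say that any file in the repository may be interpreted as HTML by the browser and so can carry cross-site scripting content, and keep the closing recommendation to leave the option disabled on public sites. The enclosing class starts before and ends after the hunk.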