Bug#654972: pu: package bugzilla/3.6.2.0-4.5

2012-01-23 Thread Adam D. Barratt
tag 654972 + pending
thanks

On Thu, 2012-01-12 at 21:24 +, Adam D. Barratt wrote:
> On Sat, 2012-01-07 at 14:40 +, Jonathan Wiltshire wrote:
> > bugzilla had another two security updates that we should consider for stable, 
> > they are no-dsa.
> > 
> > Debdiff attached; the unconventional version is a historical relic.
> 
> Please go ahead; thanks.

For the record this was accepted, as 3.6.2.0-4.5 (rather than -4.6 as in
the debdiff, due to fun with changelogs).

Regards,

Adam




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#654972: pu: package bugzilla/3.6.2.0-4.5

2012-01-12 Thread Adam D. Barratt
tag 654972 + squeeze confirmed
thanks

On Sat, 2012-01-07 at 14:40 +, Jonathan Wiltshire wrote:
> bugzilla had another two security updates that we should consider for stable, 
> they are no-dsa.
> 
> Debdiff attached; the unconventional version is a historical relic.

Please go ahead; thanks.

Regards,

Adam







Bug#654972: pu: package bugzilla/3.6.2.0-4.5

2012-01-07 Thread Jonathan Wiltshire
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi,

bugzilla had another two security updates that we should consider for stable, 
they are no-dsa.

Debdiff attached; the unconventional version is a historical relic.




-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru bugzilla-3.6.2.0/debian/changelog bugzilla-3.6.2.0/debian/changelog
--- bugzilla-3.6.2.0/debian/changelog	2011-10-09 20:58:04.0 +0100
+++ bugzilla-3.6.2.0/debian/changelog	2012-01-07 14:22:10.0 +
@@ -1,3 +1,24 @@
+bugzilla (3.6.2.0-4.6) stable; urgency=low
+
+  * Non-maintainer upload.
+  * Add security patches:
+- 87_cve-2011-3657.sh
+  Tabular and graphical reports, as well as new charts have
+  a debug mode which displays raw data as plain text. This
+  text is not correctly escaped and a crafted URL could
+  use this vulnerability to inject code leading to XSS.
+- 88_cve-2011-3667.sh
+  The User.offer_account_by_email WebService method ignores
+  the user_can_create_account setting of the authentication
+  method and generates an email with a token in it which the
+  user can use to create an account. Depending on the
+  authentication method being active, this could allow the
+  user to log in using this account.
+  Installations where the createemailregexp parameter is
+  empty are not vulnerable to this issue.
+
+ -- Jonathan Wiltshire   Sat, 07 Jan 2012 14:16:43 +
+
 bugzilla (3.6.2.0-4.5) stable-security; urgency=low
 
   * Non-maintainer upload.
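Review bot: the new entry at the top of the hunk targets `stable` and stacks 3.6.2.0-4.6 on top of a 3.6.2.0-4.5 entry that targets `stable-security`; if that -4.5 upload never reached the archive (the bug title itself asks for a pu of 3.6.2.0-4.5), the new changes should be folded into the existing entry rather than added above it, otherwise the archive is asked to accept a version that supersedes one it never had. Also, the two patch descriptions reproduce the upstream advisory text but omit the upstream bug IDs (697699 and 711714) and revision URLs that the patch headers later in this same debdiff carry; repeating them here in the changelog makes the CVE cross-reference self-contained.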
diff -Nru bugzilla-3.6.2.0/debian/maintenance/87_cve-2011-3657.sh bugzilla-3.6.2.0/debian/maintenance/87_cve-2011-3657.sh
--- bugzilla-3.6.2.0/debian/maintenance/87_cve-2011-3657.sh	1970-01-01 01:00:00.0 +0100
+++ bugzilla-3.6.2.0/debian/maintenance/87_cve-2011-3657.sh	2012-01-07 14:12:58.0 +
@@ -0,0 +1,41 @@
+#!/bin/sh
+# CVE-2011-3657
+set -e
+
+echo "> $0 $*"
+
+cd "$1" && patch -p1 < "$0"
+
+exit 0
+
+Description: CVE-2011-3657
+Origin: http://bzr.mozilla.org/bugzilla/3.6/revision/7266
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=697699
+
+--- a/Bugzilla/Chart.pm	2009-08-17 22:59:52 +
 b/Bugzilla/Chart.pm	2011-12-28 21:51:44 +
+@@ -438,7 +438,7 @@
+ 
+ require Data::Dumper;
+ print "Bugzilla::Chart object:\n";
+-print Data::Dumper::Dumper($self);
++print html_quote(Data::Dumper::Dumper($self));
+ print "";
+ }
+ 
+
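Review bot: the hunk wraps the `Data::Dumper::Dumper($self)` output in `html_quote` but adds no `use Bugzilla::Util;` alongside it; confirm that Chart.pm already imports Bugzilla::Util (which exports `html_quote`), because the failure mode is a runtime die that only triggers on the debug code path, which a routine smoke test of the package will not exercise. Escaping closes the XSS, but the dumped object is still sent to any requester who reaches this branch; gating the block on an administrative group would be the stronger fix, though that is arguably out of scope for a minimal stable backport.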
+--- a/report.cgi	2010-12-08 20:16:46 +
 b/report.cgi	2011-12-28 21:51:44 +
+@@ -307,9 +307,9 @@
+ if ($cgi->param('debug')) {
+ require Data::Dumper;
+ print "data hash:\n";
+-print Data::Dumper::Dumper(%data) . "\n\n";
++print html_quote(Data::Dumper::Dumper(%data)) . "\n\n";
+ print "data array:\n";
+-print Data::Dumper::Dumper(@image_data) . "\n\n";
++print html_quote(Data::Dumper::Dumper(@image_data)) . "\n\n";
+ }
+ 
+ # All formats point to the same section of the documentation.
+
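Review bot: the wrapper that applies this patch, `cd "$1" && patch -p1 < "$0"`, can report success without applying anything: under `set -e` a failing `cd "$1"` does not abort the script, because `cd` is the left operand of `&&` and only the final command of an `&&` list is subject to errexit, so the list returns nonzero, control falls through to `exit 0`, and the build sees a clean exit with no hunks applied. Write the two commands on separate lines (so `set -e` checks each) or append `|| exit 1`. A second, lesser issue is that the script is not safe to re-run: if the hunks are already present, GNU patch detects a reversed patch and prompts interactively instead of failing, so add `--forward --batch` (`-N -t`) to make a repeat invocation deterministic. The report.cgi hunk itself is consistent with the Chart.pm change: both Dumper calls that feed the page are now passed through `html_quote`, and the `debug` branch is otherwise untouched.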
diff -Nru bugzilla-3.6.2.0/debian/maintenance/88_cve-2011-3667.sh bugzilla-3.6.2.0/debian/maintenance/88_cve-2011-3667.sh
--- bugzilla-3.6.2.0/debian/maintenance/88_cve-2011-3667.sh	1970-01-01 01:00:00.0 +0100
+++ bugzilla-3.6.2.0/debian/maintenance/88_cve-2011-3667.sh	2012-01-07 14:15:43.0 +
@@ -0,0 +1,206 @@
+#!/bin/sh
+# CVE-2011-3667
+set -e
+
+echo "> $0 $*"
+
+cd "$1" && patch -p1 < "$0"
+
+exit 0
+
+Description: CVE-2011-3667
+Origin: http://bzr.mozilla.org/bugzilla/3.6/revision/7267
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=711714
+
+--- a/Bugzilla/User.pm	2010-02-18 00:16:31 +
 b/Bugzilla/User.pm	2011-12-28 22:18:06 +
+@@ -1694,6 +1694,32 @@
+ return 1;
+ }
+ 
++sub check_account_creation_enabled {
++my $self = shift;
++
++# If we're using e.g. LDAP for login, then we can't create a new account.
++$self->authorizer->user_can_create_account
++  || ThrowUserError('auth_cant_create_account');
++
++Bugzilla->params->{'createemailregexp'}
++  || ThrowUserError('account_creation_disabled');
++}
++
++sub check_and_send_account_creation_confirmation {
++my ($self, $login) = @_;
++
++$login = $self->check_login_name_for_creation($login);
++my $creation_regexp = Bugzilla->params->{'createemailregexp'};
++
++if ($login !~ /$creation_regexp/i) {
++ThrowUserError('account_creation_restricted');
++}
++
++# Create and send a token for this new account.
++require Bugzilla::Token;
++Bugzilla::Token::issue_new_user_account_token($login);
++}
++
+ sub login_to_id {
+ my ($login, $throw_error) = @_;
+ my $dbh = Bugzilla->dbh;
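Review bot: `check_and_send_account_creation_confirmation` interpolates `createemailregexp` unguarded in `$login !~ /$creation_regexp/i`; when the parameter is empty, Perl treats `//` as "reuse the last successfully matched pattern", so the result depends on whatever regexp happened to match earlier in the request rather than on the configured policy. The check is only sound if `check_account_creation_enabled`, which throws `account_creation_disabled` on an empty value, has already run, but nothing in this hunk chains the two methods. Either have the second method call the first before the match, or state the required ordering in a comment above it so that a future caller (the WebService path this CVE is about) cannot skip the enablement check.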
+@@ -2196,6 +