apply the Request Tracker 4.0.0 patch for CVE-2014-9472, CVE-2015-1165 and CVE-2015-1464.
diff -r1.55 -r1.56 pkgsrc/devel/rt3/Makefile
(spz)
@@ -1,17 +1,17 @@ | @@ -1,17 +1,17 @@ | |||
1 | # $NetBSD: Makefile,v 1.55 2014/05/31 12:22:42 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.56 2015/03/01 22:45:26 spz Exp $ | |
2 | 2 | |||
3 | DISTNAME= rt-3.8.17 | 3 | DISTNAME= rt-3.8.17 | |
4 | PKGREVISION= 3 | 4 | PKGREVISION= 4 | |
5 | CATEGORIES= devel | 5 | CATEGORIES= devel | |
6 | MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ | 6 | MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ | |
7 | 7 | |||
8 | MAINTAINER= spz@NetBSD.org | 8 | MAINTAINER= spz@NetBSD.org | |
9 | HOMEPAGE= http://bestpractical.com/rt/ | 9 | HOMEPAGE= http://bestpractical.com/rt/ | |
10 | COMMENT= Industrial-grade ticketing system | 10 | COMMENT= Industrial-grade ticketing system | |
11 | LICENSE= gnu-gpl-v2 | 11 | LICENSE= gnu-gpl-v2 | |
12 | 12 | |||
13 | PKG_DESTDIR_SUPPORT= destdir | 13 | PKG_DESTDIR_SUPPORT= destdir | |
14 | 14 | |||
15 | .include "options.mk" | 15 | .include "options.mk" | |
16 | 16 | |||
17 | USE_TOOLS+= perl:run | 17 | USE_TOOLS+= perl:run |
@@ -1,16 +1,17 @@ | @@ -1,16 +1,17 @@ | |||
1 | $NetBSD: distinfo,v 1.24 2013/05/26 16:55:53 spz Exp $ | 1 | $NetBSD: distinfo,v 1.25 2015/03/01 22:45:26 spz Exp $ | |
2 | 2 | |||
3 | SHA1 (rt-3.8.17.tar.gz) = 4765c68f91a0e8e21ed0fd39397cd8e3970ca992 | 3 | SHA1 (rt-3.8.17.tar.gz) = 4765c68f91a0e8e21ed0fd39397cd8e3970ca992 | |
4 | RMD160 (rt-3.8.17.tar.gz) = 6da8fca56976233417bd47b26e1a7326fde5d2d0 | 4 | RMD160 (rt-3.8.17.tar.gz) = 6da8fca56976233417bd47b26e1a7326fde5d2d0 | |
5 | Size (rt-3.8.17.tar.gz) = 5728368 bytes | 5 | Size (rt-3.8.17.tar.gz) = 5728368 bytes | |
6 | SHA1 (patch-aa) = 6f78710f4460a25c75afbdf7128c0fe34914927c | 6 | SHA1 (patch-aa) = 6f78710f4460a25c75afbdf7128c0fe34914927c | |
7 | SHA1 (patch-ab) = ee455dd683c84d3a745a29a132e28903ba03144d | 7 | SHA1 (patch-ab) = ee455dd683c84d3a745a29a132e28903ba03144d | |
8 | SHA1 (patch-lib_RT.pm) = f72c6cb6f94acf1296076423d26d7efa4ed78293 | 8 | SHA1 (patch-lib_RT.pm) = 4a4b56128c266aeadde8f254210aa1942430744a | |
9 | SHA1 (patch-lib_RT_CustomFieldValues_External.pm) = 4404ca98c9e50687323892df1aa95c8b5a6dedd9 | 9 | SHA1 (patch-lib_RT_CustomFieldValues_External.pm) = 4404ca98c9e50687323892df1aa95c8b5a6dedd9 | |
10 | SHA1 (patch-lib_RT_Interface_Email.pm) = 60d0c2c46ac3dc8172bdf16bbf43099b7dd87542 | 10 | SHA1 (patch-lib_RT_Interface_Email.pm) = 60d0c2c46ac3dc8172bdf16bbf43099b7dd87542 | |
11 | SHA1 (patch-lib_RT_Interface_Email_Auth_GnuPG.pm) = 60d53a4dcda8f3cda14350f34f74fddc6091c3ce | 11 | SHA1 (patch-lib_RT_Interface_Email_Auth_GnuPG.pm) = 60d53a4dcda8f3cda14350f34f74fddc6091c3ce | |
12 | SHA1 (patch-sbin_rt-attributes-viewer) = e1c963800b76282cda4ca46e006f30d9abfc29c9 | 12 | SHA1 (patch-sbin_rt-attributes-viewer) = e1c963800b76282cda4ca46e006f30d9abfc29c9 | |
13 | SHA1 (patch-sbin_rt-attributes-viewer.in) = 99a15cca9a394b5743edc3929f43593f1384c8da | 13 | SHA1 (patch-sbin_rt-attributes-viewer.in) = 99a15cca9a394b5743edc3929f43593f1384c8da | |
14 | SHA1 (patch-share_html_Helpers_CalPopup.html) = 3920ac6448d1d21c7ff32ef67344b19aa53616a4 | 14 | SHA1 (patch-share_html_Helpers_CalPopup.html) = 3920ac6448d1d21c7ff32ef67344b19aa53616a4 | |
15 | SHA1 (patch-share_html_Search_Elements_ResultsRSSView) = 62eeea9f4bea1bb98fd3509748123ecca3256185 | |||
15 | SHA1 (patch-t_approval_admincc.t) = 4fddf5fa844d15e8698e00fe6863daaafa661315 | 16 | SHA1 (patch-t_approval_admincc.t) = 4fddf5fa844d15e8698e00fe6863daaafa661315 | |
16 | SHA1 (patch-t_approval_basic.t) = 209303cc34370518a2600e28570627e1dc7e698b | 17 | SHA1 (patch-t_approval_basic.t) = 209303cc34370518a2600e28570627e1dc7e698b |
@@ -1,24 +1,34 @@ | @@ -1,24 +1,34 @@ | |||
1 | $NetBSD: patch-lib_RT.pm,v 1.1 2011/10/25 19:38:10 spz Exp $ | 1 | $NetBSD: patch-lib_RT.pm,v 1.2 2015/03/01 22:45:26 spz Exp $ | |
2 | 2 | |||
3 | perl 5.14 qw() in for* fixes | 3 | perl 5.14 qw() in for* fixes | |
4 | Fix for CVE-2014-9472 taken from the patch for RT 4.0.0 | |||
4 | 5 | |||
5 | --- lib/RT.pm.orig 2011-04-14 01:10:13.000000000 +0000 | 6 | --- lib/RT.pm.orig 2013-05-22 19:04:26.000000000 +0000 | |
6 | +++ lib/RT.pm | 7 | +++ lib/RT.pm | |
7 | @@ -459,7 +459,7 @@ sub InitClasses { | 8 | @@ -362,6 +362,8 @@ sub InitSignalHandlers { | |
9 | ## mechanism (see above). | |||
10 | ||||
11 | $SIG{__WARN__} = sub { | |||
12 | + return 'IGNORE' if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/; | |||
13 | + | |||
14 | # The 'wide character' warnings has to be silenced for now, at least | |||
15 | # until HTML::Mason offers a sane way to process both raw output and | |||
16 | # unicode strings. | |||
17 | @@ -459,7 +461,7 @@ sub InitClasses { | |||
8 | # in the session, as we deserialize it so we never call constructor | 18 | # in the session, as we deserialize it so we never call constructor | |
9 | # of the class, so the list of accessible fields is empty and we die | 19 | # of the class, so the list of accessible fields is empty and we die | |
10 | # with "Method xxx is not implemented in RT::SomeClass" | 20 | # with "Method xxx is not implemented in RT::SomeClass" | |
11 | - $_->_BuildTableAttributes foreach qw( | 21 | - $_->_BuildTableAttributes foreach qw( | |
12 | + $_->_BuildTableAttributes foreach ( qw( | 22 | + $_->_BuildTableAttributes foreach ( qw( | |
13 | RT::Ticket | 23 | RT::Ticket | |
14 | RT::Transaction | 24 | RT::Transaction | |
15 | RT::Attachment | 25 | RT::Attachment | |
16 | @@ -477,7 +477,7 @@ sub InitClasses { | 26 | @@ -477,7 +479,7 @@ sub InitClasses { | |
17 | RT::ObjectCustomField | 27 | RT::ObjectCustomField | |
18 | RT::ObjectCustomFieldValue | 28 | RT::ObjectCustomFieldValue | |
19 | RT::Attribute | 29 | RT::Attribute | |
20 | - ); | 30 | - ); | |
21 | + ) ); | 31 | + ) ); | |
22 | 32 | |||
23 | if ( $args{'Heavy'} ) { | 33 | if ( $args{'Heavy'} ) { | |
24 | # load scrips' modules | 34 | # load scrips' modules |
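Review bot: The early-out added to the `$SIG{__WARN__}` handler carries no comment saying why this one diagnostic is dropped before the logging below it, and its `'IGNORE'` return value is meaningless there — Perl discards whatever a `__WARN__` handler returns, so `return;` states the intent; a comment along the lines of `# CVE-2014-9472: skip perl's "Code point ... is not Unicode" warning before it reaches the logger` would tell the next maintainer why the line must stay. The commit message ties the change to CVE-2014-9472 and presumably the cost is the logging of that warning for every offending character in incoming mail, but that mechanism is not visible here and should be confirmed and recorded rather than left implicit. The pattern is anchored and `$_[0]` is guarded against undef, which is fine, but it matches perl's current wording of the diagnostic, so a perl upgrade that rewords it silently reopens the issue — worth a note next to the regex. InitSignalHandlers begins and ends outside the hunk.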
$NetBSD: patch-share_html_Search_Elements_ResultsRSSView,v 1.1 2015/03/01 22:45:26 spz Exp $
fixes for CVE-2015-1165 and CVE-2015-1464 taken from the patch for RT 4.0.0
--- share/html/Search/Elements/ResultsRSSView.orig 2013-05-22 19:03:04.000000000 +0000
+++ share/html/Search/Elements/ResultsRSSView
@@ -48,7 +48,7 @@
<%INIT>
use Encode ();
-my $old_current_user;
+my $current_user = $session{CurrentUser};
if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
my $path = $m->dhandler_arg;
@@ -78,13 +78,11 @@ if ( $m->request_comp->path =~ RT->Confi
unless $user->ValidateAuthString( $auth,
$ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
- $old_current_user = $session{'CurrentUser'};
- my $cu = RT::CurrentUser->new;
- $cu->Load($user);
- $session{'CurrentUser'} = $cu;
+ $current_user = RT::CurrentUser->new;
+ $current_user->Load($user);
}
-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
+my $Tickets = RT::Tickets->new($current_user);
$Tickets->FromSQL($ARGS{'Query'});
if ($OrderBy =~ /\|/) {
# Multiple Sorts
@@ -121,10 +119,17 @@ $r->content_type('application/rss+xml');
while ( my $Ticket = $Tickets->Next()) {
my $creator_str = $m->scomp('/Elements/ShowUser', User => $Ticket->CreatorObj);
$creator_str =~ s/[\r\n]//g;
+
+ # Get the plain-text content; it is interpreted as HTML by RSS
+ # readers, so it must be escaped (and is escaped _again_ when
+ # inserted into the XML).
+ my $content = $Ticket->Transactions->First->Content;
+ $content = $m->interp->apply_escapes( $content, 'h');
+
$rss->add_item(
title => $Ticket->Subject || loc('No Subject'),
link => RT->Config->Get('WebURL')."Ticket/Display.html?id=".$Ticket->id,
- description => $Ticket->Transactions->First->Content,
+ description => $content,
dc => { creator => $creator_str,
date => $Ticket->CreatedObj->RFC2822,
},
@@ -133,7 +138,6 @@ $r->content_type('application/rss+xml');
}
$m->out($rss->as_string);
-$session{'CurrentUser'} = $old_current_user if $old_current_user;
$m->abort();
</%INIT>
<%ARGS>
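Review bot: In the feed loop, `$Ticket->Transactions->First->Content` is now handed to `apply_escapes` with no check that `First` returned a transaction or that `Content` is defined, so a ticket without transactions dies on a method call on undef and an undefined body reaches the escaper; guard it with `my $first = $Ticket->Transactions->First;` / `my $content = $first ? $first->Content : '';` / `$content = $m->interp->apply_escapes( defined $content ? $content : '', 'h');`. The HTML escaping of `description` itself looks right, since XML::RSS only XML-escapes and readers interpret that element as HTML; `title` and `dc:creator` get only the XML escaping, which is presumably acceptable because RSS treats title as plain text, but it is worth confirming the RT 4.0.0 patch did not escape them too. Because `$session{'CurrentUser'}` is no longer swapped, `$m->scomp('/Elements/ShowUser', ...)` and `loc()` in this loop presumably still run as the session user rather than the auth-string user; if ShowUser consults the session for access decisions that is a benign but real behaviour change from the old code and deserves a one-line comment above `my $current_user = $session{CurrentUser};`.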