[DRE-commits] [redmine] 01/01: Security update

Antonio Terceiro terceiro at moszumanska.debian.org
Sun Mar 20 13:12:30 UTC 2016


This is an automated email from the git hooks/post-receive script.

terceiro pushed a commit to branch debian/jessie
in repository redmine.

commit 486c21bb48c7958397d79eac9fa775c5b32c0df1
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Sun Mar 20 10:00:45 2016 -0300

    Security update
---
 debian/changelog                   |  15 ++++++
 debian/patches/CVE-2015-8346.patch |  24 +++++++++
 debian/patches/CVE-2015-8473.patch |  54 +++++++++++++++++++
 debian/patches/CVE-2015-8474.patch | 106 +++++++++++++++++++++++++++++++++++++
 debian/patches/CVE-2015-8537.patch |  85 +++++++++++++++++++++++++++++
 debian/patches/series              |   4 ++
 6 files changed, 288 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 37db9cc..c4db2f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+redmine (3.0~20140825-8~deb8u2) jessie-security; urgency=high
+
+  * Security update. Includes fixes for the following vulnerabilities:
+    - CVE-2015-8346: Data disclosure on the time logging form
+      (Closes: #806376)
+    - CVE-02015-8474: open redirect vulnerability
+      (Closes: #807272)
+    - CVE-2015-8473: Issues API may disclose changeset messages that are not
+      visible
+      (Closes: #807345)
+    - CVE-2015-8537: Data disclosure in atom feed
+      (Closes: #807826)
+
+ -- Antonio Terceiro <terceiro at debian.org>  Sat, 19 Mar 2016 20:31:15 -0300
+
 redmine (3.0~20140825-8~deb8u1) jessie; urgency=medium
 
   * Backport as a stable update for Jessie.
diff --git a/debian/patches/CVE-2015-8346.patch b/debian/patches/CVE-2015-8346.patch
new file mode 100644
index 0000000..5ce85d1
--- /dev/null
+++ b/debian/patches/CVE-2015-8346.patch
@@ -0,0 +1,24 @@
+From c096dde88ff02872ba35edc4dc403c80a7867b5c Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang at yahoo.fr>
+Date: Wed, 4 Nov 2015 18:22:40 +0000
+Subject: [PATCH] Fixed that time logging form may disclose subjects of issues
+ that are not visible (#21150).
+
+Patch by Holger Just.
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14795 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/views/timelog/_form.html.erb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/app/views/timelog/_form.html.erb
++++ b/app/views/timelog/_form.html.erb
+@@ -15,7 +15,7 @@
+   <% end %>
+   <p>
+     <%= f.text_field :issue_id, :size => 6 %>
+-    <span id="time_entry_issue"><%= h("#{@time_entry.issue.tracker.name} ##{@time_entry.issue.id}: #{@time_entry.issue.subject}") if @time_entry.issue %></span>
++    <span id="time_entry_issue"><%= h("#{@time_entry.issue.tracker.name} ##{@time_entry.issue.id}: #{@time_entry.issue.subject}") if @time_entry.issue.try(:visible?) %></span>
+   </p>
+   <p><%= f.text_field :spent_on, :size => 10, :required => true %><%= calendar_for('time_entry_spent_on') %></p>
+   <p><%= f.text_field :hours, :size => 6, :required => true %></p>
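Review bot: The changed `span#time_entry_issue` line gates the issue label on `@time_entry.issue.try(:visible?)`, but unlike the other three CVE patches in this commit it ships without a regression test, so a later refresh of the patch could drop the guard unnoticed. A functional test that renders this form with an `issue_id` belonging to a project the logged-in user cannot see and asserts the span is empty would pin it; the assertion would be `assert_select 'span#time_entry_issue', :text => ''`. Since `try` returns nil on a nil receiver, the old `if @time_entry.issue` nil check is fully covered by the new condition and nothing is lost for the no-issue case.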
diff --git a/debian/patches/CVE-2015-8473.patch b/debian/patches/CVE-2015-8473.patch
new file mode 100644
index 0000000..df7c39a
--- /dev/null
+++ b/debian/patches/CVE-2015-8473.patch
@@ -0,0 +1,54 @@
+From a196aaa2a97b6ce23e6ec4c5d5fad30c65a22034 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang at yahoo.fr>
+Date: Wed, 4 Nov 2015 18:17:07 +0000
+Subject: [PATCH] Fixed that Issues API may disclose changesets that are not
+ visible (#21136).
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14794 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/views/issues/show.api.rsb            |  4 ++--
+ test/integration/api_test/issues_test.rb | 14 ++++++++++++++
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+--- a/app/views/issues/show.api.rsb
++++ b/app/views/issues/show.api.rsb
+@@ -39,14 +39,14 @@ api.issue do
+   end if include_in_api_response?('relations') && @relations.present?
+ 
+   api.array :changesets do
+-    @issue.changesets.each do |changeset|
++    @changesets.each do |changeset|
+       api.changeset :revision => changeset.revision do
+         api.user(:id => changeset.user_id, :name => changeset.user.name) unless changeset.user.nil?
+         api.comments changeset.comments
+         api.committed_on changeset.committed_on
+       end
+     end
+-  end if include_in_api_response?('changesets') && User.current.allowed_to?(:view_changesets, @project)
++  end if include_in_api_response?('changesets')
+ 
+   api.array :journals do
+     @journals.each do |journal|
+--- a/test/integration/api_test/issues_test.rb
++++ b/test/integration/api_test/issues_test.rb
+@@ -491,6 +491,20 @@ class Redmine::ApiTest::IssuesTest < Red
+     end
+   end
+ 
++  test "GET /issues/:id.xml should not disclose associated changesets from projects the user has no access to" do
++    project = Project.generate!(:is_public => false)
++    repository = Repository::Subversion.create!(:project => project, :url => "svn://localhost")
++    Issue.find(1).changesets << Changeset.generate!(:repository => repository)
++    assert Issue.find(1).changesets.any?
++
++    get '/issues/1.xml?include=changesets', {}, credentials('jsmith')
++
++    # the user jsmith has no permission to view the associated changeset
++    assert_select 'issue changesets[type=array]' do
++      assert_select 'changeset', 0
++    end
++  end
++
+   context "POST /issues.xml" do
+     should_allow_api_authentication(
+       :post,
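Review bot: The `show.api.rsb` hunk replaces `@issue.changesets` with `@changesets` and removes the `User.current.allowed_to?(:view_changesets, @project)` guard, so changeset visibility in the API response now rests entirely on how the controller assigns `@changesets`, which this patch does not touch. For the packaged 3.0~20140825 snapshot it is worth confirming that the issue `show` action assigns `@changesets` already filtered by changeset visibility before this template runs; if the variable is nil the template raises on `.each`, and if it is assigned unfiltered the patch widens the disclosure it is meant to close. The added integration test covers exactly this case (a changeset in a private project requested by jsmith), so running it against the patched package settles the question. The enclosing `api.issue do` block starts outside the hunk.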
diff --git a/debian/patches/CVE-2015-8474.patch b/debian/patches/CVE-2015-8474.patch
new file mode 100644
index 0000000..ace201c
--- /dev/null
+++ b/debian/patches/CVE-2015-8474.patch
@@ -0,0 +1,106 @@
+From 032f2c9be6520d9d1a1608aa4f1d5d1f184f2472 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang at yahoo.fr>
+Date: Sun, 13 Sep 2015 14:35:20 +0000
+Subject: [PATCH] Open redirect vulnerability (#19577).
+
+Patch by Holger Just.
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14560 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/controllers/application_controller.rb  | 34 +++++++++++++++++++++++-------
+ test/functional/account_controller_test.rb | 11 +++++++++-
+ 2 files changed, 36 insertions(+), 9 deletions(-)
+
+--- a/app/controllers/application_controller.rb
++++ b/app/controllers/application_controller.rb
+@@ -376,8 +376,8 @@ class ApplicationController < ActionCont
+ 
+   def redirect_back_or_default(default, options={})
+     back_url = params[:back_url].to_s
+-    if back_url.present? && valid_back_url?(back_url)
+-      redirect_to(back_url)
++    if back_url.present? && valid_url = validate_back_url(back_url)
++      redirect_to(valid_url)
+       return
+     elsif options[:referer]
+       redirect_to_referer_or default
+@@ -387,8 +387,9 @@ class ApplicationController < ActionCont
+     false
+   end
+ 
+-  # Returns true if back_url is a valid url for redirection, otherwise false
+-  def valid_back_url?(back_url)
++  # Returns a validated URL string if back_url is a valid url for redirection,
++  # otherwise false
++  def validate_back_url(back_url)
+     if CGI.unescape(back_url).include?('..')
+       return false
+     end
+@@ -399,19 +400,36 @@ class ApplicationController < ActionCont
+       return false
+     end
+ 
+-    if uri.host.present? && uri.host != request.host
++    [:scheme, :host, :port].each do |component|
++      if uri.send(component).present? && uri.send(component) != request.send(component)
++        return false
++      end
++      uri.send(:"#{component}=", nil)
++    end
++    # Always ignore basic user:password in the URL
++    uri.userinfo = nil
++
++    path = uri.to_s
++    # Ensure that the remaining URL starts with a slash, followed by a
++    # non-slash character or the end
++    if path !~ %r{\A/([^/]|\z)}
+       return false
+     end
+ 
+-    if uri.path.match(%r{/(login|account/register)})
++    if path.match(%r{/(login|account/register)})
+       return false
+     end
+ 
+-    if relative_url_root.present? && !uri.path.starts_with?(relative_url_root)
++    if relative_url_root.present? && !path.starts_with?(relative_url_root)
+       return false
+     end
+ 
+-    return true
++    return path
++  end
++  private :validate_back_url
++
++  def valid_back_url?(back_url)
++    !!validate_back_url(back_url)
+   end
+   private :valid_back_url?
+ 
+--- a/test/functional/account_controller_test.rb
++++ b/test/functional/account_controller_test.rb
+@@ -63,6 +63,7 @@ class AccountControllerTest < ActionCont
+     # request.uri is "test.host" in test environment
+     back_urls = [
+       'http://test.host/issues/show/1',
++      'http://test.host/',
+       '/'
+     ]
+     back_urls.each do |back_url|
+@@ -108,7 +109,15 @@ class AccountControllerTest < ActionCont
+       'http://test.host/fake/issues',
+       'http://test.host/redmine/../fake',
+       'http://test.host/redmine/../fake/issues',
+-      'http://test.host/redmine/%2e%2e/fake'
++      'http://test.host/redmine/%2e%2e/fake',
++      '//test.foo/fake',
++      'http://test.host//fake',
++      'http://test.host/\n//fake',
++      '//bar at test.foo',
++      '//test.foo',
++      '////test.foo',
++      '@test.foo',
++      'fake at test.foo'
+     ]
+     back_urls.each do |back_url|
+       post :login, :username => 'jsmith', :password => 'jsmith', :back_url => back_url
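Review bot: `if back_url.present? && valid_url = validate_back_url(back_url)` in `redirect_back_or_default` relies on Ruby parsing the assignment as the right operand of `&&`; it works, but it reads like a mistyped `==` and RuboCop's `Lint/AssignmentInCondition` flags it, so parenthesising makes the intent explicit: `if back_url.present? && (valid_url = validate_back_url(back_url))`. In `validate_back_url` the scheme/host/port loop compares each component with the request's before clearing it, which rejects the protocol-relative `//host` forms the new test entries list, and with userinfo also cleared `uri.to_s` should be reduced to path, query and fragment, which `%r{\A/([^/]|\z)}` then requires to start with a single slash (the `\z` alternative is what admits a bare `'/'` and `'http://test.host/'`). Separately, the changelog hunk at the top of this commit spells this identifier `CVE-02015-8474` (extra zero), which tooling that matches CVE ids in changelogs will miss. The `URI.parse` rescue between the two hunks is outside the view.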
diff --git a/debian/patches/CVE-2015-8537.patch b/debian/patches/CVE-2015-8537.patch
new file mode 100644
index 0000000..f217703
--- /dev/null
+++ b/debian/patches/CVE-2015-8537.patch
@@ -0,0 +1,85 @@
+From 7e423fb4538247d59e01958c48b491f196a1de56 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang at yahoo.fr>
+Date: Fri, 4 Dec 2015 12:42:13 +0000
+Subject: [PATCH] Information leak in Atom feed (#21419).
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Patch by Jens Krämer.
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14913 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/views/journals/index.builder            |  2 +-
+ test/functional/journals_controller_test.rb | 42 ++++++++++++++++++++++++++++-
+ 2 files changed, 42 insertions(+), 2 deletions(-)
+
+--- a/app/views/journals/index.builder
++++ b/app/views/journals/index.builder
+@@ -20,7 +20,7 @@ xml.feed "xmlns" => "http://www.w3.org/2
+       end
+       xml.content "type" => "html" do
+         xml.text! '<ul>'
+-        details_to_strings(change.details, false).each do |string|
++        details_to_strings(change.visible_details, false).each do |string|
+           xml.text! '<li>' + string + '</li>'
+         end
+         xml.text! '</ul>'
+--- a/test/functional/journals_controller_test.rb
++++ b/test/functional/journals_controller_test.rb
+@@ -19,7 +19,7 @@ require File.expand_path('../../test_hel
+ 
+ class JournalsControllerTest < ActionController::TestCase
+   fixtures :projects, :users, :members, :member_roles, :roles, :issues, :journals, :journal_details, :enabled_modules,
+-    :trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects
++    :trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects, :projects_trackers
+ 
+   def setup
+     User.current = nil
+@@ -46,6 +46,46 @@ class JournalsControllerTest < ActionCon
+     assert_not_include journal, assigns(:journals)
+   end
+ 
++  def test_index_should_show_visible_custom_fields_only
++    Issue.destroy_all
++    field_attributes = {:field_format => 'string', :is_for_all => true, :is_filter => true, :trackers => Tracker.all}
++    @fields = []
++    @fields << (@field1 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 1', :visible => true)))
++    @fields << (@field2 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 2', :visible => false, :role_ids => [1, 2])))
++    @fields << (@field3 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 3', :visible => false, :role_ids => [1, 3])))
++    @issue = Issue.generate!(
++      :author_id => 1,
++      :project_id => 1,
++      :tracker_id => 1,
++      :custom_field_values => {@field1.id => 'Value0', @field2.id => 'Value1', @field3.id => 'Value2'}
++    )
++    @issue.init_journal(User.find(1))
++    @issue.update_attribute :custom_field_values, {@field1.id => 'NewValue0', @field2.id => 'NewValue1', @field3.id => 'NewValue2'}
++
++
++    user_with_role_on_other_project = User.generate!
++    User.add_to_project(user_with_role_on_other_project, Project.find(2), Role.find(3))
++    users_to_test = {
++      User.find(1) => [@field1, @field2, @field3],
++      User.find(3) => [@field1, @field2],
++      user_with_role_on_other_project => [@field1], # should see field1 only on Project 1
++      User.generate! => [@field1],
++      User.anonymous => [@field1]
++    }
++
++    users_to_test.each do |user, visible_fields|
++      get :index, :format => 'atom', :key => user.rss_key
++      @fields.each_with_index do |field, i|
++        if visible_fields.include?(field)
++          assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 1 }, "User #{user.id} was not able to view #{field.name} in API"
++        else
++          assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 0 }, "User #{user.id} was able to view #{field.name} in API"
++        end
++      end
++    end
++
++  end
++
+   def test_diff
+     get :diff, :id => 3, :detail_id => 4
+     assert_response :success
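Review bot: The `index.builder` hunk switches to `change.visible_details`, so the feed's filtering now depends on a `Journal#visible_details` method being present in this 3.0~20140825 snapshot and on it resolving the viewer from the rss-key authentication that `:key => user.rss_key` in the test exercises; the patch does not add the method, so if the packaged tree lacks it the template raises `NoMethodError` for every feed request rather than leaking less. The added `test_index_should_show_visible_custom_fields_only` has two consecutive blank lines after the `update_attribute` call and a blank line before its closing `end`, unlike the surrounding tests; dropping them avoids a `Layout/EmptyLines` complaint and keeps the backported test closer to upstream for later refreshes. The enclosing `xml.feed` block and the test class start outside the hunk.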
diff --git a/debian/patches/series b/debian/patches/series
index 8311190..05ce36f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,7 @@ invalidate-language-cache-from-older-versions.diff
 avoid-crash-on-issues.diff
 0001-Escape-flash-messages-19117.patch
 fix-move-issue-between-projects.patch
+CVE-2015-8346.patch
+CVE-2015-8474.patch
+CVE-2015-8473.patch
+CVE-2015-8537.patch
