[Pkg-sympa-commits] [SCM] sympa Debian packaging branch, master, updated. debian/6.1.11_dfsg-1-2-g2436b42

Emmanuel Bouthenot kolter at openics.org
Sun May 20 12:49:31 UTC 2012


The following commit has been merged in the master branch:
commit c88e49874b20021e2be4d20aaed63d3366c57b43
Author: Emmanuel Bouthenot <kolter at openics.org>
Date:   Sun May 20 12:31:47 2012 +0000

    Properly fix CVE-2012-2352

diff --git a/debian/patches/2007_fix_CVE-2012-2352.patch b/debian/patches/2007_fix_CVE-2012-2352.patch
new file mode 100644
index 0000000..f9e431a
--- /dev/null
+++ b/debian/patches/2007_fix_CVE-2012-2352.patch
@@ -0,0 +1,32 @@
+Description: Properly fix CVE-2012-2352
+Author: Emmanuel Bouthenot <kolter at debian.org>
+Bug-Debian: http://bugs.debian.org/672893
+Last-Update: 2012-05-20
+--- a/wwsympa/wwsympa.fcgi.in
++++ b/wwsympa/wwsympa.fcgi.in
+@@ -573,7 +573,9 @@
+ ## Defines the required privileges to access privileged actions
+ ## You can define a set ofequiivalent privileges in the ARRAYREF
+ my %required_privileges = ('admin' => ['owner','editor'],
++			   'arc_delete' => ['owner'],
+ 			   'arc_download' => ['owner'],
++			   'arc_manage' => ['owner'],
+ 			   'blacklist' => ['owner','editor'],
+ 			   'close_list' => ['privileged_owner'],
+ 			   'close_list_request' => ['privileged_owner'],
+@@ -2240,6 +2242,7 @@
+ 	  &wwslog('info',"missing parameter '$arg_name'");
+ 	  &web_db_log({'status' => 'error',
+ 		       'error_type' => 'missing_parameter'});
++	  delete $param->{'list'};
+ 	  return undef;
+ 	}
+       }
+@@ -2261,6 +2264,7 @@
+       &wwslog('info','authorization failed, insufficient privileges');
+       &web_db_log({'status' => 'error',
+ 		   'error_type' => 'authorization'});		      
++      delete $param->{'list'};
+       return undef;
+     }
+   }
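Review bot: `%required_privileges` remains an opt-in table, so a privileged action that nobody lists appears to get no privilege check at all (the code that consults the table is outside this hunk). Adding `'arc_delete'` and `'arc_manage'` covers the two actions named here, but the remaining archive and list-management actions should be audited against the table in the same pass, and the check would ideally refuse any list-scoped action that has no entry. The `delete $param->{'list'};` cleanup is added only to the two failure returns visible at -2240 and -2261. The enclosing sub starts and ends outside the hunk, so every other `return undef` in it should be checked for the same cleanup. Neither added line says why it is there; if the intent is what it looks like, a comment such as `## Drop the list context on refusal so the error response is not rendered as list-scoped` above each would stop a later refactor from removing it.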
diff --git a/debian/patches/series b/debian/patches/series
index 54692bf..7e00a1e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
 2005_disable_build_non_dfsg_po_files.patch
 #2991_sanitize_make_all.patch
 2006_disable_cssupdated_email_on_update.patch
+2007_fix_CVE-2012-2352.patch

-- 
sympa Debian packaging


