Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Toni Mueller <toni@debian.org>: Bug#518768; Package roundup.
(Sun, 08 Mar 2009 14:03:06 GMT)
Acknowledgement sent
to Sebastian Harl <sh@tokkee.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Toni Mueller <toni@debian.org>.
(Sun, 08 Mar 2009 14:03:06 GMT)
Package: roundup
Version: 1.2.1-5+etch2
Severity: grave
Tags: security
Justification: user security hole
Hi,
Daniel Diniz discovered that EditCSVAction does not include appropriate
permission checks allowing any user to edit any item in a class she has
create / edit privileges for. This includes, amongst others, modifying
content of existing messages or issues, changing user settings or adding
roles to existing users, which allows one to gain admin privileges.
The attack may be done using specially crafted but simple URLs. I'm not
adding an example since I'm not sure this should be made public yet. I
will provide examples to the package maintainer and the security team on
request though.
See upstream issue 2550521 [1] for more details and the original report
by Daniel - that issue mentions editing saved queries only though as the
real impact of the bug was not known at that time.
Afaik, there is no CVE for this issue yet.
Cheers,
Sebastian
[1] http://issues.roundup-tracker.org/issue2550521
--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/
Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
Bug marked as found in version 1.4.4-4.
Request was from Sebastian Harl <sh@tokkee.org>
to control@bugs.debian.org.
(Sun, 08 Mar 2009 14:21:06 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Toni Mueller <toni@debian.org>: Bug#518768; Package roundup.
(Sun, 08 Mar 2009 15:39:04 GMT)
Acknowledgement sent
to Sebastian Harl <sh@tokkee.org>:
Extra info received and forwarded to list. Copy sent to Toni Mueller <toni@debian.org>.
(Sun, 08 Mar 2009 15:39:04 GMT)
Hi again,
On Sun, Mar 08, 2009 at 03:01:36PM +0100, Sebastian Harl wrote:
> Daniel Diniz discovered that EditCSVAction does not include appropriate
> permission checks allowing any user to edit any item in a class she has
> create / edit privileges for. This includes, amongst others, modifying
> content of existing messages or issues, changing user settings or adding
> roles to existing users which allows to gain admin privileges
The attached trivial patch disables EditCSVAction altogether. Afaik,
this feature is useful for batch editing only and isn't used by any
other parts of the web-interface (however, features like "roundup-admin
import" might use it as well), so it should be an appropriate
countermeasure in most cases for now.
Cheers,
Sebastian
PS: This patch is against the roundup source tree. To apply it to your
local installation use something like:
cd /usr/share/pyshared
patch -p1 < bts518768-disable-editcsv.patch
--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/
Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
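As an added example (not Roundup's code and not the attached patch), the pattern both messages describe, modelled in Python: a CSV batch-edit action in the shape the report describes, where the caller's identity is never consulted, beside a hardened form that checks Edit permission per item and per property before writing anything. The class layout, the policy in `has_permission`, and all sample data are assumptions constructed for the example.

```python
import csv
import io


class Unauthorised(Exception):
    """Raised when a batch edit touches something the user may not change."""


def make_db():
    # Constructed sample data: two items of a 'user' class keyed by item id.
    return {"1": {"username": "admin", "roles": "Admin"},
            "2": {"username": "alice", "roles": "User"}}


def has_permission(db, userid, classname, itemid, prop):
    # Hypothetical policy (an assumption, not Roundup's own): Admins may edit
    # anything; other users may edit only their own item and never 'roles'.
    if db[userid]["roles"] == "Admin":
        return True
    return classname == "user" and itemid == userid and prop != "roles"


def edit_csv_unchecked(db, userid, csv_text):
    # Vulnerable shape: the caller's identity is never consulted, so any user
    # who can reach the action rewrites every item the CSV names.
    for row in csv.DictReader(io.StringIO(csv_text)):
        db[row.pop("id")].update(row)
    return db


def edit_csv_checked(db, userid, csv_text):
    # Hardened shape: check Edit permission per item and per property, and
    # reject the whole batch before any row is written.
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        for prop in row:
            if prop != "id" and not has_permission(db, userid, "user", row["id"], prop):
                raise Unauthorised("user %s may not edit %s of item %s"
                                   % (userid, prop, row["id"]))
    for row in rows:
        db[row.pop("id")].update(row)
    return db


def is_rejected(db, userid, csv_text):
    # True when the hardened action refuses the batch and leaves db untouched.
    try:
        edit_csv_checked(db, userid, csv_text)
    except Unauthorised:
        return True
    return False


# Constructed batch: the non-admin user (id 2) tries to grant herself Admin.
BATCH = "id,username,roles\n2,alice,Admin\n"
```

Checking the whole batch before writing any row matters for batch actions: a per-row check that writes as it goes would leave a half-applied batch behind when a later row is refused.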
Subject: Bug#518768: fixed in roundup 1.4.4-4+lenny1
Date: Tue, 24 Mar 2009 19:53:39 +0000
Source: roundup
Source-Version: 1.4.4-4+lenny1
We believe that the bug you reported is fixed in the latest version of
roundup, which is due to be installed in the Debian FTP archive:
roundup_1.4.4-4+lenny1.diff.gz
to pool/main/r/roundup/roundup_1.4.4-4+lenny1.diff.gz
roundup_1.4.4-4+lenny1.dsc
to pool/main/r/roundup/roundup_1.4.4-4+lenny1.dsc
roundup_1.4.4-4+lenny1_all.deb
to pool/main/r/roundup/roundup_1.4.4-4+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 518768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Toni Mueller <toni@debian.org> (supplier of updated roundup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 22 Mar 2009 21:51:12 +0100
Source: roundup
Binary: roundup
Architecture: source all
Version: 1.4.4-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Toni Mueller <toni@debian.org>
Changed-By: Toni Mueller <toni@debian.org>
Description:
roundup - an issue-tracking system
Closes: 518669 518768
Changes:
roundup (1.4.4-4+lenny1) stable-security; urgency=high
.
* fix EditCSVAction and other security issues (closes: #518768)
Special thanks for this to Daniel (ajax) Diniz, Richard Jones,
and, by extension, to Stefan Seefeld.
Upstream issue: #2550529
* unbreak copying issue (closes: #518669)
* fix SMTP-TLS (upstream issue: #2484879)
* fix crashes on bogus pagination request (upstream issue: #2550530)
* fix a search problem (upstream issue: #2550505)
Reply sent
to Toni Mueller <toni@debian.org>:
You have taken responsibility.
(Sat, 11 Apr 2009 17:18:06 GMT)
Notification sent
to Sebastian Harl <sh@tokkee.org>:
Bug acknowledged by developer.
(Sat, 11 Apr 2009 17:18:06 GMT)
Subject: Bug#518768: fixed in roundup 1.4.4-4+lenny1
Date: Sat, 11 Apr 2009 16:47:41 +0000
Source: roundup
Source-Version: 1.4.4-4+lenny1
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 10 May 2009 07:34:03 GMT)