Debian Bug report logs - #614576
request-tracker3.8: CVE-2011-1008: Scrip information leakage


Package: request-tracker3.8; Maintainer for request-tracker3.8 is Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>;

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Tue, 22 Feb 2011 11:48:18 UTC

Severity: important

Tags: security

Found in version request-tracker3.8/3.8.8-7

Fixed in versions request-tracker3.8/3.8.9-1, request-tracker3.8/3.8.8-7+squeeze1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>:
Bug#614576; Package request-tracker3.8. (Tue, 22 Feb 2011 11:48:21 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Tue, 22 Feb 2011 11:48:21 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: request-tracker3.8: Scrip information leakage
Date: Tue, 22 Feb 2011 11:46:04 +0000
Package: request-tracker3.8
Version: 3.8.8-7
Severity: important
Tags: security

The following appears in the changelog of 3.8.9:

 * Clone Scrip's TicketObj since we change the CurrentUser and it can leak
    information (Custom field values, etc)

This may warrant an update in s-p-u.




Bug Marked as fixed in versions request-tracker3.8/3.8.9-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 22 Feb 2011 11:54:09 GMT) Full text and rfc822 format available.

Changed Bug title to 'request-tracker3.8: CVE-2011-1008: Scrip information leakage' from 'request-tracker3.8: Scrip information leakage' Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 25 Feb 2011 18:09:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>:
Bug#614576; Package request-tracker3.8. (Fri, 25 Feb 2011 18:54:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Fri, 25 Feb 2011 18:54:08 GMT) Full text and rfc822 format available.

Message #14 received at 614576@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 614575@bugs.debian.org, 614576@bugs.debian.org
Subject: CVE IDs etc.
Date: Fri, 25 Feb 2011 20:04:31 +0200
package request-tracker3.8
retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks
retitle 614576 request-tracker3.8: CVE-2011-1008: Scrip information leakage
forwarded 614575 http://issues.bestpractical.com/Ticket/Display.html?id=15804
thanks

Just filling in some administrivia based on
 http://permalink.gmane.org/gmane.comp.security.oss.general/4243
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247

On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:
> Package: request-tracker3.8
> Version: 3.8.8-7
> Severity: important
> Tags: security
>
> The following appears in the changelog of 3.8.9:
>
>  * Redirect users to their desired pages after login.
>     This prevents possible back button attacks after a user logs out.
>

This has been assigned CVE-2011-1007. 

The base patch was
 https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4
but, as discussed in
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247
this breaks RT-Authen-ExternalAuth and was augmented by other changes on
the same branch later.

A targeted fix should be discussed with <security@bestpractical.com>,
as requested by Thomas Sibley in the above message.

On Tue, Feb 22, 2011 at 11:46:04AM +0000, Dominic Hargreaves wrote:
> Package: request-tracker3.8
> Version: 3.8.8-7
> Severity: important
> Tags: security
> 
> The following appears in the changelog of 3.8.9:
> 
>  * Clone Scrip's TicketObj since we change the CurrentUser and it can leak
>     information (Custom field values, etc)

This has been assigned CVE-2011-1008.
A patch is
 https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3
but again, upstream requests coordination for targeted fixes in
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247

I don't have the time to drive this further myself, just noticed the
thread at oss-security.
-- 
Niko Tyni   ntyni@debian.org
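A model of the bug class behind the changelog entry quoted above ("Clone Scrip's TicketObj since we change the CurrentUser and it can leak information"), added here as an illustration; it is not RT's code and not part of this bug log. The Ticket class, its per-object cache, the custom-field names and rights, and the two scrip functions are constructed assumptions standing in for RT's TicketObj and CurrentUser handling: values are permission-checked against the object's current user when first loaded and then cached, so re-labelling the same object with a less-privileged user serves the cached values without a fresh check, whereas a clone starts with an empty cache and re-checks everything for the new user.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    privileged: bool


# Constructed sample data (not from RT): one custom field on ticket 1 that
# only privileged users are allowed to read.
CUSTOM_FIELD_VALUES = {("Internal Notes", 1): "contract renewal at risk"}
CUSTOM_FIELD_RIGHTS = {"Internal Notes": "privileged"}


class Ticket:
    """Hypothetical model of a ticket object: custom-field values are
    permission-checked against the current user when first loaded, then cached."""

    def __init__(self, ticket_id, current_user):
        self.id = ticket_id
        self.current_user = current_user
        self._cf_cache = {}

    def set_current_user(self, user):
        # Re-labels the same object; the cache filled under the old user survives.
        self.current_user = user

    def clone_for(self, user):
        # The pattern the 3.8.9 changelog describes: a fresh object for the new
        # user, so every value is re-checked against that user's rights.
        return Ticket(self.id, user)

    def custom_field_value(self, name):
        if name in self._cf_cache:
            return self._cf_cache[name]  # served without re-checking rights
        needs = CUSTOM_FIELD_RIGHTS.get(name)
        if needs == "privileged" and not self.current_user.privileged:
            value = None  # hidden from unprivileged users
        else:
            value = CUSTOM_FIELD_VALUES.get((name, self.id))
        self._cf_cache[name] = value
        return value


def scrip_shared_object(ticket, run_as):
    """Vulnerable pattern: reuse the caller's ticket object after swapping
    the current user to `run_as`. Whatever the previous user already loaded leaks."""
    ticket.custom_field_value("Internal Notes")  # loaded as the original user
    ticket.set_current_user(run_as)
    return ticket.custom_field_value("Internal Notes")


def scrip_cloned_object(ticket, run_as):
    """Fixed pattern: clone before changing users; the clone has an empty cache."""
    ticket.custom_field_value("Internal Notes")
    view = ticket.clone_for(run_as)
    return view.custom_field_value("Internal Notes")


def demo():
    """Run both patterns with a privileged loader and an unprivileged scrip user."""
    staff = User("staff", privileged=True)
    requestor = User("requestor", privileged=False)
    leaked = scrip_shared_object(Ticket(1, staff), requestor)
    fixed = scrip_cloned_object(Ticket(1, staff), requestor)
    return leaked, fixed


if __name__ == "__main__":
    leaked, fixed = demo()
    print("shared object, run as requestor:", leaked)
    print("cloned object, run as requestor:", fixed)
```

The point for a reviewer of similar code: any object that caches permission-filtered data must be treated as bound to the user it was loaded for; changing the user label on it is not a privilege change, only a clone or reload is.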




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Wed, 20 Apr 2011 02:03:59 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Wed, 20 Apr 2011 02:03:59 GMT) Full text and rfc822 format available.

Message #19 received at 614576-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 614576-close@bugs.debian.org
Subject: Bug#614576: fixed in request-tracker3.8 3.8.8-7+squeeze1
Date: Wed, 20 Apr 2011 01:55:51 +0000
Source: request-tracker3.8
Source-Version: 3.8.8-7+squeeze1

We believe that the bug you reported is fixed in the latest version of
request-tracker3.8, which is due to be installed in the Debian FTP archive:

request-tracker3.8_3.8.8-7+squeeze1.diff.gz
  to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1.diff.gz
request-tracker3.8_3.8.8-7+squeeze1.dsc
  to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1.dsc
request-tracker3.8_3.8.8-7+squeeze1_all.deb
  to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1_all.deb
rt3.8-apache2_3.8.8-7+squeeze1_all.deb
  to main/r/request-tracker3.8/rt3.8-apache2_3.8.8-7+squeeze1_all.deb
rt3.8-clients_3.8.8-7+squeeze1_all.deb
  to main/r/request-tracker3.8/rt3.8-clients_3.8.8-7+squeeze1_all.deb
rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
  to main/r/request-tracker3.8/rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
  to main/r/request-tracker3.8/rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
  to main/r/request-tracker3.8/rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614576@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated request-tracker3.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 14 Apr 2011 08:55:14 +0100
Source: request-tracker3.8
Binary: request-tracker3.8 rt3.8-clients rt3.8-apache2 rt3.8-db-postgresql rt3.8-db-mysql rt3.8-db-sqlite
Architecture: source all
Version: 3.8.8-7+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 request-tracker3.8 - extensible trouble-ticket tracking system
 rt3.8-apache2 - Apache 2 specific files for request-tracker3.8
 rt3.8-clients - mail gateway and command-line interface to request-tracker3.8
 rt3.8-db-mysql - MySQL database backend for request-tracker3.8
 rt3.8-db-postgresql - PostgreSQL database backend for request-tracker3.8
 rt3.8-db-sqlite - SQLite database backend for request-tracker3.8
Closes: 614576
Changes: 
 request-tracker3.8 (3.8.8-7+squeeze1) stable-security; urgency=high
 .
   * Security fix: fix information leakage in scrips (Closes: 614576;
     CVE-2011-1008)
   * Multiple security fixes for:
     - Remote code execution in external custom fields (CVE-2011-1685)
     - Information disclosure via SQL injection (CVE-2011-1686)
     - Information disclosure via search interface (CVE-2011-1687)
     - Information disclosure via directory traversal (CVE-2011-1688)
     - User javascript execution via XSS vulnerability (CVE-2011-1689)
     - Authentication credentials theft (CVE-2011-1690)
Checksums-Sha1: 
 ad823570406581796e6312f1016d188225057778 1632 request-tracker3.8_3.8.8-7+squeeze1.dsc
 be3ac598dcbf584f9bcd9a49248a9ccd3affb330 5109734 request-tracker3.8_3.8.8.orig.tar.gz
 442bc7dfd8a46e1b034ae41a8505f17036183080 83370 request-tracker3.8_3.8.8-7+squeeze1.diff.gz
 144014473a8f3b1b224e7950a4186aa561b9dfb4 4656416 request-tracker3.8_3.8.8-7+squeeze1_all.deb
 267277fd65f83e2e8567d2616cb387e01f714eae 47020 rt3.8-clients_3.8.8-7+squeeze1_all.deb
 0608364eb70e163515c3921f1f42aabbeac461d3 12450 rt3.8-apache2_3.8.8-7+squeeze1_all.deb
 06041598f589105a3bbe03bade37470256e0230d 11134 rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
 5e3aea667516da514a9a90501073e98d93aafa79 11134 rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
 b8222869f3a915fbe5f49c9a473f0b59d207ae1f 11226 rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
Checksums-Sha256: 
 b5d3cfa8409b2c66df4f434705ab99af9e31c20684ea75b77dd14e5be1d0130a 1632 request-tracker3.8_3.8.8-7+squeeze1.dsc
 d3932febc5b3fa1da1168713f305a095ea6b40dd22d508849471e6637ba04c02 5109734 request-tracker3.8_3.8.8.orig.tar.gz
 f3713dc51a6dbb0e5a445626a462efdd29c4850fd1a7ced46d07fa4a8a53df8a 83370 request-tracker3.8_3.8.8-7+squeeze1.diff.gz
 beec7ee70ccbaed7d616dc54988d36c03fb5137548f5ee3863e0f596c3557ae1 4656416 request-tracker3.8_3.8.8-7+squeeze1_all.deb
 ec8ff0be77210063f840d5ad2ae720817ad235fcf86d651881c159c6d81cde00 47020 rt3.8-clients_3.8.8-7+squeeze1_all.deb
 fbd183972df1a3c30f6314d3c3b0373be22d6dfd811edd3bc8c0db8c79f077dd 12450 rt3.8-apache2_3.8.8-7+squeeze1_all.deb
 a83d45436c3fd9cc39d47a3d68bd3d10c266785ff9b502afcc6cf028ecf79d9d 11134 rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
 00cafd445840905337c499855f76374d5179a864e3ece372f6f420c9b0e63b12 11134 rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
 deb075b3ce94babb4c274310f5a9142bcad878bac2fcf92ed7fa73bae50159e6 11226 rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
Files: 
 89060935bb2e4552dcec70205480f315 1632 misc optional request-tracker3.8_3.8.8-7+squeeze1.dsc
 de062840ce6e2fdb323d77dddf8ff485 5109734 misc optional request-tracker3.8_3.8.8.orig.tar.gz
 30a52734a3aac6914591d3115707666c 83370 misc optional request-tracker3.8_3.8.8-7+squeeze1.diff.gz
 d677ce379af31b287a816e499a4561e9 4656416 misc optional request-tracker3.8_3.8.8-7+squeeze1_all.deb
 b11befa7a21f6d039a408adf62c524c5 47020 misc optional rt3.8-clients_3.8.8-7+squeeze1_all.deb
 6935f7973dd67f4456af062c8aecf4bc 12450 misc optional rt3.8-apache2_3.8.8-7+squeeze1_all.deb
 c199403b24b5e9e3c41b2d3b49412426 11134 misc optional rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
 81d4715c06630ee391040e74e799f285 11134 misc optional rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
 4575725abd5cf5e7648ea6fb51b9d88f 11226 misc optional rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNrbAfYzuFKFF44qURAtmxAJ9KVXwf7Mlu8d7eQs+R3ezKoH7/YACgnK0B
ZrycySH+GaSAyOMFgOBMyGM=
=A+fr
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 18 May 2011 07:41:43 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:21:50 2014; Machine Name: buxtehude.debian.org
