Multiple security vulnerabilities in request-tracker3.8

Bug #1004834 reported by Dominic Hargreaves
This bug affects 2 people
Affects                        Status        Importance  Assigned to       Milestone
request-tracker3.8 (Ubuntu)    Invalid       Undecided   Unassigned
  Lucid                        Fix Released  Undecided   Marc Deslauriers
  Natty                        Invalid       Undecided   Marc Deslauriers
  Oneiric                      Fix Released  Undecided   Marc Deslauriers
  Precise                      Fix Released  Undecided   Marc Deslauriers
  Quantal                      Invalid       Undecided   Unassigned

Bug Description

Upstream reported multiple remotely exploitable vulnerabilities in request-tracker3.8. Patches are described in:

http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000206.html

Dominic Hargreaves (dom)
visibility: private → public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in request-tracker3.8 (Ubuntu):
status: New → Confirmed
description: updated
Dominic Hargreaves (dom) wrote : Re: [Bug 1004834] Re: Multiple security vulnerabilities in request-tracker3.8

Patches ready for testing attached. See also
svn://svn.debian.org/svn/pkg-request-tracker/packages/request-tracker3.8/branches/lucid
svn://svn.debian.org/svn/pkg-request-tracker/packages/request-tracker3.8/branches/natty
[oneiric is the same as natty, so only version numbers to be updated there]
svn://svn.debian.org/svn/pkg-request-tracker/packages/request-tracker3.8/branches/precise

Note that I don't run RT on Ubuntu systems so can't help with testing.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Thomas Sibley (thomas-sibley) wrote :

Any word on when these security fixes might make it into lucid?

Jamie Strandboge (jdstrand) wrote :

Sorry for the delayed response. ubuntu-security-sponsors was not subscribed as per https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing_an_update so this didn't show up on the appropriate lists.

Changed in request-tracker3.8 (Ubuntu Lucid):
status: New → Triaged
Changed in request-tracker3.8 (Ubuntu Natty):
status: New → Triaged
Changed in request-tracker3.8 (Ubuntu Oneiric):
status: New → Triaged
Changed in request-tracker3.8 (Ubuntu Precise):
status: New → Triaged
Changed in request-tracker3.8 (Ubuntu):
status: Confirmed → Invalid
Jamie Strandboge (jdstrand) wrote :

request-tracker3.8 does not exist in 12.10.

Jamie Strandboge (jdstrand) wrote :

Thank you for submitting debdiffs for this issue. It looks like Debian had to add several regression fixes for request-tracker3.8. In particular:
request-tracker3.8 (3.8.8-7+squeeze5) stable-security; urgency=low

  * Apply upstream patch fixing regression in rt-email-dashboards, and
    whitelist search results and calendar helper from CSRF protection
    (Closes: #686392)

 -- Dominic Hargreaves <email address hidden> Thu, 13 Sep 2012 18:53:17 +0100

request-tracker3.8 (3.8.8-7+squeeze4) stable-security; urgency=low

  * Apply second fix for regression introduced by previous security fix
    when sending email with mod_perl (Closes: #674924)

 -- Dominic Hargreaves <email address hidden> Sun, 03 Jun 2012 19:31:47 +0100

request-tracker3.8 (3.8.8-7+squeeze3) stable-security; urgency=high

  * Apply fix for regression introduced by previous security fix
    when sending email with mod_perl (Closes: #674522)
  * Provide specific instructions for restarting a mod_perl based
    Apache server (Closes: #674558)

 -- Dominic Hargreaves <email address hidden> Sat, 26 May 2012 11:17:34 +0100

Should these fixes be incorporated into your debdiffs? Based on patch 79 and 80, it seems like squeeze3 and squeeze4 were incorporated, but not squeeze5 yet.

Also, the debdiff does not comply with https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging in the following ways:
 * SECURITY UPDATE is not listed in the debian/changelog
 * The patches do not contain DEP-3 comments (http://dep.debian.net/deps/dep3/). Lack of DEP-3 comments makes it difficult for reviewers to verify that the patches are correct. For example:
  * 77_patchset-2012-05-07-3.8.7.dpatch has comments but not the specific commit for the patch
  * 78_patchset-2012-05-15-3.8.7.dpatch does not have the specific commit for the patch
  * 79_sendmail_mod_perl_pipe_fix.dpatch has comments, but not in the form of DEP-3
  * 80_sendmail_mod_perl_pipe_fix_again.dpatch has comments, but not in the form of DEP-3

If you are going to resubmit to incorporate the squeeze5 changes, can you update the debdiffs for the above?

Unsubscribing ubuntu-security-sponsors for now. After resubmitting the new debdiffs, please resubscribe ubuntu-security-sponsors. Thanks again for all your work on this! :)

Changed in request-tracker3.8 (Ubuntu Lucid):
status: Triaged → Incomplete
assignee: nobody → Dominic Hargreaves (dom)
Changed in request-tracker3.8 (Ubuntu Natty):
status: Triaged → Incomplete
assignee: nobody → Dominic Hargreaves (dom)
Changed in request-tracker3.8 (Ubuntu Oneiric):
status: Triaged → Incomplete
assignee: nobody → Dominic Hargreaves (dom)
Changed in request-tracker3.8 (Ubuntu Precise):
status: Triaged → Incomplete
assignee: nobody → Dominic Hargreaves (dom)
Changed in request-tracker3.8 (Ubuntu Lucid):
assignee: Dominic Hargreaves (dom) → Marc Deslauriers (mdeslaur)
Changed in request-tracker3.8 (Ubuntu Natty):
assignee: Dominic Hargreaves (dom) → Marc Deslauriers (mdeslaur)
Changed in request-tracker3.8 (Ubuntu Oneiric):
assignee: Dominic Hargreaves (dom) → Marc Deslauriers (mdeslaur)
Changed in request-tracker3.8 (Ubuntu Precise):
assignee: Dominic Hargreaves (dom) → Marc Deslauriers (mdeslaur)
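For reference, this is the shape of a DEP-3 header the review above asks for, written here as an added illustration rather than taken from this bug's debdiffs. The patch subject and Debian bug number come from the changelog quoted in the comment; the upstream commit id and author address are placeholders:

```text
Description: Fix sendmail pipe handling when sending email under mod_perl
 Regression fix for the earlier security update; the referenced Debian
 bug holds the original report.
Origin: upstream, commit:<UPSTREAM-COMMIT-ID-PLACEHOLDER>
Bug-Debian: http://bugs.debian.org/674522
Forwarded: not-needed
Author: Dominic Hargreaves <ADDRESS-PLACEHOLDER>
Last-Update: 2012-05-26
```

The Origin line is the field that lets a reviewer check the patch against the specific upstream commit, which is what the review above found missing.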
Dominic Hargreaves (dom) wrote :

Hello Jamie,

I don't see any reference to DEP3 in your wiki page and even if it were there it doesn't seem like a good reason to reject changes (after all in Debian DEP3 is not a requirement, nor is it (AFAICR) mentioned in Policy at all yet). As for the source of the commits, the updates are based on rolled up commits from upstream. Note that I'm acting as the Debian maintainer of these packages, not an Ubuntu developer, so I was hoping that an Ubuntu developer would be able to make any fine tweaks to my submissions before uploading them to Ubuntu. There's only so much energy I have when it comes to rolling updates for Ubuntu, especially when it's not clear that they will ever get released (#750339).

As for your question about the September regression: yes that should be applied, although it is a fairly minor regression compared to the other two, which as you have noticed were included.

As for the delay on this bug report - perhaps the bug system could be improved so that the security team are told about issues tagged as security issues?

There has been another round of updates from Best Practical (http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html); they are available in Debian squeeze and the patch round-ups are at http://download.bestpractical.com/pub/rt/release/security-2012-10-25.tar.gz.

Please help me decide whether it's a good use of my time to submit updates for the latest issues based on the work I've already done in Debian.

Lastly, I notice that this bug was assigned to me, and then assigned to Marc instead. Please let me know the implications of this; is there work ongoing already? I don't want to duplicate work unnecessarily.

Dominic Hargreaves (dom) wrote :

Typically, I see the DEP3 stuff jump out of the wiki page immediately after submitting the previous comment, so scratch that part of the comment.

Jamie Strandboge (jdstrand) wrote :

Thanks for your response, I probably wouldn't have rejected on those points alone but I found it difficult to verify the fixes and had other questions anyway. We are subscribed to security bugs in Ubuntu, however, due to a change in Launchpad we didn't see them in reports (those reports have since been fixed) and because ubuntu-security-sponsors wasn't subscribed we didn't see it there either. Again, sorry for the delay. Marc Deslauriers from the Ubuntu Security team will be incorporating these changes with a new update that has the fixes for the new vulnerabilities.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Marc Deslauriers (mdeslaur) wrote :

I have prepared some untested updates in the security team proposed PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages

If someone could give them a whirl, I'll get them pocket-copied into -proposed for wider testing.

Dominic Hargreaves (dom) wrote : Re: [Bug 1004834] Re: Multiple security vulnerabilities in request-tracker3.8

On Tue, Nov 13, 2012 at 03:01:33PM -0000, Marc Deslauriers wrote:
> I have prepared some untested updates in the security team proposed PPA
> here:
>
> https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages
>
> If someone could give them a whirl, I'll get them pocket-copied into
> -proposed for more wider testing.

I've asked on rt-users[1] for testing.

[1] <http://lists.bestpractical.com/pipermail/rt-users/2012-November/078449.html>

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Marc Deslauriers (mdeslaur) wrote :

Great, thanks Dominic, and thanks for all your work on these updates!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package request-tracker3.8 - 3.8.7-1ubuntu2.3

---------------
request-tracker3.8 (3.8.7-1ubuntu2.3) lucid-security; urgency=low

  [ Dominic Hargreaves ]
  * Multiple security fixes for:
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Fix the vulnerable-passwords script to also upgrade password hashes
    for disabled users, and rerun the script in postinst (CVE-2011-2082)
  * Include clean-user-txns script to accompany the above fixes, and
    run in postinst
  * Provide specific instructions for restarting a mod_perl based
    Apache server

  [ Marc Deslauriers ]
  * debian/patches/81_misc_sec_regressions.dpatch: fix regression in
    rt-email-dashboards, and whitelist search results and calendar helper
    from CSRF protection
  * SECURITY UPDATE: Multiple security fixes (LP: #1004834):
    - Email header injection attack (CVE-2012-4730)
    - CSRF protection allows attack on bookmarks (CVE-2012-4732)
    - Confused deputy attack for non-logged-in users (CVE-2012-4734)
    - Multiple message signing/encryption attacks related to GnuPG
      (CVE-2012-4735)
    - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)
 -- Marc Deslauriers <email address hidden> Fri, 09 Nov 2012 15:15:40 -0500

Changed in request-tracker3.8 (Ubuntu Lucid):
status: Incomplete → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package request-tracker3.8 - 3.8.11-1ubuntu0.1

---------------
request-tracker3.8 (3.8.11-1ubuntu0.1) precise-security; urgency=low

  [ Dominic Hargreaves ]
  * Multiple security fixes for:
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Fix the vulnerable-passwords script to also upgrade password hashes
    for disabled users, and rerun the script in postinst (CVE-2011-2082)
  * Include clean-user-txns script to accompany the above fixes, and
    run in postinst
  * Provide specific instructions for restarting a mod_perl based
    Apache server

  [ Marc Deslauriers ]
  * debian/patches/60_misc_sec_regressions.dpatch: fix regression in
    rt-email-dashboards, and whitelist search results and calendar helper
    from CSRF protection
  * SECURITY UPDATE: Multiple security fixes (LP: #1004834):
    - Email header injection attack (CVE-2012-4730)
    - CSRF protection allows attack on bookmarks (CVE-2012-4732)
    - Confused deputy attack for non-logged-in users (CVE-2012-4734)
    - Multiple message signing/encryption attacks related to GnuPG
      (CVE-2012-4735)
    - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)
 -- Marc Deslauriers <email address hidden> Fri, 09 Nov 2012 15:08:36 -0500

Changed in request-tracker3.8 (Ubuntu Precise):
status: Incomplete → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package request-tracker3.8 - 3.8.10-1ubuntu0.1

---------------
request-tracker3.8 (3.8.10-1ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Multiple security fixes (LP: #1004834):
    - Email header injection attack (CVE-2012-4730)
    - CSRF protection allows attack on bookmarks (CVE-2012-4732)
    - Confused deputy attack for non-logged-in users (CVE-2012-4734)
    - Multiple message signing/encryption attacks related to GnuPG
      (CVE-2012-4735)
    - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Fix the vulnerable-passwords script to also upgrade password hashes
    for disabled users, and rerun the script in postinst (CVE-2011-2082)
  * Include clean-user-txns script to accompany the above fixes, and
    run in postinst
  * Provide specific instructions for restarting a mod_perl based
    Apache server
  * debian/patches/60_misc_sec_regressions.dpatch: fix regression in
    rt-email-dashboards, and whitelist search results and calendar helper
    from CSRF protection
 -- Marc Deslauriers <email address hidden> Fri, 09 Nov 2012 15:08:36 -0500

Changed in request-tracker3.8 (Ubuntu Oneiric):
status: Incomplete → Fix Released
Changed in request-tracker3.8 (Ubuntu Natty):
status: Incomplete → Invalid