Merge lp:~ari-tczew/ubuntu/jaunty/trac/fix-CVE-2009-4405 into lp:ubuntu/jaunty/trac

Proposed by Artur Rona
Status: Needs review
Proposed branch: lp:~ari-tczew/ubuntu/jaunty/trac/fix-CVE-2009-4405
Merge into: lp:ubuntu/jaunty/trac
Diff against target: 152 lines (+98/-5)
5 files modified
debian/changelog (+17/-0)
debian/control (+2/-1)
debian/patches/00list (+1/-0)
debian/patches/18_CVE-2009-4405.dpatch (+71/-0)
debian/rules (+7/-4)
To merge this branch: bzr merge lp:~ari-tczew/ubuntu/jaunty/trac/fix-CVE-2009-4405
Reviewer: Marc Deslauriers (review type: none, date requested: none, status: Approve)
Review via email: mp+25569@code.launchpad.net
Revision history for this message
Marc Deslauriers (mdeslaur) :
review: Approve

Unmerged revisions

21. By Artur Rona

* debian/rules:
  - Include /usr/share/python/python.mk
  - Pass $(py_setup_install_args) to setup.py
  - Use $(py_libdir_sh) for matching distutils installation paths
  - Fixes FTBFS

20. By Artur Rona

* SECURITY UPDATE (LP: #394290)
* debian/patches/20_CVE-2009-4405.dpatch:
  - Multiple unspecified vulnerabilities in Trac before 0.11.6 have
    unknown impact and attack vectors, possibly related to (1) "policy
    checks in report results when using alternate formats" or (2)
    a "check for the 'raw' role that is missing in docutils < 0.6."
  - CVE-2009-4405
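The second half of that description (policy checks skipped for alternate report formats) reduces to a single authorization-filtering mistake. The following is an added example, not Trac's code: it models the pre-fix and post-fix shapes of the report renderer with constructed rows and a stand-in for the per-row `TICKET_VIEW` check, so the leak through the CSV/TSV branch can be seen directly.

```python
# Added example (not Trac's code): models the CVE-2009-4405 report-export
# flaw as a minimal per-row authorization filter. All names are constructed.
import csv
import io

# Constructed sample report rows; each row belongs to one ticket resource.
SAMPLE_RESULTS = [
    {"id": 1, "summary": "public ticket"},
    {"id": 2, "summary": "restricted ticket"},
    {"id": 3, "summary": "another public one"},
]

def has_view_perm(user, row):
    """Stand-in for `'TICKET_VIEW' in req.perm(resource)` (constructed policy)."""
    denied = {"alice": {2}}  # alice may not view ticket 2
    return row["id"] not in denied.get(user, set())

def _send_csv(rows, sep):
    """Stand-in for Report._send_csv: serialise rows with the given delimiter."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter=sep, lineterminator="\n")
    w.writerow(["id", "summary"])
    for r in rows:
        w.writerow([r["id"], r["summary"]])
    return buf.getvalue()

def render_report_vulnerable(user, results, fmt):
    """Pre-fix shape: rows are filtered only while building the HTML view;
    the csv/tab branches still hand the unfiltered query results to _send_csv."""
    row_groups = [r for r in results if has_view_perm(user, r)]
    if fmt in ("csv", "tab"):
        return _send_csv(results, "\t" if fmt == "tab" else ",")
    return row_groups

def render_report_fixed(user, results, fmt):
    """Post-fix shape: the same loop that applies the permission check also
    collects authorized_results, and only those reach the alternate formats."""
    row_groups, authorized_results = [], []
    for r in results:
        if not has_view_perm(user, r):
            continue
        authorized_results.append(r)
        row_groups.append(r)
    if fmt in ("csv", "tab"):
        return _send_csv(authorized_results, "\t" if fmt == "tab" else ",")
    return row_groups

def exported_ids(output, sep=","):
    """Return the ticket ids present in a serialised export (header skipped)."""
    rows = list(csv.reader(io.StringIO(output), delimiter=sep))
    return [int(r[0]) for r in rows[1:]]
```

The lesson is that the permission filter has to sit on the data path shared by every output format, not on one rendering branch.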

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2008-11-16 18:34:25 +0000
3+++ debian/changelog 2010-05-19 15:59:33 +0000
4@@ -1,3 +1,20 @@
5+trac (0.11.1-2.1ubuntu0.1) jaunty-security; urgency=low
6+
7+ * SECURITY UPDATE (LP: #394290)
8+ * debian/patches/20_CVE-2009-4405.dpatch:
9+ - Multiple unspecified vulnerabilities in Trac before 0.11.6 have
10+ unknown impact and attack vectors, possibly related to (1) "policy
11+ checks in report results when using alternate formats" or (2)
12+ a "check for the 'raw' role that is missing in docutils < 0.6."
13+ - CVE-2009-4405
14+ * debian/rules:
15+ - Include /usr/share/python/python.mk
16+ - Pass $(py_setup_install_args) to setup.py
17+ - Use $(py_libdir_sh) for matching distutils installation paths
18+ - Fixes FTBFS
19+
20+ -- Artur Rona <ari-tczew@tlen.pl> Wed, 19 May 2010 17:48:56 +0200
21+
22 trac (0.11.1-2.1) unstable; urgency=high
23
24 * Non-maintainer upload.
25
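Review bot: the changelog entry names the patch `debian/patches/20_CVE-2009-4405.dpatch`, but the file this proposal adds and registers in `debian/patches/00list` is `18_CVE-2009-4405.dpatch`; correct the changelog line so the entry matches the file that ships. The `* debian/rules:` bullets also omit one change made in the rules hunk, the new `chmod +x` on `trac/web/*_frontend.py`, which should be listed here if it is intended.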
26=== modified file 'debian/control'
27--- debian/control 2008-08-16 00:08:30 +0000
28+++ debian/control 2010-05-19 15:59:33 +0000
29@@ -3,7 +3,8 @@
30 Priority: optional
31 Build-Depends-Indep: python-setuptools (> 0.5)
32 Build-Depends: python-genshi (>= 0.5), python-central, python-all-dev, debhelper (>= 6.0.7), dpatch
33-Maintainer: Debian Trac Team <pkg-trac-devel@lists.alioth.debian.org>
34+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
35+XSBC-Original-Maintainer: Debian Trac Team <pkg-trac-devel@lists.alioth.debian.org>
36 Uploaders: Otavio Salvador <otavio@debian.org>, Andres Salomon <dilinger@debian.org>, Jesus Climent <jesus.climent@hispalinux.es>, Luis Matos <gass@otiliamatos.ath.cx>
37 Standards-Version: 3.8.0
38 VCS-Git: git://git.debian.org/git/pkg-trac/trac.git
39
40=== modified file 'debian/patches/00list'
41--- debian/patches/00list 2008-11-16 18:34:25 +0000
42+++ debian/patches/00list 2010-05-19 15:59:33 +0000
43@@ -2,3 +2,4 @@
44 15_remove_jquery_file.dpatch
45 16_install_contrib_dir.dpatch
46 17_SA32652.dpatch
47+18_CVE-2009-4405.dpatch
48
49=== added file 'debian/patches/18_CVE-2009-4405.dpatch'
50--- debian/patches/18_CVE-2009-4405.dpatch 1970-01-01 00:00:00 +0000
51+++ debian/patches/18_CVE-2009-4405.dpatch 2010-05-19 15:59:33 +0000
52@@ -0,0 +1,71 @@
53+#! /bin/sh /usr/share/dpatch/dpatch-run
54+## From: Artur Rona <ari-tczew@tlen.pl>
55+## Description: CVE-2009-4405. Added a missing check for the "raw" role when using docutils < 0.6.
56+## Enforce same policy checks for tabular text alternate formats in report results.
57+## Bug: https://launchpad.net/bugs/394290
58+## Origin: upstream, http://trac.edgewall.org/changeset/8813
59+## http://trac.edgewall.org/changeset/8816
60+## Author: Remy Blank, Christian Boos
61+
62+@DPATCH@
63+
64+diff -Nru -x '*~' trac-0.11.1.orig/trac/mimeview/rst.py trac-0.11.1/trac/mimeview/rst.py
65+--- trac-0.11.1.orig/trac/mimeview/rst.py 2008-08-07 03:00:20.000000000 +0200
66++++ trac-0.11.1/trac/mimeview/rst.py 2010-04-24 03:37:42.000000000 +0200
67+@@ -43,6 +43,23 @@
68+ from trac.wiki.api import WikiSystem
69+ from trac.wiki.formatter import WikiProcessor, Formatter, extract_link
70+
71++if has_docutils and StrictVersion(__version__) < StrictVersion('0.6'):
72++ # Monkey-patch "raw" role handler in docutils to add a missing check
73++ # See docutils bug #2845002 on SourceForge
74++ def raw_role(role, rawtext, text, lineno, inliner, options={}, content=[]):
75++ if not inliner.document.settings.raw_enabled:
76++ msg = inliner.reporter.warning('raw (and derived) roles disabled')
77++ prb = inliner.problematic(rawtext, rawtext, msg)
78++ return [prb], [msg]
79++ return _raw_role(role, rawtext, text, lineno, inliner, options,
80++ content)
81++
82++ from docutils.parsers.rst import roles
83++ raw_role.options = roles.raw_role.options
84++ _raw_role = roles.raw_role
85++ roles.raw_role = raw_role
86++ roles.register_canonical_role('raw', raw_role)
87++
88+ class ReStructuredTextRenderer(Component):
89+ """
90+ Renders plain text in reStructuredText format as HTML.
91+diff -Nru -x '*~' trac-0.11.1.orig/trac/ticket/report.py trac-0.11.1/trac/ticket/report.py
92+--- trac-0.11.1.orig/trac/ticket/report.py 2008-08-07 03:00:20.000000000 +0200
93++++ trac-0.11.1/trac/ticket/report.py 2010-04-24 03:37:42.000000000 +0200
94+@@ -396,6 +396,7 @@
95+ # - group rows according to __group__ value, if defined
96+ # - group cells the same way headers are grouped
97+ row_groups = []
98++ authorized_results = []
99+ prev_group_value = None
100+ for row_idx, result in enumerate(results):
101+ col_idx = 0
102+@@ -435,6 +436,7 @@
103+ # FIXME: for now, we still need to hardcode the realm in the action
104+ if resource.realm.upper()+'_VIEW' not in req.perm(resource):
105+ continue
106++ authorized_results.append(result)
107+ if email_cells:
108+ for cell in email_cells:
109+ emails = Chrome(self.env).format_emails(context(resource),
110+@@ -470,11 +472,11 @@
111+ return 'report.rss', data, 'application/rss+xml'
112+ elif format == 'csv':
113+ filename = id and 'report_%s.csv' % id or 'report.csv'
114+- self._send_csv(req, cols, results, mimetype='text/csv',
115++ self._send_csv(req, cols, authorized_results, mimetype='text/csv',
116+ filename=filename)
117+ elif format == 'tab':
118+ filename = id and 'report_%s.tsv' % id or 'report.tsv'
119+- self._send_csv(req, cols, results, '\t',
120++ self._send_csv(req, cols, authorized_results, '\t',
121+ mimetype='text/tab-separated-values',
122+ filename=filename)
123+ else:
124
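Review bot: the `rst.py` hunk guards the monkey-patch with `has_docutils`, `StrictVersion` and `__version__`, none of which appear in the three context lines shown (only the `trac.wiki` imports do); confirm those names are bound at module level in the 0.11.1 `rst.py` before this block, since a `NameError` here would abort loading of the whole reStructuredText renderer rather than just the `raw` role. The `report.py` side reads correctly: `authorized_results.append(result)` sits after the `continue` that follows the `resource.realm.upper()+'_VIEW' not in req.perm(resource)` check, so rows failing the view permission are excluded from both the `csv` and `tab` branches, which is exactly the policy-check gap the header describes.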
125=== modified file 'debian/rules'
126--- debian/rules 2008-08-16 00:08:30 +0000
127+++ debian/rules 2010-05-19 15:59:33 +0000
128@@ -2,6 +2,7 @@
129
130 PYVER=$(shell python -c 'import sys; print sys.version[:3]')
131 include /usr/share/dpatch/dpatch.make
132+include /usr/share/python/python.mk
133
134 clean: unpatch
135 dh_testdir
136@@ -23,10 +24,12 @@
137 dh_installdirs
138 python setup.py install \
139 --root=$(CURDIR)/debian/trac \
140- --single-version-externally-managed
141- chmod +x $(CURDIR)/debian/trac/usr/lib/python$(PYVER)/site-packages/trac/admin/templates/deploy_trac.wsgi
142- chmod +x $(CURDIR)/debian/trac/usr/lib/python$(PYVER)/site-packages/trac/admin/templates/deploy_trac.fcgi
143- chmod +x $(CURDIR)/debian/trac/usr/lib/python$(PYVER)/site-packages/trac/admin/templates/deploy_trac.cgi
144+ --single-version-externally-managed \
145+ $(py_setup_install_args)
146+ chmod +x $(CURDIR)/debian/trac/$(py_libdir_sh)/trac/admin/templates/deploy_trac.wsgi
147+ chmod +x $(CURDIR)/debian/trac/$(py_libdir_sh)/trac/admin/templates/deploy_trac.fcgi
148+ chmod +x $(CURDIR)/debian/trac/$(py_libdir_sh)/trac/admin/templates/deploy_trac.cgi
149+ chmod +x $(CURDIR)/debian/trac/$(py_libdir_sh)/trac/web/*_frontend.py
150
151 binary-indep: build install
152 dh_testdir
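Review bot: the added `chmod +x $(CURDIR)/debian/trac/$(py_libdir_sh)/trac/web/*_frontend.py` is a behavioural change not covered by the changelog entry; if the glob matches nothing, the shell passes the literal pattern to `chmod`, which then fails and breaks the build, so either document the step or guard it. Switching the hardcoded `usr/lib/python$(PYVER)/site-packages` paths to `$(py_libdir_sh)` alongside `$(py_setup_install_args)` is the right pairing, since both come from the same `python.mk` and so agree on where setup.py installed the files; `PYVER` now appears unused in this hunk and could be dropped if nothing else references it.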
