Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
This update closes bug https://bugs.debian.org/836505 (CVE-2016-6342): improper authentication in elogd allowed an entry to be posted under an arbitrary username. -- System Information: Debian Release: 8.5 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/changelog elog-2.9.2+2014.05.11git44800a7/debian/changelog --- elog-2.9.2+2014.05.11git44800a7/debian/changelog 2014-10-23 20:38:25.000000000 +0200 +++ elog-2.9.2+2014.05.11git44800a7/debian/changelog 2016-09-12 22:22:49.000000000 +0200 @@ -1,3 +1,10 @@ +elog (2.9.2+2014.05.11git44800a7-3) jessie; urgency=medium + + * Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as + arbitrary username (Closes: #836505, CVE-2016-6342) + + -- Roger Kalt <roger.k...@gmail.com> Mon, 12 Sep 2016 20:22:36 +0200 + elog (2.9.2+2014.05.11git44800a7-2) unstable; urgency=low * debian/control: diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix --- elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix 1970-01-01 01:00:00.000000000 +0100 +++ elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix 2016-09-03 22:12:44.000000000 +0200 
@@ -0,0 +1,345 @@ +backport these two upstream patches for newer release: https://bitbucket.org/ritt/elog/commits/2f6a300572bd6048351af8c45394ae62230c83d9 + https://bitbucket.org/ritt/elog/commits/9ca611aca2b1860efac15f806bf907cc2e6f870a/#Lsrc/elogd.cF26100T26104 +--- a/src/elogd.c ++++ b/src/elogd.c +@@ -3443,7 +3443,7 @@ + break; + get_user_line(lbs, login_name, NULL, NULL, email_from, NULL, NULL, NULL); + sprintf(email_from_name, "%s <%s>", login_name, email_from); +- if (is_admin_user(lbs->name, login_name) && strchr(email_from, '@')) ++ if (is_admin_user(lbs, login_name) && strchr(email_from, '@')) + break; + } + } +@@ -8578,7 +8578,7 @@ + wrong_pwd = 2; + } else { + /* administrator does not have to supply old password if changing other user's password */ +- if (isparam("unm") && is_admin_user(lbs->name, getparam("unm")) ++ if (isparam("unm") && is_admin_user(lbs, getparam("unm")) + && stricmp(getparam("unm"), user) != 0) + wrong_pwd = 0; + else { +@@ -8652,7 +8652,7 @@ + + /* do not ask for old pwasword if admin changes other user's password */ + if (isparam("unm")) { +- if (!is_admin_user(lbs->name, getparam("unm")) || stricmp(getparam("unm"), user) == 0) { ++ if (!is_admin_user(lbs, getparam("unm")) || stricmp(getparam("unm"), user) == 0) { + if (isparam("oldpwd") && !(wrong_pwd == 1)) // hidden password for password recovery + rsprintf("<input type=hidden name=oldpwd value=\"%s\"", getparam("oldpwd")); + else { +@@ -8751,7 +8751,7 @@ + int i; + + /* check if current user is admin */ +- if (is_admin_user(lbs->name, getparam("unm"))) ++ if (is_admin_user(lbs, getparam("unm"))) + return TRUE; + + /* search attribute which contains short_name of author */ +@@ -12126,7 +12126,7 @@ + rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Cancel")); + + if (lbs->top_group[0] && (!top_group || strieq(top_group, "global"))) { +- if (is_admin_user("global", getparam("unm"))) { ++ if (is_admin_user(lbs, getparam("unm"))) { + if (lbs->top_group[0]) { + + 
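Review bot: In the 3443 hunk, `is_admin_user(lbs, login_name)` now also requires the requesting session (`unm`/`sid`) to be logged in, because the rewritten `is_admin_user` ends with `logged_in(lbs)` regardless of its `user` argument, and `login_name` here comes from `get_user_line` rather than from the request. If this loop can run for a request that carries no valid session (the e-mail sender lookup may be reached from a guest or self-registration path), it now finds no admin sender and silently falls through to whatever follows. Suggest factoring the plain 'Admin user' list lookup out of `is_admin_user` into a helper that performs no session check and calling that helper here, keeping the session-bound `is_admin_user` for the access-control call sites. The enclosing function starts and ends outside the hunk.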
sprintf(str, "global %s", lbs->top_group); +@@ -12159,7 +12159,7 @@ + } + + if (is_group("global") && !strieq(top_group, "global")) { +- if (is_admin_user("global", getparam("unm"))) { ++ if (is_admin_user(lbs, getparam("unm"))) { + rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Delete this logbook")); + rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Rename this logbook")); + rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Create new logbook")); +@@ -13275,7 +13275,7 @@ + + /*---- if admin user, show user list ----*/ + +- if (is_admin_user(logbook, getparam("unm"))) { ++ if (is_admin_user(lbs, getparam("unm"))) { + rsprintf("<input type=hidden name=admin value=1>\n"); + rsprintf("<tr><td nowrap width=\"10%%\">%s:</td>\n", loc("Select user")); + rsprintf("<td><select name=cfg_user onChange=\"document.form1.submit()\">\n"); +@@ -13323,7 +13323,7 @@ + else + strlcpy(str, user, sizeof(str)); + +- if (is_admin_user(logbook, getparam("unm"))) { ++ if (is_admin_user(lbs, getparam("unm"))) { + rsprintf("<tr><td nowrap width=\"15%%\">%s:</td>\n", loc("Active")); + if (stricmp(user, getparam("unm")) == 0) + rsprintf +@@ -13427,13 +13427,13 @@ + + rsprintf("<tr><td class=\"menuframe\"><span class=\"menu1\">\n"); + +- if (is_admin_user(logbook, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str)) ++ if (is_admin_user(lbs, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str)) + || atoi(str) == 1) + rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Change password")); + + rsprintf("<input type=submit name=cmd value=\"%s\" onClick=\"return chkrem();\">\n", loc("Remove user")); + +- if (is_admin_user(logbook, getparam("unm"))) { ++ if (is_admin_user(lbs, getparam("unm"))) { + rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("New user")); + strlcpy(str, loc("Change config file"), sizeof(str)); + rsprintf("<input type=submit name=cmd value=\"%s\">\n", str); +@@ 
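Review bot: In the 12159 hunk the global-admin check `is_admin_user("global", getparam("unm"))` guarding 'Delete this logbook', 'Rename this logbook' and 'Create new logbook' becomes `is_admin_user(lbs, getparam("unm"))`, i.e. the current logbook's admin list, while the 18179 and 18228 hunks of this same patch map the same old call to `is_admin_user(NULL, ...)`, which the new function resolves to "global". Unless `getcfg(lbs->name, "Admin user", ...)` is guaranteed to fall back to the global section with no per-logbook override (not visible here), a per-logbook admin would now be offered destructive logbook-wide commands that previously required global admin. Suggest `if (is_admin_user(NULL, getparam("unm"))) {` here and at 12126 to preserve the original scope and match the later hunks. The enclosing function starts and ends outside the hunk.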
-18079,6 +18079,17 @@
+
+ /*------------------------------------------------------------------*/
+
++BOOL logged_in(LOGBOOK *lbs)
++{
++ if (isparam("unm")) {
++ if (check_login_user(lbs, getparam("unm")) && check_login(lbs, getparam("sid")))
++ return TRUE;
++ }
++ return FALSE;
++}
++
++/*------------------------------------------------------------------*/
++
+ BOOL is_user_allowed(LOGBOOK * lbs, char *command)
+ {
+ char str[1000], users[2000];
+@@ -18109,7 +18120,7 @@
+ /* check admin command */
+ if (strieq(command, loc("Admin"))) {
+ if (getcfg(lbs->name, "Admin user", str, sizeof(str))) {
+- return is_admin_user(lbs->name, getparam("unm"));
++ return is_admin_user(lbs, getparam("unm"));
+ }
+ }
+
+@@ -18142,7 +18153,7 @@
+ return TRUE;
+
+ /* check for guest access */
+- if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || isparam("unm") != 0)
++ if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+ getcfg(lbs->name, "Menu commands", menu_str, sizeof(menu_str));
+
+ /* default menu commands */
+@@ -18151,7 +18162,7 @@
+
+ if (getcfg(lbs->name, "Password file", str, sizeof(str))) {
+
+- if (is_admin_user(lbs->name, getparam("unm"))) {
++ if (is_admin_user(lbs, getparam("unm"))) {
+
+ strcat(menu_str, "Admin, ");
+ strcat(menu_str, "Change config file, ");
+@@ -18160,7 +18171,7 @@
+ strcat(menu_str, "Create new logbook, ");
+ strcat(menu_str, "GetPwdFile, ");
+
+- if (is_admin_user("global", getparam("unm"))) {
++ if (is_admin_user(lbs, getparam("unm"))) {
+
+ if (lbs->top_group[0]) {
+ sprintf(str, "Change [global %s]", lbs->top_group);
+@@ -18168,7 +18179,7 @@
+ strcat(menu_str, ", ");
+ }
+
+- if (!lbs->top_group[0] || (is_admin_user("global", getparam("unm")))) {
++ if (!lbs->top_group[0] || (is_admin_user(NULL, getparam("unm")))) {
+
+ strcat(menu_str, "Change [global]");
+ strcat(menu_str, ", ");
+@@ -18192,7 +18203,7 @@
+ menu_str[0] = 0;
+ for (i = 0; i < n; i++) {
+ if
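Review bot: `logged_in()` passes `getparam("sid")` to `check_login` without first testing `isparam("sid")`; whether `getparam` yields an empty string or NULL for an absent parameter is not visible here, so either confirm `check_login` tolerates that or guard the call with `isparam("sid") &&`. The helper is also reached with `lbs == NULL` from the `is_admin_user(NULL, ...)` sites in this patch, so `check_login_user` and `check_login` must both accept a NULL logbook; the 25091 hunk shows one helper substituting `get_first_lbs_with_global_passwd()` for a NULL `lbs`, which suggests this is handled, but it is worth verifying for both callees. A one-line header comment would make the contract explicit: `/* TRUE only if the request's unm/sid pair is an authenticated session for lbs (NULL = global) */`.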
(strcmp(menu_item[i], "Admin") == 0) { +- if (!is_admin_user(lbs->name, getparam("unm"))) ++ if (!is_admin_user(lbs, getparam("unm"))) + continue; + } + strcat(menu_str, menu_item[i]); +@@ -18201,7 +18212,7 @@ + + strcat(menu_str, "HelpELCode, Synchronize, "); + +- if (is_admin_user(lbs->name, getparam("unm"))) { ++ if (is_admin_user(lbs, getparam("unm"))) { + + strcat(menu_str, "Change config file, "); + strcat(menu_str, "Delete this logbook, "); +@@ -18209,7 +18220,7 @@ + strcat(menu_str, "Create new logbook, "); + strcat(menu_str, "GetPwdFile, "); + +- if (is_admin_user("global", getparam("unm"))) { ++ if (is_admin_user(lbs, getparam("unm"))) { + + if (lbs->top_group[0]) { + sprintf(str, "Change [global %s]", lbs->top_group); +@@ -18217,7 +18228,7 @@ + strcat(menu_str, ", "); + } + +- if (!lbs->top_group[0] || (is_admin_user("global", getparam("unm")))) { ++ if (!lbs->top_group[0] || (is_admin_user(NULL, getparam("unm")))) { + + strcat(menu_str, "Change [global]"); + strcat(menu_str, ", "); +@@ -18228,11 +18239,11 @@ + + /* check list menu commands */ + str[0] = 0; +- if (!getcfg(lbs->name, "Guest List Menu commands", str, sizeof(str)) || isparam("unm") != 0) ++ if (!getcfg(lbs->name, "Guest List Menu commands", str, sizeof(str)) || logged_in(lbs)) + getcfg(lbs->name, "list menu commands", str, sizeof(str)); + + if (!str[0]) { +- if (!getcfg(lbs->name, "Guest Find Menu commands", str, sizeof(str)) || isparam("unm") != 0) ++ if (!getcfg(lbs->name, "Guest Find Menu commands", str, sizeof(str)) || logged_in(lbs)) + getcfg(lbs->name, "Find Menu commands", str, sizeof(str)); + } + +@@ -18259,7 +18270,7 @@ + strlcat(other_str, "Save, ", sizeof(other_str)); + + /* admin commands */ +- if (is_admin_user(lbs->name, getparam("unm"))) { ++ if (is_admin_user(lbs, getparam("unm"))) { + strcat(other_str, "Remove user, New user, Activate, "); + } else if (getcfg(lbs->name, "Self register", str, sizeof(str)) && atoi(str) > 0) { + strcat(other_str, "Remove user, New user, "); 
+@@ -18298,6 +18309,10 @@
+ }
+ }
+
++ /* make sure user is logged in */
++ if (!logged_in(lbs))
++ return FALSE;
++
+ return TRUE;
+ }
+
+@@ -20382,13 +20397,11 @@
+ rsprintf("\">\n", str);
+ }
+
+- if (!getcfg(lbs->name, "Guest Find menu commands", menu_str, sizeof(menu_str)) || isparam("unm")
+- != 0)
++ if (!getcfg(lbs->name, "Guest Find menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+ getcfg(lbs->name, "Find menu commands", menu_str, sizeof(menu_str));
+
+ if (!menu_str[0]) {
+- if (!getcfg(lbs->name, "Guest list menu commands", menu_str, sizeof(menu_str)) || isparam("unm")
+- != 0)
++ if (!getcfg(lbs->name, "Guest list menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+ getcfg(lbs->name, "list menu commands", menu_str, sizeof(menu_str));
+ }
+
+@@ -23703,7 +23716,7 @@
+ }
+
+ /* check for guest access */
+- if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || isparam("unm") != 0)
++ if (!getcfg(lbs->name, "Guest Menu commands", menu_str, sizeof(menu_str)) || logged_in(lbs))
+ getcfg(lbs->name, "Menu commands", menu_str, sizeof(menu_str));
+
+ /* default menu commands */
+@@ -23723,7 +23736,7 @@
+ menu_str[0] = 0;
+ for (i = 0; i < n; i++) {
+ if (strcmp(menu_item[i], "Admin") == 0) {
+- if (!is_admin_user(lbs->name, getparam("unm")))
++ if (!is_admin_user(lbs, getparam("unm")))
+ continue;
+ }
+ strcat(menu_str, menu_item[i]);
+@@ -25026,7 +25039,9 @@
+ char str[256], global[256], orig_topgroup[256];
+
+ orig_topgroup[0] = 0;
+- getcfg("global", "Password file", global, sizeof(global));
++ if (!getcfg("global", "Password file", global, sizeof(global)))
++ return NULL;
++
+ if (getcfg_topgroup() && *getcfg_topgroup())
+ strcpy(orig_topgroup, getcfg_topgroup());
+
+@@ -25076,6 +25091,8 @@
+ logbook with same password file than global section */
+ if (lbs == NULL)
+ lbs = get_first_lbs_with_global_passwd();
++ if (lbs == NULL)
++ return 0;
+
+ getcfg(lbs->name, "Password file", str, sizeof(str));
+
+@@
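Review bot: The `logged_in(lbs)` gate appended at the tail of `is_user_allowed` (18309 hunk) only covers requests that fall all the way through the earlier checks; the 18153 hunk of the same function shows a `return TRUE;` ahead of the guest-access branch, so whatever condition precedes it (not visible here) still bypasses the new check. If that early return is reserved for guest-permitted commands this is correct, but it should be confirmed, since CVE-2016-6342 is precisely about trusting `unm` without a session. A comment on the new lines would pin the contract for future readers: `/* any command reaching this point requires an authenticated unm/sid; guest-permitted commands must have returned above */`. The function begins outside this hunk.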
-25438,16 +25455,27 @@ + if (i == n) + return FALSE; + } ++ ++ /* make sure user is logged in */ ++ if (!logged_in(lbs)) ++ return FALSE; ++ + return TRUE; + } + + /*------------------------------------------------------------------*/ + +-BOOL is_admin_user(char *logbook, char *user) ++BOOL is_admin_user(LOGBOOK *lbs, char *user) + { + int i, n; + char str[1000]; + char list[MAX_N_LIST][NAME_LENGTH]; ++ char logbook[1000]; ++ ++ if (lbs == NULL) ++ strlcpy(logbook, "global", sizeof(logbook)); ++ else ++ strlcpy(logbook, lbs->name, sizeof(logbook)); + + /* Removed user[0] for cloning, have to check implications, same below. + if (getcfg(logbook, "Admin user", str, sizeof(str)) && user[0]) { */ +@@ -25464,6 +25492,10 @@ + if (i == n) + return FALSE; + } ++ /* make sure user is logged in */ ++ if (!logged_in(lbs)) ++ return FALSE; ++ + return TRUE; + } + +@@ -25487,6 +25519,7 @@ + if (i == n) + return FALSE; + } ++ + return TRUE; + } + +--- a/src/elogd.h ++++ b/src/elogd.h +@@ -292,7 +292,7 @@ + BOOL check_login_user(LOGBOOK * lbs, char *user); + LBLIST get_logbook_hierarchy(void); + BOOL is_logbook_in_group(LBLIST pgrp, char *logbook); +-BOOL is_admin_user(char *logbook, char *user); ++BOOL is_admin_user(LOGBOOK * lbs, char *user); + BOOL is_admin_user_global(char *user); + void free_logbook_hierarchy(LBLIST root); + void show_top_text(LOGBOOK * lbs); +@@ -308,6 +308,7 @@ + int parse_config_file(char *config_file); + PMXML_NODE load_password_file(LOGBOOK * lbs, char *error, int error_size); + int load_password_files(); ++BOOL check_login(LOGBOOK * lbs, char *sid); + void compose_base_url(LOGBOOK * lbs, char *base_url, int size, BOOL email_notify); + void show_elog_entry(LOGBOOK * lbs, char *dec_path, char *command); + char *loc(char *orig); diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/series elog-2.9.2+2014.05.11git44800a7/debian/patches/series --- elog-2.9.2+2014.05.11git44800a7/debian/patches/series 2014-06-25 23:21:40.000000000 +0200 +++ 
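Review bot: The rewritten `is_admin_user` first checks that `user` is on the 'Admin user' list and then that the request is logged in via `logged_in(lbs)`, which reads `unm`/`sid` from the request rather than from `user`; for callers passing `getparam("unm")` the two coincide, but the function now returns TRUE for any admin `user` whenever some other valid session is present. Consider binding them explicitly, `if (!logged_in(lbs) || !isparam("unm") || stricmp(user, getparam("unm")) != 0) return FALSE;`, or at minimum add a header comment such as `/* TRUE if user is an admin of lbs (NULL = global) and the current request is an authenticated session */` so callers do not assume `user` itself is verified. The 25492 hunk appends the same `logged_in` check to a second function whose head lies outside the hunk, so the same contract question applies there.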
elog-2.9.2+2014.05.11git44800a7/debian/patches/series 2016-09-03 21:35:05.000000000 +0200
@@ -2,3 +2,4 @@
 0002_html_doc.patch
 0003_elog.conf
 0004_Makefile.patch
+0005_elogd_CVE-2016-6342_fix