Hi,

Redmine package 1.0.1-1 is affected by several security issues:

* Info leak in journals controller
* Persistent XSS in wiki
* Command Execution in SCM adapter

I prefer not to disclose here the full description. Ask me if needed, or find it in the encrypted email I sent to the security team (05/01/2011 00:58).

Could you consider either of the following?

1. Propose an update to redmine 1.0.5-1. It's been a while in testing, and is a good candidate for a proposed update, fixing the issues.
2. Use the attached security update. The diff to redmine-1.0.1-2 is attached. It backports only the security fixes, and I verified it does not introduce new bugs.

Best regards,
Jérémy Lal
diff -Nru redmine-1.0.1/debian/changelog redmine-1.0.1/debian/changelog --- redmine-1.0.1/debian/changelog 2010-08-23 12:03:18.000000000 +0200 +++ redmine-1.0.1/debian/changelog 2011-01-05 00:38:38.000000000 +0100 @@ -1,3 +1,13 @@ +redmine (1.0.1-2) testing-security; urgency=high + + * Security update, fixes + - Infoleak in journals controller, + - Persistent XSS in issue description, + - Command Execution in repository. + (Closes: #608397) + + -- Jérémy Lal <kapo...@melix.org> Tue, 04 Jan 2011 22:49:03 +0100 + redmine (1.0.1-1) unstable; urgency=low * Upstream update, fixes many 1.0.0 RC bugs, see : diff -Nru redmine-1.0.1/debian/patches/changeset_r4535.diff redmine-1.0.1/debian/patches/changeset_r4535.diff --- redmine-1.0.1/debian/patches/changeset_r4535.diff 1970-01-01 01:00:00.000000000 +0100 +++ redmine-1.0.1/debian/patches/changeset_r4535.diff 2011-01-04 22:42:33.000000000 +0100 
@@ -0,0 +1,35 @@ +--- a/test/functional/journals_controller_test.rb ++++ b/test/functional/journals_controller_test.rb +@@ -33,14 +33,20 @@ + + def test_reply_to_issue + @request.session[:user_id] = 2 +- get :new, :id => 1 ++ get :new, :id => 6 + assert_response :success + assert_select_rjs :show, "update" + end ++ ++ def test_reply_to_issue_without_permission ++ @request.session[:user_id] = 7 ++ get :new, :id => 6 ++ assert_response 403 ++ end + + def test_reply_to_note + @request.session[:user_id] = 2 +- get :new, :id => 1, :journal_id => 2 ++ get :new, :id => 6, :journal_id => 4 + assert_response :success + assert_select_rjs :show, "update" + end +--- a/app/controllers/journals_controller.rb ++++ b/app/controllers/journals_controller.rb +@@ -18,6 +18,7 @@ + class JournalsController < ApplicationController + before_filter :find_journal, :only => [:edit] + before_filter :find_issue, :only => [:new] ++ before_filter :authorize, :only => [:new, :edit] + + def new + journal = Journal.find(params[:journal_id]) if params[:journal_id] diff -Nru redmine-1.0.1/debian/patches/changeset_r4538.diff redmine-1.0.1/debian/patches/changeset_r4538.diff --- redmine-1.0.1/debian/patches/changeset_r4538.diff 1970-01-01 01:00:00.000000000 +0100 +++ redmine-1.0.1/debian/patches/changeset_r4538.diff 2011-01-04 22:42:42.000000000 +0100 
@@ -0,0 +1,23 @@ +--- a/test/unit/helpers/application_helper_test.rb ++++ b/test/unit/helpers/application_helper_test.rb +@@ -265,6 +265,9 @@ + "<!-- opening comment" => "<p><!-- opening comment</p>", + # remove attributes except class + "<pre class='foo'>some text</pre>" => "<pre class='foo'>some text</pre>", ++ '<pre class="foo">some text</pre>' => '<pre class="foo">some text</pre>', ++ "<pre class='foo bar'>some text</pre>" => "<pre class='foo bar'>some text</pre>", ++ '<pre class="foo bar">some text</pre>' => '<pre class="foo bar">some text</pre>', + "<pre onmouseover='alert(1)'>some text</pre>" => "<pre>some text</pre>", + } + to_test.each { |text, result| assert_equal result, textilizable(text) } +--- a/lib/redcloth3.rb ++++ b/lib/redcloth3.rb +@@ -1078,7 +1078,7 @@ + line = "<redpre##{ @pre_list.length }>" + first.match(/<#{ OFFTAGS }([^>]*)>/) + tag = $1 +- $2.to_s.match(/(class\=\S+)/i) ++ $2.to_s.match(/(class\=("[^"]+"|'[^']+'))/i) + tag << " #{$1}" if $1 + @pre_list << "<#{ tag }>#{ aftertag }" + end diff -Nru redmine-1.0.1/debian/patches/changeset_r4540.diff redmine-1.0.1/debian/patches/changeset_r4540.diff --- redmine-1.0.1/debian/patches/changeset_r4540.diff 1970-01-01 01:00:00.000000000 +0100 +++ redmine-1.0.1/debian/patches/changeset_r4540.diff 2011-01-04 22:42:46.000000000 +0100 
@@ -0,0 +1,196 @@ +--- a/lib/redmine/scm/adapters/subversion_adapter.rb ++++ b/lib/redmine/scm/adapters/subversion_adapter.rb +@@ -135,8 +135,8 @@ + + def revisions(path=nil, identifier_from=nil, identifier_to=nil, options={}) + path ||= '' +- identifier_from = (identifier_from and identifier_from.to_i > 0) ? identifier_from.to_i : "HEAD" +- identifier_to = (identifier_to and identifier_to.to_i > 0) ? identifier_to.to_i : 1 ++ identifier_from = (identifier_from && identifier_from.to_i > 0) ? identifier_from.to_i : "HEAD" ++ identifier_to = (identifier_to && identifier_to.to_i > 0) ? identifier_to.to_i : 1 + revisions = Revisions.new + cmd = "#{SVN_BIN} log --xml -r #{identifier_from}:#{identifier_to}" + cmd << credentials_string +--- a/lib/redmine/scm/adapters/bazaar_adapter.rb ++++ b/lib/redmine/scm/adapters/bazaar_adapter.rb +@@ -74,10 +74,10 @@ + + def revisions(path=nil, identifier_from=nil, identifier_to=nil, options={}) + path ||= '' +- identifier_from = 'last:1' unless identifier_from and identifier_from.to_i > 0 +- identifier_to = 1 unless identifier_to and identifier_to.to_i > 0 ++ identifier_from = (identifier_from and identifier_from.to_i > 0) ? identifier_from.to_i : 'last:1' ++ identifier_to = (identifier_to and identifier_to.to_i > 0) ? 
identifier_to.to_i : 1 + revisions = Revisions.new +- cmd = "#{BZR_BIN} log -v --show-ids -r#{identifier_to.to_i}..#{identifier_from} #{target(path)}" ++ cmd = "#{BZR_BIN} log -v --show-ids -r#{identifier_to}..#{identifier_from} #{target(path)}" + shellout(cmd) do |io| + revision = nil + parsing = nil +@@ -140,6 +140,9 @@ + else + identifier_to = identifier_from.to_i - 1 + end ++ if identifier_from ++ identifier_from = identifier_from.to_i ++ end + cmd = "#{BZR_BIN} diff -r#{identifier_to}..#{identifier_from} #{target(path)}" + diff = [] + shellout(cmd) do |io| +--- a/lib/redmine/scm/adapters/git_adapter.rb ++++ b/lib/redmine/scm/adapters/git_adapter.rb +@@ -117,7 +117,7 @@ + cmd = "#{GIT_BIN} --git-dir #{target('')} log --raw --date=iso --pretty=fuller " + cmd << " --reverse " if options[:reverse] + cmd << " --all " if options[:all] +- cmd << " -n #{options[:limit]} " if options[:limit] ++ cmd << " -n #{options[:limit].to_i} " if options[:limit] + cmd << "#{shell_quote(identifier_from + '..')}" if identifier_from + cmd << "#{shell_quote identifier_to}" if identifier_to + cmd << " --since=#{shell_quote(options[:since].strftime("%Y-%m-%d %H:%M:%S"))}" if options[:since] +--- a/lib/redmine/scm/adapters/mercurial_adapter.rb ++++ b/lib/redmine/scm/adapters/mercurial_adapter.rb +@@ -80,7 +80,7 @@ + path ||= '' + entries = Entries.new + cmd = "#{HG_BIN} -R #{target('')} --cwd #{target('')} locate" +- cmd << " -r " + (identifier ? identifier.to_s : "tip") ++ cmd << " -r " + shell_quote(identifier ? identifier.to_s : "tip") + cmd << " " + shell_quote("path:#{path}") unless path.empty? + shellout(cmd) do |io| + io.each_line do |line| +@@ -112,7 +112,7 @@ + cmd << " -r #{identifier_from.to_i}:" + end + cmd << " --limit #{options[:limit].to_i}" if options[:limit] +- cmd << " #{path}" if path ++ cmd << " #{shell_quote path}" if path + shellout(cmd) do |io| + begin + # HG doesn't close the XML Document... 
+@@ -157,6 +157,9 @@ + else + identifier_to = identifier_from.to_i - 1 + end ++ if identifier_from ++ identifier_from = identifier_from.to_i ++ end + cmd = "#{HG_BIN} -R #{target('')} diff -r #{identifier_to} -r #{identifier_from} --nodates" + cmd << " -I #{target(path)}" unless path.empty? + diff = [] +@@ -171,7 +174,7 @@ + + def cat(path, identifier=nil) + cmd = "#{HG_BIN} -R #{target('')} cat" +- cmd << " -r " + (identifier ? identifier.to_s : "tip") ++ cmd << " -r " + shell_quote(identifier ? identifier.to_s : "tip") + cmd << " #{target(path)}" + cat = nil + shellout(cmd) do |io| +@@ -186,7 +189,7 @@ + path ||= '' + cmd = "#{HG_BIN} -R #{target('')}" + cmd << " annotate -n -u" +- cmd << " -r " + (identifier ? identifier.to_s : "tip") ++ cmd << " -r " + shell_quote(identifier ? identifier.to_s : "tip") + cmd << " -r #{identifier.to_i}" if identifier + cmd << " #{target(path)}" + blame = Annotate.new +--- a/lib/redmine/scm/adapters/cvs_adapter.rb ++++ b/lib/redmine/scm/adapters/cvs_adapter.rb +@@ -63,7 +63,7 @@ + logger.debug "<cvs> entries '#{path}' with identifier '#{identifier}'" + path_with_project="#{url}#{with_leading_slash(path)}" + entries = Entries.new +- cmd = "#{CVS_BIN} -d #{root_url} rls -e" ++ cmd = "#{CVS_BIN} -d #{shell_quote root_url} rls -e" + cmd << " -D \"#{time_to_cvstime(identifier)}\"" if identifier + cmd << " #{shell_quote path_with_project}" + shellout(cmd) do |io| +@@ -108,7 +108,7 @@ + logger.debug "<cvs> revisions path:'#{path}',identifier_from #{identifier_from}, identifier_to #{identifier_to}" + + path_with_project="#{url}#{with_leading_slash(path)}" +- cmd = "#{CVS_BIN} -d #{root_url} rlog" ++ cmd = "#{CVS_BIN} -d #{shell_quote root_url} rlog" + cmd << " -d\">#{time_to_cvstime(identifier_from)}\"" if identifier_from + cmd << " #{shell_quote path_with_project}" + shellout(cmd) do |io| +@@ -229,7 +229,7 @@ + def diff(path, identifier_from, identifier_to=nil) + logger.debug "<cvs> diff path:'#{path}',identifier_from #{identifier_from}, 
identifier_to #{identifier_to}" + path_with_project="#{url}#{with_leading_slash(path)}" +- cmd = "#{CVS_BIN} -d #{root_url} rdiff -u -r#{identifier_to} -r#{identifier_from} #{shell_quote path_with_project}" ++ cmd = "#{CVS_BIN} -d #{shell_quote root_url} rdiff -u -r#{identifier_to.to_i} -r#{identifier_from.to_i} #{shell_quote path_with_project}" + diff = [] + shellout(cmd) do |io| + io.each_line do |line| +@@ -244,7 +244,7 @@ + identifier = (identifier) ? identifier : "HEAD" + logger.debug "<cvs> cat path:'#{path}',identifier #{identifier}" + path_with_project="#{url}#{with_leading_slash(path)}" +- cmd = "#{CVS_BIN} -d #{root_url} co" ++ cmd = "#{CVS_BIN} -d #{shell_quote root_url} co" + cmd << " -D \"#{time_to_cvstime(identifier)}\"" if identifier + cmd << " -p #{shell_quote path_with_project}" + cat = nil +@@ -256,10 +256,10 @@ + end + + def annotate(path, identifier=nil) +- identifier = (identifier) ? identifier : "HEAD" ++ identifier = (identifier) ? identifier.to_i : "HEAD" + logger.debug "<cvs> annotate path:'#{path}',identifier #{identifier}" + path_with_project="#{url}#{with_leading_slash(path)}" +- cmd = "#{CVS_BIN} -d #{root_url} rannotate -r#{identifier} #{shell_quote path_with_project}" ++ cmd = "#{CVS_BIN} -d #{shell_quote root_url} rannotate -r#{identifier} #{shell_quote path_with_project}" + blame = Annotate.new + shellout(cmd) do |io| + io.each_line do |line| +--- a/lib/redmine/scm/adapters/darcs_adapter.rb ++++ b/lib/redmine/scm/adapters/darcs_adapter.rb +@@ -66,7 +66,7 @@ + path_prefix = (path.blank? ? '' : "#{path}/") + path = '.' if path.blank? + entries = Entries.new +- cmd = "#{DARCS_BIN} annotate --repodir #{@url} --xml-output" ++ cmd = "#{DARCS_BIN} annotate --repodir #{shell_quote @url} --xml-output" + cmd << " --match #{shell_quote("hash #{identifier}")}" if identifier + cmd << " #{shell_quote path}" + shellout(cmd) do |io| +@@ -90,7 +90,7 @@ + def revisions(path=nil, identifier_from=nil, identifier_to=nil, options={}) + path = '.' 
if path.blank? + revisions = Revisions.new +- cmd = "#{DARCS_BIN} changes --repodir #{@url} --xml-output" ++ cmd = "#{DARCS_BIN} changes --repodir #{shell_quote @url} --xml-output" + cmd << " --from-match #{shell_quote("hash #{identifier_from}")}" if identifier_from + cmd << " --last #{options[:limit].to_i}" if options[:limit] + shellout(cmd) do |io| +@@ -116,7 +116,7 @@ + + def diff(path, identifier_from, identifier_to=nil) + path = '*' if path.blank? +- cmd = "#{DARCS_BIN} diff --repodir #{@url}" ++ cmd = "#{DARCS_BIN} diff --repodir #{shell_quote @url}" + if identifier_to.nil? + cmd << " --match #{shell_quote("hash #{identifier_from}")}" + else +@@ -135,7 +135,7 @@ + end + + def cat(path, identifier=nil) +- cmd = "#{DARCS_BIN} show content --repodir #{@url}" ++ cmd = "#{DARCS_BIN} show content --repodir #{shell_quote @url}" + cmd << " --match #{shell_quote("hash #{identifier}")}" if identifier + cmd << " #{shell_quote path}" + cat = nil +@@ -170,7 +170,7 @@ + + # Retrieve changed paths for a single patch + def get_paths_for_patch(hash) +- cmd = "#{DARCS_BIN} annotate --repodir #{@url} --summary --xml-output" ++ cmd = "#{DARCS_BIN} annotate --repodir #{shell_quote @url} --summary --xml-output" + cmd << " --match #{shell_quote("hash #{hash}")} " + paths = [] + shellout(cmd) do |io| diff -Nru redmine-1.0.1/debian/patches/series redmine-1.0.1/debian/patches/series --- redmine-1.0.1/debian/patches/series 2010-08-01 14:27:41.000000000 +0200 +++ redmine-1.0.1/debian/patches/series 2011-01-04 22:38:55.000000000 +0100 @@ -1,3 +1,6 @@ +changeset_r4535.diff +changeset_r4538.diff +changeset_r4540.diff 0008-Wrong-path-for-interpreter.patch 0009-Allows-environment-variables-to-setup-debian-paths.patch 0014-Move-session-configuration-to-YML-file-next-to-datab.patch
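Review bot: the debian/changelog entry describes the second issue as "Persistent XSS in issue description" while the report above calls it "Persistent XSS in wiki"; the actual fix is in lib/redcloth3.rb (changeset_r4538.diff), which is exercised through textilizable in the test, so it applies to every textile-formatted field. Wording the changelog line as XSS in textile formatting of pre tags would avoid readers concluding that only one field was affected.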
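Review bot: the journals_controller.rb hunk adds `before_filter :authorize, :only => [:new, :edit]`, but the test change only adds a negative case for `new` (test_reply_to_issue_without_permission expecting 403); add a matching test that `edit` also returns 403 for a user without permission, since the edit path is covered by the same filter. It is also worth confirming that `find_journal` sets the project that `authorize` checks, because for `edit` the authorize filter runs after it and depends on that state.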
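Review bot: in the lib/redcloth3.rb hunk, the new regex `(class\=("[^"]+"|'[^']+'))` only keeps a quoted class attribute, so an unquoted `<pre class=foo>` now loses its class entirely; the test table in application_helper_test.rb checks only the single- and double-quoted forms. If unquoted class values were meant to keep working, add a third alternative limited to safe characters such as `[\w-]+`; otherwise add a test case documenting that unquoted attributes are dropped, so the behaviour change is intentional and visible.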
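Review bot: the subversion_adapter.rb hunk only replaces `and` with `&&` inside expressions that are already parenthesised, which does not change behaviour; if this is a style alignment with upstream rather than part of the fix, a note in the patch header would make that clear to whoever audits the backport.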
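Review bot: in the mercurial_adapter.rb annotate hunk, the method now appends `-r` followed by `shell_quote(identifier ? identifier.to_s : "tip")` and on the very next line still appends ` -r #{identifier.to_i}` when an identifier is given, so hg receives two `-r` options for the same request; the integer-coerced second one was already safe, so dropping one of them would remove the ambiguity about which revision is used.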
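Review bot: the cvs_adapter.rb hunks quote `root_url` with shell_quote, but the `-D \"#{time_to_cvstime(identifier)}\"` option in `entries` and `cat`, and `-d\">#{time_to_cvstime(identifier_from)}\"` in `revisions`, still interpolate the identifier into the command line inside double quotes. Confirm that time_to_cvstime always returns a formatted date and never passes an unparseable input string through; otherwise those call sites should be quoted with shell_quote like the others in this patch.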