oss-sec mailing list archives
Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition
From: Thomas Sibley <trs () bestpractical com>
Date: Tue, 22 Feb 2011 16:34:32 -0500
Hi folks,

Is Red Hat packaging RT now, or are you just handling the CVEs?

In all future security mail, please use our security contact address security () bestpractical com, not developer email addresses pulled from commits. Details for our security contact are at:

http://bestpractical.com/security/

We have no context for Red Hat's (and Debian's?) involvement here. Can you bring us up to speed on your plans regarding CVEs and/or security releases in your distributions?

On 22 Feb 2011 09:37, Jan Lieskovsky wrote:
> 2) * Redirect users to their desired pages after login.
> [snip]
> Upstream bug report:
> [c] http://issues.bestpractical.com/Ticket/Display.html?id=15804
> Upstream changeset:
> [d] https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4
>
> Thomas, could you please confirm [d] is the proper fix for issue 2)? Thank you.
> (* Redirect users to their desired pages after login.)
The commit you linked to is not the full fix. As noted in our own bug report you also link to above, the fix was merged into 3.8-trunk with commit 057552287159e801535e59b8fbd5bd98d1322069. That said, what are your plans for the diffset? The commit itself can't be used as a standalone patch for the issue. It introduced a few other bugs in core RT and broke the current stable versions of RT-Authen-ExternalAuth (a very popular, critical extension). The bugs have been fixed by other commits and there are development releases of a fixed ExternalAuth. Are you trying to package a patch in a security update?
> 3) * Clone Scrip's TicketObj since we change the CurrentUser and it can leak information (Custom field values, etc)
> [snip]
> Upstream changeset (needs confirmation from upstream whether it's the real fix for the issue yet):
> [iii] https://github.com/bestpractical/rt/commit/56e20b874e8d67ab93aa80c2c00155110a27e764
>
> Shawn, could you please confirm [iii] is the proper fix for issue 3)?
> (* Clone Scrip's TicketObj since we change the CurrentUser and it can leak)
The above commit is an unrelated bug fix. The correct commit is 2338cd19ed7a7f4c1e94f639ab2789d6586d01f3, however we've never tested it as a standalone fix. Again, what are your plans?

Thomas, for Best Practical
Current thread:
- CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition Jan Lieskovsky (Feb 22)
- Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition Josh Bressers (Feb 22)
- Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition Thomas Sibley (Feb 22)
- Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition Josh Bressers (Feb 23)
- Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition Vincent Danen (Feb 24)
- Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition Ralf Corsepius (Feb 24)
- Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition Vincent Danen (Feb 24)
- Re: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form data resubmission upon user log out 2) SQL queries information leak by user account transition Josh Bressers (Feb 23)