authorspz <spz>2015-03-01 22:45:26 +0000
committerspz <spz>2015-03-01 22:45:26 +0000
commite7dd2c7c87fbe131cbc6d2f5b0e82f0d7f849d8f (patch)
tree36c45dda3521792a9449f907f121773f7040aee0 /devel/rt3
parente4af0b85636f9936d73e810fd1116c90c79948ff (diff)
downloadpkgsrc-e7dd2c7c87fbe131cbc6d2f5b0e82f0d7f849d8f.tar.gz
apply the Request Tracker 4.0.0 patch for CVE-2014-9472, CVE-2015-1165
and CVE-2015-1464.
Diffstat (limited to 'devel/rt3')
-rw-r--r--devel/rt3/Makefile4
-rw-r--r--devel/rt3/distinfo5
-rw-r--r--devel/rt3/patches/patch-lib_RT.pm18
-rw-r--r--devel/rt3/patches/patch-share_html_Search_Elements_ResultsRSSView59
4 files changed, 78 insertions, 8 deletions
diff --git a/devel/rt3/Makefile b/devel/rt3/Makefile
index b3830bb759b..c9cf4fb4fad 100644
--- a/devel/rt3/Makefile
+++ b/devel/rt3/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.55 2014/05/31 12:22:42 wiz Exp $
+# $NetBSD: Makefile,v 1.56 2015/03/01 22:45:26 spz Exp $
DISTNAME= rt-3.8.17
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= devel
MASTER_SITES= http://download.bestpractical.com/pub/rt/release/
diff --git a/devel/rt3/distinfo b/devel/rt3/distinfo
index 704a853b06a..76ec6b4a13a 100644
--- a/devel/rt3/distinfo
+++ b/devel/rt3/distinfo
@@ -1,16 +1,17 @@
-$NetBSD: distinfo,v 1.24 2013/05/26 16:55:53 spz Exp $
+$NetBSD: distinfo,v 1.25 2015/03/01 22:45:26 spz Exp $
SHA1 (rt-3.8.17.tar.gz) = 4765c68f91a0e8e21ed0fd39397cd8e3970ca992
RMD160 (rt-3.8.17.tar.gz) = 6da8fca56976233417bd47b26e1a7326fde5d2d0
Size (rt-3.8.17.tar.gz) = 5728368 bytes
SHA1 (patch-aa) = 6f78710f4460a25c75afbdf7128c0fe34914927c
SHA1 (patch-ab) = ee455dd683c84d3a745a29a132e28903ba03144d
-SHA1 (patch-lib_RT.pm) = f72c6cb6f94acf1296076423d26d7efa4ed78293
+SHA1 (patch-lib_RT.pm) = 4a4b56128c266aeadde8f254210aa1942430744a
SHA1 (patch-lib_RT_CustomFieldValues_External.pm) = 4404ca98c9e50687323892df1aa95c8b5a6dedd9
SHA1 (patch-lib_RT_Interface_Email.pm) = 60d0c2c46ac3dc8172bdf16bbf43099b7dd87542
SHA1 (patch-lib_RT_Interface_Email_Auth_GnuPG.pm) = 60d53a4dcda8f3cda14350f34f74fddc6091c3ce
SHA1 (patch-sbin_rt-attributes-viewer) = e1c963800b76282cda4ca46e006f30d9abfc29c9
SHA1 (patch-sbin_rt-attributes-viewer.in) = 99a15cca9a394b5743edc3929f43593f1384c8da
SHA1 (patch-share_html_Helpers_CalPopup.html) = 3920ac6448d1d21c7ff32ef67344b19aa53616a4
+SHA1 (patch-share_html_Search_Elements_ResultsRSSView) = 62eeea9f4bea1bb98fd3509748123ecca3256185
SHA1 (patch-t_approval_admincc.t) = 4fddf5fa844d15e8698e00fe6863daaafa661315
SHA1 (patch-t_approval_basic.t) = 209303cc34370518a2600e28570627e1dc7e698b
diff --git a/devel/rt3/patches/patch-lib_RT.pm b/devel/rt3/patches/patch-lib_RT.pm
index c376293302a..1f7b6a2cb60 100644
--- a/devel/rt3/patches/patch-lib_RT.pm
+++ b/devel/rt3/patches/patch-lib_RT.pm
@@ -1,10 +1,20 @@
-$NetBSD: patch-lib_RT.pm,v 1.1 2011/10/25 19:38:10 spz Exp $
+$NetBSD: patch-lib_RT.pm,v 1.2 2015/03/01 22:45:26 spz Exp $
perl 5.14 qw() in for* fixes
+Fix for CVE-2014-9472 taken from the patch for RT 4.0.0
---- lib/RT.pm.orig 2011-04-14 01:10:13.000000000 +0000
+--- lib/RT.pm.orig 2013-05-22 19:04:26.000000000 +0000
+++ lib/RT.pm
-@@ -459,7 +459,7 @@ sub InitClasses {
+@@ -362,6 +362,8 @@ sub InitSignalHandlers {
+ ## mechanism (see above).
+
+ $SIG{__WARN__} = sub {
++ return 'IGNORE' if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;
++
+ # The 'wide character' warnings has to be silenced for now, at least
+ # until HTML::Mason offers a sane way to process both raw output and
+ # unicode strings.
+@@ -459,7 +461,7 @@ sub InitClasses {
# in the session, as we deserialize it so we never call constructor
# of the class, so the list of accessible fields is empty and we die
# with "Method xxx is not implemented in RT::SomeClass"
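Review bot: The value returned by the new `$SIG{__WARN__}` guard (the `++ return 'IGNORE' if ...` line in the InitSignalHandlers hunk) is discarded by Perl — a `__WARN__` handler's return value carries no meaning, and the string `'IGNORE'` is only special when assigned to an entry of `%SIG`. The early return is what keeps the matched warning away from whatever the handler does below, so `return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;` states the intent without suggesting the literal does anything; keeping the upstream 4.0.0 wording byte-for-byte is a reasonable trade-off if it eases later rebases of this pkgsrc patch, in which case a one-line comment such as `# return value is ignored; the early return is the suppression` would avoid the misreading. The pattern is anchored and matches only the warning named in the patch header, so presumably other warnings still reach the existing handling that follows. The InitSignalHandlers body continues outside the hunk.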
@@ -13,7 +23,7 @@ perl 5.14 qw() in for* fixes
RT::Ticket
RT::Transaction
RT::Attachment
-@@ -477,7 +477,7 @@ sub InitClasses {
+@@ -477,7 +479,7 @@ sub InitClasses {
RT::ObjectCustomField
RT::ObjectCustomFieldValue
RT::Attribute
diff --git a/devel/rt3/patches/patch-share_html_Search_Elements_ResultsRSSView b/devel/rt3/patches/patch-share_html_Search_Elements_ResultsRSSView
new file mode 100644
index 00000000000..dac39f5e33c
--- /dev/null
+++ b/devel/rt3/patches/patch-share_html_Search_Elements_ResultsRSSView
@@ -0,0 +1,59 @@
+$NetBSD: patch-share_html_Search_Elements_ResultsRSSView,v 1.1 2015/03/01 22:45:26 spz Exp $
+
+fixes for CVE-2015-1165 and CVE-2015-1464 taken from the patch for RT 4.0.0
+
+--- share/html/Search/Elements/ResultsRSSView.orig 2013-05-22 19:03:04.000000000 +0000
++++ share/html/Search/Elements/ResultsRSSView
+@@ -48,7 +48,7 @@
+ <%INIT>
+ use Encode ();
+
+-my $old_current_user;
++my $current_user = $session{CurrentUser};
+
+ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+ my $path = $m->dhandler_arg;
+@@ -78,13 +78,11 @@ if ( $m->request_comp->path =~ RT->Confi
+ unless $user->ValidateAuthString( $auth,
+ $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
+
+- $old_current_user = $session{'CurrentUser'};
+- my $cu = RT::CurrentUser->new;
+- $cu->Load($user);
+- $session{'CurrentUser'} = $cu;
++ $current_user = RT::CurrentUser->new;
++ $current_user->Load($user);
+ }
+
+-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
++my $Tickets = RT::Tickets->new($current_user);
+ $Tickets->FromSQL($ARGS{'Query'});
+ if ($OrderBy =~ /\|/) {
+ # Multiple Sorts
+@@ -121,10 +119,17 @@ $r->content_type('application/rss+xml');
+ while ( my $Ticket = $Tickets->Next()) {
+ my $creator_str = $m->scomp('/Elements/ShowUser', User => $Ticket->CreatorObj);
+ $creator_str =~ s/[\r\n]//g;
++
++ # Get the plain-text content; it is interpreted as HTML by RSS
++ # readers, so it must be escaped (and is escaped _again_ when
++ # inserted into the XML).
++ my $content = $Ticket->Transactions->First->Content;
++ $content = $m->interp->apply_escapes( $content, 'h');
++
+ $rss->add_item(
+ title => $Ticket->Subject || loc('No Subject'),
+ link => RT->Config->Get('WebURL')."Ticket/Display.html?id=".$Ticket->id,
+- description => $Ticket->Transactions->First->Content,
++ description => $content,
+ dc => { creator => $creator_str,
+ date => $Ticket->CreatedObj->RFC2822,
+ },
+@@ -133,7 +138,6 @@ $r->content_type('application/rss+xml');
+ }
+
+ $m->out($rss->as_string);
+-$session{'CurrentUser'} = $old_current_user if $old_current_user;
+ $m->abort();
+ </%INIT>
+ <%ARGS>
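Review bot: The new `my $content = $Ticket->Transactions->First->Content;` line still dereferences the result of `First` unchecked, so a ticket with no transactions would abort the whole feed with a method-on-undef error before the CVE-2015-1165 escaping is even reached; the removed `description =>` line had the same chain, but the escape step now gives a natural place to guard it. Something like `my $first_txn = $Ticket->Transactions->First;` / `my $content = $first_txn ? $first_txn->Content : '';` / `$content = $m->interp->apply_escapes( defined $content ? $content : '', 'h');` also keeps `apply_escapes` from being handed undef. Whether `Content` can legitimately return undef for a transaction without a body is not visible from the hunk — confirm against RT::Transaction before adding the `defined` check, and if the upstream 4.0.0 patch is being mirrored verbatim, note the deviation in the patch header comment.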