MFH: r443668 r443686

Security Update: Add security patches from BestPractical. See http://lists.bestpractical.com/pipermail/rt-announce/\ 2017-June/000297.html Security: 7a92e958-5207-11e7-8d7c-6805ca0b3d42 Revert patch-config.layout to r354074 -- 'make makepatch' wiped out the %%PREFIX%% substitution token. Pointyhat to me. This, along with r443668 needs MFH to 2017Q2 Approved by: ports-secteam (zi)
author: Matthew Seaman <matthew@FreeBSD.org> 2017-06-16 14:32:27 +0000
committer: Matthew Seaman <matthew@FreeBSD.org> 2017-06-16 14:32:27 +0000
commit: a9e69f4adde0e8acf0bdc28b48ef046e377e6757 (patch)
tree: 3618c5803bfa8126fd02d236be71addd5fd46bbf
parent: 87de971af3d68d5b114a09b743c0bb459d504c7e (diff)
download: ports-a9e69f4adde0e8acf0bdc28b48ef046e377e6757.tar.gz
ports-a9e69f4adde0e8acf0bdc28b48ef046e377e6757.zip
10 files changed, 260 insertions, 4 deletions
diff --git a/www/rt42/Makefile b/www/rt42/Makefile
index 99e3117a348b..bba73e9c7cb6 100644
--- a/www/rt42/Makefile
+++ b/www/rt42/Makefile
@@ -2,6 +2,7 @@
 
 PORTNAME=	rt
 DISTVERSION=	4.2.13
+PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	http://download.bestpractical.com/pub/rt/release/
 PKGNAMESUFFIX=	42
diff --git a/www/rt42/files/patch-config.layout b/www/rt42/files/patch-config.layout
index 8d6e235c7a66..870db9083ecf 100644
--- a/www/rt42/files/patch-config.layout
+++ b/www/rt42/files/patch-config.layout
@@ -1,11 +1,19 @@
---- config.layout.orig	2016-06-08 21:49:02 UTC
-+++ config.layout
-@@ -110,24 +110,24 @@
+--- ./config.layout.orig	2014-05-06 17:59:04.000000000 +0100
++++ ./config.layout	2014-05-14 15:26:37.717215779 +0100
+@@ -103,31 +103,31 @@
+ </Layout>
+ 
+ <Layout FreeBSD>
+-  prefix:		/usr/local
++  prefix:		%%PREFIX%%
+   exec_prefix:		${prefix}
+   bindir:		${exec_prefix}/bin
+   sbindir:		${exec_prefix}/sbin
    sysconfdir:		${prefix}/etc+
    mandir:		${prefix}/man
    plugindir:		${prefix}/plugins
 -  libdir:		${prefix}/lib+
-+  libdir:		/usr/local/lib/perl5/site_perl
++  libdir:		%%SITE_PERL%%
    datadir:		${prefix}/share+
    htmldir:		${datadir}/html
    lexdir:		${datadir}/po
diff --git a/www/rt42/files/patch-lib_RT.pm b/www/rt42/files/patch-lib_RT.pm
new file mode 100644
index 000000000000..de66d2bd4542
--- /dev/null
+++ b/www/rt42/files/patch-lib_RT.pm
@@ -0,0 +1,13 @@
+--- lib/RT.pm.orig	2016-06-08 21:49:02 UTC
++++ lib/RT.pm
+@@ -81,6 +81,10 @@ use vars qw($BasePath
+  $MasonDataDir
+  $MasonSessionDir);
+ 
++# Set Email::Address module var before anything else loads.
++# This avoids an algorithmic complexity denial of service vulnerability.
++# See T#157608 and CVE-2015-7686 for more information.
++$Email::Address::COMMENT_NEST_LEVEL = 1;
+ 
+ RT->LoadGeneratedData();
+ 
diff --git a/www/rt42/files/patch-lib_RT_Config.pm b/www/rt42/files/patch-lib_RT_Config.pm
new file mode 100644
index 000000000000..db81ec3f5f6f
--- /dev/null
+++ b/www/rt42/files/patch-lib_RT_Config.pm
@@ -0,0 +1,17 @@
+--- lib/RT/Config.pm.orig	2016-06-08 21:49:02 UTC
++++ lib/RT/Config.pm
+@@ -143,6 +143,14 @@ can be set for each config optin:
+ our %META;
+ %META = (
+     # General user overridable options
++    RestrictReferrerLogin => {
++        PostLoadCheck => sub {
++            my $self = shift;
++            if (defined($self->Get('RestrictReferrerLogin'))) {
++                RT::Logger->error("The config option 'RestrictReferrerLogin' is incorrect, and should be 'RestrictLoginReferrer' instead.");
++            }
++        },
++    },
+     DefaultQueue => {
+         Section         => 'General',
+         Overridable     => 1,
diff --git a/www/rt42/files/patch-lib_RT_Interface_Web.pm b/www/rt42/files/patch-lib_RT_Interface_Web.pm
new file mode 100644
index 000000000000..c6b5a1ed3235
--- /dev/null
+++ b/www/rt42/files/patch-lib_RT_Interface_Web.pm
@@ -0,0 +1,20 @@
+--- lib/RT/Interface/Web.pm.orig	2016-06-08 21:49:02 UTC
++++ lib/RT/Interface/Web.pm
+@@ -1426,7 +1426,7 @@ sub IsCompCSRFWhitelisted {
+     # golden.  This acts on the presumption that external forms may
+     # hardcode a username and password -- if a malicious attacker knew
+     # both already, CSRF is the least of your problems.
+-    my $AllowLoginCSRF = not RT->Config->Get('RestrictReferrerLogin');
++    my $AllowLoginCSRF = not RT->Config->Get('RestrictLoginReferrer');
+     if ($AllowLoginCSRF and defined($args{user}) and defined($args{pass})) {
+         my $user_obj = RT::CurrentUser->new();
+         $user_obj->Load($args{user});
+@@ -1642,7 +1642,7 @@ sub MaybeShowInterstitialCSRFPage {
+     my $token = StoreRequestToken($ARGS);
+     $HTML::Mason::Commands::m->comp(
+         '/Elements/CSRF',
+-        OriginalURL => RT->Config->Get('WebPath') . $HTML::Mason::Commands::r->path_info,
++        OriginalURL => RT->Config->Get('WebBaseURL') . RT->Config->Get('WebPath') . $HTML::Mason::Commands::r->path_info,
+         Reason => HTML::Mason::Commands::loc( $msg, @loc ),
+         Token => $token,
+     );
diff --git a/www/rt42/files/patch-lib_RT_User.pm b/www/rt42/files/patch-lib_RT_User.pm
new file mode 100644
index 000000000000..4190d45f862a
--- /dev/null
+++ b/www/rt42/files/patch-lib_RT_User.pm
@@ -0,0 +1,87 @@
+--- lib/RT/User.pm.orig	2016-06-08 21:49:02 UTC
++++ lib/RT/User.pm
+@@ -84,6 +84,7 @@ use RT::Principals;
+ use RT::ACE;
+ use RT::Interface::Email;
+ use Text::Password::Pronounceable;
++use RT::Util;
+ 
+ sub _OverlayAccessible {
+     {
+@@ -977,11 +978,17 @@ sub IsPassword {
+         # If it's a new-style (>= RT 4.0) password, it starts with a '!'
+         my (undef, $method, @rest) = split /!/, $stored;
+         if ($method eq "bcrypt") {
+-            return 0 unless $self->_GeneratePassword_bcrypt($value, @rest) eq $stored;
++            return 0 unless RT::Util::constant_time_eq(
++                $self->_GeneratePassword_bcrypt($value, @rest),
++                $stored
++            );
+             # Upgrade to a larger number of rounds if necessary
+             return 1 unless $rest[0] < RT->Config->Get('BcryptCost');
+         } elsif ($method eq "sha512") {
+-            return 0 unless $self->_GeneratePassword_sha512($value, @rest) eq $stored;
++            return 0 unless RT::Util::constant_time_eq(
++                $self->_GeneratePassword_sha512($value, @rest),
++                $stored
++            );
+         } else {
+             $RT::Logger->warn("Unknown hash method $method");
+             return 0;
+@@ -991,16 +998,28 @@ sub IsPassword {
+         my $hash = MIME::Base64::decode_base64($stored);
+         # Decoding yields 30 byes; first 4 are the salt, the rest are substr(SHA256,0,26)
+         my $salt = substr($hash, 0, 4, "");
+-        return 0 unless substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26) eq $hash;
++        return 0 unless RT::Util::constant_time_eq(
++            substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26),
++            $hash
++        );
+     } elsif (length $stored == 32) {
+         # Hex nonsalted-md5
+-        return 0 unless Digest::MD5::md5_hex(Encode::encode( "UTF-8", $value)) eq $stored;
++        return 0 unless RT::Util::constant_time_eq(
++            Digest::MD5::md5_hex(Encode::encode( "UTF-8", $value)),
++            $stored
++        );
+     } elsif (length $stored == 22) {
+         # Base64 nonsalted-md5
+-        return 0 unless Digest::MD5::md5_base64(Encode::encode( "UTF-8", $value)) eq $stored;
++        return 0 unless RT::Util::constant_time_eq(
++            Digest::MD5::md5_base64(Encode::encode( "UTF-8", $value)),
++            $stored
++        );
+     } elsif (length $stored == 13) {
+         # crypt() output
+-        return 0 unless crypt(Encode::encode( "UTF-8", $value), $stored) eq $stored;
++        return 0 unless RT::Util::constant_time_eq(
++            crypt(Encode::encode( "UTF-8", $value), $stored),
++            $stored
++        );
+     } else {
+         $RT::Logger->warning("Unknown password form");
+         return 0;
+@@ -1096,19 +1115,20 @@ sub GenerateAuthString {
+ 
+ =head3 ValidateAuthString
+ 
+-Takes auth string and protected string. Returns true is protected string
++Takes auth string and protected string. Returns true if protected string
+ has been protected by user's L</AuthToken>. See also L</GenerateAuthString>.
+ 
+ =cut
+ 
+ sub ValidateAuthString {
+     my $self = shift;
+-    my $auth_string = shift;
++    my $auth_string_to_validate = shift;
+     my $protected = shift;
+ 
+     my $str = Encode::encode( "UTF-8", $self->AuthToken . $protected );
++    my $valid_auth_string = substr(Digest::MD5::md5_hex($str),0,16);
+ 
+-    return $auth_string eq substr(Digest::MD5::md5_hex($str),0,16);
++    return RT::Util::constant_time_eq( $auth_string_to_validate, $valid_auth_string );
+ }
+ 
+ =head2 SetDisabled
diff --git a/www/rt42/files/patch-lib_RT_Util.pm b/www/rt42/files/patch-lib_RT_Util.pm
new file mode 100644
index 000000000000..4784c49008bd
--- /dev/null
+++ b/www/rt42/files/patch-lib_RT_Util.pm
@@ -0,0 +1,70 @@
+--- lib/RT/Util.pm.orig	2016-06-08 21:49:02 UTC
++++ lib/RT/Util.pm
+@@ -54,6 +54,8 @@ use warnings;
+ use base 'Exporter';
+ our @EXPORT = qw/safe_run_child mime_recommended_filename/;
+ 
++use Encode qw/encode/;
++
+ sub safe_run_child (&) {
+     my $our_pid = $$;
+ 
+@@ -150,6 +152,58 @@ sub assert_bytes {
+ }
+ 
+ 
++=head2 C<constant_time_eq($a, $b)>
++
++Compares two strings for equality in constant-time. Replacement for the C<eq>
++operator designed to avoid timing side-channel vulnerabilities. Returns zero
++or one.
++
++This is intended for use in cryptographic subsystems for comparing well-formed
++data such as hashes - not for direct use with user input or as a general
++replacement for the C<eq> operator.
++
++The two string arguments B<MUST> be of equal length. If the lengths differ,
++this function will call C<die()>, as proceeding with execution would create
++a timing vulnerability. Length is defined by characters, not bytes.
++
++This code has been tested to do what it claims. Do not change it without
++thorough statistical timing analysis to validate the changes.
++
++Added to resolve CVE-2017-5361
++
++For more on timing attacks, see this Wikipedia article:
++B<https://en.wikipedia.org/wiki/Timing_attack>
++
++=cut
++
++sub constant_time_eq {
++    my ($a, $b) = @_;
++
++    my $result = 0;
++
++    # generic error message avoids potential information leaks
++    my $generic_error = "Cannot compare values";
++    die $generic_error unless defined $a and defined $b;
++    die $generic_error unless length $a == length $b;
++    die $generic_error if ref($a) or ref($b);
++
++    for (my $i = 0; $i < length($a); $i++) {
++        my $a_char = substr($a, $i, 1);
++        my $b_char = substr($b, $i, 1);
++
++        # encode() is set to die on malformed
++        my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
++        my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++        die $generic_error if (scalar @a_octets) != (scalar @b_octets);
++
++        for (my $j = 0; $j < scalar @a_octets; $j++) {
++            $result |= $a_octets[$j] ^ $b_octets[$j];
++        }
++    }
++    return 0 + not $result;
++}
++
++
+ RT::Base->_ImportOverlays();
+ 
+ 1;
diff --git a/www/rt42/files/patch-sbin_rt-test-dependencies b/www/rt42/files/patch-sbin_rt-test-dependencies
new file mode 100644
index 000000000000..9e775642b2c6
--- /dev/null
+++ b/www/rt42/files/patch-sbin_rt-test-dependencies
@@ -0,0 +1,11 @@
+--- sbin/rt-test-dependencies.orig	2017-06-15 22:12:17 UTC
++++ sbin/rt-test-dependencies
+@@ -206,7 +206,7 @@ Devel::StackTrace 1.19
+ Digest::base
+ Digest::MD5 2.27
+ Digest::SHA
+-Email::Address 1.897
++Email::Address 1.908
+ Email::Address::List 0.02
+ Encode 2.64
+ Errno
diff --git a/www/rt42/files/patch-share_html_Dashboards_Subscription.html b/www/rt42/files/patch-share_html_Dashboards_Subscription.html
new file mode 100644
index 000000000000..3e4e16e80888
--- /dev/null
+++ b/www/rt42/files/patch-share_html_Dashboards_Subscription.html
@@ -0,0 +1,11 @@
+--- share/html/Dashboards/Subscription.html.orig	2016-06-08 21:49:02 UTC
++++ share/html/Dashboards/Subscription.html
+@@ -75,7 +75,7 @@
+ <ol class="dashboard-queries">
+ %    for my $portlet (@portlets) {
+         <li class="dashboard-query">
+-            <% loc($portlet->{description}, $fields{'Rows'}) %>
++            <% loc( RT::SavedSearch->EscapeDescription($portlet->{description}), $fields{'Rows'}) %>
+         </li>
+ %    }
+ </ol>
diff --git a/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler b/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler
new file mode 100644
index 000000000000..ba3350cd59cf
--- /dev/null
+++ b/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler
@@ -0,0 +1,18 @@
+--- share/html/Ticket/Attachment/dhandler.orig	2016-06-08 21:49:02 UTC
++++ share/html/Ticket/Attachment/dhandler
+@@ -68,11 +68,13 @@ unless ( $AttachmentObj->TransactionId()
+ my $content = $AttachmentObj->OriginalContent;
+ my $content_type = $AttachmentObj->ContentType || 'text/plain';
+ 
+-if ( RT->Config->Get('AlwaysDownloadAttachments') ) {
++my $attachment_regex = qr{^(image/svg\+xml|application/pdf)}i;
++if ( RT->Config->Get('AlwaysDownloadAttachments') || ($content_type =~ $attachment_regex) ) {
+     $r->headers_out->{'Content-Disposition'} = "attachment";
+ }
+ elsif ( !RT->Config->Get('TrustHTMLAttachments') ) {
+-    $content_type = 'text/plain' if ( $content_type =~ /^text\/html/i );
++    my $text_plain_regex = qr{^(text/html|application/xhtml\+xml|text/xml|application/xml)}i;
++    $content_type = 'text/plain' if ( $content_type =~ $text_plain_regex );
+ }
+ elsif (lc $content_type eq 'text/html') {
+     # If we're trusting and serving HTML for display not download, try to do
author	Matthew Seaman <matthew@FreeBSD.org>	2017-06-16 14:32:27 +0000
committer	Matthew Seaman <matthew@FreeBSD.org>	2017-06-16 14:32:27 +0000
commit	a9e69f4adde0e8acf0bdc28b48ef046e377e6757 (patch)
tree	3618c5803bfa8126fd02d236be71addd5fd46bbf
parent	87de971af3d68d5b114a09b743c0bb459d504c7e (diff)
download	ports-a9e69f4adde0e8acf0bdc28b48ef046e377e6757.tar.gz ports-a9e69f4adde0e8acf0bdc28b48ef046e377e6757.zip