commit otrs for openSUSE:11.2

1 Apr 2011

Hello community,

here is the log from the commit of package otrs for openSUSE:11.2
checked in at Fri Apr 1 10:42:49 CEST 2011.



--------

--- old-versions/11.2/UPDATES/all/otrs/otrs.changes	2010-07-07 16:49:22.000000000 +0200
+++ 11.2/otrs/otrs.changes	2011-03-31 17:01:55.000000000 +0200
@@ -1,0 +2,9 @@
+Thu Mar 31 14:54:19 UTC 2011 - chris@computersalat.de
+
+- fix for CVE-2011-0456 [bnc#679292]
+  o added CVE-2011-0456 patch
+  o This issue is related to scripts/webform.pl, an example file which
+    is not used by default in OTRS, and therefore not directly
+    vulnerable from outside.
+
+-------------------------------------------------------------------

calling whatdependson for 11.2-i586


New:
----
  otrs-2.2.6-CVE-2011-0456.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ otrs.spec ++++++
--- /var/tmp/diff_new_pack.jlQ3Ai/_old	2011-04-01 10:41:00.000000000 +0200
+++ /var/tmp/diff_new_pack.jlQ3Ai/_new	2011-04-01 10:41:00.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package otrs (Version 2.2.6)
+# spec file for package otrs
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 
 Name:           otrs
 Version:        2.2.6
-Release:        46.<RELEASE3>
+Release:        46.<RELEASE5>
 License:        GPLv2+
 Group:          Productivity/Networking/Email/Utilities
 Url:            http://otrs.org/
@@ -33,6 +33,9 @@
 Patch:          otrs-init.diff
 Patch1:         otrs-nochown.diff
 Patch2:         otrs-2.2-OSA-2010-01.diff
+# patch for CVE-2011-0456
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0456
+Patch3:         otrs-2.2.6-CVE-2011-0456.patch
 Summary:        Open Ticket Request System
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  pwdutils
@@ -181,6 +184,7 @@
 %patch -p1
 %patch1
 %patch2
+%patch3 -p1
 find -name ".cvsignore" -type f | xargs rm -fv
 
 %build

++++++ otrs-2.2.6-CVE-2011-0456.patch ++++++
diff -ruN otrs-2.2.6-orig/scripts/webform.pl otrs-2.2.6/scripts/webform.pl
--- otrs-2.2.6-orig/scripts/webform.pl	2007-02-07 06:27:22.000000000 +0100
+++ otrs-2.2.6/scripts/webform.pl	2009-02-20 13:05:54.000000000 +0100
@@ -2,50 +2,57 @@
 # --
 # webform.pl - a simple web form script to generate email with
 # X-OTRS-Queue header for an OTRS system (x-headers for dispatching!).
-# Copyright (C) 2001-2007 OTRS GmbH, http://otrs.org/
+# Copyright (C) 2001-2009 OTRS AG, http://otrs.org/
 # --
-# $Id: webform.pl,v 1.8 2007/02/07 05:27:22 tr Exp $
+# $Id: webform.pl,v 1.14 2009/02/20 12:05:54 mh Exp $
 # --
 # This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
+# it under the terms of the GNU AFFERO General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Affero General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+# or see http://www.gnu.org/licenses/agpl.txt.
 # --
 
 use strict;
+use warnings;
+
 # to get the errors on screen
 use CGI::Carp qw(fatalsToBrowser);
+
 # Simple Common Gateway Interface Class
 use CGI;
 
-my $VERSION = '$Revision: 1.8 $';
-$VERSION =~ s/^\$.*:\W(.*)\W.+?$/$1/;
+my $VERSION = qw($Revision: 1.14 $) [1];
 
 # --------------------------
 # web form options
 # --------------------------
 my $Ident = 'ahfiw2Fw32r230dddl2foeo3r';
+
 # sendmail location and options
-my $Sendmail = '/usr/sbin/sendmail -t -i -f ';
+my $Sendmail = '/usr/sbin/sendmail -t -i -f';
+
 # email where the emails of the form will send to
 my $OTRSEmail = 'otrs-system@example.com';
+
 # topics and dest. queues
 my %Topics = (
+
     # topic => OTRS queue
-    'Info' => 'info',
-    'Support' => 'support',
-    'Bugs' => 'bugs',
-    'Sales' => 'sales',
-    'Billing' => 'billing',
+    'Info'      => 'info',
+    'Support'   => 'support',
+    'Bugs'      => 'bugs',
+    'Sales'     => 'sales',
+    'Billing'   => 'billing',
     'Webmaster' => 'webmaster',
 );
 
@@ -54,17 +61,23 @@
 # --------------------------
 
 sub Header {
-    my %Param = @_;
-    (my $Output = <param($_) || '';
 }
+
 # what should I do?
-if ($GetParam{Action} eq 'SendMail') {
+if ( $GetParam{Action} eq 'SendMail' ) {
     SendMail(%GetParam);
 }
 else {
@@ -129,8 +155,8 @@
 # web form
 # ------------------------
 sub WebForm {
-    print Header(Title => 'Submit Request');
-print '
+    print Header( Title => 'Submit Request' );
+    print '
     <form action="webform.pl" method="post">
         <input type="hidden" name="Action" value="SendMail">
         <table>
@@ -138,10 +164,12 @@
                 <td>Topic:</td>
                 <td>
 ';
-    foreach (sort keys %Topics) {
-        print $_.'<input type="radio" name="Topic" value="'.$Topics{$_}.'">';
+    for my $Key ( sort keys %Topics ) {
+        my $HTMLKey   = _Ascii2Html($Key);
+        my $HTMLValue = _Ascii2Html( $Topics{$Key} );
+        print $HTMLKey . '<input type="radio" name="Topic" value="' . $HTMLValue . '">';
     }
-print '
+    print '
                 </td>
             </tr>
             <tr>
@@ -169,48 +197,53 @@
 ';
     print Footer();
 }
+
 # --------------------------
 # send email
 # --------------------------
 
 sub SendMail {
-    my %Param = @_;
-    my $Output = '';
+    my (%Param) = @_;
 
     # check needed params
-    foreach (qw(From FromEmail Subject Topic Body)) {
-        if (!$Param{$_}) {
-            $Output .= Error(Message => "Param $_ is needed!");
+    my $Output = '';
+    for (qw(From FromEmail Subject Topic Body)) {
+        if ( !$Param{$_} ) {
+            $Output .= Error( Message => "Param $_ is needed!" );
         }
     }
     if ($Output) {
-        $Output = Header(Title => 'Error!') . $Output;
-        $Output .= Footer();
-        print $Output;
+        print Header( Title => 'Error!' ) . $Output . Footer();
         return;
     }
 
     # simple email check
-    my $NonAscii      = "\x80-\xff"; # Non-ASCII-Chars are not allowed
-    my $Nqtext        = "[^\\\\$NonAscii\015\012\"]";
-    my $Qchar         = "\\\\[^$NonAscii]";
-    my $Protocol      = '(?:mailto:)';
-    my $NormUser      = '[a-zA-Z0-9][a-zA-Z0-9_.-]*';
-    my $QuotedString  = "\"(?:$Nqtext|$Qchar)+\"";
+    my $NonAscii     = "\x80-\xff";                            # Non-ASCII-Chars are not allowed
+    my $Nqtext       = "[^\\\\$NonAscii\015\012\"]";
+    my $Qchar        = "\\\\[^$NonAscii]";
+    my $Protocol     = '(?:mailto:)';
+    my $NormUser     = '[a-zA-Z0-9][a-zA-Z0-9_.-]*';
+    my $QuotedString = "\"(?:$Nqtext|$Qchar)+\"";
     my $UserPart     = "(?:$NormUser|$QuotedString)";
     my $DomMainPart  = '[a-zA-Z0-9][a-zA-Z0-9._-]*\\.';
     my $DomSubPart   = '(?:[a-zA-Z0-9][a-zA-Z0-9._-]*\\.)*';
     my $DomTldPart   = '[a-zA-Z]{2,5}';
     my $DomainPart   = "$DomSubPart$DomMainPart$DomTldPart";
-    my $Regex         = "$Protocol?$UserPart\@$DomainPart";
+    my $Regex        = "$Protocol?$UserPart\@$DomainPart";
 
-    if ($Param{FromEmail} !~ /^$Regex$/) {
-        $Output = Header(Title => 'Error!');
-        $Output .= Error(Message => "Your email '$Param{FromEmail}' is invalid!");
+    if ( $Param{FromEmail} !~ /^$Regex$/ ) {
+        my $Output = Header( Title => 'Error!' );
+        $Output .= Error( Message => "Your email '$Param{FromEmail}' is invalid!" );
         $Output .= Footer();
         print $Output;
         return;
     }
+
+    # quoting (take care to not injection any other header)
+    for my $Key (qw(From FromEmail Topic Subject Topic)) {
+        $Param{$Key} =~ s/(\n|\r)//g;
+    }
+
     # build email
     my @Mail = ("From: $Param{From} <$Param{FromEmail}>\n");
     push @Mail, "To: $Param{Topic} <$OTRSEmail>\n";
@@ -228,22 +261,36 @@
     push @Mail, "\n";
 
     # send mail
-    $Param{From} =~ s/"|;|'|<|>|\|| //ig;
-    if (open(MAIL, "|$Sendmail $Param{From} ")) {
-        print MAIL @Mail;
-        close(MAIL);
+    my $FromEmail = $Param{FromEmail};
+    $FromEmail =~ s/"|;|'|<|>|\||\s|\r|\n|\t|`//ig;
+    $FromEmail = quotemeta $FromEmail;
+    if ( open my $Mail, '|-', "$Sendmail $FromEmail" ) {
+        print $Mail @Mail;
+        close $Mail;
 
         # thanks!
-        $Output = Header(Title => 'Thanks!');
+        my $Output = Header( Title => 'Thanks!' );
         $Output .= Thanks(%Param);
         $Output .= Footer();
         print $Output;
     }
     else {
+
         # error
-        $Output = Header(Title => 'Error!');
-        $Output .= Error(Message => "Can't send email: $!");
+        my $Output = Header( Title => 'Error!' );
+        $Output .= Error( Message => "Can't send email: $!" );
         $Output .= Footer();
         print $Output;
     }
 }
+
+sub _Ascii2Html {
+    my $Text = shift;
+
+    $Text =~ s/&/&/g;
+    $Text =~ s//>/g;
+    $Text =~ s/"/"/g;
+
+    return $Text;
+}

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org

    

commit otrs for openSUSE:11.2

root＠hilbert.suse.de