From owner-svn-ports-branches@freebsd.org Fri Jun 16 14:32:29 2017 Return-Path: Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C5284C0A5C8; Fri, 16 Jun 2017 14:32:29 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 828AA82127; Fri, 16 Jun 2017 14:32:29 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v5GEWSc2003662; Fri, 16 Jun 2017 14:32:28 GMT (envelope-from matthew@FreeBSD.org) Received: (from matthew@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v5GEWRsj003652; Fri, 16 Jun 2017 14:32:27 GMT (envelope-from matthew@FreeBSD.org) Message-Id: <201706161432.v5GEWRsj003652@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: matthew set sender to matthew@FreeBSD.org using -f From: Matthew Seaman Date: Fri, 16 Jun 2017 14:32:27 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r443704 - in branches/2017Q2/www/rt42: . files X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Jun 2017 14:32:29 -0000 Author: matthew Date: Fri Jun 16 14:32:27 2017 New Revision: 443704 URL: https://svnweb.freebsd.org/changeset/ports/443704 Log: MFH: r443668 r443686 Security Update: Add security patches from BestPractical. See http://lists.bestpractical.com/pipermail/rt-announce/\ 2017-June/000297.html Security: 7a92e958-5207-11e7-8d7c-6805ca0b3d42 Revert patch-config.layout to r354074 -- 'make makepatch' wiped out the %%PREFIX%% substitution token. Pointyhat to me. This, along with r443668 needs MFH to 2017Q2 Approved by: ports-secteam (zi) Added: branches/2017Q2/www/rt42/files/patch-lib_RT.pm - copied unchanged from r443668, head/www/rt42/files/patch-lib_RT.pm branches/2017Q2/www/rt42/files/patch-lib_RT_Config.pm - copied unchanged from r443668, head/www/rt42/files/patch-lib_RT_Config.pm branches/2017Q2/www/rt42/files/patch-lib_RT_Interface_Web.pm - copied unchanged from r443668, head/www/rt42/files/patch-lib_RT_Interface_Web.pm branches/2017Q2/www/rt42/files/patch-lib_RT_User.pm - copied unchanged from r443668, head/www/rt42/files/patch-lib_RT_User.pm branches/2017Q2/www/rt42/files/patch-lib_RT_Util.pm - copied unchanged from r443668, head/www/rt42/files/patch-lib_RT_Util.pm branches/2017Q2/www/rt42/files/patch-sbin_rt-test-dependencies - copied unchanged from r443668, head/www/rt42/files/patch-sbin_rt-test-dependencies branches/2017Q2/www/rt42/files/patch-share_html_Dashboards_Subscription.html - copied unchanged from r443668, head/www/rt42/files/patch-share_html_Dashboards_Subscription.html branches/2017Q2/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler - copied unchanged from r443668, head/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler Modified: branches/2017Q2/www/rt42/Makefile branches/2017Q2/www/rt42/files/patch-config.layout Directory Properties: branches/2017Q2/ (props changed) Modified: branches/2017Q2/www/rt42/Makefile ============================================================================== --- branches/2017Q2/www/rt42/Makefile Fri Jun 16 14:26:11 2017 (r443703) +++ branches/2017Q2/www/rt42/Makefile Fri Jun 16 14:32:27 2017 (r443704) @@ -2,6 +2,7 @@ PORTNAME= rt DISTVERSION= 4.2.13 +PORTREVISION= 2 CATEGORIES= www MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ PKGNAMESUFFIX= 42 Modified: branches/2017Q2/www/rt42/files/patch-config.layout ============================================================================== --- branches/2017Q2/www/rt42/files/patch-config.layout Fri Jun 16 14:26:11 2017 (r443703) +++ branches/2017Q2/www/rt42/files/patch-config.layout Fri Jun 16 14:32:27 2017 (r443704) @@ -1,11 +1,19 @@ ---- config.layout.orig 2016-06-08 21:49:02 UTC -+++ config.layout -@@ -110,24 +110,24 @@ +--- ./config.layout.orig 2014-05-06 17:59:04.000000000 +0100 ++++ ./config.layout 2014-05-14 15:26:37.717215779 +0100 +@@ -103,31 +103,31 @@ + + + +- prefix: /usr/local ++ prefix: %%PREFIX%% + exec_prefix: ${prefix} + bindir: ${exec_prefix}/bin + sbindir: ${exec_prefix}/sbin sysconfdir: ${prefix}/etc+ mandir: ${prefix}/man plugindir: ${prefix}/plugins - libdir: ${prefix}/lib+ -+ libdir: /usr/local/lib/perl5/site_perl ++ libdir: %%SITE_PERL%% datadir: ${prefix}/share+ htmldir: ${datadir}/html lexdir: ${datadir}/po Copied: branches/2017Q2/www/rt42/files/patch-lib_RT.pm (from r443668, head/www/rt42/files/patch-lib_RT.pm) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/www/rt42/files/patch-lib_RT.pm Fri Jun 16 14:32:27 2017 (r443704, copy of r443668, head/www/rt42/files/patch-lib_RT.pm) @@ -0,0 +1,13 @@ +--- lib/RT.pm.orig 2016-06-08 21:49:02 UTC ++++ lib/RT.pm +@@ -81,6 +81,10 @@ use vars qw($BasePath + $MasonDataDir + $MasonSessionDir); + ++# Set Email::Address module var before anything else loads. ++# This avoids an algorithmic complexity denial of service vulnerability. ++# See T#157608 and CVE-2015-7686 for more information. ++$Email::Address::COMMENT_NEST_LEVEL = 1; + + RT->LoadGeneratedData(); + Copied: branches/2017Q2/www/rt42/files/patch-lib_RT_Config.pm (from r443668, head/www/rt42/files/patch-lib_RT_Config.pm) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/www/rt42/files/patch-lib_RT_Config.pm Fri Jun 16 14:32:27 2017 (r443704, copy of r443668, head/www/rt42/files/patch-lib_RT_Config.pm) @@ -0,0 +1,17 @@ +--- lib/RT/Config.pm.orig 2016-06-08 21:49:02 UTC ++++ lib/RT/Config.pm +@@ -143,6 +143,14 @@ can be set for each config optin: + our %META; + %META = ( + # General user overridable options ++ RestrictReferrerLogin => { ++ PostLoadCheck => sub { ++ my $self = shift; ++ if (defined($self->Get('RestrictReferrerLogin'))) { ++ RT::Logger->error("The config option 'RestrictReferrerLogin' is incorrect, and should be 'RestrictLoginReferrer' instead."); ++ } ++ }, ++ }, + DefaultQueue => { + Section => 'General', + Overridable => 1, Copied: branches/2017Q2/www/rt42/files/patch-lib_RT_Interface_Web.pm (from r443668, head/www/rt42/files/patch-lib_RT_Interface_Web.pm) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/www/rt42/files/patch-lib_RT_Interface_Web.pm Fri Jun 16 14:32:27 2017 (r443704, copy of r443668, head/www/rt42/files/patch-lib_RT_Interface_Web.pm) @@ -0,0 +1,20 @@ +--- lib/RT/Interface/Web.pm.orig 2016-06-08 21:49:02 UTC ++++ lib/RT/Interface/Web.pm +@@ -1426,7 +1426,7 @@ sub IsCompCSRFWhitelisted { + # golden. This acts on the presumption that external forms may + # hardcode a username and password -- if a malicious attacker knew + # both already, CSRF is the least of your problems. +- my $AllowLoginCSRF = not RT->Config->Get('RestrictReferrerLogin'); ++ my $AllowLoginCSRF = not RT->Config->Get('RestrictLoginReferrer'); + if ($AllowLoginCSRF and defined($args{user}) and defined($args{pass})) { + my $user_obj = RT::CurrentUser->new(); + $user_obj->Load($args{user}); +@@ -1642,7 +1642,7 @@ sub MaybeShowInterstitialCSRFPage { + my $token = StoreRequestToken($ARGS); + $HTML::Mason::Commands::m->comp( + '/Elements/CSRF', +- OriginalURL => RT->Config->Get('WebPath') . $HTML::Mason::Commands::r->path_info, ++ OriginalURL => RT->Config->Get('WebBaseURL') . RT->Config->Get('WebPath') . $HTML::Mason::Commands::r->path_info, + Reason => HTML::Mason::Commands::loc( $msg, @loc ), + Token => $token, + ); Copied: branches/2017Q2/www/rt42/files/patch-lib_RT_User.pm (from r443668, head/www/rt42/files/patch-lib_RT_User.pm) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/www/rt42/files/patch-lib_RT_User.pm Fri Jun 16 14:32:27 2017 (r443704, copy of r443668, head/www/rt42/files/patch-lib_RT_User.pm) @@ -0,0 +1,87 @@ +--- lib/RT/User.pm.orig 2016-06-08 21:49:02 UTC ++++ lib/RT/User.pm +@@ -84,6 +84,7 @@ use RT::Principals; + use RT::ACE; + use RT::Interface::Email; + use Text::Password::Pronounceable; ++use RT::Util; + + sub _OverlayAccessible { + { +@@ -977,11 +978,17 @@ sub IsPassword { + # If it's a new-style (>= RT 4.0) password, it starts with a '!' + my (undef, $method, @rest) = split /!/, $stored; + if ($method eq "bcrypt") { +- return 0 unless $self->_GeneratePassword_bcrypt($value, @rest) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ $self->_GeneratePassword_bcrypt($value, @rest), ++ $stored ++ ); + # Upgrade to a larger number of rounds if necessary + return 1 unless $rest[0] < RT->Config->Get('BcryptCost'); + } elsif ($method eq "sha512") { +- return 0 unless $self->_GeneratePassword_sha512($value, @rest) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ $self->_GeneratePassword_sha512($value, @rest), ++ $stored ++ ); + } else { + $RT::Logger->warn("Unknown hash method $method"); + return 0; +@@ -991,16 +998,28 @@ sub IsPassword { + my $hash = MIME::Base64::decode_base64($stored); + # Decoding yields 30 byes; first 4 are the salt, the rest are substr(SHA256,0,26) + my $salt = substr($hash, 0, 4, ""); +- return 0 unless substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26) eq $hash; ++ return 0 unless RT::Util::constant_time_eq( ++ substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26), ++ $hash ++ ); + } elsif (length $stored == 32) { + # Hex nonsalted-md5 +- return 0 unless Digest::MD5::md5_hex(Encode::encode( "UTF-8", $value)) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ Digest::MD5::md5_hex(Encode::encode( "UTF-8", $value)), ++ $stored ++ ); + } elsif (length $stored == 22) { + # Base64 nonsalted-md5 +- return 0 unless Digest::MD5::md5_base64(Encode::encode( "UTF-8", $value)) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ Digest::MD5::md5_base64(Encode::encode( "UTF-8", $value)), ++ $stored ++ ); + } elsif (length $stored == 13) { + # crypt() output +- return 0 unless crypt(Encode::encode( "UTF-8", $value), $stored) eq $stored; ++ return 0 unless RT::Util::constant_time_eq( ++ crypt(Encode::encode( "UTF-8", $value), $stored), ++ $stored ++ ); + } else { + $RT::Logger->warning("Unknown password form"); + return 0; +@@ -1096,19 +1115,20 @@ sub GenerateAuthString { + + =head3 ValidateAuthString + +-Takes auth string and protected string. Returns true is protected string ++Takes auth string and protected string. Returns true if protected string + has been protected by user's L. See also L. + + =cut + + sub ValidateAuthString { + my $self = shift; +- my $auth_string = shift; ++ my $auth_string_to_validate = shift; + my $protected = shift; + + my $str = Encode::encode( "UTF-8", $self->AuthToken . $protected ); ++ my $valid_auth_string = substr(Digest::MD5::md5_hex($str),0,16); + +- return $auth_string eq substr(Digest::MD5::md5_hex($str),0,16); ++ return RT::Util::constant_time_eq( $auth_string_to_validate, $valid_auth_string ); + } + + =head2 SetDisabled Copied: branches/2017Q2/www/rt42/files/patch-lib_RT_Util.pm (from r443668, head/www/rt42/files/patch-lib_RT_Util.pm) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/www/rt42/files/patch-lib_RT_Util.pm Fri Jun 16 14:32:27 2017 (r443704, copy of r443668, head/www/rt42/files/patch-lib_RT_Util.pm) @@ -0,0 +1,70 @@ +--- lib/RT/Util.pm.orig 2016-06-08 21:49:02 UTC ++++ lib/RT/Util.pm +@@ -54,6 +54,8 @@ use warnings; + use base 'Exporter'; + our @EXPORT = qw/safe_run_child mime_recommended_filename/; + ++use Encode qw/encode/; ++ + sub safe_run_child (&) { + my $our_pid = $$; + +@@ -150,6 +152,58 @@ sub assert_bytes { + } + + ++=head2 C ++ ++Compares two strings for equality in constant-time. Replacement for the C ++operator designed to avoid timing side-channel vulnerabilities. Returns zero ++or one. ++ ++This is intended for use in cryptographic subsystems for comparing well-formed ++data such as hashes - not for direct use with user input or as a general ++replacement for the C operator. ++ ++The two string arguments B be of equal length. If the lengths differ, ++this function will call C, as proceeding with execution would create ++a timing vulnerability. Length is defined by characters, not bytes. ++ ++This code has been tested to do what it claims. Do not change it without ++thorough statistical timing analysis to validate the changes. ++ ++Added to resolve CVE-2017-5361 ++ ++For more on timing attacks, see this Wikipedia article: ++B ++ ++=cut ++ ++sub constant_time_eq { ++ my ($a, $b) = @_; ++ ++ my $result = 0; ++ ++ # generic error message avoids potential information leaks ++ my $generic_error = "Cannot compare values"; ++ die $generic_error unless defined $a and defined $b; ++ die $generic_error unless length $a == length $b; ++ die $generic_error if ref($a) or ref($b); ++ ++ for (my $i = 0; $i < length($a); $i++) { ++ my $a_char = substr($a, $i, 1); ++ my $b_char = substr($b, $i, 1); ++ ++ # encode() is set to die on malformed ++ my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK)); ++ my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK)); ++ die $generic_error if (scalar @a_octets) != (scalar @b_octets); ++ ++ for (my $j = 0; $j < scalar @a_octets; $j++) { ++ $result |= $a_octets[$j] ^ $b_octets[$j]; ++ } ++ } ++ return 0 + not $result; ++} ++ ++ + RT::Base->_ImportOverlays(); + + 1; Copied: branches/2017Q2/www/rt42/files/patch-sbin_rt-test-dependencies (from r443668, head/www/rt42/files/patch-sbin_rt-test-dependencies) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/www/rt42/files/patch-sbin_rt-test-dependencies Fri Jun 16 14:32:27 2017 (r443704, copy of r443668, head/www/rt42/files/patch-sbin_rt-test-dependencies) @@ -0,0 +1,11 @@ +--- sbin/rt-test-dependencies.orig 2017-06-15 22:12:17 UTC ++++ sbin/rt-test-dependencies +@@ -206,7 +206,7 @@ Devel::StackTrace 1.19 + Digest::base + Digest::MD5 2.27 + Digest::SHA +-Email::Address 1.897 ++Email::Address 1.908 + Email::Address::List 0.02 + Encode 2.64 + Errno Copied: branches/2017Q2/www/rt42/files/patch-share_html_Dashboards_Subscription.html (from r443668, head/www/rt42/files/patch-share_html_Dashboards_Subscription.html) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/www/rt42/files/patch-share_html_Dashboards_Subscription.html Fri Jun 16 14:32:27 2017 (r443704, copy of r443668, head/www/rt42/files/patch-share_html_Dashboards_Subscription.html) @@ -0,0 +1,11 @@ +--- share/html/Dashboards/Subscription.html.orig 2016-06-08 21:49:02 UTC ++++ share/html/Dashboards/Subscription.html +@@ -75,7 +75,7 @@ +
    + % for my $portlet (@portlets) { +
  1. +- <% loc($portlet->{description}, $fields{'Rows'}) %> ++ <% loc( RT::SavedSearch->EscapeDescription($portlet->{description}), $fields{'Rows'}) %> +
    2. + % } +
Copied: branches/2017Q2/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler (from r443668, head/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler Fri Jun 16 14:32:27 2017 (r443704, copy of r443668, head/www/rt42/files/patch-share_html_Ticket_Attachment_dhandler) @@ -0,0 +1,18 @@ +--- share/html/Ticket/Attachment/dhandler.orig 2016-06-08 21:49:02 UTC ++++ share/html/Ticket/Attachment/dhandler +@@ -68,11 +68,13 @@ unless ( $AttachmentObj->TransactionId() + my $content = $AttachmentObj->OriginalContent; + my $content_type = $AttachmentObj->ContentType || 'text/plain'; + +-if ( RT->Config->Get('AlwaysDownloadAttachments') ) { ++my $attachment_regex = qr{^(image/svg\+xml|application/pdf)}i; ++if ( RT->Config->Get('AlwaysDownloadAttachments') || ($content_type =~ $attachment_regex) ) { + $r->headers_out->{'Content-Disposition'} = "attachment"; + } + elsif ( !RT->Config->Get('TrustHTMLAttachments') ) { +- $content_type = 'text/plain' if ( $content_type =~ /^text\/html/i ); ++ my $text_plain_regex = qr{^(text/html|application/xhtml\+xml|text/xml|application/xml)}i; ++ $content_type = 'text/plain' if ( $content_type =~ $text_plain_regex ); + } + elsif (lc $content_type eq 'text/html') { + # If we're trusting and serving HTML for display not download, try to do