[perl-RT-Authen-ExternalAuth/el5] CVE-2012-2770

Xavier Bachelot xavierb at fedoraproject.org
Mon Jul 30 20:55:36 UTC 2012


commit d33e0416eaeacfe33d08624553e35ebe972956aa
Author: Xavier Bachelot <xavier at bachelot.org>
Date:   Mon Jul 30 22:54:31 2012 +0200

    CVE-2012-2770

 ...RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch |   55 ++++++++++++++++++++
 perl-RT-Authen-ExternalAuth.spec                   |    9 +++-
 2 files changed, 63 insertions(+), 1 deletions(-)
---
diff --git a/perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch b/perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch
new file mode 100644
index 0000000..dba8be6
--- /dev/null
+++ b/perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch
@@ -0,0 +1,55 @@
+This file updates RT::Authen::ExternalAuth version 0.08 to patch the
+security vulnerability otherwise addressed in RT::Authen::ExternalAuth
+0.11.  It need only be applied if you are running RT 3.8.1, and thus
+cannot install a more recent version of RT::Authen::ExternalAuth.
+
+If you are running RT 3.8.1 and a version of RT::Authen::ExternalAuth
+prior to 0.08, you should first upgrade to 0.08, then continue with the
+patching instructions below.  Version 0.08 can be downloaded from:
+http://cpan.metacpan.org/authors/id/Z/ZO/ZORDRAK/RT-Authen-ExternalAuth-0.08.tar.gz
+
+This patch should be applied via:
+
+   patch -p1 -d /opt/rt4 < /path/to/this/file.patch
+
+You should then restart your webserver.
+
+diff --git a/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm b/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
+index 948939a..d4da020 100644
+--- a/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
++++ b/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
+@@ -166,12 +166,12 @@ sub DoAuth {
+     # If we got here and don't have a user loaded we must have failed to
+     # get a full, valid user from an authoritative external source.
+     unless ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
+-        delete $session->{'CurrentUser'};
++        $session->{'CurrentUser'} = RT::CurrentUser->new;
+         return (0, "No User");
+     }
+ 
+     unless($success) {
+-        delete $session->{'CurrentUser'};
++        $session->{'CurrentUser'} = RT::CurrentUser->new;
+ 	return (0, "Password Invalid");
+     }
+     
+@@ -206,7 +206,7 @@ sub DoAuth {
+         # Now that we definitely have up-to-date user information,
+         # if the user is disabled, kick them out. Now!
+         if ($session->{'CurrentUser'}->UserObj->Disabled) {
+-            delete $session->{'CurrentUser'};
++            $session->{'CurrentUser'} = RT::CurrentUser->new;
+             return (0, "User account disabled, login denied");
+         }
+     }
+@@ -223,8 +223,8 @@ sub DoAuth {
+             # Do not delete the session. User stays logged in and
+             # autohandler will not check the password again
+     } else {
+-            # Make SURE the session is deleted.
+-            delete $session->{'CurrentUser'};
++            # Make SURE the session is purged to an empty user.
++            $session->{'CurrentUser'} = RT::CurrentUser->new;
+             return (0, "Failed to authenticate externally");
+             # This will cause autohandler to request IsPassword 
+             # which will in turn call IsExternalPassword
diff --git a/perl-RT-Authen-ExternalAuth.spec b/perl-RT-Authen-ExternalAuth.spec
index e220868..da5d0c4 100644
--- a/perl-RT-Authen-ExternalAuth.spec
+++ b/perl-RT-Authen-ExternalAuth.spec
@@ -1,11 +1,14 @@
 Name:           perl-RT-Authen-ExternalAuth
 Version:        0.08
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        RT Authentication using External Sources
 License:        GPLv2+
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/RT-Authen-ExternalAuth/
 Source0:        http://www.cpan.org/modules/by-module/RT/RT-Authen-ExternalAuth-%{version}.tar.gz
+# Patch for CVE-2012-2770
+# http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch
+Patch0:         perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 BuildRequires:  rt3
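Review bot: The new `Patch0:` line ends with a trailing space after the file name; rpmbuild tolerates it, but it trips whitespace linters and will surface as noise in every later diff of this spec, so `Patch0:         perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch` with the blank dropped is preferable. The comment above it cites the upstream download URL, whose basename (`rt-authen-externalauth-0.08.patch`) differs from the name the file is checked in under; a short `# local copy of the upstream rt-authen-externalauth-0.08.patch` would make it obvious the two are meant to be the same file when someone later compares them against upstream.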
@@ -23,6 +26,7 @@ for any database with an installed DBI driver.
 
 %prep
 %setup -q -n RT-Authen-ExternalAuth-%{version}
+%patch0 -p4
 sed -i -e 's/\r//' lib/RT/Authen/ExternalAuth/DBI.pm
 sed -i -e 's/\r//' lib/RT/Authen/ExternalAuth/LDAP.pm
 chmod a-x ChangeLog LICENSE README html/Callbacks/ExternalAuth/autohandler/Auth
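Review bot: `%patch0 -p4` silently depends on the embedded diff being rooted at `a/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm`, four components deeper than the tarball's `lib/RT/Authen/ExternalAuth.pm`; a one-line comment, `# -p4: upstream patch paths are rooted at local/plugins/RT-Authen-ExternalAuth/`, saves the next maintainer from re-deriving the strip level if the patch is ever refreshed. Using a backup suffix, `%patch0 -p4 -b .CVE-2012-2770`, would also keep the pre-patch copy in the build tree, which is the usual way to leave the applied security change inspectable in the build.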
@@ -60,5 +64,8 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Mon Jul 30 2012 Xavier Bachelot <xavier at bachelot.org> 0.08-2
+- Add patch for CVE-2012-2770.
+
 * Tue May 15 2012 Xavier Bachelot <xavier at bachelot.org> 0.08-1
 - Initial EL5 import.

