[perl-RT-Authen-ExternalAuth/el5] CVE-2012-2770
Xavier Bachelot
xavierb at fedoraproject.org
Mon Jul 30 20:55:36 UTC 2012
commit d33e0416eaeacfe33d08624553e35ebe972956aa
Author: Xavier Bachelot <xavier at bachelot.org>
Date: Mon Jul 30 22:54:31 2012 +0200
CVE-2012-2770
...RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch | 55 ++++++++++++++++++++
perl-RT-Authen-ExternalAuth.spec | 9 +++-
2 files changed, 63 insertions(+), 1 deletions(-)
---
diff --git a/perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch b/perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch
new file mode 100644
index 0000000..dba8be6
--- /dev/null
+++ b/perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch
@@ -0,0 +1,55 @@
+This file updates RT::Authen::ExternalAuth version 0.08 to patch the
+security vulnerability otherwise addressed in RT::Authen::ExternalAuth
+0.11. It need only be applied if you are running RT 3.8.1, and thus
+cannot install a more recent version of RT::Authen::ExternalAuth.
+
+If you are running RT 3.8.1 and a version of RT::Authen::ExternalAuth
+prior to 0.08, you should first upgrade to 0.08, then continue with the
+patching instructions below. Version 0.08 can be downloaded from:
+http://cpan.metacpan.org/authors/id/Z/ZO/ZORDRAK/RT-Authen-ExternalAuth-0.08.tar.gz
+
+This patch should be applied via:
+
+ patch -p1 -d /opt/rt4 < /path/to/this/file.patch
+
+You should then restart your webserver.
+
+diff --git a/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm b/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
+index 948939a..d4da020 100644
+--- a/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
++++ b/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
+@@ -166,12 +166,12 @@ sub DoAuth {
+ # If we got here and don't have a user loaded we must have failed to
+ # get a full, valid user from an authoritative external source.
+ unless ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
+- delete $session->{'CurrentUser'};
++ $session->{'CurrentUser'} = RT::CurrentUser->new;
+ return (0, "No User");
+ }
+
+ unless($success) {
+- delete $session->{'CurrentUser'};
++ $session->{'CurrentUser'} = RT::CurrentUser->new;
+ return (0, "Password Invalid");
+ }
+
+@@ -206,7 +206,7 @@ sub DoAuth {
+ # Now that we definitely have up-to-date user information,
+ # if the user is disabled, kick them out. Now!
+ if ($session->{'CurrentUser'}->UserObj->Disabled) {
+- delete $session->{'CurrentUser'};
++ $session->{'CurrentUser'} = RT::CurrentUser->new;
+ return (0, "User account disabled, login denied");
+ }
+ }
+@@ -223,8 +223,8 @@ sub DoAuth {
+ # Do not delete the session. User stays logged in and
+ # autohandler will not check the password again
+ } else {
+- # Make SURE the session is deleted.
+- delete $session->{'CurrentUser'};
++ # Make SURE the session is purged to an empty user.
++ $session->{'CurrentUser'} = RT::CurrentUser->new;
+ return (0, "Failed to authenticate externally");
+ # This will cause autohandler to request IsPassword
+ # which will in turn call IsExternalPassword
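Review bot: The instruction header of the bundled patch (the lines before the inner `diff --git`) does not match how this package applies it: it says the fix is for RT 3.8.1 installs yet the example command targets `/opt/rt4`, and the spec applies the file with `%patch0 -p4` against the unpacked CPAN tarball rather than `-p1` against an installed tree. The header looks like the upstream text copied verbatim, so a one-line note at the top such as `# Applied by the spec via %patch0 -p4; the -p1 instructions below are for a hand-applied install` would spare the next packager from re-deriving the path depth. The Perl change itself replaces deletion of the session's CurrentUser with a fresh `RT::CurrentUser->new`, which agrees with the `unless` condition in the first inner hunk that tests `->Id` rather than mere presence. DoAuth begins and ends outside the inner hunks, so whether every other reader of `$session->{'CurrentUser'}` copes with an empty user object cannot be confirmed from here.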
diff --git a/perl-RT-Authen-ExternalAuth.spec b/perl-RT-Authen-ExternalAuth.spec
index e220868..da5d0c4 100644
--- a/perl-RT-Authen-ExternalAuth.spec
+++ b/perl-RT-Authen-ExternalAuth.spec
@@ -1,11 +1,14 @@
Name: perl-RT-Authen-ExternalAuth
Version: 0.08
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: RT Authentication using External Sources
License: GPLv2+
Group: Development/Libraries
URL: http://search.cpan.org/dist/RT-Authen-ExternalAuth/
Source0: http://www.cpan.org/modules/by-module/RT/RT-Authen-ExternalAuth-%{version}.tar.gz
+# Patch for CVE-2012-2770
+# http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch
+Patch0: perl-RT-Authen-ExternalAuth-0.08-CVE-2012-2770.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: rt3
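Review bot: The two comment lines above Patch0 give the upstream URL for the fix but nothing that ties the bundled file to it, so a reader of the spec cannot tell whether the bundled copy is verbatim or was locally adjusted. Recording that next to the URL, e.g. `# Verbatim copy of the upstream patch (sha256: <HASH-PLACEHOLDER>)`, lets the provenance be re-checked later without re-downloading. The Release bump in the same hunk needs no further comment.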
@@ -23,6 +26,7 @@ for any database with an installed DBI driver.
%prep
%setup -q -n RT-Authen-ExternalAuth-%{version}
+%patch0 -p4
sed -i -e 's/\r//' lib/RT/Authen/ExternalAuth/DBI.pm
sed -i -e 's/\r//' lib/RT/Authen/ExternalAuth/LDAP.pm
chmod a-x ChangeLog LICENSE README html/Callbacks/ExternalAuth/autohandler/Auth
@@ -60,5 +64,8 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Mon Jul 30 2012 Xavier Bachelot <xavier at bachelot.org> 0.08-2
+- Add patch for CVE-2012-2770.
+
* Tue May 15 2012 Xavier Bachelot <xavier at bachelot.org> 0.08-1
- Initial EL5 import.