[rt-devel] [rt-announce] RT 2.0.8_01 - CRITICAL SECURITY FIX
Jesse Vincent
jesse at bestpractical.com
Wed Oct 31 01:34:07 EST 2001
Earlier today, I was alerted to a security vulnerability in RT's command
line administration tool, rtadmin by Jay Kramer at Mojomole.com.
The vulnerability, as Jay discovered, allows _local_ shell users to access
RT's commandline administrative tool with RT superuser permissions. If you
have local shell users who have access to execute the RT binaries but who are
not trusted administrators, you MUST upgrade to RT 2.0.8_01 as soon as humanly
possible.
Until you upgrade, we recommend that you disable the rtadmin program by
executing the following command:
chmod 000 /path/to/rt/bin/rtadmin
RT 2.0.8_01 is immediately available from:
ftp://ftp.fsck.com/pub/rt/release/rt-2-0-8_01.tar.gz
A diff between RT 2.0.8 and RT 2.0.8_01 is attached to this message.
Thanks very much to Jay Kramer for his quick and professional handling of
this vulnerability report.
Jesse Vincent
Best Practical Solutions, LLC
--
http://www.bestpractical.com/products/rt -- Trouble Ticketing. Free.
-------------- next part --------------
Index: Makefile
===================================================================
RCS file: /raid/cvsroot/rt/Makefile,v
retrieving revision 1.90.2.262
diff -u -r1.90.2.262 Makefile
--- Makefile 2001/10/04 06:01:10 1.90.2.262
+++ Makefile 2001/10/31 05:50:09
@@ -6,7 +6,7 @@
RT_VERSION_MAJOR = 2
RT_VERSION_MINOR = 0
-RT_VERSION_PATCH = 8
+RT_VERSION_PATCH = 8-01
RT_VERSION = $(RT_VERSION_MAJOR).$(RT_VERSION_MINOR).$(RT_VERSION_PATCH)
Index: bin/rt
===================================================================
RCS file: /raid/cvsroot/rt/bin/Attic/rt,v
retrieving revision 1.1.2.35
diff -u -r1.1.2.35 rt
--- bin/rt 2001/10/01 03:03:57 1.1.2.35
+++ bin/rt 2001/10/31 05:50:10
@@ -28,6 +28,10 @@
#Get the current user all loaded
my $CurrentUser = GetCurrentUser();
+unless ($CurrentUser->Id) {
+ print "No RT user found. Please consult your RT administrator.\n";
+ exit(1);
+}
# {{{ commandline flags
Index: bin/rt-mailgate
===================================================================
RCS file: /raid/cvsroot/rt/bin/Attic/rt-mailgate,v
retrieving revision 1.1.2.19
diff -u -r1.1.2.19 rt-mailgate
--- bin/rt-mailgate 2001/08/23 23:49:18 1.1.2.19
+++ bin/rt-mailgate 2001/10/31 05:50:10
@@ -93,6 +93,12 @@
#Get us a current user object.
my $CurrentUser = GetCurrentUser($head, $entity, $ErrorsTo);
+# We've already performed a warning and sent the mail off to somewhere safe ($RTOwner).
+# this is _exceedingly_ unlikely but we don't want to keep going if we don't have a current user
+
+unless ($CurrentUser->Id) {
+ exit(1);
+}
my $MessageId = $head->get('Message-Id') ||
"<no-message-id-".time.rand(2000)."\@.$RT::rtname>";
Index: bin/rtadmin
===================================================================
RCS file: /raid/cvsroot/rt/bin/Attic/rtadmin,v
retrieving revision 1.1.2.18
diff -u -r1.1.2.18 rtadmin
--- bin/rtadmin 2001/08/22 03:17:26 1.1.2.18
+++ bin/rtadmin 2001/10/31 05:50:11
@@ -28,6 +28,13 @@
#Get the current user all loaded
my $CurrentUser = GetCurrentUser();
+unless ($CurrentUser->Id) {
+ print "No RT user found. Please consult your RT administrator.\n";
+ exit(1);
+}
+
+
+
PickMode();
Index: lib/RT/Interface/CLI.pm
===================================================================
RCS file: /raid/cvsroot/rt/lib/RT/Interface/Attic/CLI.pm,v
retrieving revision 1.1.2.6
diff -u -r1.1.2.6 CLI.pm
--- lib/RT/Interface/CLI.pm 2001/07/12 03:16:38 1.1.2.6
+++ lib/RT/Interface/CLI.pm 2001/10/31 05:50:11
@@ -124,8 +124,7 @@
$CurrentUser->LoadByGecos($Gecos);
unless ($CurrentUser->Id) {
- $CurrentUser = $RT::Nobody;
- $RT::Logger->debug("No user with a unix login of '$Gecos' was found. Continuing in unprivileged mode.\n");
+ $RT::Logger->debug("No user with a unix login of '$Gecos' was found. ");
}
return($CurrentUser);
}
Index: lib/RT/Interface/Email.pm
===================================================================
RCS file: /raid/cvsroot/rt/lib/RT/Interface/Attic/Email.pm,v
retrieving revision 1.1.2.53
diff -u -r1.1.2.53 Email.pm
--- lib/RT/Interface/Email.pm 2001/10/01 06:42:30 1.1.2.53
+++ lib/RT/Interface/Email.pm 2001/10/31 05:50:11
@@ -372,12 +372,10 @@
my $Message = "Sender's email address was not found in the user database.";
- $CurrentUser->Load($RT::Nobody->Id);
-
# {{{ This code useful only if you've defined an AutoRejectRequest template
require RT::Template;
- my $template = new RT::Template($CurrentUser);
+ my $template = new RT::Template($RT::Nobody);
$template->Load('AutoRejectRequest');
$Message = $template->Content || $Message;
@@ -421,10 +419,14 @@
$CurrentUser->LoadByEmail($Address);
unless ($CurrentUser->id) {
- $RT::Logger->warning("Couldn't load user '$Address'.".
- " Defaulting to nobody\n");
+ $RT::Logger->warning("Couldn't load user '$Address'.". "giving up");
+ MailError( To => $ErrorsTo,
+ Subject => "User could not be loaded",
+ Explanation => "User '$Address' could not be loaded in the mail gateway",
+ MIMEObj => $entity,
+ LogLevel => 'crit'
+ );
- $CurrentUser->Load($RT::Nobody->Id);
}
}
More information about the Rt-devel
mailing list