[rt-users] [rt-announce] RT 2.0.8_01 - CRITICAL SECURITY FIX

Wed Oct 31 01:34:07 EST 2001

Earlier today, I was alerted to a security vulnerability in RT's command
line administration tool, rtadmin by Jay Kramer at Mojomole.com.

The vulnerability, as Jay discovered, allows _local_ shell users to access
RT's commandline administrative tool with RT superuser permissions. If you
have local shell users who have access to execute the RT binaries but who are 
not trusted administrators, you MUST upgrade to RT 2.0.8_01 as soon as humanly
possible.

Until you upgrade, we recommend that you disable the rtadmin program by
executing the following command:

	chmod 000 /path/to/rt/bin/rtadmin

RT 2.0.8_01 is immediately available from:

	ftp://ftp.fsck.com/pub/rt/release/rt-2-0-8_01.tar.gz

A diff between RT 2.0.8 and RT 2.0.8_01 is attached to this message.

Thanks very much to Jay Kramer for his quick and professional handling of 
this vulnerability report.

	Jesse Vincent
	Best Practical Solutions, LLC


-- 
http://www.bestpractical.com/products/rt  -- Trouble Ticketing. Free.
-------------- next part --------------
Index: Makefile
===================================================================
RCS file: /raid/cvsroot/rt/Makefile,v
retrieving revision 1.90.2.262
diff -u -r1.90.2.262 Makefile

--- Makefile	2001/10/04 06:01:10	1.90.2.262
+++ Makefile	2001/10/31 05:50:09
@@ -6,7 +6,7 @@
 
 RT_VERSION_MAJOR	=	2
 RT_VERSION_MINOR	=	0
-RT_VERSION_PATCH	=	8
+RT_VERSION_PATCH	=	8-01
 
 
 RT_VERSION =	$(RT_VERSION_MAJOR).$(RT_VERSION_MINOR).$(RT_VERSION_PATCH)
Index: bin/rt
===================================================================
RCS file: /raid/cvsroot/rt/bin/Attic/rt,v
retrieving revision 1.1.2.35
diff -u -r1.1.2.35 rt
--- bin/rt	2001/10/01 03:03:57	1.1.2.35
+++ bin/rt	2001/10/31 05:50:10
@@ -28,6 +28,10 @@
 #Get the current user all loaded
 my $CurrentUser = GetCurrentUser();
 
+unless ($CurrentUser->Id) {
+	print "No RT user found. Please consult your RT administrator.\n";
+	exit(1);
+}
 
 
 # {{{ commandline flags 
Index: bin/rt-mailgate
===================================================================
RCS file: /raid/cvsroot/rt/bin/Attic/rt-mailgate,v
retrieving revision 1.1.2.19
diff -u -r1.1.2.19 rt-mailgate
--- bin/rt-mailgate	2001/08/23 23:49:18	1.1.2.19
+++ bin/rt-mailgate	2001/10/31 05:50:10
@@ -93,6 +93,12 @@
 #Get us a current user object.
 my $CurrentUser = GetCurrentUser($head, $entity, $ErrorsTo);
 
+# We've already performed a warning and sent the mail off to somewhere safe ($RTOwner).
+#  this is _exceedingly_ unlikely but we don't want to keep going if we don't have a current user
+
+unless ($CurrentUser->Id) {
+	exit(1);
+}
 
 my $MessageId = $head->get('Message-Id') || 
   "<no-message-id-".time.rand(2000)."\@.$RT::rtname>";
Index: bin/rtadmin
===================================================================
RCS file: /raid/cvsroot/rt/bin/Attic/rtadmin,v
retrieving revision 1.1.2.18
diff -u -r1.1.2.18 rtadmin
--- bin/rtadmin	2001/08/22 03:17:26	1.1.2.18
+++ bin/rtadmin	2001/10/31 05:50:11
@@ -28,6 +28,13 @@
 #Get the current user all loaded
 my $CurrentUser = GetCurrentUser();
 
+unless ($CurrentUser->Id) {
+        print "No RT user found. Please consult your RT administrator.\n";   
+        exit(1);
+}
+
+
+
 
 PickMode();
 
Index: lib/RT/Interface/CLI.pm
===================================================================
RCS file: /raid/cvsroot/rt/lib/RT/Interface/Attic/CLI.pm,v
retrieving revision 1.1.2.6
diff -u -r1.1.2.6 CLI.pm
--- lib/RT/Interface/CLI.pm	2001/07/12 03:16:38	1.1.2.6
+++ lib/RT/Interface/CLI.pm	2001/10/31 05:50:11
@@ -124,8 +124,7 @@
     $CurrentUser->LoadByGecos($Gecos);
     
     unless ($CurrentUser->Id) {
-	$CurrentUser = $RT::Nobody;
-	$RT::Logger->debug("No user with a unix login of '$Gecos' was found. Continuing in unprivileged mode.\n");
+	$RT::Logger->debug("No user with a unix login of '$Gecos' was found. ");
     }
     return($CurrentUser);
 }
Index: lib/RT/Interface/Email.pm
===================================================================
RCS file: /raid/cvsroot/rt/lib/RT/Interface/Attic/Email.pm,v
retrieving revision 1.1.2.53
diff -u -r1.1.2.53 Email.pm
--- lib/RT/Interface/Email.pm	2001/10/01 06:42:30	1.1.2.53
+++ lib/RT/Interface/Email.pm	2001/10/31 05:50:11
@@ -372,12 +372,10 @@
 	    
 	    my $Message = "Sender's email address was not found in the user database.";
 
-	    $CurrentUser->Load($RT::Nobody->Id);
-
 	    # {{{  This code useful only if you've defined an AutoRejectRequest template
 	    
 	    require RT::Template;
-	    my $template = new RT::Template($CurrentUser);
+	    my $template = new RT::Template($RT::Nobody);
 	    $template->Load('AutoRejectRequest');
 	    $Message = $template->Content || $Message;
 	    
@@ -421,10 +419,14 @@
 	$CurrentUser->LoadByEmail($Address);
 	
 	unless ($CurrentUser->id) {
-	    $RT::Logger->warning("Couldn't load user '$Address'.".
-				 " Defaulting to nobody\n");
+	    $RT::Logger->warning("Couldn't load user '$Address'.".  "giving up");
+		MailError( To => $ErrorsTo,
+			   Subject => "User could not be loaded",
+			   Explanation => "User  '$Address' could not be loaded in the mail gateway",
+			   MIMEObj => $entity,
+			   LogLevel => 'crit'
+			 );
 	    
-	    $CurrentUser->Load($RT::Nobody->Id);
 	}
     }
  
