Freeze exception request for gforge 4.7~rc2-5
Hi release team,
I would like to request a freeze exception for the gforge package.
The version currently in lenny is 4.7~rc2-4, and 4.7~rc2-5 has been
uploaded to unstable with the following debdiff:
,----
| diff -u gforge-4.7~rc2/debian/changelog gforge-4.7~rc2/debian/changelog
| --- gforge-4.7~rc2/debian/changelog
| +++ gforge-4.7~rc2/debian/changelog
| @@ -1,3 +1,10 @@
| +gforge (4.7~rc2-5) unstable; urgency=high
| +
| + * Fix several SQL injection vulnerabilities due to insufficient input
| + sanitizing.
| +
| + -- Roland Mas <lolando@debian.org> Mon, 06 Oct 2008 16:12:50 +0200
| +
| gforge (4.7~rc2-4) unstable; urgency=low
|
| * gforge-plugin-scmsvn: display SVN instructions corresponding to the
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/frs/shownotes.php
| +++ gforge-4.7~rc2/www/frs/shownotes.php
| @@ -35,7 +35,6 @@
| frs_release.preformatted,frs_release.name,frs_package.group_id,frs_package.is_public
| FROM frs_release,frs_package
| WHERE frs_release.package_id=frs_package.package_id
| - $pub_sql
| AND frs_release.release_id='$release_id'");
|
| if (!$result || db_numrows($result) < 1) {
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/include/logger.php
| +++ gforge-4.7~rc2/www/include/logger.php
| @@ -13,13 +13,17 @@
| Determine group
| */
|
| -if (isset($group_id) && $group_id) {
| +if (isset($group_id) && is_numeric($group_id) && $group_id) {
| $log_group=$group_id;
| -} else if (isset($form_grp) && $form_grp) {
| +} else if (isset($form_grp) && is_numeric($form_grp) && $form_grp) {
| $log_group=$form_grp;
| } else if (isset($group_name) && $group_name) {
| $group =& group_get_object_by_name($group_name);
| - if ($group) $log_group=$group->getID();
| + if ($group) {
| + $log_group=$group->getID();
| + } else {
| + $log_group=0;
| + }
| } else {
| //
| //
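Review bot: `is_numeric()` on the `$group_id` and `$form_grp` branches is a looser test than an integer id needs: it also accepts decimals, exponent notation and leading whitespace, and `$log_group` then receives the original string rather than a normalized number. Such strings cannot carry a quote, so the injection itself is closed, but how `$log_group` is used afterwards is outside the hunk and a non-integer value may still be rejected or compared inconsistently there. Assigning `$log_group=(int)$group_id;` (and `(int)$form_grp`), or testing with `ctype_digit((string)$group_id)`, would pin it to an integer. The same pattern appears in the www/new/index.php, www/news/index.php and common/include/database-pgsql.php hunks, where `$limit` and `$offset` end up unquoted in `" LIMIT $limit OFFSET $offset"`; casting both with `(int)` just before that line would cover every caller. The if/else chain continues outside the hunk.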
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/people/skills_utils.php
| +++ gforge-4.7~rc2/www/people/skills_utils.php
| @@ -101,9 +101,9 @@
| function handle_multi_edit($skill_ids) {
| global $HTML;
| $numSkills = count($skill_ids);
| - $SQL = "select * from skills_data where skills_data_id in(".$skill_ids[0];
| + $SQL = "select * from skills_data where skills_data_id in(".(int)$skill_ids[0];
| for($i = 1; $i < $numSkills; $i++) {
| - $SQL .= ", ".$skill_ids[$i];
| + $SQL .= ", ".(int)$skill_ids[$i];
| }
| $SQL .= ")";
|
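Review bot: handle_multi_edit still reads `$skill_ids[0]` without checking that the array is non-empty, so an empty list now produces `in(0)` plus an undefined-index notice instead of being handled explicitly; whether callers can pass an empty list is not visible here. Casting the whole list once would also read more clearly than the index loop: `$ids = array_map('intval', $skill_ids);` then `$SQL = "select * from skills_data where skills_data_id in(".implode(", ", $ids).")";`, with an early return when `$ids` is empty. A short comment saying the cast is the injection guard would keep a later refactor from dropping it. The function body continues outside the hunk.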
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/new/index.php
| +++ gforge-4.7~rc2/www/new/index.php
| @@ -19,7 +19,7 @@
|
| $offset = getIntFromRequest('offset');
|
| -if ( !$offset || $offset < 0 ) {
| +if ( !$offset || $offset < 0 || !is_numeric($offset) ) {
| $offset = 0;
| }
|
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/news/index.php
| +++ gforge-4.7~rc2/www/news/index.php
| @@ -41,13 +41,22 @@
| /*
| Put the result set (list of forums for this group) into a column with folders
| */
| +if ( !$group_id || $group_id < 0 || !is_numeric($group_id) ) {
| + $group_id = 0;
| +}
| if ($group_id && ($group_id != $sys_news_group)) {
| $sql="SELECT * FROM news_bytes WHERE group_id='$group_id' AND is_approved <> '4' ORDER BY post_date DESC";
| } else {
| $sql="SELECT * FROM news_bytes WHERE is_approved='1' ORDER BY post_date DESC";
| }
|
| -if (!$limit || $limit>50) $limit=50;
| +if ( !$offset || $offset < 0 || !is_numeric($offset) ) {
| + $offset = 0;
| +}
| +if ( !$limit || $limit < 0 || $limit > 50 || !is_numeric($limit) ) {
| + $limit = 50;
| +}
| +
| $result=db_query($sql,$limit+1,$offset);
| $rows=db_numrows($result);
| $more=0;
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/common/include/database-pgsql.php
| +++ gforge-4.7~rc2/common/include/database-pgsql.php
| @@ -119,8 +119,11 @@
| global $QUERY_COUNT;
| $QUERY_COUNT++;
|
| + if (!$limit || !is_numeric($limit) || $limit < 0) {
| + $limit=0;
| + }
| if ($limit > 0) {
| - if (!$offset || $offset < 0) {
| + if (!$offset || !is_numeric($offset) || $offset < 0) {
| $offset=0;
| }
| $qstring=$qstring." LIMIT $limit OFFSET $offset";
`----
This is a straightforward port of several fixes for SQL injection
vulnerabilities due to insufficient input sanitizing.
Thanks,
Roland.
--
Roland Mas
When I eat a biscuit, it stays eaten!
-- Arthur Dent, in So Long, and Thanks for All the Fish (Douglas Adams)