
Freeze exception request for gforge 4.7~rc2-5



Hi release team,

  I would like to request a freeze exception for the gforge package.
The version currently in lenny is 4.7~rc2-4, and 4.7~rc2-5 has been
uploaded to unstable with the following debdiff:

,----
| diff -u gforge-4.7~rc2/debian/changelog gforge-4.7~rc2/debian/changelog
| --- gforge-4.7~rc2/debian/changelog
| +++ gforge-4.7~rc2/debian/changelog
| @@ -1,3 +1,10 @@
| +gforge (4.7~rc2-5) unstable; urgency=high
| +
| +  * Fix several SQL injection vulnerabilities due to insufficient input
| +    sanitizing.
| +
| + -- Roland Mas <lolando@debian.org>  Mon, 06 Oct 2008 16:12:50 +0200
| +
|  gforge (4.7~rc2-4) unstable; urgency=low
|  
|    * gforge-plugin-scmsvn: display SVN instructions corresponding to the
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/frs/shownotes.php
| +++ gforge-4.7~rc2/www/frs/shownotes.php
| @@ -35,7 +35,6 @@
|  		frs_release.preformatted,frs_release.name,frs_package.group_id,frs_package.is_public
|  		FROM frs_release,frs_package 
|  		WHERE frs_release.package_id=frs_package.package_id 
| -		$pub_sql
|  		AND frs_release.release_id='$release_id'");
|  
|  if (!$result || db_numrows($result) < 1) {
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/include/logger.php
| +++ gforge-4.7~rc2/www/include/logger.php
| @@ -13,13 +13,17 @@
|  	Determine group
|  */
|  
| -if (isset($group_id) && $group_id) {
| +if (isset($group_id) && is_numeric($group_id) && $group_id) {
|  	$log_group=$group_id;
| -} else if (isset($form_grp) && $form_grp) {
| +} else if (isset($form_grp) && is_numeric($form_grp) && $form_grp) {
|  	$log_group=$form_grp;
|  } else if (isset($group_name) && $group_name) {
|  	$group =& group_get_object_by_name($group_name);
| -	if ($group) $log_group=$group->getID();
| +	if ($group) {
| +		$log_group=$group->getID();
| +	} else {
| +		$log_group=0;
| +	}
|  } else {
|  	//
|  	//
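Review bot: `is_numeric()` in the two added conditions accepts more than integer ids, since strings such as `1.5` or `1e3` and values with leading whitespace all pass, and the value is then copied into `$log_group` unchanged. Where `$log_group` is consumed is outside this hunk, but if it reaches a query, an integer cast is the tighter guard: `$log_group=(int)$group_id;` and `$log_group=(int)$form_grp;`. The same `is_numeric()` pattern is added in the www/new/index.php, www/news/index.php and common/include/database-pgsql.php hunks, where `$group_id`, `$limit` and `$offset` are placed into the SQL text. In `db_query`, casting with `$limit=(int)$limit; $offset=(int)$offset;` before building `LIMIT $limit OFFSET $offset` would normalise the values for every caller in one place.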
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/people/skills_utils.php
| +++ gforge-4.7~rc2/www/people/skills_utils.php
| @@ -101,9 +101,9 @@
|  function handle_multi_edit($skill_ids) {
|  	global $HTML;
|  	$numSkills = count($skill_ids);
| -	$SQL = "select * from skills_data where skills_data_id in(".$skill_ids[0];
| +	$SQL = "select * from skills_data where skills_data_id in(".(int)$skill_ids[0];
|  	for($i = 1; $i < $numSkills; $i++) {
| -		$SQL .= ", ".$skill_ids[$i];
| +		$SQL .= ", ".(int)$skill_ids[$i];
|  	}
|  	$SQL .= ")";
|  	
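Review bot: `handle_multi_edit` still reads `$skill_ids[0]` without checking that the array has any elements, so with an empty array the new cast turns the missing element into 0 and the query runs as `in(0)` instead of the input being rejected. A guard before `$SQL` is built, such as `if (count($skill_ids) < 1) { return; }`, would make that case explicit; what the function should return there is not visible, because its body continues past the hunk. As a style point, `implode(", ", array_map('intval', $skill_ids))` would apply the cast in one place instead of in both the first-element expression and the loop.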
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/new/index.php
| +++ gforge-4.7~rc2/www/new/index.php
| @@ -19,7 +19,7 @@
|  
|  $offset = getIntFromRequest('offset');
|  
| -if ( !$offset || $offset < 0 ) {
| +if ( !$offset || $offset < 0 || !is_numeric($offset) ) {
|  	$offset = 0;
|  }
|  
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/www/news/index.php
| +++ gforge-4.7~rc2/www/news/index.php
| @@ -41,13 +41,22 @@
|  /*
|  	Put the result set (list of forums for this group) into a column with folders
|  */
| +if ( !$group_id || $group_id < 0 || !is_numeric($group_id) ) {
| +	$group_id = 0;
| +}
|  if ($group_id && ($group_id != $sys_news_group)) {
|  	$sql="SELECT * FROM news_bytes WHERE group_id='$group_id' AND is_approved <> '4' ORDER BY post_date DESC";
|  } else {
|  	$sql="SELECT * FROM news_bytes WHERE is_approved='1' ORDER BY post_date DESC";
|  }
|  
| -if (!$limit || $limit>50) $limit=50;
| +if ( !$offset || $offset < 0 || !is_numeric($offset) ) {
| +	$offset = 0;
| +}
| +if ( !$limit || $limit < 0 || $limit > 50 || !is_numeric($limit) ) {
| +	$limit = 50;
| +}
| +
|  $result=db_query($sql,$limit+1,$offset);
|  $rows=db_numrows($result);
|  $more=0;
| only in patch2:
| unchanged:
| --- gforge-4.7~rc2.orig/common/include/database-pgsql.php
| +++ gforge-4.7~rc2/common/include/database-pgsql.php
| @@ -119,8 +119,11 @@
|  	global $QUERY_COUNT;
|  	$QUERY_COUNT++;
|  
| +	if (!$limit || !is_numeric($limit) || $limit < 0) {
| +		$limit=0;
| +	}
|  	if ($limit > 0) {
| -		if (!$offset || $offset < 0) {
| +		if (!$offset || !is_numeric($offset) || $offset < 0) {
|  			$offset=0;
|  		}
|  		$qstring=$qstring." LIMIT $limit OFFSET $offset";
`----

  This is a straightforward port of several fixes for SQL injection
vulnerabilities due to insufficient input sanitizing.

  Thanks,

Roland.
-- 
Roland Mas

When I eat a biscuit, it stays eaten!
  -- Arthur Dent, in So Long, and Thanks for All the Fish (Douglas Adams)

