--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package elog/2.9.2+2014.05.11git44800a7-2+deb8u1
- From: Roger Kalt <roger.kalt@gmail.com>
- Date: Sun, 26 Feb 2017 21:38:45 +0100
- Message-id: <20170226203845.2923.71625.reportbug@x200.kalt>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
This update closes bug https://bugs.debian.org/851909, where no user other than
the admin user could log in.
-- System Information:
Debian Release: 8.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/changelog elog-2.9.2+2014.05.11git44800a7/debian/changelog
--- elog-2.9.2+2014.05.11git44800a7/debian/changelog 2016-09-17 23:32:15.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/changelog 2017-02-12 20:20:33.000000000 +0100
@@ -1,3 +1,10 @@
+elog (2.9.2+2014.05.11git44800a7-2+deb8u2) jessie; urgency=medium
+
+ * update patch 0005_elogd_CVE-2016-6342_fix to grant access
+ to logbooks also as normal login user (Closes: #851909)
+
+ -- Roger Kalt <roger.kalt@gmail.com> Thu, 19 Jan 2017 22:45:52 +0100
+
elog (2.9.2+2014.05.11git44800a7-2+deb8u1) jessie; urgency=medium
* Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix
--- elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix 2016-09-03 22:12:44.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix 2017-02-02 21:28:38.000000000 +0100
@@ -42,7 +42,7 @@
if (lbs->top_group[0] && (!top_group || strieq(top_group, "global"))) {
- if (is_admin_user("global", getparam("unm"))) {
-+ if (is_admin_user(lbs, getparam("unm"))) {
++ if (is_admin_user(NULL, getparam("unm"))) {
if (lbs->top_group[0]) {
sprintf(str, "global %s", lbs->top_group);
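Review bot: Passing `NULL` as the first argument skips the login check for this gate, because hunk `@@ -305,18 +295,18 @@` changes the guard to `if (lbs && !logged_in(lbs))`. Global admin status then appears to rest only on `getparam("unm")` matching the "Admin user" configuration. The same applies to the call sites in hunks `@@ -51,7 +51,7 @@`, `@@ -139,7 +139,7 @@`, `@@ -175,7 +175,7 @@` and the newly added `@@ -25988,7 +26016,7 @@` section. Whether `unm` has already been validated against a session by the time these calls run is not visible in the patch; if it has not, these gates are weaker than the check the CVE-2016-6342 fix added. Consider keeping a session check for the global case, or at least state the contract in `is_admin_user`, e.g. `/* lbs == NULL: global admin lookup; caller must already have verified the login */`. The enclosing functions start and end outside the hunks.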
@@ -51,7 +51,7 @@
if (is_group("global") && !strieq(top_group, "global")) {
- if (is_admin_user("global", getparam("unm"))) {
-+ if (is_admin_user(lbs, getparam("unm"))) {
++ if (is_admin_user(NULL, getparam("unm"))) {
rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Delete this logbook"));
rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Rename this logbook"));
rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Create new logbook"));
@@ -139,7 +139,7 @@
strcat(menu_str, "GetPwdFile, ");
- if (is_admin_user("global", getparam("unm"))) {
-+ if (is_admin_user(lbs, getparam("unm"))) {
++ if (is_admin_user(NULL, getparam("unm"))) {
if (lbs->top_group[0]) {
sprintf(str, "Change [global %s]", lbs->top_group);
@@ -175,7 +175,7 @@
strcat(menu_str, "GetPwdFile, ");
- if (is_admin_user("global", getparam("unm"))) {
-+ if (is_admin_user(lbs, getparam("unm"))) {
++ if (is_admin_user(NULL, getparam("unm"))) {
if (lbs->top_group[0]) {
sprintf(str, "Change [global %s]", lbs->top_group);
@@ -276,17 +276,7 @@
getcfg(lbs->name, "Password file", str, sizeof(str));
-@@ -25438,16 +25455,27 @@
- if (i == n)
- return FALSE;
- }
-+
-+ /* make sure user is logged in */
-+ if (!logged_in(lbs))
-+ return FALSE;
-+
- return TRUE;
- }
+@@ -25443,11 +25460,17 @@
/*------------------------------------------------------------------*/
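Review bot: Removing the inner hunk `@@ -25438,16 +25455,27 @@` drops `if (!logged_in(lbs)) return FALSE;` from a function whose name is not visible here, so that function again returns TRUE without any session check. The earlier revision added this check as part of the CVE-2016-6342 fix, so the patch header should record which code path still rejects a request that is not logged in for this function. A short comment at the removed site would also help the next maintainer, e.g. `/* login is enforced by <caller>; check removed for #851909 */`, with the placeholder replaced by the real call site. The function body starts outside the hunk, so this could not be confirmed from the diff alone.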
@@ -305,18 +295,18 @@
/* Removed user[0] for cloning, have to check implications, same below.
if (getcfg(logbook, "Admin user", str, sizeof(str)) && user[0]) { */
-@@ -25464,6 +25492,10 @@
+@@ -25464,6 +25487,10 @@
if (i == n)
return FALSE;
}
+ /* make sure user is logged in */
-+ if (!logged_in(lbs))
++ if (lbs && !logged_in(lbs))
+ return FALSE;
+
return TRUE;
}
-@@ -25487,6 +25519,7 @@
+@@ -25487,6 +25514,7 @@
if (i == n)
return FALSE;
}
@@ -324,6 +314,15 @@
return TRUE;
}
+@@ -25988,7 +26016,7 @@
+ if (getcfg("global", "mirror server", str, sizeof(str))) {
+
+ /* only admin user sees synchronization link */
+- if (is_admin_user("global", getparam("unm"))) {
++ if (is_admin_user(NULL, getparam("unm"))) {
+ rsprintf("<tr>\n");
+ rsprintf("<td colspan=13 class=\"seltitle\">\n");
+ rsprintf("<a href=\"?cmd=Synchronize\">%s</a></td>\n", loc("Synchronize all logbooks"));
--- a/src/elogd.h
+++ b/src/elogd.h
@@ -292,7 +292,7 @@
--- End Message ---