[Python-apps-team] Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
Stefano Rivera
stefanor at debian.org
Wed Sep 7 20:07:16 UTC 2011
reassign 618026 release.debian.org
severity 618026 normal
user release.debian.org at packages.debian.org
usertags 618026 pu
thanks
> Ibid 0.1.1 fixes 3 security issues [0]. They aren't particularly serious, but
> should probably be addressed.
Right, clearly not significant enough for the usual security route.
Here's a stable targeted debdiff, with an additional fix.
Meh, should have done this months ago...
SR
--
Stefano Rivera
http://tumbleweed.org.za/
H: +27 21 465 6908 C: +27 72 419 8559 UCT: x3127
diff -Nru ibid-0.1.0+dfsg/debian/changelog ibid-0.1.0+dfsg/debian/changelog
--- ibid-0.1.0+dfsg/debian/changelog 2010-06-17 19:23:31.000000000 +0200
+++ ibid-0.1.0+dfsg/debian/changelog 2011-09-07 22:06:04.000000000 +0200
@@ -1,3 +1,18 @@
+ibid (0.1.0+dfsg-2+squeeze1) stable; urgency=medium
+
+ * Fix the following security issues. Fixes backported from 0.1.1 bugfix
+ release (Closes: #618026):
+ - perms-705860.patch: Enforce access-restriction on handlers without
+ @match patterns. (LP: #705860)
+ - logfile-visibility-567576.patch: Channels must be explicitly configured
+ to have publicly readable logs. (LP: #567576)
+ - meeting-privacy-649383.patch: Don't report private messages from the bot
+ in meeting minutes. (LP: #649383)
+ * http-features-fix-545168.patch: Fix the breakage of the http source
+ (LP: #545168)
+
+ -- Stefano Rivera <stefanor at debian.org> Wed, 07 Sep 2011 22:06:04 +0200
+
ibid (0.1.0+dfsg-2) unstable; urgency=low
* Don't leak uid and umask into source tarball.
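Review bot: The http-features-fix-545168.patch entry says only "Fix the breakage of the http source", which is not enough for the release team to judge a non-security change in a stable update. State what is actually broken (per the patch's own Description, the HTTP source stopped working after the multiple-features-per-processor change made just before 0.1.0, so the packaged 0.1.0 ships with it broken) and separate it from the three security items so it reads as a regression fix rather than a fourth security issue.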
diff -Nru ibid-0.1.0+dfsg/debian/control ibid-0.1.0+dfsg/debian/control
--- ibid-0.1.0+dfsg/debian/control 2010-06-17 16:17:56.000000000 +0200
+++ ibid-0.1.0+dfsg/debian/control 2011-09-07 21:58:14.000000000 +0200
@@ -2,7 +2,7 @@
Section: net
Priority: optional
Maintainer: Debian Python Modules Team <python-modules-team at lists.alioth.debian.org>
-Uploaders: Stefano Rivera <stefano at rivera.za.net>
+Uploaders: Stefano Rivera <stefano at debian.org>
Build-Depends: debhelper (>= 7.0.50~), python-central (>= 0.6.7~),
python-all, python-beautifulsoup, python-configobj (>= 4.7), python-dateutil,
python-html5lib, python-jinja, python-pkg-resources, python-setuptools,
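Review bot: The Uploaders address change in this hunk is not mentioned in the changelog entry and is unrelated to the bugs the update fixes. Stable proposed-updates are expected to be minimal and fully described, so either add a changelog line for it or drop it from the squeeze upload and make the change in unstable only.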
diff -Nru ibid-0.1.0+dfsg/debian/patches/http-features-fix-545168.patch ibid-0.1.0+dfsg/debian/patches/http-features-fix-545168.patch
--- ibid-0.1.0+dfsg/debian/patches/http-features-fix-545168.patch 1970-01-01 02:00:00.000000000 +0200
+++ ibid-0.1.0+dfsg/debian/patches/http-features-fix-545168.patch 2011-09-07 21:46:31.000000000 +0200
@@ -0,0 +1,27 @@
+Description: Fix HTTP source
+ Update HTTP source for multiple features per processor.
+ This was a change just befor 0.1.0, which broke http.
+Origin: upstream, https://code.launchpad.net/~mgorven/ibid/http-features-fix/+merge/21945
+Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/545168
+Last-Update: 2011-09-07
+
+--- a/ibid/plugins/__init__.py
++++ b/ibid/plugins/__init__.py
+@@ -262,7 +262,7 @@
+ isLeaf = True
+
+ def __init__(self):
+- ibid.rpc[self.feature] = self
++ ibid.rpc[self.feature[0]] = self
+ self.form = templates.get_template('plugin_form.html')
+ self.list = templates.get_template('plugin_functions.html')
+
+@@ -309,7 +309,7 @@
+ if name.startswith('remote_'):
+ functions.append(name.replace('remote_', '', 1))
+
+- return self.list.render(object=self.feature, functions=functions) \
++ return self.list.render(object=self.feature[0], functions=functions) \
+ .encode('utf-8')
+
+ args, varargs, varkw, defaults = getargspec(function)
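Review bot: Both hunks register and render only `self.feature[0]`, so a processor that declares several features is reachable over RPC/HTTP under its first feature name only; if that is the intended upstream behaviour it should be stated in the Description, otherwise the registration needs to cover every entry of `self.feature`. Minor: "befor" in the Description is a typo for "before".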
diff -Nru ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch
--- ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch 1970-01-01 02:00:00.000000000 +0200
+++ ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch 2011-09-07 21:39:38.000000000 +0200
@@ -0,0 +1,85 @@
+Description: Channels must be explicitly configured to have publicly readable logs.
+ Occasionally insecure permissions on log files. When the bot spoke first
+ (creating a new log file), the log file would be publicly readable, even if
+ the message was sent in private.
+ .
+ Resolution: Now channels must be explicitly configured to have publicly
+ readable logs.
+Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/567576
+Origin: upstream, https://code.launchpad.net/~stefanor/ibid/logfile-visibility-567576-0.1/+merge/36937
+Last-Update: 2011-03-13
+
+--- a/ibid/plugins/log.py
++++ b/ibid/plugins/log.py
+@@ -4,6 +4,8 @@
+ """Logs messages sent and received."""
+
+ from datetime import datetime
++import fnmatch
++import logging
+ from os.path import dirname, join, expanduser
+ from os import chmod, makedirs
+
+@@ -11,9 +13,11 @@
+
+ import ibid
+ from ibid.plugins import Processor, handler
+-from ibid.config import Option, BoolOption
++from ibid.config import Option, BoolOption, ListOption
+ from ibid.event import Event
+
++log = logging.getLogger('plugins.log')
++
+ class Log(Processor):
+
+ addressed = False
+@@ -38,6 +42,9 @@
+ rename_format = Option('rename_format', 'Format string for rename events',
+ u'%(timestamp)s %(sender_nick)s (%(sender_connection)s) has renamed to %(new_nick)s')
+
++ public_logs = ListOption('public_logs',
++ u'List of source:channel globs for channels which should have public logs',
++ [])
+ public_mode = Option('public_mode',
+ u'File Permissions mode for public channels, in octal', '644')
+ private_mode = Option('private_mode',
+@@ -47,6 +54,21 @@
+
+ logs = {}
+
++ def setup(self):
++ sources = list(set(ibid.config.sources.keys())
++ | set(ibid.sources.keys()))
++ for glob in self.public_logs:
++ if u':' not in glob:
++ log.warning(u"public_logs configuration values must follow the "
++ u"format source:channel. \"%s\" doesn't contain a "
++ u"colon.", glob)
++ continue
++ source_glob = glob.split(u':', 1)[0]
++ if not fnmatch.filter(sources, source_glob):
++ log.warning(u'public_logs includes "%s", but there is no '
++ u'configured source matching "%s"',
++ glob, source_glob)
++
+ def get_logfile(self, event):
+ when = event.time
+ if not self.date_utc:
+@@ -70,8 +92,15 @@
+
+ file = open(filename, 'a')
+ self.logs[filename] = file
+- if event.get('public', True):
+- chmod(filename, int(self.public_mode, 8))
++
++ for glob in self.public_logs:
++ if u':' not in glob:
++ continue
++ source_glob, channel_glob = glob.split(u':', 1)
++ if (fnmatch.fnmatch(event.source, source_glob)
++ and fnmatch.fnmatch(event.channel, channel_glob)):
++ chmod(filename, int(self.public_mode, 8))
++ break
+ else:
+ chmod(filename, int(self.private_mode, 8))
+
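Review bot: In the `get_logfile` hunk the mode is applied only after `file = open(filename, 'a')` has created the file, so a new private log briefly exists with the mode the process umask gives it before `chmod(filename, int(self.private_mode, 8))` runs; creating it with `os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)` (or setting a restrictive umask at startup) closes that window. The chmod also runs only when this process first opens a file, so logs already created world-readable by the old code are not corrected retroactively; README.Debian or the changelog should tell squeeze admins to check the modes in the existing log directory. On the `setup` hunk: the source half of each glob is validated against configured sources, but since the old `event.get('public', True)` test is gone, a broad channel glob such as `*:*` would publish private conversations too; the `public_logs` help text should say so.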
diff -Nru ibid-0.1.0+dfsg/debian/patches/meeting-privacy-649383.patch ibid-0.1.0+dfsg/debian/patches/meeting-privacy-649383.patch
--- ibid-0.1.0+dfsg/debian/patches/meeting-privacy-649383.patch 1970-01-01 02:00:00.000000000 +0200
+++ ibid-0.1.0+dfsg/debian/patches/meeting-privacy-649383.patch 2011-09-07 21:39:38.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Don't report private messages from the bot in meeting minutes.
+ If someone received a private message from the bot during a public meeting,
+ the message could appear in the meeting minutes.
+Origin: upstream, https://code.launchpad.net/~max-rabkin/ibid/meeting-privacy-649383-0.1/+merge/36810
+Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/649383
+Last-Update: 2011-03-13
+
+--- a/ibid/plugins/meetings.py
++++ b/ibid/plugins/meetings.py
+@@ -259,7 +259,10 @@
+ 'message': message,
+ 'time': event.time,
+ })
+- for response in event.responses:
++ for response in event.responses:
++ if (response['source'], response['target']) in meetings:
++ meeting = meetings[(response['source'], response['target'])]
++
+ type = 'message'
+ if response.get('action', False):
+ type = 'action'
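Review bot: The indentation that makes this fix work is not visible in this rendering: `for response in event.responses:` is removed and re-added with identical text, which only makes sense if the loop was dedented out of the enclosing `if (event.source, event.channel) in meetings:` block so that the unchanged body (`type = 'message'` onwards) now sits under the new per-response check. Confirm that in the applied source, because if the body ended up outside the new `if`, `meeting` would still be the meeting of the triggering event and private replies would be minuted as before. A sentence in the Description that keying on `(response['source'], response['target'])` means a reply is minuted only when its target is itself a channel with an active meeting would also help reviewers.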
diff -Nru ibid-0.1.0+dfsg/debian/patches/perms-705860.patch ibid-0.1.0+dfsg/debian/patches/perms-705860.patch
--- ibid-0.1.0+dfsg/debian/patches/perms-705860.patch 1970-01-01 02:00:00.000000000 +0200
+++ ibid-0.1.0+dfsg/debian/patches/perms-705860.patch 2011-09-07 21:39:38.000000000 +0200
@@ -0,0 +1,38 @@
+Description: Enforce access-restriction on handlers without @match patterns.
+ Permissions were ignored for handlers not using @match. This allowed users to
+ perform actions they were not authorised to.
+Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/705860
+Origin: upstream, https://code.launchpad.net/~max-rabkin/ibid/perms-705860/+merge/47037
+Last-Update: 2011-03-13
+
+--- a/ibid/plugins/__init__.py
++++ b/ibid/plugins/__init__.py
+@@ -131,19 +131,22 @@
+
+ found = False
+ for method in self._get_event_handlers():
++ args = None
+ if not hasattr(method, 'pattern'):
+ found = True
+- method(event)
++ args = ()
+ elif hasattr(event, 'message'):
+ found = True
+ match = method.pattern.search(
+ event.message[method.message_version])
+ if match is not None:
+- if (not getattr(method, 'auth_required', False)
+- or auth_responses(event, self.permission)):
+- method(event, *match.groups())
+- elif not getattr(method, 'auth_fallthrough', True):
+- event.processed = True
++ args = match.groups()
++ if args is not None:
++ if (not getattr(method, 'auth_required', False)
++ or auth_responses(event, self.permission)):
++ method(event, *args)
++ elif not getattr(method, 'auth_fallthrough', True):
++ event.processed = True
+
+ if not found:
+ raise RuntimeError(u'No handlers found in %s' % self)
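Review bot: This makes `auth_required` effective for pattern-less handlers, which is the intended fix but also a behaviour change: any plugin that set `auth_required` on a handler without `@match` and relied on it always being called will now be gated by `auth_responses(event, self.permission)`, and with `auth_fallthrough` false the event is marked processed. Worth a line in the Description or changelog so squeeze users who see such a command stop working for unprivileged users know why. Style: with both branches now converging on the shared check, the duplicated `found = True` could be set once before the `if`/`elif`.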
diff -Nru ibid-0.1.0+dfsg/debian/patches/series ibid-0.1.0+dfsg/debian/patches/series
--- ibid-0.1.0+dfsg/debian/patches/series 2010-06-17 11:48:50.000000000 +0200
+++ ibid-0.1.0+dfsg/debian/patches/series 2011-09-07 21:45:15.000000000 +0200
@@ -3,3 +3,7 @@
docs.diff
separate-data.diff
fortune-path.diff
+perms-705860.patch
+logfile-visibility-567576.patch
+meeting-privacy-649383.patch
+http-features-fix-545168.patch