Version in base suite: 4.4.4+dfsg-2+deb11u1
Base version: request-tracker4_4.4.4+dfsg-2+deb11u1
Target version: request-tracker4_4.4.4+dfsg-2+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/request-tracker4/request-tracker4_4.4.4+dfsg-2+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/request-tracker4/request-tracker4_4.4.4+dfsg-2+deb11u2.dsc
.git-dpm | 4
changelog | 13 +
patches/series | 1
patches/upstream_4.4.4_cve:_patchset_2022-06-29.diff | 180 +++++++++++++++++++
4 files changed, 196 insertions(+), 2 deletions(-)
diff -Nru request-tracker4-4.4.4+dfsg/debian/.git-dpm request-tracker4-4.4.4+dfsg/debian/.git-dpm
--- request-tracker4-4.4.4+dfsg/debian/.git-dpm 2021-09-29 10:28:05.000000000 +0000
+++ request-tracker4-4.4.4+dfsg/debian/.git-dpm 2022-07-03 08:09:25.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e3de3eccb556f77daf21be8f900c7f9359879472
-e3de3eccb556f77daf21be8f900c7f9359879472
+20b33358c4aa0710aa415bbee9a440707d88752c
+20b33358c4aa0710aa415bbee9a440707d88752c
 47d4fe68f38e9517210c5c518c2cb0e7e7a13bfb
 47d4fe68f38e9517210c5c518c2cb0e7e7a13bfb
 request-tracker4_4.4.4+dfsg.orig.tar.gz
diff -Nru request-tracker4-4.4.4+dfsg/debian/changelog request-tracker4-4.4.4+dfsg/debian/changelog
--- request-tracker4-4.4.4+dfsg/debian/changelog 2021-09-29 10:28:05.000000000 +0000
+++ request-tracker4-4.4.4+dfsg/debian/changelog 2022-07-03 08:09:25.000000000 +0000
@@ -1,3 +1,16 @@
+request-tracker4 (4.4.4+dfsg-2+deb11u2) bullseye-security; urgency=medium
+
+ * Apply upstream patch which fixes several security vulnerabilities.
+ - A cross-site scripting (XSS) issue when displaying attachment content
+ with fraudulent content types. This vulnerability is assigned
+ CVE-2022-25802.
+ - Not performing full rights checks on access to file or image type
+ custom fields, possibly allowing access to these custom fields by
+ users without rights to access to the associated objects (like the
+ ticket it is associated with).
+
+ -- Andrew Ruthven Sun, 03 Jul 2022 20:09:25 +1200
+
 request-tracker4 (4.4.4+dfsg-2+deb11u1) bullseye; urgency=medium
 * Apply upstream patch which fixes a security vulnerability that involves a
diff -Nru request-tracker4-4.4.4+dfsg/debian/patches/series request-tracker4-4.4.4+dfsg/debian/patches/series
--- request-tracker4-4.4.4+dfsg/debian/patches/series 2021-09-29 10:28:05.000000000 +0000
+++ request-tracker4-4.4.4+dfsg/debian/patches/series 2022-07-03 08:09:25.000000000 +0000
@@ -30,3 +30,4 @@
 upstream_4.4-trunk_gpg:_add_extra_ignored_keywords.diff
 upstream_4.4-trunk_gpg:_default_cert-digest_algo_SHA256.diff
 upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff
+upstream_4.4.4_cve:_patchset_2022-06-29.diff
diff -Nru request-tracker4-4.4.4+dfsg/debian/patches/upstream_4.4.4_cve:_patchset_2022-06-29.diff request-tracker4-4.4.4+dfsg/debian/patches/upstream_4.4.4_cve:_patchset_2022-06-29.diff
--- request-tracker4-4.4.4+dfsg/debian/patches/upstream_4.4.4_cve:_patchset_2022-06-29.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.4+dfsg/debian/patches/upstream_4.4.4_cve:_patchset_2022-06-29.diff 2022-07-03 08:09:25.000000000 +0000
@@ -0,0 +1,180 @@
+From 20b33358c4aa0710aa415bbee9a440707d88752c Mon Sep 17 00:00:00 2001
+From: Andrew Ruthven
+Date: Sun, 3 Jul 2022 11:59:54 +1200
+Subject: Fix two security issues in RT4
+
+* RT is vulnerable to cross-site scripting (XSS) when displaying attachment
+ content with fraudulent content types. This vulnerability is assigned
+ CVE-2022-25802.
+* RT did not perform full rights checks on accesses to file or image type
+ custom fields, possibly allowing access to these custom fields by users
+ without rights to access to the associated objects (like the ticket it is
+ associated with).
+
+Patch-Name: upstream_4.4.4_cve:_patchset_2022-06-29.diff
+Author: Best Practical
+Forwarded: not-needed
+---
+ etc/RT_Config.pm | 12 +++++++
+ lib/RT/ObjectCustomFieldValue.pm | 32 +++++++++++++++++--
+ lib/RT/ObjectCustomFieldValues.pm | 9 ++++++
+ lib/RT/Record.pm | 3 +-
+ lib/RT/System.pm | 3 +-
+ share/html/Download/CustomFieldValue/dhandler | 3 ++
+ share/html/Ticket/Attachment/dhandler | 1 +
+ 7 files changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/etc/RT_Config.pm b/etc/RT_Config.pm
+index e579e8ba..4eee95e6 100644
+--- a/etc/RT_Config.pm
++++ b/etc/RT_Config.pm
+@@ -2520,6 +2520,18 @@ if there are other query arguments.
+
+ Set( %ReferrerComponents );
+
++=item C<$StrictContentTypes>
++
++If set to 0, the C header will be omitted on
++attachments. Because RT does not filter HTML content in unknown content types,
++disabling this opens RT up to cross-site scripting (XSS) attacks by allowing
++the execution of arbitrary Javascript when the browser detects HTML-looking
++data in an attachment with an unknown content type.
++
++=cut
++
++Set($StrictContentTypes, 1);
++
+ =item C<$BcryptCost>
+
+ This sets the default cost parameter used for the C key
+diff --git a/lib/RT/ObjectCustomFieldValue.pm b/lib/RT/ObjectCustomFieldValue.pm
+index 88740fc1..c16a2e06 100644
+--- a/lib/RT/ObjectCustomFieldValue.pm
++++ b/lib/RT/ObjectCustomFieldValue.pm
+@@ -523,9 +523,9 @@ Get the OCFV cache key for this object
+
+ sub GetOCFVCacheKey {
+ my $self = shift;
+- my $ocfv_key = "CustomField-" . $self->CustomField
+- . '-ObjectType-' . $self->ObjectType
+- . '-ObjectId-' . $self->ObjectId;
++ my $ocfv_key = "CustomField-" . $self->__Value('CustomField')
++ . '-ObjectType-' . $self->__Value('ObjectType')
++ . '-ObjectId-' . $self->__Value('ObjectId');
+ return $ocfv_key;
+ }
+
+@@ -806,6 +806,32 @@ sub ExternalStoreDigest {
+ return $self->_Value( 'LargeContent' );
+ }
+
++=head2 CurrentUserCanSee
++
++Returns true if user has "SeeCustomField" on the associated CustomField
++object, otherwise false.
++
++=cut
++
++sub CurrentUserCanSee {
++ my $self = shift;
++ return $self->CustomFieldObj->CurrentUserHasRight('SeeCustomField');
++}
++
++sub _Value {
++ my $self = shift;
++ return undef unless $self->id;
++
++ unless ( $self->CurrentUserCanSee ) {
++ $RT::Logger->debug(
++ "Permission denied. User #". $self->CurrentUser->id
++ ." has no SeeCustomField right on CF #". 
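Review bot: The POD for `$StrictContentTypes` never says which responses the option covers, and as rendered here the header itself is named only as `the C header`, so an admin reading RT_Config.pm cannot tell what turning it off actually changes. In this patch only the `Download/CustomFieldValue` and `Ticket/Attachment` handlers consult the setting, so the paragraph should name the header and scope it: `If set to 0, the C<X-Content-Type-Options: nosniff> header will be omitted on attachment and custom-field downloads served by RT.` The missing header name may be an artifact of how this diff was captured rather than of the source file, so check the file on disk before editing.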
$self->__Value('CustomField')
++ );
++ return undef;
++ }
++ return $self->SUPER::_Value(@_);
++}
++
+ RT::Base->_ImportOverlays();
+
+ 1;
+diff --git a/lib/RT/ObjectCustomFieldValues.pm b/lib/RT/ObjectCustomFieldValues.pm
+index 1f617633..97d8b631 100644
+--- a/lib/RT/ObjectCustomFieldValues.pm
++++ b/lib/RT/ObjectCustomFieldValues.pm
+@@ -230,6 +230,15 @@ sub _DoCount {
+ return $self->SUPER::_DoCount(@_);
+ }
+
++
++sub AddRecord {
++ my $self = shift;
++ my ($record) = @_;
++
++ return unless $record->CurrentUserCanSee;
++ return $self->SUPER::AddRecord($record);
++}
++
+ RT::Base->_ImportOverlays();
+
+ # Clear the OCVF cache on exit to release connected RT::Ticket objects.
+diff --git a/lib/RT/Record.pm b/lib/RT/Record.pm
+index 0cc18846..3b6d61e5 100644
+--- a/lib/RT/Record.pm
++++ b/lib/RT/Record.pm
+@@ -2041,7 +2041,8 @@ sub _AddCustomFieldValue {
+ );
+ }
+
+- my $new_content = $new_value->Content;
++ # Fall back to '' in case current user doesn't have rights.
++ my $new_content = $new_value->Content // '';
+
+ # For datetime, we need to display them in "human" format in result message
+ #XXX TODO how about date without time?
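Review bot: The new `_Value` override calls `CurrentUserCanSee` before every column read, and `CurrentUserCanSee` goes through `$self->CustomFieldObj`; if `CustomFieldObj` loads the custom field via the generated accessor `$self->CustomField`, that accessor lands back in `_Value` and the check recurses without bound. `GetOCFVCacheKey` in the hunk above was switched to `$self->__Value('CustomField')` for exactly this reason, so `CustomFieldObj` should read the id the same way, e.g. `$cf->Load( $self->__Value('CustomField') );` — it lives outside this hunk, so confirm rather than assume. The `=head2 CurrentUserCanSee` POD should also say that the right is evaluated on the CF in the context of the owning object, because the changelog's promise of "full rights checks" against the ticket holds only if `CustomFieldObj` sets that context object before `CurrentUserHasRight` runs.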
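Review bot: `AddRecord` now drops values the user cannot see after the rows are fetched, but the context lines above show `_DoCount` still deferring to `SUPER::_DoCount`, so if `Count` is backed by that SQL count it can exceed the number of records `Next` actually returns, and callers that page or pre-size on `Count` will see the mismatch. Either make `_DoCount` walk the filtered records, or document on the collection that `Count` is an upper bound when the user lacks `SeeCustomField` on some of the CFs involved; `_DoCount`'s body starts above the hunk, so its current behaviour is inferred. A per-record `CurrentUserHasRight('SeeCustomField')` on every returned row also means one ACL lookup per value; memoising `CurrentUserCanSee` by custom-field id within the collection would keep the check without repeating it for every row of the same CF.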
+diff --git a/lib/RT/System.pm b/lib/RT/System.pm
+index 05ef8473..3fdd0ae3 100644
+--- a/lib/RT/System.pm
++++ b/lib/RT/System.pm
+@@ -386,7 +386,8 @@ sub ExternalStorageURLFor {
+ # external storage direct links disabled
+ return undef if !RT->Config->Get('ExternalStorageDirectLink');
+
+- return undef unless $Object->ContentEncoding eq 'external';
++ # If current user doesn't have rights, ContentEncoding is undef
++ return undef unless ( $Object->ContentEncoding // '' ) eq 'external';
+
+ return $self->ExternalStorage->DownloadURLFor($Object);
+ }
+diff --git a/share/html/Download/CustomFieldValue/dhandler b/share/html/Download/CustomFieldValue/dhandler
+index e90baeba..cdc4f1bf 100644
+--- a/share/html/Download/CustomFieldValue/dhandler
++++ b/share/html/Download/CustomFieldValue/dhandler
+@@ -61,6 +61,8 @@ unless ($OCFV->id) {
+ Abort("Bad OCFV id. Couldn't find OCFV '$id'\n");
+ }
+
++Abort( loc('Permission Denied'), Code => HTTP::Status::HTTP_FORBIDDEN ) unless $OCFV->CurrentUserCanSee;
++
+ my $content_type = $OCFV->ContentType || 'text/plain; charset=utf-8';
+
+ if (RT->Config->Get('AlwaysDownloadAttachments')) {
+@@ -70,6 +72,7 @@ elsif (!RT->Config->Get('TrustHTMLAttachments')) {
+ $content_type = 'text/plain; charset=utf-8' if ($content_type =~ /^text\/html/i);
+ }
+
++$r->headers_out->{'X-Content-Type-Options'} = 'nosniff' if RT->Config->Get('StrictContentTypes');
+ $r->content_type( $content_type );
+ $m->clear_buffer();
+ $m->out($OCFV->LargeContent);
+diff --git a/share/html/Ticket/Attachment/dhandler b/share/html/Ticket/Attachment/dhandler
+index 90d412d5..69aba168 100644
+--- a/share/html/Ticket/Attachment/dhandler
++++ b/share/html/Ticket/Attachment/dhandler
+@@ -96,6 +96,7 @@ unless ( $mimetype && $mimetype->isBinary ) {
+ $content_type .= ";charset=$iana";
+ }
+
++$r->headers_out->{'X-Content-Type-Options'} = 'nosniff' if RT->Config->Get('StrictContentTypes');
+ $r->content_type($content_type);
+ $m->clear_buffer();
+ $m->out($content);
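Review bot: `nosniff` only stops the browser from second-guessing a declared type, so it closes the unknown-type path of CVE-2022-25802 but does nothing for a stored `ContentType` that is script-capable by declaration — `image/svg+xml`, `application/xhtml+xml`, `text/xml` — and the `!TrustHTMLAttachments` branch visible in this hunk only rewrites values matching `^text\/html`. Unless the `AlwaysDownloadAttachments` branch (decided above the hunk) already forces a download for every type, widen that rewrite: `$content_type = 'text/plain; charset=utf-8' if $content_type =~ m{^(?:text/html|image/svg\+xml|application/xhtml\+xml|text/xml)}i;` so a user-uploaded SVG is not rendered inside RT's origin. `ContentType` is whatever the uploader's form declared, so it should be treated as untrusted here regardless of the new `CurrentUserCanSee` gate added earlier in the file.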
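Review bot: The new header line carries no explanation of what it protects, and the code that chooses `$content_type` (including any text/html downgrade) starts above this hunk, so a later reader will assume `nosniff` is the whole XSS fix for attachments. A comment above it would scope it honestly: `# nosniff keeps the browser from treating an unknown-typed attachment as HTML (CVE-2022-25802); it does not neutralise types that are active by declaration (SVG, XHTML), which depend on the TrustHTMLAttachments handling above.` Whether SVG or XHTML attachments are in fact downgraded or forced to download before this point is not visible here and should be confirmed against the rest of the handler.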