From 5d541829b880e4779a957095d0a7a07232a4b353 Mon Sep 17 00:00:00 2001
From: Andrew Ruthven <andrew@etc.gen.nz>
Date: Sun, 8 Oct 2023 21:28:10 +1300
Subject: Fix two security issues in RT.

* RT is vulnerable to unvalidated email headers in incoming email and the
  mail-gateway REST interface. This vulnerability is assigned CVE-2023-41259.
* RT is vulnerable to information leakage via response messages returned from
  requests sent via the mail-gateway REST interface. This vulnerability is
  assigned CVE-2023-41260.

Patch-Name: upstream_4.4.6_cve:_patchset_2023-09-26.diff
Author: Best Practical <support@bestpractical.com>
Forwarded: not-needed
Applied: 4.4.7
---
 docs/web_deployment.pod                 | 24 ++++++++++++++++++++++++
 lib/RT/Interface/Email.pm               |  4 ++++
 lib/RT/Interface/Email/Crypt.pm         |  5 +++--
 share/html/REST/1.0/NoAuth/mail-gateway | 13 ++++++++++++-
 4 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod
index d4d6a431..3177d2ab 100644
--- a/docs/web_deployment.pod
+++ b/docs/web_deployment.pod
@@ -171,6 +171,30 @@ B<WARNING: mod_perl 1.99_xx is not supported.>
 To run RT using mod_perl 1.xx please see L<Plack::Handler::Apache1> for
 configuration examples.
 
+=head3 Restricting the REST 1.0 mail-gateway
+
+RT processes email via a REST 1.0 endpoint. If you accept email on the same
+server as your running RT, you can restrict this endpoint to localhost only
+with a configuration like the following:
+
+    # Accept requests only from localhost
+    <Location /REST/1.0/NoAuth/mail-gateway>
+        Require local
+    </Location>
+
+If you run C<bin/rt-mailgate> on a separate server, you can update
+the above to allow additional IP addresses.
+
+    <Location /REST/1.0/NoAuth/mail-gateway>
+        Require ip 127.0.0.1 ::1 192.0.2.0  # Add you actual IPs
+    </Location>
+
+See the L<Apache documentation|https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html>
+for additional configuration options.
+
+After adding this configuration, test receiving email and confirm
+your C<bin/rt-mailgate> utility and C</etc/aliases> configurations
+can successfully submit email to RT.
 
 =head2 nginx
 
diff --git a/lib/RT/Interface/Email.pm b/lib/RT/Interface/Email.pm
index 159e7758..7ded8b73 100644
--- a/lib/RT/Interface/Email.pm
+++ b/lib/RT/Interface/Email.pm
@@ -159,6 +159,10 @@ sub Gateway {
         );
     }
 
+    # Clean up sensitive headers. Crypt related headers are cleaned up in RT::Interface::Email::Crypt::VerifyDecrypt
+    my @headers = qw( RT-Attach RT-Send-Cc RT-Send-Bcc RT-Message-ID RT-DetectedAutoGenerated RT-Squelch-Replies-To );
+    $Message->head->delete($_) for @headers;
+
     #Set up a queue object
     my $SystemQueueObj = RT::Queue->new( RT->SystemUser );
     $SystemQueueObj->Load( $args{'queue'} );
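Review bot: The new cleanup strips the six listed headers from the top-level `$Message->head` only, whereas the crypt cleanup it refers to in RT::Interface::Email::Crypt::VerifyDecrypt walks every MIME part; if any later consumer of RT-Attach, RT-Send-Cc/Bcc or RT-Squelch-Replies-To reads them from a sub-part rather than the top-level head (not visible from here), a sender could still supply them there. Walking the parts costs one line, since MIME::Entity's parts_DFS includes the entity itself: `$_->head->delete($h) for @headers` inside `for my $part ( $Message->parts_DFS ) { ... }` with `$_` replaced by `$part->head`. This is also a denylist of specific names, so the comment should say why these six were chosen, e.g. `# These are the RT-internal headers Gateway/SendEmail act on; anything a sender sets here must not be trusted.` Gateway starts before this hunk and continues after it.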
diff --git a/lib/RT/Interface/Email/Crypt.pm b/lib/RT/Interface/Email/Crypt.pm
index f4eab019..a8b0ea3f 100644
--- a/lib/RT/Interface/Email/Crypt.pm
+++ b/lib/RT/Interface/Email/Crypt.pm
@@ -73,13 +73,14 @@ sub VerifyDecrypt {
     );
 
     # we clean all possible headers
-    my @headers =
+    my @headers = (
         qw(
             X-RT-Incoming-Encryption
             X-RT-Incoming-Signature X-RT-Privacy
             X-RT-Sign X-RT-Encrypt
         ),
-        map "X-RT-$_-Status", RT::Crypt->Protocols;
+        map "X-RT-$_-Status", RT::Crypt->Protocols
+    );
     foreach my $p ( $args{'Message'}->parts_DFS ) {
         $p->head->delete($_) for @headers;
     }
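Review bot: The parentheses added around the list at the start of the hunk are the entire fix, but the surviving comment `# we clean all possible headers` does not record that, so a later tidy-up could drop them and silently reintroduce the bug. Without the parentheses the assignment binds tighter than the comma, so `@headers` held only the qw() names and the `map "X-RT-$_-Status"` result was evaluated in void context and discarded, leaving the per-protocol status headers untouched by the delete loop below. I would add a why-comment above the declaration: `# NB: the parens are load-bearing; without them the mapped X-RT-*-Status names never reach @headers.` VerifyDecrypt starts before this hunk and continues after it.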
diff --git a/share/html/REST/1.0/NoAuth/mail-gateway b/share/html/REST/1.0/NoAuth/mail-gateway
index 328be91b..107d7858 100644
--- a/share/html/REST/1.0/NoAuth/mail-gateway
+++ b/share/html/REST/1.0/NoAuth/mail-gateway
@@ -59,9 +59,18 @@ use RT::Interface::Email;
 $r->content_type('text/plain; charset=utf-8');
 $m->error_format('text');
 my ( $status, $error, $Ticket ) = RT::Interface::Email::Gateway( \%ARGS );
+
+# Obscure the message to avoid any information disclosure unless
+# in DevelMode.
+my $log_error;
+unless ( RT->Config->Get('DevelMode') ) {
+    $log_error = $error;
+    $error = 'operation unsuccessful';
+}
+
 if ( $status == 1 ) {
   $m->out("ok\n");
-  if ( $Ticket && $Ticket->Id ) {
+  if ( $Ticket && $Ticket->Id && RT->Config->Get('DevelMode') ) {
     $m->out( 'Ticket: '  . ($Ticket->Id             || '') . "\n" );
     $m->out( 'Queue: '   . ($Ticket->QueueObj->Name || '') . "\n" );
     $m->out( 'Owner: '   . ($Ticket->OwnerObj->Name || '') . "\n" );
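Review bot: `$log_error` is assigned only inside the `unless ( RT->Config->Get('DevelMode') )` block, so with DevelMode enabled the error-logging lines later in this component (guarded by `if $log_error`) never fire and the real failure reason exists only in the HTTP response; unless Gateway already logs it itself (not visible here), DevelMode failures go unlogged. Assigning unconditionally and only substituting the response text keeps both behaviours: `my $log_error = $error;` followed by `$error = 'operation unsuccessful' unless RT->Config->Get('DevelMode');`. The same config value is read again at the `$Ticket && $Ticket->Id && RT->Config->Get('DevelMode')` line, so hoisting it once into `my $devel_mode = RT->Config->Get('DevelMode');` and reusing it would read more clearly. The enclosing component block starts before this hunk.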
@@ -73,9 +82,11 @@ if ( $status == 1 ) {
 }
 else {
   if ( $status == -75 ) {
+    RT->Logger->error("mail-gateway returned status -75: $log_error") if $log_error;
     $m->out( "temporary failure - $error\n" );
   }
   else {
+    RT->Logger->error("mail-gateway error: $log_error") if $log_error;
     $m->out( "not ok - $error\n" );
   }
 }