{"id":"MGASA-2017-0325","summary":"Updated rt/perl-Encode packages fix security vulnerability","details":"RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to\nunauthorized modification of ticket data.  The DeleteTicket right and any\ncustom lifecycle transition rights may be bypassed by any user with\nModifyTicket (CVE-2012-4733).\n\nRT 3.8.0 and above include a version of bin/rt that uses semi-predictable\nnames when creating tempfiles.  This could possibly be exploited by a\nmalicious user to overwrite files with permissions of the user running bin/rt\n(CVE-2013-3368).\n\nRT 3.8.0 and above allow calling of arbitrary Mason components (without\ncontrol of arguments) for users who can see administration pages.  This could\nbe used by a malicious user to run private components which may have negative\nside-effects (CVE-2013-3369).\n\nRT 3.8.0 and above allow direct requests to private callback components.\nThough no callback components ship with RT, this could be used to exploit an\nextension or local callback which uses the arguments passed to it insecurely\n(CVE-2013-3370).\n\nRT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via attachment\nfilenames.  The vector is difficult to exploit due to parsing requirements.\nAdditionally, RT 4.0.0 and above are vulnerable to XSS via maliciously-crafted\n\"URLs\" in ticket content when RT's \"MakeClicky\" feature is configured\n(CVE-2013-3371).\n\nRT 3.8.0 and above are vulnerable to an HTTP header injection limited to the\nvalue of the Content-Disposition header.  Injection of other arbitrary\nresponse headers is not possible.  Some (especially older) browsers may allow\nmultiple Content-Disposition values which could lead to XSS.  Newer browsers\ncontain security measures to prevent this (CVE-2013-3372).\n\nRT 3.8.0 and above are vulnerable to a MIME header injection in outgoing email\ngenerated by RT (CVE-2013-3373).\n\nRT 3.8.0 and above are vulnerable to limited session re-use when using the\nfile-based session store, Apache::Session::File.  RT's default session\nconfiguration only uses Apache::Session::File for Oracle (CVE-2013-3374).\n\nRT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a\nremote denial-of-service via the email gateway; any installation which accepts\nmail from untrusted sources is vulnerable, regardless of the permissions\nconfiguration inside RT.  This denial-of-service may encompass both CPU and\ndisk usage, depending on RT's logging configuration (CVE-2014-9472).\n\nRT 3.8.8 and above are vulnerable to an information disclosure attack which\nmay reveal RSS feeds URLs, and thus ticket data (CVE-2015-1165).\n\nRSS feed URLs can also be leveraged to perform session hijacking, allowing a\nuser with the URL to log in as the user that created the feed (CVE-2015-1464).\n\nRT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via\nthe user and group rights management pages (CVE-2015-5475).\n\nRT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack\nvia the cryptography interface.  This vulnerability could allow an attacker\nwith a carefully-crafted key to inject JavaScript into RT's user interface.\nInstallations which use neither GnuPG nor S/MIME are unaffected.\n\nRT 4.0.0 and above are vulnerable to an information leak of cross-site request\nforgery (CSRF) verification tokens if a user visits a specific URL crafted by\nan attacker (CVE-2017-5943).\n\nRT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack if an\nattacker uploads a malicious file with a certain content type. Installations\nwhich use the AlwaysDownloadAttachments config setting are unaffected. This\nfix addresses all existent and future uploaded attachments (CVE-2016-6127).\n\nRT 4.0.0 and above are vulnerable to timing side-channel attacks for user\npasswords. By carefully measuring millions or billions of login attempts, an\nattacker could crack a user's password even over the internet. RT now uses a\nconstant-time comparison algorithm for secrets to thwart such attacks\n(CVE-2017-5361).\n\nRT's ExternalAuth feature is vulnerable to a similar timing side-channel\nattack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth\nextension, as well as the core ExternalAuth feature in RT 4.4 are vulnerable.\nInstallations which don't use ExternalAuth, or which use ExternalAuth for\nLDAP/ActiveDirectory authentication, or which use ExternalAuth for\ncookie-based authentication, are unaffected. Only ExternalAuth in DBI\n(database) mode is vulnerable.\n\nRT 4.0.0 and above are potentially vulnerable to a remote code execution\nattack in the dashboard subscription interface. A privileged attacker can\ncause unexpected code to be executed through carefully-crafted saved search\nnames. Though we have not been able to demonstrate an actual attack owing to\nother defenses in place, it could be possible (CVE-2017-5944).\n\nRT 4.0.0 and above have misleading documentation which could reduce system\nsecurity. The RestrictLoginReferrer config setting (which has security\nimplications) was inconsistent with its implementation, which checked for a\nslightly different variable name.\n\nNote that any custom email templates should be updated to ensure that values\ninterpolated into mail headers do not contain newlines, which will ensure\nthat they themselves are not vulnerable to a similar issue to CVE-2013-3373.\n","modified":"2026-02-02T03:03:11.035910Z","published":"2017-09-03T14:31:33Z","related":["CVE-2012-4733","CVE-2013-3368","CVE-2013-3369","CVE-2013-3370","CVE-2013-3371","CVE-2013-3372","CVE-2013-3373","CVE-2013-3374","CVE-2014-9472","CVE-2015-1165","CVE-2015-1464","CVE-2015-5475","CVE-2016-6127","CVE-2017-5361","CVE-2017-5943","CVE-2017-5944"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0325.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=16665"},{"type":"REPORT","url":"http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html"},{"type":"REPORT","url":"http://lists.bestpractical.com/pipermail/rt-announce/2015-February/000273.html"},{"type":"REPORT","url":"http://lists.bestpractical.com/pipermail/rt-announce/2015-August/000279.html"},{"type":"REPORT","url":"http://lists.bestpractical.com/pipermail/rt-announce/2017-June/000297.html"}],"affected":[{"package":{"name":"rt","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/rt?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.25-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0325.json"}},{"package":{"name":"perl-Encode","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/perl-Encode?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.640.0-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0325.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}