IMPORTANT: security issue with 2.0.x WebRT permissions caching

RT 2.0.x, up to and including 2.0.6 has a possible security hole, whereby
if the ticket owner views a ticket and then another privileged user looks
at the same ticket within the same server process, a variable scoping bug
may let the second user access data that he shouldn’t be able to.

The fix is a simple change to RT::User::_HasRight, as appears in the diff
below. No matter what, this bug doesn’t open your RT database up to end-user
requestors, because the web interface imposes an extra check for them.

RT 2.0.7 will be out shortly and will correct this bug. In the meantime,
the change below is exactly what I’m dropping into the source.

Index: lib/RT/User.pm
RCS file: /raid/cvsroot/rt/lib/RT/Attic/User.pm,v
retrieving revision 1.1.2.90
diff -r1.1.2.90 User.pm
584c584
< my ($Requestor, $Cc, $AdminCc);

my ($IsRequestor, $IsCc, $IsAdminCc, $IsOwner);
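Review bot: this one-line `584c584` hunk cannot be applied mechanically as posted, since the `---` separator and the `>` marker in front of the new declaration are missing, and it only changes the declaration itself: renaming ($Requestor, $Cc, $AdminCc) to ($IsRequestor, $IsCc, $IsAdminCc, $IsOwner) means every use of those flags elsewhere in RT::User::_HasRight has to be renamed too, and those lines are not shown. Anyone patching by hand should carry the rename through the whole sub; if the file is compiled under `use strict`, a leftover unrenamed use fails at compile time, which doubles as a check that no flag is still being set without a per-call `my`. The old list has no owner flag while the new one adds $IsOwner, so the owner flag is presumably the one that was surviving between calls in the same server process; it would help readers to say so explicitly.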

http://www.bestpractical.com/products/rt – Trouble Ticketing. Free.

rt-announce mailing list
rt-announce@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-announce
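The scoping bug the announcement describes, as an added Perl illustration that is not RT's code: a long-lived server process runs the same rights check for request after request, so a role flag that is not a fresh lexical inside the check keeps whatever an earlier request left in it. The ticket data, the role-to-right table and both `has_right_*` subs below are hypothetical stand-ins; the `my (...)` line in the fixed version mirrors the shape of the posted diff.

```perl
#!/usr/bin/perl
# Added illustration of the class of bug in the announcement; not RT's code.
use strict;
use warnings;

# Constructed sample ticket (hypothetical data, not from RT).
my %Ticket = (
    Id         => 42,
    Owner      => 'alice',
    Requestors => { 'carol@example.org' => 1 },
    Cc         => {},
    AdminCc    => { 'dave' => 1 },
);

# Hypothetical rule: owners may modify, any role may see.
my %RoleRights = (
    Owner     => { ModifyTicket => 1, ShowTicket => 1 },
    Requestor => { ShowTicket => 1 },
    Cc        => { ShowTicket => 1 },
    AdminCc   => { ShowTicket => 1 },
);

# ---- Vulnerable shape: the role flags live at file scope, so every call made
# in this process shares them, and they are only ever switched on, never reset.
my ($Requestor, $Cc, $AdminCc, $Owner);

sub has_right_leaky {
    my ($user, $right) = @_;
    $Owner     = 1 if $Ticket{Owner} eq $user;
    $Requestor = 1 if $Ticket{Requestors}{$user};
    $Cc        = 1 if $Ticket{Cc}{$user};
    $AdminCc   = 1 if $Ticket{AdminCc}{$user};
    return _roles_grant($right, Owner => $Owner, Requestor => $Requestor,
                        Cc => $Cc, AdminCc => $AdminCc);
}

# ---- Fixed shape: the flags are declared inside the sub, so each call starts
# with all of them undef; nothing survives from the previous request.
sub has_right_fixed {
    my ($user, $right) = @_;
    my ($IsRequestor, $IsCc, $IsAdminCc, $IsOwner);
    $IsOwner     = 1 if $Ticket{Owner} eq $user;
    $IsRequestor = 1 if $Ticket{Requestors}{$user};
    $IsCc        = 1 if $Ticket{Cc}{$user};
    $IsAdminCc   = 1 if $Ticket{AdminCc}{$user};
    return _roles_grant($right, Owner => $IsOwner, Requestor => $IsRequestor,
                        Cc => $IsCc, AdminCc => $IsAdminCc);
}

# Grant if any role the user currently holds carries the requested right.
sub _roles_grant {
    my ($right, %has_role) = @_;
    for my $role (keys %has_role) {
        return 1 if $has_role{$role} && $RoleRights{$role}{$right};
    }
    return 0;
}

# Simulate two requests served by the same process: the ticket owner first,
# then a different privileged user (dave, an AdminCc) who must not modify.
for my $check ([leaky => \&has_right_leaky], [fixed => \&has_right_fixed]) {
    my ($name, $fn) = @$check;
    my @results = map { "$_->[0]:$_->[1]=" . $fn->(@$_) }
                  (['alice', 'ModifyTicket'], ['dave', 'ModifyTicket']);
    print "$name: @results\n";
}
```

In the leaky version dave is granted ModifyTicket because the `$Owner` flag set during alice's request is still on; in the fixed version his call starts from a clean set of flags and is denied. Running both checks in one process is what makes the difference visible, which is why a single-request test would not catch this class of bug.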

Not to put /ANY/ pressure on anyone, but…

Define “shortly”.

:stuck_out_tongue:

At 02:04 AM 9/10/2001 -0400, you wrote:

RT 2.0.7 will be out shortly and will correct this bug. In the meantime,
the change below is exactly what I’m dropping into the source.

Russ Johnson
Stargate Online

telnet://telnet.dimstar.net
ICQ: 3739685

I rolled a test release and am waiting for positive install reports before blessing it.

On Mon, Sep 10, 2001 at 05:05:06PM -0700, Russ Johnson wrote:

Not to put /ANY/ pressure on anyone, but…

Define “shortly”.

:stuck_out_tongue:



rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users
