Dependency graph does not check ticket view permissions

Bug #974909 reported by Wichert Akkerman
Affects: trac-mastertickets (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

The dependency graph view of a ticket does not do any permission checks. This is a security problem on private trac sites since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.

This has been reported upstream as well: both in the GitHub issue tracker (see https://github.com/coderanger/trac-mastertickets/issues/4) and in the trac-hacks issue tracker (see https://trac-hacks.org/ticket/9944).

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: trac-mastertickets 3.0.2+20111224-1
ProcVersionSignature: Ubuntu 3.2.0-21.34-generic 3.2.13
Uname: Linux 3.2.0-21-generic x86_64
ApportVersion: 2.0-0ubuntu4
Architecture: amd64
Date: Fri Apr 6 09:56:28 2012
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Beta amd64 (20120327)
PackageArchitecture: all
SourcePackage: trac-mastertickets
UpgradeStatus: No upgrade log present (probably fresh install)
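To make the failure mode in the description concrete, here is an added example that is not code from trac-mastertickets or from the reporter. It models a dependency-graph walker over a constructed set of tickets and "blocking" edges: the unchecked walk returns every reachable ticket's id and summary, while the hardened walk requires view permission on the requested ticket and silently drops any ticket (and the edge leading to it) that the caller may not view, so neither the summary nor the existence of a hidden ticket leaks. The `can_view` function and the `STAFF` set are a hypothetical stand-in for Trac's `TICKET_VIEW` permission check on a ticket resource.

```python
from collections import deque

# Constructed sample data for this example (not taken from the bug report).
# ticket id -> (summary, is_private)
TICKETS = {
    1: ("Login page layout is broken", False),
    2: ("Update stylesheet", False),
    3: ("CONFIDENTIAL: customer data export leaks rows", True),
    4: ("Write release notes", False),
}

# Constructed dependency edges in the mastertickets sense: (blocker, blocked).
BLOCKING = [(2, 1), (3, 1), (4, 3)]

# Hypothetical permission model standing in for Trac's TICKET_VIEW check:
# members of STAFF may view every ticket, anyone else only non-private ones.
STAFF = {"alice"}


def can_view(user, tid):
    """Stand-in for `'TICKET_VIEW' in req.perm(ticket_resource)` in a real Trac plugin."""
    _summary, is_private = TICKETS[tid]
    return (not is_private) or user in STAFF


def neighbours(tid):
    """All (blocker, blocked) edges that touch tid, in either direction."""
    return [(b, d) for (b, d) in BLOCKING if tid in (b, d)]


def graph_unchecked(root):
    """The behaviour the report describes: walk the whole dependency graph and
    return every reachable ticket's id and summary with no permission check."""
    seen, queue, edges = {root}, deque([root]), set()
    while queue:
        tid = queue.popleft()
        for blocker, blocked in neighbours(tid):
            edges.add((blocker, blocked))
            other = blocked if blocker == tid else blocker
            if other not in seen:
                seen.add(other)
                queue.append(other)
    return {"nodes": {t: TICKETS[t][0] for t in seen}, "edges": sorted(edges)}


def graph_checked(root, user):
    """Hardened walk: refuse the request if the root ticket is not viewable, and
    never enqueue, name, or even draw an edge to a ticket the user may not view,
    so neither its summary nor its existence leaks through the graph."""
    if not can_view(user, root):
        # A real Trac plugin would raise trac.perm.PermissionError here.
        raise PermissionError("TICKET_VIEW privileges are required for ticket %d" % root)
    seen, queue, edges = {root}, deque([root]), set()
    while queue:
        tid = queue.popleft()
        for blocker, blocked in neighbours(tid):
            other = blocked if blocker == tid else blocker
            if not can_view(user, other):
                continue  # drop the edge entirely; a dangling node would reveal existence
            edges.add((blocker, blocked))
            if other not in seen:
                seen.add(other)
                queue.append(other)
    return {"nodes": {t: TICKETS[t][0] for t in seen}, "edges": sorted(edges)}


if __name__ == "__main__":
    print("unchecked: ", graph_unchecked(1))
    print("anonymous: ", graph_checked(1, "anonymous"))
    print("staff:     ", graph_checked(1, "alice"))
```

Note the design choice in `graph_checked`: a public ticket reachable only through a private one (ticket 4 here) is also omitted for the anonymous user, because traversing through the hidden ticket to reach it would itself reveal that something sits between them.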

Wichert Akkerman (wichert) wrote:
visibility: private → public
Wichert Akkerman (wichert) wrote:

I've made this ticket public since the issue was reported a year ago already in the github issue tracker, which is public.

Marc Deslauriers (mdeslaur) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in trac-mastertickets (Ubuntu):
status: New → Confirmed
This report contains Public Security information  