Your message dated Sun, 17 Mar 2013 11:02:45 +0000 with message-id <e1uhbmt-00083c...@franck.debian.org> and subject line Bug#702574: fixed in typo3-src 4.3.9+dfsg1-1+squeeze8 has caused the Debian Bug report #702574, regarding TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core (CVE-2013-1842, CVE-2013-1843) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
702574: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702574
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: typo3
Version: 4.3.9+dfsg1-1+squeeze7
Severity: grave
Tags: security, upstream

Hi,

It has been discovered that TYPO3 Core is susceptible to SQL Injection and Open Redirection. Here is the relevant information:
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/

A CVE number was requested at:
http://seclists.org/oss-sec/2013/q1/611

The patch that fixes the SQL Injection is the following:
http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/d00f4b6523507db3c4c7601cf7758333c8290c1d

However, to make it apply to the older typo3 in Squeeze you first have to apply the following ones:
http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/76f0c979dd5d221807c086cb7a4eb912055d8318
http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/68a2f3d653d77d8ed9a283e30f07e6f718c18f19

I'm attaching the file 10-SecBull-TYPO3-CORE-SA-2013-001.patch, ready to drop into debian/patches, which is the result of applying, in order, the above commits:
* 76f0c979dd5d221807c086cb7a4eb912055d8318
* 68a2f3d653d77d8ed9a283e30f07e6f718c18f19
* d00f4b6523507db3c4c7601cf7758333c8290c1d

For the other issue in the security bulletin (the open redirection issue), the relevant commit seems to be
http://git.typo3.org/TYPO3v4/Core.git/commit/71135d82ccb74b3ccf8673ce197cd8c4340d5163
but I don't have a backport of it to squeeze.

Typo3 in squeeze-backports and wheezy is also affected.

Regards!

--- a/typo3/sysext/extbase/Classes/Persistence/Storage/Typo3DbBackend.php
+++ b/typo3/sysext/extbase/Classes/Persistence/Storage/Typo3DbBackend.php
@@ -494,18 +494,17 @@ $typeOfRelation = $columnMap->getTypeOfRelation(); if ($typeOfRelation === Tx_Extbase_Persistence_Mapper_ColumnMap::RELATION_HAS_AND_BELONGS_TO_MANY) { $relationTableName = $columnMap->getRelationTableName(); - $sql['where'][] = $tableName . '.uid IN (SELECT ' . $columnMap->getParentKeyFieldName() . ' FROM ' . $relationTableName . ' WHERE ' . $columnMap->getChildKeyFieldName() . '=' . $this->getPlainValue($operand2) . ')'; + $sql['where'][] = $tableName . '.uid IN (SELECT ' . $columnMap->getParentKeyFieldName() . ' FROM ' . $relationTableName . ' WHERE ' . $columnMap->getChildKeyFieldName() . '=?)'; + $parameters[] = intval($this->getPlainValue($operand2)); } elseif ($typeOfRelation === Tx_Extbase_Persistence_Mapper_ColumnMap::RELATION_HAS_MANY) { $parentKeyFieldName = $columnMap->getParentKeyFieldName(); if (isset($parentKeyFieldName)) { - $columnName = $this->dataMapper->convertPropertyNameToColumnName($operand1->getPropertyName(), $source->getNodeTypeName()); $childTableName = $columnMap->getChildTableName(); - $sql['where'][] = $tableName . '.uid=(SELECT ' . $childTableName . '.' . $parentKeyFieldName . ' FROM ' . $childTableName . ' WHERE ' . $childTableName . '.uid=' . $this->getPlainValue($operand2) . ')'; + $sql['where'][] = $tableName . '.uid=(SELECT ' . $childTableName . '.' . $parentKeyFieldName . ' FROM ' . $childTableName . ' WHERE ' . $childTableName . '.uid=?)'; + $parameters[] = intval($this->getPlainValue($operand2)); } else { - $statement = '(' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'%,' . $this->getPlainValue($operand2) . ',%\''; - $statement .= ' OR ' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'%,' . $this->getPlainValue($operand2) . '\''; - $statement .= ' OR ' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'' . $this->getPlainValue($operand2) . ',%\')'; - $sql['where'][] = $statement; + $sql['where'][] = 'FIND_IN_SET(?,' . $tableName . '.' . $columnName . 
')'; + $parameters[] = intval($this->getPlainValue($operand2)); } } else { throw new Tx_Extbase_Persistence_Exception_RepositoryException('Unsupported relation for contains().', 1267832524); @@ -830,9 +829,9 @@ */ protected function parseLimitAndOffset($limit, $offset, array &$sql) { if ($limit !== NULL && $offset !== NULL) { - $sql['limit'] = $offset . ', ' . $limit; + $sql['limit'] = intval($offset) . ', ' . intval($limit); } elseif ($limit !== NULL) { - $sql['limit'] = $limit; + $sql['limit'] = intval($limit); } }signature.asc
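Review bot: in the contains() hunk, the RELATION_HAS_MANY else branch now emits `'FIND_IN_SET(?,' . $tableName . '.' . $columnName . ')'`, but the only assignment to `$columnName` visible in this hunk is the `-` line that was removed from inside `if (isset($parentKeyFieldName))`; unless the surrounding function assigns `$columnName` before this if/elseif chain, the else branch reads an undefined variable and produces `FIND_IN_SET(?,tablename.)`, which is malformed SQL rather than the intended contains() filter. Please check the lines above the hunk (or the first of the three backported commits) for that assignment. Replacing the inlined `$this->getPlainValue($operand2)` with `?` placeholders plus `$parameters[] = intval(...)` is the right shape for CVE-2013-1842: the integer cast guarantees a bare number even if the placeholder substitution outside this hunk were imperfect. It is also worth confirming that `$parameters` here is the same array the placeholder substitution consumes (passed by reference), otherwise the appended values are silently dropped.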
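Review bot: in the parseLimitAndOffset hunk, `intval($offset) . ', ' . intval($limit)` closes the LIMIT-clause injection but still accepts negative numbers, and `LIMIT -1, 10` is rejected by MySQL; wrapping the casts as `max(0, intval($offset))` and `max(0, intval($limit))` would keep the clause well-formed for any input. The docblock whose closing `*/` is visible just above the function should also state that both arguments are coerced to integers, since callers previously had the raw value passed through unchanged.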
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: typo3-src
Source-Version: 4.3.9+dfsg1-1+squeeze8

We believe that the bug you reported is fixed in the latest version of typo3-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 702...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated typo3-src package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Sat, 09 Mar 2013 21:40:09 +0100
Source: typo3-src
Binary: typo3-src-4.3 typo3-database typo3
Architecture: source all
Version: 4.3.9+dfsg1-1+squeeze8
Distribution: squeeze-security
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description:
 typo3      - The enterprise level open source WebCMS (Meta)
 typo3-database - TYPO3 - The enterprise level open source WebCMS (Database)
 typo3-src-4.3 - TYPO3 - The enterprise level open source WebCMS (Core)
Closes: 702574
Changes:
 typo3-src (4.3.9+dfsg1-1+squeeze8) squeeze-security; urgency=high
 .
   * Security patch backported from new upstream release 4.5.24 and 4.5.25:
     - fixes: "TYPO3 Security Bulletin TYPO3-CORE-SA-2013-001: Several
       Vulnerabilities in TYPO3 Core" (Closes: 702574)
     - fixes CVE-2013-1842 (SQL injection) and CVE-2013-1843 (Open redirection)
--- End Message ---