Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id
<83c9ffab6f08361485f70dda4733a7a24aeec09b.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #942524,
regarding buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
942524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942524
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Dear release team,
We would like to update graphite-web to fix 2 issues: the first one is
a message sent every hour if there's no whisper db, and is Debian-
specific. The 2nd one is a fix for CVE-2017-18638, where there is
an SSRF possible attack against graphite-web (the patch just removes
the send_email route and associated code).
The debdiff is attached to this message.
Sid has already been updated.
Please let us update graphite-web/1.1.4-3 in Buster,
Cheers,
Thomas Goirand (zigo)
diff -Nru graphite-web-1.1.4/debian/bin/graphite-build-search-index
graphite-web-1.1.4/debian/bin/graphite-build-search-index
--- graphite-web-1.1.4/debian/bin/graphite-build-search-index 2019-06-07
09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/bin/graphite-build-search-index 2019-10-17
02:17:35.000000000 +0200
@@ -9,12 +9,14 @@
WHISPER_DIR="/var/lib/graphite/whisper"
-cd ${WHISPER_DIR} && find -L . -name '*.wsp' | sed \
- -e 's@\.wsp$@@' \
- -e 's@^\./@@' \
- -e 's@/@.@g' > ${INDEX_FILE_TMP}
+if [ -d ${WHISPER_DIR} ]; then
+ cd ${WHISPER_DIR} && find -L . -name '*.wsp' | sed \
+ -e 's@\.wsp$@@' \
+ -e 's@^\./@@' \
+ -e 's@/@.@g' > ${INDEX_FILE_TMP}
-chmod 0640 ${INDEX_FILE_TMP}
-chown _graphite:_graphite ${INDEX_FILE_TMP}
+ chmod 0640 ${INDEX_FILE_TMP}
+ chown _graphite:_graphite ${INDEX_FILE_TMP}
-mv -f ${INDEX_FILE_TMP} ${INDEX_FILE}
+ mv -f ${INDEX_FILE_TMP} ${INDEX_FILE}
+fi
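Review bot: the new `if [ -d ${WHISPER_DIR} ]` guard only silences the case where the directory is absent; if `cd ${WHISPER_DIR}` fails for another reason (permissions), the `&&` skips the find/sed pipeline but the unconditional `chmod 0640 ${INDEX_FILE_TMP}`, `chown` and `mv -f` still run against a file that was never created, so the hourly cron error returns. Suggest quoting the variables (`"${WHISPER_DIR}"`, `"${INDEX_FILE_TMP}"`) and chaining the three follow-up commands onto the `&&` (or running the script under `set -e`); note also that the pipeline's exit status is sed's, so a failing `find` goes unnoticed unless the interpreter supports `set -o pipefail`.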
diff -Nru graphite-web-1.1.4/debian/changelog
graphite-web-1.1.4/debian/changelog
--- graphite-web-1.1.4/debian/changelog 2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/changelog 2019-10-17 02:17:35.000000000 +0200
@@ -1,3 +1,16 @@
+graphite-web (1.1.4-3+deb10u1) buster; urgency=high
+
+ [ Utkarsh Gupta ]
+ * Add patch to remove the 'send_email' function to avoid SSRF attack.
+ This was insecure, not used in the code, and was undocumented as well.
+ (Fixes: CVE-2017-18638)
+
+ [ Thomas Goirand ]
+ * Avoid hourly error in cron with no whisper db (Closes: #940554). Thanks to
+ Alexandre Rossi <[email protected]> for the patch.
+
+ -- Thomas Goirand <[email protected]> Thu, 17 Oct 2019 05:47:35 +0530
+
graphite-web (1.1.4-3) unstable; urgency=medium
* Fix shebang of /usr/bin/graphite-manage. (Closes: #925240)
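Review bot: "not used in the code" in the CVE entry understates the exposure: the accompanying patch removes `url(r'^/send_email', views.send_email, ...)` from `urls.py`, i.e. the view was reachable over HTTP even though nothing in the code base called it, which is exactly why it mattered. Suggest "not referenced elsewhere in the code base but exposed as a URL route". Version `1.1.4-3+deb10u1` with distribution `buster` and the `urgency=high` are consistent with a stable security update.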
diff -Nru graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch
graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch
--- graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch 1970-01-01
01:00:00.000000000 +0100
+++ graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch 2019-10-17
02:17:35.000000000 +0200
@@ -0,0 +1,83 @@
+Description: This patch removes the 'send_email' function.
+ graphite.composer.views.send_email was vulnerable to SSRF.
+ This was insecure, not used in the code, and was undocumented as well.
+Author: Utkarsh Gupta <[email protected]>
+Origin: https://github.com/graphite-project/graphite-web/pull/2499
+Bug: https://github.com/graphite-project/graphite-web/issues/2008
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-18638
+Last-Update: 2019-10-16
+
+--- a/webapp/graphite/composer/urls.py
++++ b/webapp/graphite/composer/urls.py
+@@ -16,7 +16,6 @@
+ from . import views
+
+ urlpatterns = [
+- url(r'^/send_email', views.send_email, name='composer_send_email'),
+ url(r'^/mygraph', views.mygraph, name='composer_mygraph'),
+ url(r'^/?$', views.composer, name='composer'),
+ ]
+--- a/webapp/graphite/composer/views.py
++++ b/webapp/graphite/composer/views.py
+@@ -13,15 +13,6 @@
+ limitations under the License."""
+
+ import os
+-from smtplib import SMTP
+-from socket import gethostname
+-from email.mime.multipart import MIMEMultipart
+-from email.mime.text import MIMEText
+-from email.mime.image import MIMEImage
+-from six.moves.http_client import HTTPConnection
+-from six.moves.urllib.parse import urlsplit
+-from time import ctime, strftime
+-from traceback import format_exc
+ from graphite.user_util import getProfile
+ from graphite.logger import log
+ from graphite.account.models import MyGraph
+@@ -90,35 +81,3 @@
+
+ else:
+ return HttpResponse("Invalid operation '%s'" % action)
+-
+-
+-def send_email(request):
+- try:
+- recipients = request.GET['to'].split(',')
+- url = request.GET['url']
+- proto, server, path, query, frag = urlsplit(url)
+- if query: path += '?' + query
+- conn = HTTPConnection(server)
+- conn.request('GET',path)
+- try: # Python 2.7+, use buffering of HTTP responses
+- resp = conn.getresponse(buffering=True)
+- except TypeError: # Python 2.6 and older
+- resp = conn.getresponse()
+- assert resp.status == 200, "Failed HTTP response %s %s" % (resp.status,
resp.reason)
+- rawData = resp.read()
+- conn.close()
+- message = MIMEMultipart()
+- message['Subject'] = "Graphite Image"
+- message['To'] = ', '.join(recipients)
+- message['From'] = 'composer@%s' % gethostname()
+- text = MIMEText( "Image generated by the following graphite URL at
%s\r\n\r\n%s" % (ctime(),url) )
+- image = MIMEImage( rawData )
+- image.add_header('Content-Disposition', 'attachment',
filename="composer_" + strftime("%b%d_%I%M%p.png"))
+- message.attach(text)
+- message.attach(image)
+- s = SMTP(settings.SMTP_SERVER)
+- s.sendmail('composer@%s' % gethostname(),recipients,message.as_string())
+- s.quit()
+- return HttpResponse( "OK" )
+- except Exception:
+- return HttpResponse(format_exc())
+--- a/webapp/graphite/settings.py
++++ b/webapp/graphite/settings.py
+@@ -126,7 +126,6 @@
+ REMOTE_RENDER_CONNECT_TIMEOUT = 1.0
+
+ #Miscellaneous settings
+-SMTP_SERVER = "localhost"
+ DOCUMENTATION_VERSION = 'latest' if 'dev' in WEBAPP_VERSION else
WEBAPP_VERSION
+ DOCUMENTATION_URL =
'https://graphite.readthedocs.io/en/{}/'.format(DOCUMENTATION_VERSION)
+ ALLOW_ANONYMOUS_CLI = True
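Review bot: removing the whole view rather than hardening the fetch is the right call, and the removed lines show two further defects a narrower fix would have left in place: `except Exception: return HttpResponse(format_exc())` returned full tracebacks to the client, and `s.sendmail('composer@%s' % gethostname(), recipients, ...)` with `recipients` taken straight from `request.GET['to']` let any caller send mail to arbitrary recipients through `settings.SMTP_SERVER` (no authentication decorator is visible on `def send_email`). Two follow-ups: the `settings.py` hunk drops `SMTP_SERVER`, so check that `settings_debian.patch`, `local_settings.patch` and any shipped local_settings example no longer reference it; and the DEP-3 `Bug-Debian:` header points at the security tracker rather than a bugs.debian.org report, which is fine if no Debian bug exists but is worth stating in the header.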
diff -Nru graphite-web-1.1.4/debian/patches/series
graphite-web-1.1.4/debian/patches/series
--- graphite-web-1.1.4/debian/patches/series 2019-06-07 09:39:24.000000000
+0200
+++ graphite-web-1.1.4/debian/patches/series 2019-10-17 02:17:35.000000000
+0200
@@ -1,2 +1,3 @@
local_settings.patch
settings_debian.patch
+CVE-2017-18638.patch
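Review bot: appending `CVE-2017-18638.patch` after `settings_debian.patch` is the right order if, as its name suggests, the Debian patch also touches `webapp/graphite/settings.py`; the new patch's settings hunk is `@@ -126,7 +126,6 @@`, so confirm with `quilt push -a` that it applies without fuzz on top of the Debian patches rather than against upstream line numbers.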
--- End Message ---
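After deploying the update, an operator may want to know whether the removed route was ever exercised on their instance. The following triage script is an added example, not part of the bug report or of graphite-web; it assumes Apache/nginx combined-format access logs and that the composer app is mounted at /composer/ (so the route removed by the patch appears as /composer/send_email), and labels where each request would have made the server fetch from.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
ROUTE = "/composer/send_email"  # assumption: composer app mounted at /composer/

# Constructed sample log lines (RFC 5737 documentation addresses as clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2019:03:12:01 +0000] "GET /composer/send_email'
    '?to=a%40example.org&url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 2',
    '203.0.113.7 - - [14/Oct/2019:03:12:09 +0000] "GET /composer/send_email'
    '?to=a%40example.org&url=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 2',
    '198.51.100.2 - - [14/Oct/2019:08:00:00 +0000] "GET /render?target=x HTTP/1.1" 200 8123',
    '192.0.2.9 - - [15/Oct/2019:11:30:45 +0000] "GET /composer/send_email'
    '?to=ops%40example.org&url=http%3A%2F%2Fgraphite.example.org%2Frender HTTP/1.1" 200 2',
]

def classify_target(url):
    """Label the server-side fetch that the removed view would have performed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "odd-scheme"
    try:
        addr = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return "external-name"  # a DNS name; not resolved here (offline)
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        return "internal-ip"
    return "external-ip"

def triage(lines):
    """(client, timestamp, label, fetched_url) for every request that hit ROUTE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, path, _status = m.groups()
        req = urlsplit(path)
        if not req.path.startswith(ROUTE):  # urls.py matched r'^/send_email'
            continue
        target = parse_qs(req.query).get("url", [""])[0]
        hits.append((client, ts, classify_target(target), target))
    return hits

def suspicious(lines):
    """Hits whose fetch target was an internal address or a non-HTTP scheme."""
    return [h for h in triage(lines) if h[2] in ("internal-ip", "odd-scheme")]
```

Hits labelled `external-name` still deserve a look, since a hostname may resolve to an internal address; the script does not resolve names so that it can run offline against archived logs.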
--- Begin Message ---
Package: release.debian.org
Version: 10.2
Hi,
The fixes referenced by these bugs were included in today's 10.2 stable
point release.
Regards,
Adam
--- End Message ---