Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hori...@packages.debian.org
Control: affects -1 + src:horizon
Dear Stable release team,

Horizon in Bookworm is impacted by CVE-2022-45582: Open redirect / phishing attack via "success_url" parameter. See:
https://bugs.debian.org/1050518

This version of the package includes the upstream patch to fix the problem.

[ Impact ]
See https://bugs.debian.org/1050518: open redirect in snapshots edition.

[ Tests ]
The package runs extensive unit tests, and upstream runs extensive functional tests, so I'm confident nothing broke.

[ Risks ]
Minimal. See above. Plus the patch is very limited in scope.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please allow me to upload horizon_23.0.0-5+deb12u1 to bookworm for inclusion in the next point release.

Cheers,

Thomas Goirand (zigo)
diff -Nru horizon-23.0.0/debian/changelog horizon-23.0.0/debian/changelog --- horizon-23.0.0/debian/changelog 2022-12-31 13:56:48.000000000 +0100 +++ horizon-23.0.0/debian/changelog 2023-09-05 11:31:00.000000000 +0200 @@ -1,3 +1,11 @@ +horizon (3:23.0.0-5+deb12u1) bookworm; urgency=medium + + * CVE-2022-45582: Open redirect/phishing attack via "success_url" parameter, + add upstream patch: "Fix success_url parameter issue for Edit Snapshot" + (Closes: #1050518). + + -- Thomas Goirand <z...@debian.org> Tue, 05 Sep 2023 11:31:00 +0200 + horizon (3:23.0.0-5) unstable; urgency=medium * Ignore openstack_dashboard/dashboards/project/backups/tests.py, see diff -Nru horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch --- horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch 1970-01-01 01:00:00.000000000 +0100 +++ horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch 2023-09-05 11:31:00.000000000 +0200 
@@ -0,0 +1,51 @@ +Author: manchandavishal <manchandavishal...@gmail.com> +Date: Wed, 14 Sep 2022 22:17:58 +0530 +Description: CVE-2022-45582 Fix success_url parameter issue for Edit Snapshot + The "success_url" param is used when updating the project snapshot + [1] and it lacks sanitizing the input URL that allows an attacker to + redirect the user to another website. This patch update 'Updateview' + class to not use the "sucess_url" method. +Bug: https://launchpad.net/bugs/1982676 +Bug-Debian: https://bugs.debian.org/1050518 +Origin: upstream, https://review.opendev.org/c/openstack/horizon/+/862899 +Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b +Last-Update: 2023-09-05 + +diff --git a/openstack_dashboard/dashboards/project/snapshots/views.py b/openstack_dashboard/dashboards/project/snapshots/views.py +index 7efc4a8..faf7279 100644 +--- a/openstack_dashboard/dashboards/project/snapshots/views.py ++++ b/openstack_dashboard/dashboards/project/snapshots/views.py +@@ -12,7 +12,6 @@ + + from django.urls import reverse + from django.urls import reverse_lazy +-from django.utils.http import urlencode + from django.utils.translation import gettext_lazy as _ + + from horizon import exceptions +@@ -104,11 +103,8 @@ + def get_context_data(self, **kwargs): + context = super().get_context_data(**kwargs) + context['snapshot'] = self.get_object() +- success_url = self.request.GET.get('success_url', "") + args = (self.kwargs['snapshot_id'],) +- params = urlencode({"success_url": success_url}) +- context['submit_url'] = "?".join([reverse(self.submit_url, args=args), +- params]) ++ context['submit_url'] = reverse(self.submit_url, args=args) + return context + + def get_initial(self): +@@ -117,12 +113,6 @@ + 'name': snapshot.name, + 'description': snapshot.description} + +- def get_success_url(self): +- success_url = self.request.GET.get( +- "success_url", +- reverse_lazy("horizon:project:snapshots:index")) +- return success_url +- + + class DetailView(tabs.TabView): + 
tab_group_class = vol_snapshot_tabs.SnapshotDetailTabs diff -Nru horizon-23.0.0/debian/patches/series horizon-23.0.0/debian/patches/series --- horizon-23.0.0/debian/patches/series 2022-12-31 13:56:48.000000000 +0100 +++ horizon-23.0.0/debian/patches/series 2023-09-05 11:31:00.000000000 +0200 @@ -6,3 +6,4 @@ django-4.x-csrf-reasons.patch Make-site_branding-tag-work-with-Django-4.0.patch remove-test_rbac_panels.patch +CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
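Review bot: the DEP-3 Description block of CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch carries typos and a dangling reference that are worth fixing before upload, since this header is what anyone auditing the stable update will read: "sucess_url" should read "success_url", "'Updateview'" should be "UpdateView", "This patch update" should be "This patch updates", and the "[1]" marker points at a footnote that is not present in the header (the Origin and Bug fields already carry the relevant links, so the marker can simply be dropped).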
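Review bot: removing get_success_url() in the @@ -117,12 +113,6 @@ hunk of views.py makes the snapshot UpdateView fall back to whatever success_url the class defines; the retained `from django.urls import reverse_lazy` import suggests a class-level success_url pointing at "horizon:project:snapshots:index" still exists, but that attribute is outside the shown context and should be confirmed, otherwise the view has no redirect target after a successful POST. Dropping the caller-supplied parameter entirely, rather than validating it with django.utils.http.url_has_allowed_host_and_scheme(), is the more robust choice here because nothing in the shown code needs a user-controlled return URL; together with the get_context_data change (submit_url is no longer rebuilt with urlencode({"success_url": ...})), any link that still appends ?success_url= is now silently ignored, which is the intended behaviour and should be mentioned as such in the changelog or patch description so the silent change in form behaviour is not mistaken for a regression.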