Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)
Also, the bug is only for 2.x versions. The package glewlwyd 1.4.9-1 in oldstable isn't vulnerable
Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)
Hello,

On Fri, 24 Dec 2021 14:39:14 -0500 Nicolas Mora wrote:
> Hello Salvatore,
>
> On 2021-12-24 at 14:36, Salvatore Bonaccorso wrote:
> > Any news on the CVE assignment? Did MITRE respond?
>

The CVE has been attributed for this bug: CVE-2021-45379
Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)
Hello Salvatore,

On 2021-12-24 at 14:36, Salvatore Bonaccorso wrote:
> Any news on the CVE assignment? Did MITRE respond?

Not yet, still waiting for the submission to be reviewed according to the mitre...

/Nicolas
Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)
Hi Nicolas,

On Sat, Dec 18, 2021 at 10:05:20AM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Dec 18, 2021 at 10:03:51AM +0100, Salvatore Bonaccorso wrote:
> > Hi Nicolas,
> >
> > On Fri, Dec 17, 2021 at 08:25:38PM -0500, Nicolas Mora wrote:
> > > See attached debdiff
> > >
> > > diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
> > > --- glewlwyd-2.5.2/debian/changelog 2021-09-22 08:42:59.0 -0400
> > > +++ glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500
> > > @@ -1,3 +1,9 @@
> > > +glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
> > > +
> > > + * d/patches: Fix possible privilege escalation (Closes: #1001849)
> >
> > This should not close the release.d.o filed bug, but the bug in the
> > BTS associates with glewlwyd if one exists. Related question: is there
> > a CVE and details on the issue?
>
> Answering the last question to myself: As you stated the CVE was
> requested :)

Any news on the CVE assignment? Did MITRE respond?

Regards,
Salvatore
Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)
Hi,

On Sat, Dec 18, 2021 at 10:03:51AM +0100, Salvatore Bonaccorso wrote:
> Hi Nicolas,
>
> On Fri, Dec 17, 2021 at 08:25:38PM -0500, Nicolas Mora wrote:
> > See attached debdiff
> >
> > diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
> > --- glewlwyd-2.5.2/debian/changelog 2021-09-22 08:42:59.0 -0400
> > +++ glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500
> > @@ -1,3 +1,9 @@
> > +glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
> > +
> > + * d/patches: Fix possible privilege escalation (Closes: #1001849)
>
> This should not close the release.d.o filed bug, but the bug in the
> BTS associates with glewlwyd if one exists. Related question: is there
> a CVE and details on the issue?

Answering the last question to myself: As you stated the CVE was
requested :)

Regards,
Salvatore
Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)
Hi Nicolas,

On Fri, Dec 17, 2021 at 08:25:38PM -0500, Nicolas Mora wrote:
> See attached debdiff
>
> diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
> --- glewlwyd-2.5.2/debian/changelog 2021-09-22 08:42:59.0 -0400
> +++ glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500
> @@ -1,3 +1,9 @@
> +glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
> +
> + * d/patches: Fix possible privilege escalation (Closes: #1001849)

This should not close the release.d.o filed bug, but the bug in the BTS associates with glewlwyd if one exists. Related question: is there a CVE and details on the issue?

Regards,
Salvatore
Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)
See attached debdiff diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog --- glewlwyd-2.5.2/debian/changelog 2021-09-22 08:42:59.0 -0400 +++ glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500 @@ -1,3 +1,9 @@ +glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium + + * d/patches: Fix possible privilege escalation (Closes: #1001849) + + -- Nicolas Mora Fri, 17 Dec 2021 07:51:46 -0500 + glewlwyd (2.5.2-2+deb11u1) bullseye; urgency=medium * d/patches: Fix CVE-2021-40818 diff -Nru glewlwyd-2.5.2/debian/patches/auth.patch glewlwyd-2.5.2/debian/patches/auth.patch --- glewlwyd-2.5.2/debian/patches/auth.patch1969-12-31 19:00:00.0 -0500 +++ glewlwyd-2.5.2/debian/patches/auth.patch2021-12-17 07:51:46.0 -0500 @@ -0,0 +1,16 @@ +Description: Fix escalation privilege +Author: Nicolas Mora +Forwarded: not-needed +--- a/src/webservice.c b/src/webservice.c +@@ -259,10 +259,6 @@ + if (check_result_value(j_result, G_ERROR_UNAUTHORIZED)) { + y_log_message(Y_LOG_LEVEL_WARNING, "Security - Authorization invalid for username %s at IP Address %s", json_string_value(json_object_get(j_param, "username")), ip_source); + } +-if ((session_uid = get_session_id(config, request)) != NULL && user_session_update(config, session_uid, u_map_get_case(request->map_header, "user-agent"), issued_for, json_string_value(json_object_get(j_param, "username")), NULL, 1) != G_OK) { +- y_log_message(Y_LOG_LEVEL_ERROR, "callback_glewlwyd_user_auth - Error user_session_update (2)"); +-} +-o_free(session_uid); + response->status = 401; + } + json_decref(j_result); diff -Nru glewlwyd-2.5.2/debian/patches/series glewlwyd-2.5.2/debian/patches/series --- glewlwyd-2.5.2/debian/patches/series2021-09-22 08:42:59.0 -0400 +++ glewlwyd-2.5.2/debian/patches/series2021-12-17 07:51:46.0 -0500 @@ -1,2 +1,3 @@ #webpack.patch webauthn.patch +auth.patch
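Review bot: `(Closes: #1001849)` in the changelog hunk refers to the bullseye-pu request bug on release.debian.org, not to a glewlwyd bug in the BTS, so the upload would close the wrong report; drop it (or replace it with the package bug number, if one exists) and identify the fix by its CVE as the previous `deb11u1` entry does with `Fix CVE-2021-40818`, e.g. `* d/patches: Fix possible privilege escalation (CVE-2021-45379)` once the assignment mentioned later in this thread is confirmed.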
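Review bot: the `auth.patch` hunk lacks the DEP-3 metadata a security fix needs: the `Description:` should read "Fix privilege escalation" rather than "Fix escalation privilege" and say what it changes (the four removed lines called `user_session_update()` with the request-supplied username inside the branch where `check_result_value(j_result, G_ERROR_UNAUTHORIZED)` has already fired and `response->status = 401` is set, i.e. after a failed authentication), and it should carry a `Bug-Debian:` or CVE reference and an `Origin:` pointing at the corresponding upstream commit instead of a bare `Forwarded: not-needed`. Please also confirm that the successful-authentication branch, outside this hunk's context, still performs its own `user_session_update()` so sessions remain bound on valid logins; the hunk header `@@ -259,10 +259,6 @@` is consistent with the four deletions and no additions.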
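Review bot: `+auth.patch` in the series hunk gives the security fix a generic file name; naming it after the bug it fixes (for example `CVE-2021-45379.patch`, matching how the previous changelog entry identifies its fix) keeps `debian/patches/series` self-documenting and makes later audits of which CVEs the package carries straightforward.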