Re: Wheezy update of twisted?
Guido Günther writes:

> Thanks for having a look! I've added twisted-web to dla-needed.txt as
> well (Salvatore already updated data/CVE/list).

My conclusions (for wheezy-security) are that:

* Neither twisted nor twisted-web actually has a vulnerability.
* It is possible applications that depend on twisted or twisted-web do
  have this vulnerability, however I do not consider it a worthwhile use
  of my time trying to check or test each dependency to find out.
* Upstream chose to mitigate this by removing the twcgi file, required
  for CGI support.
* The CGI support is required for non-python languages, such as
  PHP/Perl/CGI.
* If nothing is using this CGI interface we are not vulnerable, there is
  no need to make any changes.
* If something does use this CGI interface, and we haven't removed this
  code, we are vulnerable. Vulnerable to a "minor" security threat.
* If something does use this CGI interface, and we have removed this
  code, we are not vulnerable because the application is now (most
  likely) completely broken.

Note: this code that uses CGI may not be in the Debian archive. It could
be installed locally or created locally.

As such, I tend to feel the risks of removing this code exceed the risks
of not removing it. I am going to do the same thing as the security team
and mark this as no-dsa.

--
Brian May
Re: Wheezy update of twisted?
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Hi,
> >
> > Just a quick comment on:
> >
> > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> >> I am inclined to say that no version of twisted, by itself, has this
> >> vulnerability. However like I said earlier it is possible that
> >> applications that use twisted have this vulnerability.
> >
> > Looking at the upstream ticket
> > https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> > 16.3.1 will have something to help mitigate the issue in applications
> > that use twisted.
>
> I believe this is the upstream patch:
>
> https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165
>
> Looks like it removes CGI support.
>
> Hmmm. My test was flawed, I don't think I tested CGI. I imagine the
> results would be the same however.
>
> > For Jessie, we do not plan to release any DSA related to this for
> > src:twisted. Don't know if you want to follow that on LTS side.
>
> Yes, I tend to agree. Don't much like the idea of removing a feature in
> what is supposed to be a stable distribution.
>
> Then again, scratch that, looks like none of the files patched exist in
> the wheezy version anyway...
>
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
>
> Oh, I see, it looks like the source was split up for the Debian
> packaging. So the twisted-web source contains the file in question, not
> the twisted package.

Thanks for having a look! I've added twisted-web to dla-needed.txt as
well (Salvatore already updated data/CVE/list).

Cheers,
 -- Guido
Re: Wheezy update of twisted?
Hi,

On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
>
> Oh, I see, it looks like the source was split up for the Debian
> packaging. So the twisted-web source contains the file in question, not
> the twisted package.

Yes this might be true for wheezy. But for jessie and above the file is
again in src:twisted. I have now added the twisted-web source package as
well for the entry.

Regards,
Salvatore
Re: Wheezy update of twisted?
Salvatore Bonaccorso writes:

> Hi,
>
> Just a quick comment on:
>
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible that
>> applications that use twisted have this vulnerability.
>
> Looking at the upstream ticket
> https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> 16.3.1 will have something to help mitigate the issue in applications
> that use twisted.

I believe this is the upstream patch:

https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165

Looks like it removes CGI support.

Hmmm. My test was flawed, I don't think I tested CGI. I imagine the
results would be the same however.

> For Jessie, we do not plan to release any DSA related to this for
> src:twisted. Don't know if you want to follow that on LTS side.

Yes, I tend to agree. Don't much like the idea of removing a feature in
what is supposed to be a stable distribution.

Then again, scratch that, looks like none of the files patched exist in
the wheezy version anyway...

But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
and twisted/web/twcgi.py is in the upstream git repository for the
twisted-12.0.0 tag.

Oh, I see, it looks like the source was split up for the Debian
packaging. So the twisted-web source contains the file in question, not
the twisted package.

--
Brian May
Re: Wheezy update of twisted?
Hi,

Just a quick comment on:

On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> I am inclined to say that no version of twisted, by itself, has this
> vulnerability. However like I said earlier it is possible that
> applications that use twisted have this vulnerability.

Looking at the upstream ticket
https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
16.3.1 will have something to help mitigate the issue in applications
that use twisted.

For Jessie, we do not plan to release any DSA related to this for
src:twisted. Don't know if you want to follow that on LTS side.

Regards,
Salvatore
Re: Wheezy update of twisted?
Free Ekanayaka writes:

> I had a quick look at the code too (both in wheezy and jessie), but I
> couldn't find the offending bits. Perhaps it'd be good to put together a
> small web server and see what happens when you pass the 'Proxy'
> header.

So I created the following code:

=== cut ===
from twisted.internet import reactor
from twisted.web.server import Site
from twisted.web.resource import Resource
import time
import os


class ClockPage(Resource):
    # Serve this resource for every path; there are no child resources.
    isLeaf = True

    def render_GET(self, request):
        # Dump the server process environment to the console, so any
        # HTTP_PROXY variable derived from a "Proxy" request header
        # would be visible there.
        print(os.environ)
        return "%s" % (time.ctime(),)


resource = ClockPage()
factory = Site(resource)
reactor.listenTCP(8880, factory)
reactor.run()
=== cut ===

Then I attempted to run from wheezy. In particular, I used the following
command:

curl -H "Proxy: http://meow/" http://localhost:8880/

I inspected the console output, but could not find any references to
meow or HTTP_PROXY:

{'TERM': 'xterm-256color', 'SHELL': '/bin/bash', 'SCHROOT_UID': '1000',
 'SCHROOT_COMMAND': '-bash', 'SHLVL': '1', 'OLDPWD': '/root',
 'SCHROOT_CHROOT_NAME': 'wheezy-amd64-default',
 'PWD': '/home/brian/tree/debian/debian-lts/wheezy/twisted/test',
 'SCHROOT_SESSION_ID': 'wheezy-amd64-default-76337752-1661-47c2-b322-f2a73ff7314b',
 'SCHROOT_USER': 'brian', 'USER': 'root', 'HOME': '/root',
 'SCHROOT_GID': '1000',
 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
 'LOGNAME': 'root', 'SCHROOT_GROUP': 'brian',
 'SCHROOT_ALIAS_NAME': 'wheezy-amd64-default', '_': '/usr/bin/python'}

I get similar results when testing on stretch. It looks like sid is the
same version 16.3.0-1.

I am inclined to say that no version of twisted, by itself, has this
vulnerability. However like I said earlier it is possible that
applications that use twisted have this vulnerability.

--
Brian May
Re: Wheezy update of twisted?
Hi,

I had a quick look at the code too (both in wheezy and jessie), but I
couldn't find the offending bits. Perhaps it'd be good to put together a
small web server and see what happens when you pass the 'Proxy'
header.

Free

On 5 August 2016 at 10:26, Brian May wrote:
> This security vulnerability is described here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1357345
>
> as:
>
> "sets environmental variable based on user supplied Proxy request
> header"
>
> In particular it is talking about HTTP_PROXY, and it is only a problem
> if the server makes an outgoing HTTP request using this value.
>
> Looking at this, I am inclined to say this isn't a security issue in
> twisted itself, rather some unspecified applications that use twisted.
>
> Just trying to double check this. I can't find any references
> (case-insensitive) of "HTTP_PROXY" in the twisted source however.
>
> This appears to be confirmed by the first sentence in the redhat bug
> report:
>
> "Many software projects and vendors have implemented support for the
> “Proxy” request header in their respective CGI implementations and
> languages by creating the “HTTP_PROXY” environmental variable based on
> the header value."
>
> There are a number of projects in Debian that use twisted, should we
> check each one?
>
> Sure would be good if I had an example application that was confirmed
> vulnerable.
> --
> Brian May
Re: Wheezy update of twisted?
This security vulnerability is described here:

https://bugzilla.redhat.com/show_bug.cgi?id=1357345

as:

"sets environmental variable based on user supplied Proxy request
header"

In particular it is talking about HTTP_PROXY, and it is only a problem
if the server makes an outgoing HTTP request using this value.

Looking at this, I am inclined to say this isn't a security issue in
twisted itself, rather some unspecified applications that use twisted.

Just trying to double check this. I can't find any references
(case-insensitive) of "HTTP_PROXY" in the twisted source however.

This appears to be confirmed by the first sentence in the redhat bug
report:

"Many software projects and vendors have implemented support for the
“Proxy” request header in their respective CGI implementations and
languages by creating the “HTTP_PROXY” environmental variable based on
the header value."

There are a number of projects in Debian that use twisted, should we
check each one?

Sure would be good if I had an example application that was confirmed
vulnerable.

--
Brian May
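Added illustration (not code from this thread, from Twisted or from twcgi.py): a stand-alone Python model of the mechanism the Red Hat report describes, a CGI gateway turning request headers into HTTP_* environment variables, with the narrow mitigation of dropping the Proxy header placed next to the unmitigated mapping, as an alternative to removing CGI support entirely. Function and variable names and the request headers are constructed for the example.

```python
# Constructed example of RFC 3875-style header-to-environment mapping.
# Names here are hypothetical; this is not Twisted's twcgi implementation.

# RFC 3875 gives these two headers dedicated variables instead of HTTP_*.
SPECIAL_HEADERS = {"content-type": "CONTENT_TYPE",
                   "content-length": "CONTENT_LENGTH"}

# Variables a CGI child must never receive from a client-controlled header.
# HTTP_PROXY is read by common HTTP client libraries to pick an outbound
# proxy, which is why a client-supplied "Proxy" header matters.
BLOCKED_VARS = frozenset({"HTTP_PROXY"})


def header_to_cgi_name(name):
    """Map a request header name to its CGI environment variable name."""
    lower = name.lower()
    if lower in SPECIAL_HEADERS:
        return SPECIAL_HEADERS[lower]
    return "HTTP_" + name.upper().replace("-", "_")


def suspicious_headers(headers):
    """Names of request headers that would populate a blocked variable.
    Useful for logging or alerting on requests that carry a Proxy header."""
    return [name for name, _ in headers
            if header_to_cgi_name(name) in BLOCKED_VARS]


def build_cgi_env(headers, base_env=None, filter_proxy=True):
    """Build the environment for a CGI child from (name, value) header pairs.

    filter_proxy=False reproduces the unmitigated mapping; the default drops
    any header that would set a blocked variable, which is the narrower fix
    compared with removing CGI support altogether."""
    env = dict(base_env or {})
    for name, value in headers:
        var = header_to_cgi_name(name)
        if filter_proxy and var in BLOCKED_VARS:
            continue
        env[var] = value
    return env


if __name__ == "__main__":
    # Constructed request mirroring the curl test discussed in the thread.
    request = [("Host", "localhost:8880"), ("Proxy", "http://meow/")]
    print(build_cgi_env(request, filter_proxy=False).get("HTTP_PROXY"))
    print(build_cgi_env(request).get("HTTP_PROXY"))
    print(suspicious_headers(request))
```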
Re: Wheezy update of twisted?
Hello,

I'm going on vacation shortly, and likely won't have time to address the
bug timely enough. So unless Matthias has cycles to work on it, I'd say
yes go ahead please.

Thanks

Free

On 28 July 2016 at 22:37, Thorsten Alteholz wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of twisted:
> https://security-tracker.debian.org/tracker/CVE-2016-1000111
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Thorsten Alteholz,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
>
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Wheezy update of twisted?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of twisted:
https://security-tracker.debian.org/tracker/CVE-2016-1000111

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Thorsten Alteholz,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:

https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup