Bug#1051257: bookworm-pu: package horizon/src:horizon (CVE-2022-45582)

2023-09-05 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Tue, Sep 05, 2023 at 11:57:39AM +0200, Thomas Goirand wrote:
> Horizon in Bookworm is impacted by CVE-2022-45582: Open redirect /
> phishing attack via "success_url" parameter. See:

Please go ahead.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Processed: Re: Bug#1051257: bookworm-pu: package horizon/src:horizon (CVE-2022-45582)

2023-09-05 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1051257 [release.debian.org] bookworm-pu: package horizon/3:23.0.0-5+deb12u1
Added tag(s) confirmed.

-- 
1051257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051257
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1051257: bookworm-pu: package horizon/src:horizon (CVE-2022-45582)

2023-09-05 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hori...@packages.debian.org
Control: affects -1 + src:horizon

Dear Stable release team,

Horizon in Bookworm is impacted by CVE-2022-45582: Open redirect /
phishing attack via "success_url" parameter. See:

https://bugs.debian.org/1050518

This version of the package includes the upstream patch to fix
the problem.

[ Impact ]
See https://bugs.debian.org/1050518: open redirect in
snapshots edition.

[ Tests ]
The package runs extensive unit tests, and upstream runs extensive
functional tests, so I'm confident nothing broke.

[ Risks ]
Minimal. See above. Plus the patch is very limited in scope.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please allow me to upload horizon_23.0.0-5+deb12u1 to bookworm for
inclusion in the next point release.

Cheers,

Thomas Goirand (zigo)
diff -Nru horizon-23.0.0/debian/changelog horizon-23.0.0/debian/changelog
--- horizon-23.0.0/debian/changelog 2022-12-31 13:56:48.0 +0100
+++ horizon-23.0.0/debian/changelog 2023-09-05 11:31:00.0 +0200
@@ -1,3 +1,11 @@
+horizon (3:23.0.0-5+deb12u1) bookworm; urgency=medium
+
+  * CVE-2022-45582: Open redirect/phishing attack via "success_url" parameter,
+add upstream patch: "Fix success_url parameter issue for Edit Snapshot"
+(Closes: #1050518).
+
+ -- Thomas Goirand   Tue, 05 Sep 2023 11:31:00 +0200
+
 horizon (3:23.0.0-5) unstable; urgency=medium
 
   * Ignore openstack_dashboard/dashboards/project/backups/tests.py, see
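Review bot: the changelog entry cites only the Debian bug (Closes: #1050518), while the DEP-3 header of the new patch also carries the upstream Launchpad bug 1982676 and the Gerrit change; naming the Launchpad bug in the changelog line as well would make the stable update self-describing in the point-release notes without opening the patch. Otherwise the entry matches the patch Description, and the bookworm suite and 3:23.0.0-5+deb12u1 version are the right shape for a +deb12u1 update.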
diff -Nru horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
--- horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch	1970-01-01 01:00:00.0 +0100
+++ horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch	2023-09-05 11:31:00.0 +0200
@@ -0,0 +1,51 @@
+Author: manchandavishal 
+Date: Wed, 14 Sep 2022 22:17:58 +0530
+Description: CVE-2022-45582 Fix success_url parameter issue for Edit Snapshot
+ The "success_url" param is used when updating the project snapshot
+ [1] and it lacks sanitizing the input URL that allows an attacker to
+ redirect the user to another website. This patch update 'Updateview'
+ class to not use the "sucess_url" method.
+Bug: https://launchpad.net/bugs/1982676
+Bug-Debian: https://bugs.debian.org/1050518
+Origin: upstream, https://review.opendev.org/c/openstack/horizon/+/862899
+Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
+Last-Update: 2023-09-05
+
+diff --git a/openstack_dashboard/dashboards/project/snapshots/views.py 
b/openstack_dashboard/dashboards/project/snapshots/views.py
+index 7efc4a8..faf7279 100644
+--- a/openstack_dashboard/dashboards/project/snapshots/views.py
 b/openstack_dashboard/dashboards/project/snapshots/views.py
+@@ -12,7 +12,6 @@
+ 
+ from django.urls import reverse
+ from django.urls import reverse_lazy
+-from django.utils.http import urlencode
+ from django.utils.translation import gettext_lazy as _
+ 
+ from horizon import exceptions
+@@ -104,11 +103,8 @@
+ def get_context_data(self, **kwargs):
+ context = super().get_context_data(**kwargs)
+ context['snapshot'] = self.get_object()
+-success_url = self.request.GET.get('success_url', "")
+ args = (self.kwargs['snapshot_id'],)
+-params = urlencode({"success_url": success_url})
+-context['submit_url'] = "?".join([reverse(self.submit_url, args=args),
+-  params])
++context['submit_url'] = reverse(self.submit_url, args=args)
+ return context
+ 
+ def get_initial(self):
+@@ -117,12 +113,6 @@
+ 'name': snapshot.name,
+ 'description': snapshot.description}
+ 
+-def get_success_url(self):
+-success_url = self.request.GET.get(
+-"success_url",
+-reverse_lazy("horizon:project:snapshots:index"))
+-return success_url
+-
+ 
+ class DetailView(tabs.TabView):
+ tab_group_class = vol_snapshot_tabs.SnapshotDetailTabs
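Review bot: removing get_success_url() leaves UpdateView depending on a class-level success_url that this hunk's context lines do not show; confirm the class defines success_url = reverse_lazy("horizon:project:snapshots:index"), the default the removed method fell back to, otherwise the post-edit redirect silently changes and the reverse_lazy import kept at the top of the file becomes dead. The get_context_data change is sound as shown: submit_url no longer round-trips the client-supplied value, so the redirect target is chosen server-side only. Smaller points in the DEP-3 header: "sucess_url" should read "success_url", "Updateview" should be "UpdateView", and "This patch update 'Updateview' class to not use the "sucess_url" method" should read "This patch updates the UpdateView class to drop its get_success_url() override"; the "[1]" in the Description also has no matching footnote. Finally, as rendered here the nested file header line "+++ b/openstack_dashboard/dashboards/project/snapshots/views.py" has lost its "+++" prefix; check that the patch file in the actual upload is intact so quilt applies it cleanly.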
diff -Nru horizon-23.0.0/debian/patches/series horizon-23.0.0/debian/patches/series
--- horizon-23.0.0/debian/patches/series	2022-12-31 13:56:48.0 +0100
+++ horizon-23.0.0/debian/patches/series	2023-09-05 11:31:00.0 +0200
@@ -6,3 +6,4 @@
 django-4.x-csrf-reasons.patch
 Make-site_branding-tag-work-with-Django-4.0.patch
 remove-test_rbac_panels.patch
+CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
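The open redirect described in the report, as an added example that is not part of the Horizon code or of the Debian package. The upstream fix simply stops reading "success_url" from the query string; this example shows that removed behaviour beside two safe alternatives: the upstream approach (always return to the index) and, going beyond the patch, a validating version that still honours the parameter when it is relative or points back at the serving host. The index path "/project/snapshots/" and the host name "horizon.example" are assumed stand-ins for reverse_lazy("horizon:project:snapshots:index") and the request host; is_safe_redirect() is a stdlib-only reimplementation modelled on the checks in Django's django.utils.http.url_has_allowed_host_and_scheme(), written here so the example runs without Django installed.

```python
import unicodedata
from urllib.parse import parse_qs, urlsplit

# Assumed stand-in for reverse_lazy("horizon:project:snapshots:index"),
# the default the removed get_success_url() fell back to.
SNAPSHOT_INDEX = "/project/snapshots/"


def vulnerable_success_url(query_string: str) -> str:
    """Behaviour of the removed get_success_url(): the client-supplied
    success_url is returned verbatim, so any absolute URL becomes the
    post-submit redirect target (the open redirect in CVE-2022-45582)."""
    params = parse_qs(query_string)
    return params.get("success_url", [SNAPSHOT_INDEX])[0]


def fixed_success_url(query_string: str) -> str:
    """Behaviour after the upstream patch: the query string is ignored and
    the view always returns to the snapshot index."""
    return SNAPSHOT_INDEX


def _allowed_host_and_scheme(url: str, allowed_hosts: frozenset) -> bool:
    # Three leading slashes: browsers treat the URL as absolute, urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example" or "javascript:...": a scheme without a netloc is
    # either host-smuggling (Chrome still reads a host) or a non-HTTP scheme.
    if parts.scheme and not parts.netloc:
        return False
    # Some browsers skip leading control characters and then re-parse the URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # "//evil.example/p" has no scheme but a netloc; browsers treat it as http.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in ("http", "https")
    return host_ok and scheme_ok


def is_safe_redirect(url: str, allowed_hosts) -> bool:
    """Reimplementation (stdlib only) of the checks Django performs in
    url_has_allowed_host_and_scheme(); allowed_hosts is an iterable of host names."""
    url = (url or "").strip()
    if not url:
        return False
    hosts = frozenset(allowed_hosts)
    # Browsers treat "\" as "/" in paths, so "/\evil.example" must fail as well.
    return (_allowed_host_and_scheme(url, hosts)
            and _allowed_host_and_scheme(url.replace("\\", "/"), hosts))


def hardened_success_url(query_string: str, request_host: str) -> str:
    """Alternative to dropping the parameter: keep success_url but only honour it
    when it is relative or targets the host that served the form."""
    candidate = parse_qs(query_string).get("success_url", [""])[0]
    if is_safe_redirect(candidate, {request_host}):
        return candidate
    return SNAPSHOT_INDEX


if __name__ == "__main__":
    # Constructed sample query strings, not captured from a real request.
    for qs in ("success_url=https://evil.example/login",
               "success_url=%2F%2Fevil.example%2F",
               "success_url=/project/volumes/"):
        print(f"{qs!r}: vulnerable -> {vulnerable_success_url(qs)!r}, "
              f"hardened -> {hardened_success_url(qs, 'horizon.example')!r}")
```

The percent-encoded "%2F%2Fevil.example%2F" case is the one worth remembering: parse_qs decodes it to the protocol-relative "//evil.example/", which the vulnerable view hands straight to the redirect while a naive "starts with /" check would also wave it through; the host check on the decoded value is what catches it.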