Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
On Fri, 2018-11-09 at 06:55 +0100, Salvatore Bonaccorso wrote:
> Hi Ludovico,
>
> On Sat, Feb 10, 2018 at 10:25:47AM +0100, Julien Cristau wrote:
> > Control: tag -1 confirmed
> >
> > On Mon, Dec 25, 2017 at 21:26:58 +0100, Ludovico Cavedon wrote:
> >
> > > I would like to submit to your consideration an update to ntopng in
> > > stretch.
> > >
> > > The main bug that triggered this upload is #856048, which causes the
> > > user management and preferences section of the web interface to
> > > be unusable.
> > >
> > > The fix is already in version 2.4+dfsg1-4 in unstable.
> > >
> > > There are three additional important issues from 2.4+dfsg1-4 that I
> > > think it would make sense to include:
> > > - #859653 which causes ntopng to crash if the mysql backend is selected.
> > >   This change only affects mysql users. On the other side it is an
> > >   obvious usage-after-free and out-of-bound memory access issues.
> > > - #866721 and #866719, which are security-related issues. Do you want
> > >   me to reach out to the security team about these first? Do we need to
> > >   treat the whole update as a security one instead, or split it?
> > >
> >
> > Assuming this has been properly tested in a stretch environment, please
> > go ahead and upload.
>
> Friendly ping ;-)

Re-ping.

If nothing happens within a couple of weeks then I plan on closing this
bug.

Regards,

Adam
Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Hi Ludovico,

On Sat, Feb 10, 2018 at 10:25:47AM +0100, Julien Cristau wrote:
> Control: tag -1 confirmed
>
> On Mon, Dec 25, 2017 at 21:26:58 +0100, Ludovico Cavedon wrote:
>
> > I would like to submit to your consideration an update to ntopng in
> > stretch.
> >
> > The main bug that triggered this upload is #856048, which causes the
> > user management and preferences section of the web interface to
> > be unusable.
> >
> > The fix is already in version 2.4+dfsg1-4 in unstable.
> >
> > There are three additional important issues from 2.4+dfsg1-4 that I
> > think it would make sense to include:
> > - #859653 which causes ntopng to crash if the mysql backend is selected.
> >   This change only affects mysql users. On the other side it is an
> >   obvious usage-after-free and out-of-bound memory access issues.
> > - #866721 and #866719, which are security-related issues. Do you want
> >   me to reach out to the security team about these first? Do we need to
> >   treat the whole update as a security one instead, or split it?
> >
> Assuming this has been properly tested in a stretch environment, please
> go ahead and upload.

Friendly ping ;-)

Regards,
Salvatore
Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Control: tag -1 confirmed

On Mon, Dec 25, 2017 at 21:26:58 +0100, Ludovico Cavedon wrote:

> I would like to submit to your consideration an update to ntopng in
> stretch.
>
> The main bug that triggered this upload is #856048, which causes the
> user management and preferences section of the web interface to
> be unusable.
>
> The fix is already in version 2.4+dfsg1-4 in unstable.
>
> There are three additional important issues from 2.4+dfsg1-4 that I
> think it would make sense to include:
> - #859653 which causes ntopng to crash if the mysql backend is selected.
>   This change only affects mysql users. On the other side it is an
>   obvious usage-after-free and out-of-bound memory access issues.
> - #866721 and #866719, which are security-related issues. Do you want
>   me to reach out to the security team about these first? Do we need to
>   treat the whole update as a security one instead, or split it?
>
Assuming this has been properly tested in a stretch environment, please
go ahead and upload.

Cheers,
Julien
Processed: Re: Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Processing control commands:

> tag -1 confirmed
Bug #885183 [release.debian.org] stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Added tag(s) confirmed.

--
885183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885183
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Hi,

On Wed, Dec 27, 2017 at 02:21:14PM +, Ludovico Cavedon wrote:
> Hi Moritz,
>
> On Tue, Dec 26, 2017 at 12:18 PM Moritz Mühlenhoff wrote:
>
> > On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> > > - #866721 and #866719, which are security-related issues. Do you want
> > > me to reach out to the security team about these first?
> >
> > Those are marked no-dsa for quite a while, so not needed
> >
>
> Of course, sorry for missing that.
>
> I tried to search/read but I am not completely sure of what the next step
> is: should I wait for feedback based on the attached debdiff, or should I
> upload to pu first?

Always wait first for an ack of the SRMs before doing an update to pu.
This avoids turnarounds in case SRMs are not happy yet with the debdiff,
and packages would be rejected from pu-NEW.

Regards and hope this helps,
Salvatore
Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Hi Moritz,

On Tue, Dec 26, 2017 at 12:18 PM Moritz Mühlenhoff wrote:

> On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> > - #866721 and #866719, which are security-related issues. Do you want
> > me to reach out to the security team about these first?
>
> Those are marked no-dsa for quite a while, so not needed
>

Of course, sorry for missing that.

I tried to search/read but I am not completely sure of what the next step
is: should I wait for feedback based on the attached debdiff, or should I
upload to pu first?

Thank you,
Ludovico
Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> - #866721 and #866719, which are security-related issues. Do you want
> me to reach out to the security team about these first?

Those are marked no-dsa for quite a while, so not needed.

Cheers,
Moritz
Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to submit to your consideration an update to ntopng in
stretch.

The main bug that triggered this upload is #856048, which causes the
user management and preferences section of the web interface to
be unusable.

The fix is already in version 2.4+dfsg1-4 in unstable.

There are three additional important issues from 2.4+dfsg1-4 that I
think it would make sense to include:
- #859653 which causes ntopng to crash if the mysql backend is selected.
  This change only affects mysql users. On the other side it is an
  obvious usage-after-free and out-of-bound memory access issues.
- #866721 and #866719, which are security-related issues. Do you want
  me to reach out to the security team about these first? Do we need to
  treat the whole update as a security one instead, or split it?

debdiff attached.

Thank you,
Ludovico

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (470, 'unstable'), (460, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru ntopng-2.4+dfsg1/debian/changelog ntopng-2.4+dfsg1/debian/changelog --- ntopng-2.4+dfsg1/debian/changelog 2017-02-04 04:43:00.0 +0100 +++ ntopng-2.4+dfsg1/debian/changelog 2017-12-24 21:18:54.0 +0100 
@@ -1,8 +1,22 @@ -ntopng (2.4+dfsg1-3) unstable; urgency=high +ntopng (2.4+dfsg1-3+deb9u1) stretch; urgency=medium + + * Update Check-for-presence-of-crsf-in-admin-scripts.patch to avoid the +'Missing CSRF parameter' error (Closes: #856048). + * Add CVE-2017-7458.patch to prevent an empty host to crash ntopng +(Closes: #866721, CVE-2017-7458). + * Add CVE-2017-7459.patch to prevent \r\n from being injected into HTTP URIs +(Closes: #866719, CVE-2017-7459). + * Add Avoid-access-after-free.patch and +Avoid-access-to-unintialized-memory.patch to fix crash with mysql (thanks +to Bernhard Übelacker, Closes: #859653). + + -- Ludovico Cavedon Sun, 24 Dec 2017 21:18:54 +0100 + +ntopng (2.4+dfsg1-3) unstable; urgency=medium * Import upstream patches fixing CVE-2017-5473. (Closes: #852109) - -- Ludovico Cavedon Fri, 03 Feb 2017 19:43:00 -0800 + -- Ludovico Cavedon Sun, 24 Dec 2017 21:14:54 +0100 ntopng (2.4+dfsg1-2) unstable; urgency=high diff -Nru ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch --- ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch 1970-01-01 01:00:00.0 +0100 +++ ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch 2017-12-24 21:17:07.0 +0100 
@@ -0,0 +1,48 @@ +Description: Avoid access after free +Author: Bernhard Übelacker +Bug-Debian: https://bugs.debian.org/859653 +Applied-Upstream: yes + +Found while investigating for https://bugs.debian.org/859653 + +==10143== Invalid read of size 8 +==10143==at 0x616E301: mysql_num_rows (client.c:4561) +==10143==by 0x11C1AD: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:593) +==10143==by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295) +==10143==by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133) +==10143==by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059) +==10143==by 0x1187D3: main (main.cpp:117) +==10143== Address 0x144527a8 is 8 bytes inside a block of size 208 free'd +==10143==at 0x4C2CDDB: free (vg_replace_malloc.c:530) +==10143==by 0x11C1A5: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:592) +==10143==by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295) +==10143==by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133) +==10143==by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059) +==10143==by 0x1187D3: main (main.cpp:117) +==10143== Block was alloc'd at +==10143==at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) +==10143==by 0x61A7D95: my_malloc (my_malloc.c:101) +==10143==by 0x616C1D5: mysql_store_result (client.c:4094) +==10143==by 0x11C190: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:589) +==10143==by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295) +==10143==by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133) +==10143==by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059) +==10143==by 0x1187D3: main (main.cpp:117) +--- + src/MySQLDB.cpp | 2 +- + 1 file changed, 1 insertion(+),
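
Review bot: In the debian/changelog hunk, the already-released 2.4+dfsg1-3 entry is rewritten instead of being left untouched: its urgency goes from high to medium and its trailer date changes from "Fri, 03 Feb 2017 19:43:00 -0800" to "Sun, 24 Dec 2017 21:14:54 +0100". The update should only prepend the new 2.4+dfsg1-3+deb9u1 stanza; please restore the original header and trailer line of the 2.4+dfsg1-3 entry so the history of the version currently in stretch is not altered.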
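
Review bot: The header of Avoid-access-after-free.patch says "Applied-Upstream: yes", which gives no way to locate the upstream change; DEP-3 expects the upstream version or a commit identifier or URL in that field. The description is also only the raw Valgrind trace, so please add one sentence naming the defect it shows (the block allocated by mysql_store_result at MySQLDB.cpp:589 is freed at line 592 and then read by mysql_num_rows at line 593), which lets the one-line change to src/MySQLDB.cpp be checked against it. The hunk is cut off after the diffstat here, so the code change itself cannot be reviewed from this page.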