Bug#696816: jenkins: Security issues were found in Jenkins core

2013-01-29 Thread James Page

Hi Steve

On 25/01/13 15:18, Steven McDonald wrote:
> The issue was raised on debian-devel[0] that this bug still
> affects unstable and is causing jenkins to be a candidate for
> removal from wheezy. I have backported the fixes for these issues
> from upstream git; they are attached to this e-mail as separate
> quilt patches for the sake of cleanliness.

Thanks for the patches.

> I have also uploaded a source NMU package[1] to
> mentors.debian.net, which I intend to seek sponsorship for if I
> don't get a reply to this bug report within 72 hours (as the
> deadline given by the Release Team for removal from testing is 31st
> January).

I'll get a new version uploaded to unstable today; note that jenkins
is also affected by another security vulnerability (see [0]) for which I
am currently waiting on upstream for a backported fix (it's big).

Thanks

James

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697617

-- 
James Page
Ubuntu Core Developer
Debian Maintainer
james.p...@ubuntu.com

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#696816: jenkins: Security issues were found in Jenkins core

2013-01-25 Thread Steven McDonald
Hi there,

The issue was raised on debian-devel[0] that this bug still affects
unstable and is causing jenkins to be a candidate for removal from
wheezy. I have backported the fixes for these issues from upstream git;
they are attached to this e-mail as separate quilt patches for the sake
of cleanliness.

I have also uploaded a source NMU package[1] to mentors.debian.net,
which I intend to seek sponsorship for if I don't get a reply to this
bug report within 72 hours (as the deadline given by the Release Team
for removal from testing is 31st January).

Please let me know if you need anything further from me.

Thanks,
Steven.

[0] Thread "Candidates for removal from testing (2013-01-24)", which
doesn't seem to be in the web archives yet.

[1] http://mentors.debian.net/package/jenkins
Description: Cherry-picked fix from 1.480.1
 Security issue:
   - CVE-2012-6073 open redirect
Origin: Upstream, commit ab0ac1ac499f734892c2203edc508a6dbf5fa42d
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816
--- a/core/src/main/java/hudson/Util.java
+++ b/core/src/main/java/hudson/Util.java
@@ -1173,6 +1173,31 @@
 }
 
 /**
+ * Return true if the systemId denotes an absolute URI .
+ *
+ * The same algorithm can be seen in {@link URI}, but
+ * implementing this by ourselves allow it to be more lenient about
+ * escaping of URI.
+ */
+public static boolean isAbsoluteUri(String uri) {
+int idx = uri.indexOf(':');
+if (idx<0)  return false;   // no ':'. can't be absolute
+
+// #, ?, and / must not be before ':'
+return idx<_indexOf(uri, '#') && idx<_indexOf(uri,'?') && idx<_indexOf(uri,'/');
+}
+
+/**
+ * Works like {@link String#indexOf(int)} but 'not found' is returned as s.length(), not -1.
+ * This enables more straight-forward comparison.
+ */
+private static int _indexOf(String s, char ch) {
+int idx = s.indexOf(ch);
+if (idx<0)  return s.length();
+return idx;
+}
+
+/**
  * Loads a key/value pair string as {@link Properties}
  * @since 1.392
  */
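Review bot: `isAbsoluteUri` returns false for any string without a ':', so a scheme-relative reference such as `//host/path` is classed as not absolute even though a browser resolves it off-site; callers using this method as the open-redirect guard should also reject a leading `//`, or the Javadoc should state that only the explicit-scheme form is detected. Minor: the Javadoc has a stray space before the period in "absolute URI ." and "allow it" should read "allows it"; `_indexOf` with a leading underscore is unusual naming for Java, and a name like `indexOfOrLength` would say what it does.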
--- a/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
+++ b/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
@@ -137,7 +137,7 @@
 String pattern = req.getParameter("pattern");
 if(pattern==null)
 pattern = req.getParameter("path"); // compatibility with Hudson<1.129
-if(pattern!=null) {
+if(pattern!=null && !Util.isAbsoluteUri(pattern)) {// avoid open redirect
 rsp.sendRedirect2(pattern);
 return;
 }
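Review bot: when `Util.isAbsoluteUri(pattern)` is true the redirect is skipped silently and `pattern` stays non-null for the rest of the method; confirm that the code after this block only uses it as a path filter and does not pass it anywhere else unchecked, and consider logging the rejected value at a fine level so operators can see such requests. Style: put the `// avoid open redirect` comment on its own line above the `if` rather than after the opening brace.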
--- a/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
+++ b/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
@@ -31,6 +31,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import hudson.Util;
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;
 
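Review bot: `import hudson.Util;` lands between the `javax.servlet` group and the `org.acegisecurity` group; move it up with the other `hudson.*` imports (or into its own group) so the import ordering in this file stays consistent.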
@@ -50,6 +51,9 @@
 if (targetUrl == null)
 return getDefaultTargetUrl();
 
+if (Util.isAbsoluteUri(targetUrl))
+return "."; // avoid open redirect
+
 // URL returned from determineTargetUrl() is resolved against the context path,
 // whereas the "from" URL is resolved against the top of the website, so adjust this.
 if(targetUrl.startsWith(request.getContextPath()))
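Review bot: two lines earlier a null `targetUrl` falls back to `getDefaultTargetUrl()`, but an absolute one returns the literal `"."`; unless the context-path resolution on the following lines specifically needs `"."`, returning `getDefaultTargetUrl()` in both cases would be consistent and easier to explain. The inline comment says "avoid open redirect"; a one-line note in the method's Javadoc that absolute `from` values are deliberately ignored would help the next reader.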
--- a/core/src/test/java/hudson/UtilTest.java
+++ b/core/src/test/java/hudson/UtilTest.java
@@ -230,4 +230,14 @@
 			}
 		}
 }
+
+public void testIsAbsoluteUri() {
+assertTrue(Util.isAbsoluteUri("http://foobar/";));
+assertTrue(Util.isAbsoluteUri("mailto:k...@kohsuke.org"));
+assertTrue(Util.isAbsoluteUri("d123://test/"));
+assertFalse(Util.isAbsoluteUri("foo/bar/abc:def"));
+assertFalse(Util.isAbsoluteUri("foo?abc:def"));
+assertFalse(Util.isAbsoluteUri("foo#abc:def"));
+assertFalse(Util.isAbsoluteUri("foo/bar"));
+}
 }
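Review bot: `assertTrue(Util.isAbsoluteUri("http://foobar/";));` does not compile as shown, because the `;` after the closing quote ends the statement early and leaves `));` dangling; this looks like archive mangling of the URL, so check the line in the actual patch file before applying. Coverage: every negative case contains a ':' that follows a '/', '?' or '#'; add a scheme-relative `//host/path` and an empty string so the behaviour for inputs with no ':' at all is pinned down by a test.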
Description: Cherry-picked fix from 1.480.1
 Security issue:
   - CVE-2012-6074 cross-site scripting vulnerability
Origin: Upstream, commit 1d48e7bf8254349a19328d56bd8006635a95866d
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816
--- a/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
+++ b/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
@@ -68,7 +68,7 @@
 
   
   
-
+
   
 
   
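Review bot: the `-` and `+` lines of this hunk are empty in this copy, so the CVE-2012-6074 change to `entry.jelly` cannot be reviewed from what is visible; please re-send the patch with the changed lines intact (for example as an attachment that the archive will not strip).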



Processed: Re: Bug#696816: jenkins: Security issues were found in Jenkins core

2012-12-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> clone 696816 -1
Bug #696816 [jenkins] jenkins: Security issues were found in Jenkins core
Bug 696816 cloned as bug 696974
> reassign -1 jenkins-winstone 0.9.10-jenkins-37+dfsg-1
Bug #696974 [jenkins] jenkins: Security issues were found in Jenkins core
Bug reassigned from package 'jenkins' to 'jenkins-winstone'.
No longer marked as found in versions jenkins/1.447.2+dfsg-2.
Ignoring request to alter fixed versions of bug #696974 to the same values 
previously set
Bug #696974 [jenkins-winstone] jenkins: Security issues were found in Jenkins 
core
There is no source info for the package 'jenkins-winstone' at version 
'0.9.10-jenkins-37+dfsg-1' with architecture ''
Unable to make a source version for version '0.9.10-jenkins-37+dfsg-1'
Marked as found in versions 0.9.10-jenkins-37+dfsg-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
696816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816
696974: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696974
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#696816: jenkins: Security issues were found in Jenkins core

2012-12-29 Thread Nobuhiro Ban
clone 696816 -1
reassign -1 jenkins-winstone 0.9.10-jenkins-37+dfsg-1
thanks

Dear Maintainer,

I found upstream "SECURITY-44" (aka CVE-2012-6072) was from Winstone,
and it might be fixed in 0.9.10-jenkins-40.


https://github.com/jenkinsci/jenkins/commit/ad084edb571555e7c5a9bc5b27aba09aac8da98d
>[FIXED SECURITY-44]
> Picked up a new version of Winstone

https://github.com/jenkinsci/winstone/commit/62e890b9589a844553d837d91b5f68eb3dba334e
>[FIXED SECURITY-44]
> Do not allow the webapp to split HTTP header values into multiple lines. 
> Since there's no obvious escaping semantics here, we just drop those 
> characters, which is what Jetty does.


Regards,
Nobuhiro
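Worked example of the mitigation the quoted Winstone commit describes: drop CR and LF from a header value so one value can never be written out as two header lines. This is an added illustration, not Winstone's or Jenkins' code; the class name `HeaderValueSanitizer`, the `setHeader` stand-in and the sample value are assumptions made for the example.

```java
// Added example (not Winstone's or Jenkins' code): strip CR/LF from header
// values before they reach the response, as the quoted commit message
// describes. Names and the sample value are assumptions for illustration.
import java.util.LinkedHashMap;
import java.util.Map;

public final class HeaderValueSanitizer {

    /**
     * Remove every CR (0x0D) and LF (0x0A) so the value cannot terminate the
     * header line it is written on. All other characters are kept as-is,
     * matching the "just drop those characters" behaviour in the commit.
     */
    public static String sanitize(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\r' && c != '\n') {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** True if sanitize() would change the value; useful for logging. */
    public static boolean containsLineBreak(String value) {
        return value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0);
    }

    /** Stand-in for a response's header table (assumption for the example). */
    private static final Map<String, String> HEADERS = new LinkedHashMap<>();

    /** What a container's setHeader would do: log, sanitize, then store. */
    public static void setHeader(String name, String value) {
        if (containsLineBreak(value)) {
            System.err.println("header " + name + ": dropped line break(s) from value");
        }
        HEADERS.put(name, sanitize(value));
    }

    /** Render the stored headers the way they would appear on the wire. */
    public static String render() {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : HEADERS.entrySet()) {
            sb.append(e.getKey()).append(": ").append(e.getValue()).append("\r\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a value carrying a CRLF, the case the fix targets.
        String untrusted = "text/plain\r\nX-Second: value";
        setHeader("Content-Type", untrusted);
        setHeader("Cache-Control", "no-store");
        // Every header occupies exactly one line in the rendered output.
        System.out.print(render());
    }
}
```

The point of sanitizing inside the container's own `setHeader` path, rather than in each webapp, is that every header a webapp emits passes through it, so a single missed call site cannot reintroduce the problem.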



Bug#696816: jenkins: Security issues were found in Jenkins core

2012-12-28 Thread Salvatore Bonaccorso
Hi

On Fri, Dec 28, 2012 at 01:17:46AM +0900, Nobuhiro Ban wrote:
> Package: jenkins
> Version: 1.447.2+dfsg-2
> Severity: grave
> Tags: security
> 
> Dear Maintainer,
> 
> The upstream vendor announced a security advisory, that is rated high 
> severity.
> 
> See: 
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20

Moritz requested CVE's for these three vulnerabilities[1].
CVE-2012-6072[2], CVE-2012-6073[3] and CVE-2012-6072[4] were
assigned.

Please also include the CVE (Common Vulnerabilities & Exposures) ids
in your changelog entry when fixing these.

 [1]: http://www.openwall.com/lists/oss-security/2012/12/28/1
 [2]: https://security-tracker.debian.org/tracker/CVE-2012-6072
 [3]: https://security-tracker.debian.org/tracker/CVE-2012-6073
 [4]: https://security-tracker.debian.org/tracker/CVE-2012-6074

Regards,
Salvatore

