Bug#969362: python-flask-cors: CVE-2020-25032

2020-10-19 Thread Salvatore Bonaccorso
Hi Bastian,

On Wed, Oct 14, 2020 at 05:39:00PM +0200, Salvatore Bonaccorso wrote:
> Hi Bastian,
> 
> On Tue, Oct 13, 2020 at 11:36:40PM +0200, Bastian Germann wrote:
> > Hi Salvatore,
> > 
> > Thanks for your hints.
> > 
> > Am 10.10.20 um 23:02 schrieb Salvatore Bonaccorso:
> > > Hi Bastian,
> > > 
> > > [Please do send such requests always to team@s.d.o, dev-ref gives as
> > > well some further hints at
> > > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs]
> > > 
> > > On Thu, Oct 08, 2020 at 04:25:55PM +0200, Bastian Germann wrote:
> > >> On Tue, 01 Sep 2020 10:51:48 +0200 Salvatore Bonaccorso
> > >>  wrote:
> > >>> The following vulnerability was published for python-flask-cors.
> > >>>
> > >>> CVE-2020-25032[0]:
> > >>> | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
> > >>> | before 3.0.9. It allows ../ directory traversal to access private
> > >>> | resources because resource matching does not ensure that pathnames are
> > >>> | in a canonical format.
> > >>>
> > >>>
> > >>> If you fix the vulnerability please also make sure to include the
> > >>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >>>
> > >>> For further information see:
> > >>>
> > >>> [0] https://security-tracker.debian.org/tracker/CVE-2020-25032
> > >>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
> > >>> [1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
> > >>
> > >> I have prepared a buster-security release at
> > >>
> > >> https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-2
> > > 
> > > As for the update, please do send always as a debdiff from a built
> > > (and tested) package (this request is similar to what stable release
> > > managers would expect for point release updates, it helps us as well
> > > to archive discussion and debdiffs to review).
> > 
> > The debdiff is enclosed. Also available at:
> > https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-1+deb10u1
> > > 
> > > But I can give already a first feedback: debian/changelog uses 3.0.7-2
> > > as version. Even though 3.0.7-2 might never have been seen in the
> > > archive, please do use 3.0.7-1+deb10u1 instead following the usual
> > > convention. While at it use urgency=high (for consistency in security
> > > updates).
> > > 
> > > For the bug closer I think you will need to use "Closes: #969362)".
> > 
> > I applied all suggestions.
> > 
> > > Furthermore: what kind of testing did the update receive, were you
> > > able to test the update in production environments, are there any
> > > problems spotted? I'm asking in particular as the modified tests seem
> > > to pass ok as well without the patch (but I only quickly gave it a
> > > test from the git repository, might be something else strange here).
> > 
> > I ran the built package on buster but did not try to confirm that the
> > security issue is closed as claimed by upstream. No problems spotted.
> 
> Ack thanks for confirming. I have uploaded the package to
> security-master and we will release DSA soon when time permits.

DSA 4775-1 has been released now for it.

> I think it's okay to not have patched as well the example (where the
> call was fixed accordingly including /api/ in the target URL, anybody
> searching for examples will probably look online anyway).
> 
> > >> The new upstream release is waiting in the master branch to be published
> > >> in sid.
> > > 
> > > Ok, although not required, if you have that already ok to be uploaded
> > > I would say to go ahead with the unstable upload and have the fixes
> > > exposed there already.
> > 
> > I cannot upload because I am not a DD. It would be nice if someone could
> > sponsor the new version. It also closes a FTBFS, which got me interested
> > in the package in the first place.
> 
> Can you ask anybody in the team to do that?

This still would be needed.

Regards,
Salvatore



Bug#969362: python-flask-cors: CVE-2020-25032

2020-10-14 Thread Salvatore Bonaccorso
Hi Bastian,

On Tue, Oct 13, 2020 at 11:36:40PM +0200, Bastian Germann wrote:
> Hi Salvatore,
> 
> Thanks for your hints.
> 
> Am 10.10.20 um 23:02 schrieb Salvatore Bonaccorso:
> > Hi Bastian,
> > 
> > [Please do send such requests always to team@s.d.o, dev-ref gives as
> > well some further hints at
> > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs]
> > 
> > On Thu, Oct 08, 2020 at 04:25:55PM +0200, Bastian Germann wrote:
> >> On Tue, 01 Sep 2020 10:51:48 +0200 Salvatore Bonaccorso
> >>  wrote:
> >>> The following vulnerability was published for python-flask-cors.
> >>>
> >>> CVE-2020-25032[0]:
> >>> | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
> >>> | before 3.0.9. It allows ../ directory traversal to access private
> >>> | resources because resource matching does not ensure that pathnames are
> >>> | in a canonical format.
> >>>
> >>>
> >>> If you fix the vulnerability please also make sure to include the
> >>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >>>
> >>> For further information see:
> >>>
> >>> [0] https://security-tracker.debian.org/tracker/CVE-2020-25032
> >>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
> >>> [1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
> >>
> >> I have prepared a buster-security release at
> >>
> >> https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-2
> > 
> > As for the update, please do send always as a debdiff from a built
> > (and tested) package (this request is similar to what stable release
> > managers would expect for point release updates, it helps us as well
> > to archive discussion and debdiffs to review).
> 
> The debdiff is enclosed. Also available at:
> https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-1+deb10u1
> > 
> > But I can give already a first feedback: debian/changelog uses 3.0.7-2
> > as version. Even though 3.0.7-2 might never have been seen in the
> > archive, please do use 3.0.7-1+deb10u1 instead following the usual
> > convention. While at it use urgency=high (for consistency in security
> > updates).
> > 
> > For the bug closer I think you will need to use "Closes: #969362)".
> 
> I applied all suggestions.
> 
> > Furthermore: what kind of testing did the update receive, were you
> > able to test the update in production environments, are there any
> > problems spotted? I'm asking in particular as the modified tests seem
> > to pass ok as well without the patch (but I only quickly gave it a
> > test from the git repository, might be something else strange here).
> 
> I ran the built package on buster but did not try to confirm that the
> security issue is closed as claimed by upstream. No problems spotted.

Ack thanks for confirming. I have uploaded the package to
security-master and we will release DSA soon when time permits.

I think it's okay to not have patched as well the example (where the
call was fixed accordingly including /api/ in the target URL, anybody
searching for examples will probably look online anyway).

> >> The new upstream release is waiting in the master branch to be published
> >> in sid.
> > 
> > Ok, although not required, if you have that already ok to be uploaded
> > I would say to go ahead with the unstable upload and have the fixes
> > exposed there already.
> 
> I cannot upload because I am not a DD. It would be nice if someone could
> sponsor the new version. It also closes a FTBFS, which got me interested
> in the package in the first place.

Can you ask anybody in the team to do that?

Thanks for your work!

Regards,
Salvatore



Bug#969362: python-flask-cors: CVE-2020-25032

2020-10-13 Thread Bastian Germann
Hi Salvatore,

Thanks for your hints.

Am 10.10.20 um 23:02 schrieb Salvatore Bonaccorso:
> Hi Bastian,
> 
> [Please do send such requests always to team@s.d.o, dev-ref gives as
> well some further hints at
> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs]
> 
> On Thu, Oct 08, 2020 at 04:25:55PM +0200, Bastian Germann wrote:
>> On Tue, 01 Sep 2020 10:51:48 +0200 Salvatore Bonaccorso
>>  wrote:
>>> The following vulnerability was published for python-flask-cors.
>>>
>>> CVE-2020-25032[0]:
>>> | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
>>> | before 3.0.9. It allows ../ directory traversal to access private
>>> | resources because resource matching does not ensure that pathnames are
>>> | in a canonical format.
>>>
>>>
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] https://security-tracker.debian.org/tracker/CVE-2020-25032
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
>>> [1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
>>
>> I have prepared a buster-security release at
>>
>> https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-2
> 
> As for the update, please do send always as a debdiff from a built
> (and tested) package (this request is similar to what stable release
> managers would expect for point release updates, it helps us as well
> to archive discussion and debdiffs to review).

The debdiff is enclosed. Also available at:
https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-1+deb10u1
> 
> But I can give already a first feedback: debian/changelog uses 3.0.7-2
> as version. Even though 3.0.7-2 might never have been seen in the
> archive, please do use 3.0.7-1+deb10u1 instead following the usual
> convention. While at it use urgency=high (for consistency in security
> updates).
> 
> For the bug closer I think you will need to use "Closes: #969362)".

I applied all suggestions.

> Furthermore: what kind of testing did the update receive, were you
> able to test the update in production environments, are there any
> problems spotted? I'm asking in particular as the modified tests seem
> to pass ok as well without the patch (but I only quickly gave it a
> test from the git repository, might be something else strange here).

I ran the built package on buster but did not try to confirm that the
security issue is closed as claimed by upstream. No problems spotted.

>> The new upstream release is waiting in the master branch to be published
>> in sid.
> 
> Ok, although not required, if you have that already ok to be uploaded
> I would say to go ahead with the unstable upload and have the fixes
> exposed there already.

I cannot upload because I am not a DD. It would be nice if someone could
sponsor the new version. It also closes a FTBFS, which got me interested
in the package in the first place.

Regards,
Bastian
diff -Nru python-flask-cors-3.0.7/debian/changelog 
python-flask-cors-3.0.7/debian/changelog
--- python-flask-cors-3.0.7/debian/changelog2018-12-05 21:51:05.0 
+0100
+++ python-flask-cors-3.0.7/debian/changelog2020-10-08 21:40:11.0 
+0200
@@ -1,3 +1,10 @@
+python-flask-cors (3.0.7-1+deb10u1) buster-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2020-25032 (Closes: #969362) with upstream patch
+
+ -- Bastian Germann   Thu, 08 Oct 2020 21:40:11 
+0200
+
 python-flask-cors (3.0.7-1) unstable; urgency=medium
 
   * Initial release (Closes: #915789)
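Review bot: the changelog entry "Fix CVE-2020-25032 (Closes: #969362) with upstream patch" names the CVE, as the bug report asks, but says nothing about what the vulnerability is, so a reader of the changelog or of apt-listchanges has to look the identifier up; for a security upload the entry should carry a one-line description of the issue and the fix, e.g. "Fix CVE-2020-25032: normalize the request path before matching CORS resource rules, which allowed ../ traversal to reach private resources (Closes: #969362)".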
diff -Nru python-flask-cors-3.0.7/debian/patches/cve-2020-25032 
python-flask-cors-3.0.7/debian/patches/cve-2020-25032
--- python-flask-cors-3.0.7/debian/patches/cve-2020-25032   1970-01-01 
01:00:00.0 +0100
+++ python-flask-cors-3.0.7/debian/patches/cve-2020-25032   2020-10-08 
21:40:11.0 +0200
@@ -0,0 +1,34 @@
+Origin: 
https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
+From: Cory Dolphin 
+Date: Sun, 30 Aug 2020 15:32:54 -0600
+Subject: Fix request path normalization (#272)
+
+* Normalize path before evaluating resource rules
+---
+diff --git a/flask_cors/extension.py b/flask_cors/extension.py
+index 6a585aa..466869e 100644
+--- a/flask_cors/extension.py
 b/flask_cors/extension.py
+@@ -10,6 +10,10 @@
+ """
+ from flask import request
+ from .core import *
++try:
++from urllib.parse import unquote_plus
++except ImportError:
++from urllib import unquote_plus
+ 
+ LOG = logging.getLogger(__name__)
+ 
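Review bot: the try/except around the import selects `unquote_plus` from `urllib.parse` (Python 3) or `urllib` (Python 2), but `unquote_plus` is the application/x-www-form-urlencoded decoder: besides `%xx` escapes it also turns `+` into a space. A `+` is a literal character in a URL path, so with this import a request for `/api/a+b` is matched against the resource rules as `/api/a b`, and a rule containing a literal `+` stops matching. Import `unquote` instead (`from urllib.parse import unquote` with `from urllib import unquote` as the fallback); the version-guard structure itself is fine.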
+@@ -173,9 +177,9 @@ def cors_after_request(resp):
+ if resp.headers is not None and resp.headers.get(ACL_ORIGIN):
+ LOG.debug('CORS have been already evaluated, skipping')
+ return resp
+-
++normalized_path = unquote_plus(request.path)
+ for 
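Review bot: `normalized_path = unquote_plus(request.path)` only percent-decodes; it does not collapse `.` and `..` segments or repeated slashes, so a path such as `/api/../private` passes through this line unchanged and whether the `/api/*` rule matches it is still decided by the rule regex alone rather than by a canonical form, which is what the CVE text ("does not ensure that pathnames are in a canonical format") calls for. Consider passing the decoded value through `posixpath.normpath` before matching, and add a test that sends a path containing `../` and asserts that no CORS headers are emitted; that also answers the remark earlier in the thread that the modified tests pass without the patch. Two further things to check: whether `request.path` is already percent-decoded by the WSGI layer, in which case this line decodes a second time and `%252e%252e` is matched as `..` while the application routes the literal string; and the loop that consumes `normalized_path`, which is cut off at `+ for` in the quoted debdiff, so it is not visible here whether the match is made against `normalized_path` or still against `request.path`.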

Bug#969362: python-flask-cors: CVE-2020-25032

2020-10-10 Thread Salvatore Bonaccorso
Hi Bastian,

[Please do send such requests always to team@s.d.o, dev-ref gives as
well some further hints at
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs]

On Thu, Oct 08, 2020 at 04:25:55PM +0200, Bastian Germann wrote:
> On Tue, 01 Sep 2020 10:51:48 +0200 Salvatore Bonaccorso
>  wrote:
> > The following vulnerability was published for python-flask-cors.
> > 
> > CVE-2020-25032[0]:
> > | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
> > | before 3.0.9. It allows ../ directory traversal to access private
> > | resources because resource matching does not ensure that pathnames are
> > | in a canonical format.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2020-25032
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
> > [1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
> 
> I have prepared a buster-security release at
> 
> https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-2

As for the update, please do send always as a debdiff from a built
(and tested) package (this request is similar to what stable release
managers would expect for point release updates, it helps us as well
to archive discussion and debdiffs to review).

But I can give already a first feedback: debian/changelog uses 3.0.7-2
as version. Even though 3.0.7-2 might never have been seen in the
archive, please do use 3.0.7-1+deb10u1 instead following the usual
convention. While at it use urgency=high (for consistency in security
updates).

For the bug closer I think you will need to use "Closes: #969362)".

Furthermore: what kind of testing did the update receive, were you
able to test the update in production environments, are there any
problems spotted? I'm asking in particular as the modified tests seem
to pass ok as well without the patch (but I only quickly gave it a
test from the git repository, might be something else strange here).

> The new upstream release is waiting in the master branch to be published
> in sid.

Ok, although not required, if you have that already ok to be uploaded
I would say to go ahead with the unstable upload and have the fixes
exposed there already.

Regards,
Salvatore



Bug#969362: python-flask-cors: CVE-2020-25032

2020-10-08 Thread Bastian Germann
On Tue, 01 Sep 2020 10:51:48 +0200 Salvatore Bonaccorso
 wrote:
> The following vulnerability was published for python-flask-cors.
> 
> CVE-2020-25032[0]:
> | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
> | before 3.0.9. It allows ../ directory traversal to access private
> | resources because resource matching does not ensure that pathnames are
> | in a canonical format.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-25032
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
> [1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895

I have prepared a buster-security release at

https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-2

The new upstream release is waiting in the master branch to be published
in sid.



Bug#969362: python-flask-cors: CVE-2020-25032

2020-09-01 Thread Salvatore Bonaccorso
Source: python-flask-cors
Version: 3.0.8-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 3.0.7-1

Hi,

The following vulnerability was published for python-flask-cors.

CVE-2020-25032[0]:
| An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
| before 3.0.9. It allows ../ directory traversal to access private
| resources because resource matching does not ensure that pathnames are
| in a canonical format.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
[1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895

Regards,
Salvatore
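The CVE text above says that before 3.0.9 the resource matcher compared its rules against a path that had not been put into canonical form, so `../` segments survived into the match. The Python below is added here as an illustration of that class of bug and its fix; it is not code from flask-cors, from the upstream commit, or from anyone in this thread. It models a glob rule such as `/api/*` being matched first against the raw request path and then against a canonical one (percent-decoded with `urllib.parse.unquote`, which unlike `unquote_plus` leaves `+` alone, then collapsed with `posixpath.normpath`). The rule, the helper names and the sample paths are all made up for the example; the last function lists the inputs on which the two matchers disagree, which is exactly what a regression test for a fix of this kind has to exercise, given the remark earlier in the thread that the modified tests passed without the patch.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical resource rule and request paths, constructed for this example.
RULE = "/api/*"
SAMPLE_PATHS = [
    "/api/users",           # ordinary request under the rule
    "/api/../private",      # literal dot-dot segment
    "/api/%2e%2e/private",  # the same segment, percent-encoded
    "/api//users",          # doubled slash
    "/api/a+b",             # '+' is literal in a path and must not become a space
]


def rule_to_regex(rule):
    """Anchored regex for a glob-style rule; '*' matches any run of characters.
    Simplified stand-in for a CORS resource-rule matcher, not flask-cors's own code."""
    return re.compile("^" + re.escape(rule).replace(r"\*", ".*") + "$")


def canonical_path(raw_path):
    """Canonical form of a request path: percent-decode, force a leading slash,
    collapse '.', '..' and repeated slashes, keep a trailing slash if there was one."""
    decoded = unquote(raw_path)                # unquote, not unquote_plus: '+' stays '+'
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    normalized = posixpath.normpath(decoded)   # '..' above the root is dropped
    if normalized.startswith("//"):            # normpath keeps exactly two leading slashes
        normalized = "/" + normalized.lstrip("/")
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"                      # normpath strips it; '/api/' and '/api' differ to a matcher
    return normalized


def naive_match(rule, raw_path):
    """Match the rule against the path as received (no canonicalization)."""
    return rule_to_regex(rule).match(raw_path) is not None


def canonical_match(rule, raw_path):
    """Match the rule against the canonical form of the path."""
    return rule_to_regex(rule).match(canonical_path(raw_path)) is not None


def disagreements(rule=RULE, paths=SAMPLE_PATHS):
    """Paths on which the naive and canonical matchers give different answers.
    A regression test that never sends one of these passes with and without the fix."""
    return [p for p in paths if naive_match(rule, p) != canonical_match(rule, p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:24} canonical={canonical_path(p):18} "
              f"naive={naive_match(RULE, p)!s:5} canonical_match={canonical_match(RULE, p)}")
    print("matchers disagree on:", disagreements())
```

`rule_to_regex` is a deliberately simple glob-to-regex conversion; the point does not depend on the rule syntax. Whatever the matcher is, it has to see the canonical path, and a test for the fix has to use a path from `disagreements()`, otherwise it proves nothing about the patch.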