Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-14 Thread Dominic Hargreaves
On Tue, Sep 12, 2017 at 09:30:19PM +0200, Salvatore Bonaccorso wrote:
> Hi Dominic,
> 
> On Tue, Sep 12, 2017 at 04:34:14PM +0100, Dominic Hargreaves wrote:
> > On Tue, Sep 12, 2017 at 06:33:02AM +0200, Salvatore Bonaccorso wrote:
> > > Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to 
> > > add_query_arg
> > > 
> > > Hi Dominic, Craig, Michael,
> > > 
> > > FTR, I requested a CVE for this issue and it got assigned
> > > CVE-2017-14313.
> > 
> > Thanks. I assume you would like a security upload? Here is the minimal
> > fix which should apply to stretch and jessie.
> > 
> > I am waiting for some real world testing from a colleague.
> > 
> > Let me know if I'm okay to upload.
> 
> Once you have got feedback from real world testing, can you finalize
> the changelogs and then please upload. Since both jessie-security and
> stretch-security share the same orig tarball, please do build the
> first one with -sa, upload, wait for the ACCEPTED mail after some
> minutes to you, then upload the second without -sa.
> 
> Thanks already. If you have a proposed DSA text, that would be
> welcome.

Now uploaded. You can use the same text as Chris Lamb wrote in the
LTS update.

Thanks,
Dominic.



Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-12 Thread Salvatore Bonaccorso
Hi Dominic,

On Tue, Sep 12, 2017 at 04:34:14PM +0100, Dominic Hargreaves wrote:
> On Tue, Sep 12, 2017 at 06:33:02AM +0200, Salvatore Bonaccorso wrote:
> > Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to 
> > add_query_arg
> > 
> > Hi Dominic, Craig, Michael,
> > 
> > FTR, I requested a CVE for this issue and it got assigned
> > CVE-2017-14313.
> 
> Thanks. I assume you would like a security upload? Here is the minimal
> fix which should apply to stretch and jessie.
> 
> I am waiting for some real world testing from a colleague.
> 
> Let me know if I'm okay to upload.

Once you have got feedback from real world testing, can you finalize
the changelogs and then please upload. Since both jessie-security and
stretch-security share the same orig tarball, please do build the
first one with -sa, upload, wait for the ACCEPTED mail after some
minutes to you, then upload the second without -sa.

Thanks already. If you have a proposed DSA text, that would be
welcome.

Regards,
Salvatore




Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-12 Thread Dominic Hargreaves
On Tue, Sep 12, 2017 at 06:33:02AM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to 
> add_query_arg
> 
> Hi Dominic, Craig, Michael,
> 
> FTR, I requested a CVE for this issue and it got assigned
> CVE-2017-14313.

Thanks. I assume you would like a security upload? Here is the minimal
fix which should apply to stretch and jessie.

I am waiting for some real world testing from a colleague.

Let me know if I'm okay to upload.

Cheers,
Dominic.
diff -u wordpress-shibboleth-1.4/debian/changelog 
wordpress-shibboleth-1.4/debian/changelog
--- wordpress-shibboleth-1.4/debian/changelog
+++ wordpress-shibboleth-1.4/debian/changelog
@@ -1,3 +1,9 @@
+wordpress-shibboleth (1.4-2+deb9u1) UNRELEASED; urgency=medium
+
+  * [CVE-2017-14313]: Fix XSS in login form (Closes: #874416)
+
+ -- Dominic Hargreaves   Tue, 12 Sep 2017 13:46:36 +0100
+
 wordpress-shibboleth (1.4-2) unstable; urgency=low
 
   * Add debian/watch file
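Review bot: The distribution on the new entry's first line is still UNRELEASED and the version 1.4-2+deb9u1 only fits stretch. Before upload, set the distribution to stretch-security, and give the jessie build its own entry with its own version suffix and jessie-security, since the thread asks for uploads to both suites.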
only in patch2:
unchanged:
--- wordpress-shibboleth-1.4.orig/shibboleth.php
+++ wordpress-shibboleth-1.4/shibboleth.php
@@ -439,7 +439,7 @@
  */
 function shibboleth_login_form() {
$login_url = add_query_arg('action', 'shibboleth');
-   echo '' . 
__('Login with Shibboleth', 'shibboleth') . '';
+   echo '' 
. __('Login with Shibboleth', 'shibboleth') . '';
 }
 add_action('login_form', 'shibboleth_login_form');
 
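Review bot: The $login_url assignment from add_query_arg('action', 'shibboleth') is unchanged context, so the URL is still built from the current request and the fix rests entirely on the rewritten echo line. As rendered here the removed and added echo lines read the same, so the escaping cannot be checked from this hunk; confirm the added line passes $login_url through esc_url() at the point where it is written into the markup, and add a one-line comment there saying why.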


Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-12 Thread Dominic Hargreaves
Great, thanks for confirming Michael.

Dominic.

On Mon, Sep 11, 2017 at 02:14:05PM +, Michael McNeill wrote:
> Dominic,
> 
> After reviewing, it does appear that 1.4 is vulnerable to the XSS attack
> and should be patched using the same patch made here:
> https://github.com/michaelryanmcneill/shibboleth/blob/1d65ad6786282d23ba1865f56e2fd19188e7c26a/shibboleth.php#L463
> 
> Please let me know if you have additional questions.
> 
> Best regards,
> Michael McNeill
> 
> On Mon, Sep 11, 2017 at 6:20 AM Dominic Hargreaves  wrote:
> 
> > On Mon, Sep 11, 2017 at 03:21:08AM +, Craig Small wrote:
> > > On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves  wrote:
> > >
> > > > I have just become aware of an old security issue that was fixed
> > > > in upstream:
> > > >
> > > >
> > > > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
> > > >
> > > > Given that no one has noticed and reported this as an issue for a year
> > > > in the Debian package, and I'm not completely sure of how easy it is
> > > > to exploit, I'm not exactly sure of the correct severity or whether
> > > > this warrants a DSA or just a point release update. I'm CCing
> > > > the Wordpress maintainer in case they have any ideas.
> > > >
> > > > This bug will be fixed in unstable shortly.
> > > >
> > > Hi,
> > >   Probably a security team question but the un-patched plugin permits a XSS
> > > attack so it should be a DSA I think.
> >
> > I'm just confirming the status of the bug in 1.4 with the upstream
> > maintainer prior to a fix. Also looping in the security team.
> >
> > Cheers,
> > Dominic.
> >



Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-11 Thread Salvatore Bonaccorso
Control: retitle -1 wordpress-shibboleth: CVE-2017-14313: XSS due to 
add_query_arg

Hi Dominic, Craig, Michael,

FTR, I requested a CVE for this issue and it got assigned
CVE-2017-14313.

Regards,
Salvatore



Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-11 Thread Michael McNeill
Dominic,

After reviewing, it does appear that 1.4 is vulnerable to the XSS attack
and should be patched using the same patch made here:
https://github.com/michaelryanmcneill/shibboleth/blob/1d65ad6786282d23ba1865f56e2fd19188e7c26a/shibboleth.php#L463

Please let me know if you have additional questions.

Best regards,
Michael McNeill

On Mon, Sep 11, 2017 at 6:20 AM Dominic Hargreaves  wrote:

> On Mon, Sep 11, 2017 at 03:21:08AM +, Craig Small wrote:
> > On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves  wrote:
> >
> > > I have just become aware of an old security issue that was fixed
> > > in upstream:
> > >
> > >
> > > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
> > >
> > > Given that no one has noticed and reported this as an issue for a year
> > > in the Debian package, and I'm not completely sure of how easy it is
> > > to exploit, I'm not exactly sure of the correct severity or whether
> > > this warrants a DSA or just a point release update. I'm CCing
> > > the Wordpress maintainer in case they have any ideas.
> > >
> > > This bug will be fixed in unstable shortly.
> > >
> > Hi,
> >   Probably a security team question but the un-patched plugin permits a XSS
> > attack so it should be a DSA I think.
>
> I'm just confirming the status of the bug in 1.4 with the upstream
> maintainer prior to a fix. Also looping in the security team.
>
> Cheers,
> Dominic.
>


Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-11 Thread Dominic Hargreaves
On Mon, Sep 11, 2017 at 03:21:08AM +, Craig Small wrote:
> On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves  wrote:
> 
> > I have just become aware of an old security issue that was fixed
> > in upstream:
> >
> > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
> >
> > Given that no one has noticed and reported this as an issue for a year
> > in the Debian package, and I'm not completely sure of how easy it is
> > to exploit, I'm not exactly sure of the correct severity or whether
> > this warrants a DSA or just a point release update. I'm CCing
> > the Wordpress maintainer in case they have any ideas.
> >
> > This bug will be fixed in unstable shortly.
> >
> Hi,
>   Probably a security team question but the un-patched plugin permits a XSS
> attack so it should be a DSA I think.

I'm just confirming the status of the bug in 1.4 with the upstream
maintainer prior to a fix. Also looping in the security team.

Cheers,
Dominic.



Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-10 Thread Craig Small
On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves  wrote:

> I have just become aware of an old security issue that was fixed
> in upstream:
>
> https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
>
> Given that no one has noticed and reported this as an issue for a year
> in the Debian package, and I'm not completely sure of how easy it is
> to exploit, I'm not exactly sure of the correct severity or whether
> this warrants a DSA or just a point release update. I'm CCing
> the Wordpress maintainer in case they have any ideas.
>
> This bug will be fixed in unstable shortly.
>
Hi,
  Probably a security team question but the un-patched plugin permits a XSS
attack so it should be a DSA I think.


 - Craig

--
Craig Small https://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux https://www.debian.org/ csmall at : debian.org
Mastodon: @smalls...@social.dropbear.xyz Twitter: @smallsees
GPG fingerprint:  5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5


Bug#874416: wordpress-shibboleth: XSS due to add_query_arg

2017-09-05 Thread Dominic Hargreaves
Package: wordpress-shibboleth
Version: 1.4-2
Severity: important
X-Debbugs-Cc: csm...@debian.org
Tags: security

I have just become aware of an old security issue that was fixed
in upstream:

https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a

As far as I understand, this is 

https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/

Given that no one has noticed and reported this as an issue for a year
in the Debian package, and I'm not completely sure of how easy it is
to exploit, I'm not exactly sure of the correct severity or whether
this warrants a DSA or just a point release update. I'm CCing
the Wordpress maintainer in case they have any ideas.

This bug will be fixed in unstable shortly.
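
The report above points at the WordPress advisory on add_query_arg and remove_query_arg usage. As an added example (not code from the plugin, the thread or Debian), this heuristic audit flags PHP output statements that emit the result of those calls without esc_url(); the sample source, its markup and its function names are constructed for illustration.

```python
import re

FUNC = r'(?:add|remove)_query_arg\s*\('
DIRECT = re.compile(r'\b' + FUNC)                      # any call
WRAPPED = re.compile(r'\besc_url\s*\(\s*' + FUNC)      # call passed straight to esc_url()
ASSIGN = re.compile(r'(\$\w+)\s*=\s*' + FUNC)          # $var = add_query_arg(...)
OUTPUT = re.compile(r'\b(?:echo|print|printf)\b')

# Constructed sample, not the plugin's real source.
SAMPLE = r'''<?php
function before_fix() {
    $login_url = add_query_arg('action', 'shibboleth');
    echo '<a href="' . $login_url . '">Login</a>';
}
function after_fix() {
    $login_url = add_query_arg('action', 'shibboleth');
    echo '<a href="' . esc_url($login_url) . '">Login</a>';
}
function inline_call() {
    echo '<a href="' . add_query_arg('page', 2) . '">Next</a>';
}
'''

def find_unescaped_outputs(source):
    """Return (line, expression) for each output statement that emits an
    add_query_arg/remove_query_arg result without esc_url().
    Heuristic: statements are split on ';', so a ';' inside a string
    literal can split a statement early; treat hits as review candidates."""
    findings, tainted, pos = [], set(), 0
    for stmt in source.split(';'):
        # Remember variables that hold a raw, unescaped result.
        tainted.update(ASSIGN.findall(stmt))
        out = OUTPUT.search(stmt)
        if out:
            line = source.count('\n', 0, pos + out.start()) + 1
            if len(DIRECT.findall(stmt)) > len(WRAPPED.findall(stmt)):
                findings.append((line, 'add_query_arg/remove_query_arg call'))
            for var in sorted(tainted):
                name = re.escape(var) + r'\b'
                used = len(re.findall(name, stmt))
                safe = len(re.findall(r'\besc_url\s*\(\s*' + name, stmt))
                if used > safe:
                    findings.append((line, var))
        pos += len(stmt) + 1
    return findings

if __name__ == '__main__':
    for line, expr in find_unescaped_outputs(SAMPLE):
        print(f'line {line}: {expr} is output without esc_url()')
```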