Re: Golang packages
Ola Lundqvist writes: > In this case I think we should issue one DLA and tell all the packages that > have been updated at the same time. This require some rephrasing compared > to a standard DLA but I do not think we should have a lot of them. > > This considering that we have fixed all the packages that require re-build. > > I think it will be difficult to syncronize the fix of several > vulnerabilities. This could be done in some specific cases, but generally I > think we should accept that we have multiple uploads. I think the problem here, like you say, generally the fix to the library needs to be done first and uploaded first, before the dependency packages. During which time, people might complain that there was a package uploaded without a DLA. Which is fair enough. The big problem with trying to upload multiple packages at the same time is that the autobuilders could pick up the old library on some architectures (i.e. the library hasn't been built on that platform yet). Really need to make sure that the library has been uploaded and built on all platforms before you upload the dependencies. -- Brian May
Re: Golang packages
Ola Lundqvist writes: > I can also see a note in dla-needed for Thorsten working on automating go > updates. I did a bit of work trying to automate go updates on my system: * Identifying what packages need to be updated. * Downloading said packages. * Rebuilding. * Uploading. But there is still a lot of manual steps: * Confirm that it is OK at add dependencies to dla-needed.txt * Adding list of dependencies to dla-needed.txt, ensuring no conflicts. * Reserve DLA for each package uploaded. * Create DLA email for each package uploaded. * Add DLA to website. * Ping ftp-master when the upload fails. * etc And then what could happen (at least in theory) is that now I have resolved this vulnerability, I start investigating another security vulnerability that has a similar set of dependencies that require rebuilding. Uploading these again is not a good outcome. It would be better to fix all the root packages at once, and then upload the all the dependencies. Maybe we need a way of identifying all the dependencies at triage time, and somehow(?) manage them better at triage time. Although my gut feeling is we might be coming to the limits of what we can manage with a simple text based dla-needed.txt file. I am also a bit uneasy with the requirement for a separate DLA for each and every package that needs to be uploaded. Could create a lot of noise. Not sure I see any solutions though. I think in the future (if we are not already there) we could easily have a similar situation with rust - which I also believe likes to embed code also. -- Brian May
Support for insecure applications
Hello, I notice that the quality of our packages can vary significantly. Some get frequent security updates, while with others the author appears to be confused just what an SQL injection attack is and how to prevent it. Not going to name names here, because they have done a wonderful job in developing the software, publishing it as open source, and getting it into Debian. And they most likely are not-paid and doing this on their own time. I think that possibly there are a number of packages and different (possibly seriously time constrained) authors here. Plus Debian doesn't seem to have any requirement that packages should be vaguely secure before a new package in accepted (maybe this needs to change?). However, I was wondering if we should even try to support such software that obviously has not been written to have any level of security? As even if we patch one CVE - chances are there are many more security waiting to be found. We are providing a disservice to our users by pretending that all software is secure, when obviously it is not. Yes, this could also result in a flame war with the author too. Which I would rather avoid. Maybe though people who are keen enough, and have time, to enter a flame war, are also keep enough to help fix the problems. But I am not sure that treating all software as equal, when it obviously isn't, is a good thing for our users. Yes, users can look up our security trackers, not sure how much this helps though. A lot of these open security issues aren't necessarily serious issues that warrant concern. Any ideas, comments? Regards -- Brian May https://linuxpenguins.xyz/brian/
openjpeg2
Attached is security patches for openjpeg2 from stretch. In particular: CVE-2019-6988 - skipped, no upstream fix. CVE-2020-27814 - applied, both patches. 2nd patch applied by hand. CVE-2020-27823 - applied, by hand. CVE-2020-27824 - applied, by hand. Patch applies cleanly, but nop without patching the opj_dwt_getnorm_real also (existing function does the same thing), which I did. CVE-2020-27841 - applied, by hand. As far as I can tell most of the upstream patch is simply passing around the manager object, which is required for better error messages. I only applied the bits that look like they have a security impact, without the error messages. CVE-2020-27842 - skipped, no upstream fix. CVE-2020-27843 - skipped, no upstream fix. CVE-2020-27844 - skipped. Upstream patch replaces assert with if. Not sure how this helps. Unless maybe assert is a nop. In any case, can't find the code. Suspect we are not vulnerable. CVE-2020-27845 - applied, by hand, error messages removed. I note that this package doesn't seem to run tests on build. Which makes me a bit nervous. It does come with tests, but so far my attempts to run these tests have not been successful. -- Brian May diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.1.2/debian/changelog --- openjpeg2-2.1.2/debian/changelog 2020-07-11 01:34:00.0 +1000 +++ openjpeg2-2.1.2/debian/changelog 2021-02-04 08:18:38.0 +1100 @@ -1,3 +1,18 @@ +openjpeg2 (2.1.2-1.1+deb9u6) stretch-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2020-27814: A heap-buffer overflow in the way openjpeg2 +handled certain PNG format files. + * Fix CVE-2020-27823: Wrong computation of x1,y1 if -d option is used, +resulting in heap buffer overflow. + * Fix CVE-2020-27824: avoid global buffer overflow on irreversible conversion when +too many decomposition levels are specified. + * Fix CVE-2020-27841: crafted input to be processed by the openjpeg encoder +could cause an out-of-bounds read. + * Fix CVE-2020-27845: crafted input can cause out-of-bounds-read. + + -- Brian May Thu, 04 Feb 2021 08:18:38 +1100 + openjpeg2 (2.1.2-1.1+deb9u5) stretch-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch --- openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch 1970-01-01 10:00:00.0 +1000 +++ openjpeg2-2.1.2/debian/patches/CVE-2020-27814.patch 2021-02-04 08:18:20.0 +1100 @@ -0,0 +1,28 @@ +From 15cf3d95814dc931ca0ecb132f81cb152e051bae Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 23 Nov 2020 18:14:02 +0100 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +--- + src/lib/openjp2/tcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: openjpeg2-2.1.2/src/lib/openjp2/tcd.c +=== +--- openjpeg2-2.1.2.orig/src/lib/openjp2/tcd.c openjpeg2-2.1.2/src/lib/openjp2/tcd.c +@@ -1107,9 +1107,12 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + + /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++/* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ ++/* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ ++/* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +-l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * +(p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch --- openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch 1970-01-01 10:00:00.0 +1000 +++ openjpeg2-2.1.2/debian/patches/CVE-2020-27823.patch 2021-02-04 08:18:38.0 +1100 @@ -0,0 +1,25 @@ +From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 30 Nov 2020 22:31:51 +0100 +Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is + used, that would result in a heap buffer overflow (fixes #1284) + +--- + src/bin/jp2/convertpng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: openjpeg2-2.1.2/src/bin/jp2/convertpng.c +=== +--- openjpeg2-2.1.2.orig/src/bin/jp2/convertpng.c openjpeg2-2.1.2/src/bin/jp2/convertpng.c +@@ -216,8 +216,8 @@ opj_image_t *pngtoimage(const char *
ruby-actionpack-page-caching / CVE-2020-8159
After reading the notes for this project: ruby-actionpack-page-caching (Brian May) NOTE: 20200819: Upstream's patch on does not apply due to subsequent NOTE: 20200819: refactoring. However, a quick look at the private NOTE: 20200819: page_cache_file method suggests that the issue exists, as it NOTE: 20200819: uses the path without normalising any "../" etc., simply NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby) It seems like the best thing is to run the test case first. But had lots of problems getting "get" to call the custom URL that is defined in the test. The code in stretch uses: with_routing do |set| But apparently this is not sufficient for the "get" function to work. https://stackoverflow.com/questions/27068995/with-routing-test-helper-doesnt-work-for-integration-tests So I ended up copying the test file from the sid/bullseye file and using it. And ignoring the other tests failing (I imagine these might be easy to fix). For the test in question, I still ended up with the get command unable to find the route. In desperation, I changed the line: get :ok, params: { id: "#{get_to_root}../pwnd" } To: get :ok, id: "#{get_to_root}../pwnd" Now I get the test failure: 5) Failure: PageCachingTest#test_cache_does_not_escape [/tmp/brian/tmpzof0zyk7/build/amd64/source/test/caching_test.rb:198]: Expected ["/tmp/brian/tmpzof0zyk7/build/amd64/source/test/pwnd.html", "/tmp/brian/tmpzof0zyk7/build/amd64/source/test/pwnd.html.gz"] to be empty?. Which seems to indicate that the code is vulnerable, and that my id passing is working correctly. I added also added the following line, just before the assert that fails: Find.find(File.join(project_root, "test")) { |e| puts e } Which lists the files as: /tmp/brian/tmpx4w5mn7g/build/amd64/source/test /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/abstract_unit.rb /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/caching_test.rb /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/log_subscriber_test.rb /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/pwnd.html /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/pwnd.html.gz /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/tmp /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/tmp/test_cache /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/tmp/test_cache/page_caching_test /tmp/brian/tmpx4w5mn7g/build/amd64/source/test/tmp/test_cache/page_caching_test/ok Which I think is a definite fail. But sometimes the test passes and these files don't exist. So I can't help but wonder if there is some weird race condition here. For example on one test run I got these files instead: /tmp/brian/tmptvp61kg5/build/amd64/source/test /tmp/brian/tmptvp61kg5/build/amd64/source/test/abstract_unit.rb /tmp/brian/tmptvp61kg5/build/amd64/source/test/caching_test.rb /tmp/brian/tmptvp61kg5/build/amd64/source/test/log_subscriber_test.rb /tmp/brian/tmptvp61kg5/build/amd64/source/test/tmp /tmp/brian/tmptvp61kg5/build/amd64/source/test/tmp/test_cache Which is fine. Will continue investigating at a later date when I am more awake. -- Brian May
Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
Brian May writes: > I have a patch to fix this. As attached. I believe that there are exactly two additional packages that would need to be rebuilt in stretch (i.e. that include the http2 server code): - dnss - gobgpd Not 100% sure if these support creating a http2 server, but might be worth rebuilding just in case. Is it OK for me to add these to dla-needed.txt? -- Brian May
Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
I have a patch to fix this. As attached. I had to apply this patch manually be hand, but I didn't notice any issues. I also noticed that tests failed when I built this in a Docker container without IPv6 support. So I added a tiny change to disable this IPv6 test if IPv6 is not supported on host (same as with the other IPv6 tests). All tests pass now, with and without IPv6 support. What is Debian LTS policy concerning Debian salsa git repos? Should I push these changes to the git repo in new a debian/stretch branch? Ask the maintainer for permission? Or what? I don't want to accidentally tread on any toes here, by asking when I shouldn't or not asking when I should. -- Brian May diff -Nru golang-golang-x-net-dev-0.0+git20161013.8b4af36+dfsg/debian/changelog golang-golang-x-net-dev-0.0+git20161013.8b4af36+dfsg/debian/changelog --- golang-golang-x-net-dev-0.0+git20161013.8b4af36+dfsg/debian/changelog 2016-10-15 21:31:25.0 +1100 +++ golang-golang-x-net-dev-0.0+git20161013.8b4af36+dfsg/debian/changelog 2020-12-04 09:10:25.0 +1100 @@ -1,3 +1,12 @@ +golang-golang-x-net-dev (1:0.0+git20161013.8b4af36+dfsg-3+deb9u1) stretch-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2019-9512 and CVE-2019-9514: Prevent DOS attack by limiting unread +control frames. + * Fix test error when building on host without IPv6 support. + + -- Brian May Fri, 04 Dec 2020 09:10:25 +1100 + golang-golang-x-net-dev (1:0.0+git20161013.8b4af36+dfsg-3) unstable; urgency=medium [ Paul Tagliamonte ] diff -Nru golang-golang-x-net-dev-0.0+git20161013.8b4af36+dfsg/debian/patches/0001-http2-limit-number-of-control-frames-in-server-send-.patch golang-golang-x-net-dev-0.0+git20161013.8b4af36+dfsg/debian/patches/0001-http2-limit-number-of-control-frames-in-server-send-.patch --- golang-golang-x-net-dev-0.0+git20161013.8b4af36+dfsg/debian/patches/0001-http2-limit-number-of-control-frames-in-server-send-.patch 1970-01-01 10:00:00.0 +1000 +++ golang-golang-x-net-dev-0.0+git20161013.8b4af36+dfsg/debian/patches/0001-http2-limit-number-of-control-frames-in-server-send-.patch 2020-12-04 09:10:25.0 +1100 @@ -0,0 +1,163 @@ +From: Brian May +Date: Fri, 4 Dec 2020 09:03:10 +1100 +Subject: http2: limit number of control frames in server send queue + +An attacker could cause servers to queue an unlimited number of PING +ACKs or RST_STREAM frames by soliciting them and not reading them, until +the program runs out of memory. + +Limit control frames in the queue to a few thousands (matching the limit +imposed by other vendors) by counting as they enter and exit the scheduler, +so the protection will work with any WriteScheduler. + +Once the limit is exceeded, close the connection, as we have no way to +communicate with the peer. + +This addresses CVE-2019-9512 and CVE-2019-9514. + +Fixes golang/go#33606 +--- + http2/server.go | 32 + http2/server_test.go | 26 ++ + http2/writesched.go | 6 ++ + 3 files changed, 64 insertions(+) + +diff --git a/http2/server.go b/http2/server.go +index c986bc1..2f61ef6 100644 +--- a/http2/server.go b/http2/server.go +@@ -64,6 +64,7 @@ const ( + firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway + handlerChunkWriteSize = 4 << 10 + defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to? ++ maxQueuedControlFrames = 1; + ) + + var ( +@@ -130,6 +131,15 @@ func (s *Server) maxConcurrentStreams() uint32 { + return defaultMaxStreams + } + ++// maxQueuedControlFrames is the maximum number of control frames like ++// SETTINGS, PING and RST_STREAM that will be queued for writing before ++// the connection is closed to prevent memory exhaustion attacks. ++func (s *Server) maxQueuedControlFrames() int { ++ // TODO: if anybody asks, add a Server field, and remember to define the ++ // behavior of negative values. ++ return maxQueuedControlFrames ++} ++ + // ConfigureServer adds HTTP/2 support to a net/http Server. + // + // The configuration conf may be nil. +@@ -373,6 +383,7 @@ type serverConn struct { + sawFirstSettings bool // got the initial SETTINGS frame after the preface + needToSendSettingsAck bool + unackedSettings int// how many SETTINGS have we sent without ACKs? ++ queuedControlFrames int// control frames in the writeSched queue + clientMaxStreams uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit) + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curOpenStreamsuint32 // client's number of open streams +@@ -713,6 +724,14 @@ func (sc *serverConn) serve() { + case fn := <-sc.testHookCh: + fn(loopNum) + } ++ ++ // If the peer is causing us to generate a lot of control frames, ++ // but not reading them from us, assume they are trying to make us ++ // run out of memory.
Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
Brian May writes: > But golang-golang-x-net-dev is not a source package. In fact Disregard my rumblings. I was obviously getting confused between 2 packages with similar names: golang-golang-x-net-dev which is a source package and: golang-golang-x-crypto-dev which isn't a source package; golang-go.crypto is. The information in the security tracker is good. -- Brian May
Re: reverse build depends on stretch
Bob Proulx writes: > That should at least make the files text again. Which means I think > following this should work. But note that I had to test with the > non-lz4 version on my system. > > lz4cat /var/lib/apt/lists/*Sources.lz4 | grep-dctrl -s Package -F > Build-Depends,Build-Depends-Indep quilt > > Maybe? OK, thanks for the suggestion. This appears to work on stretch: apt install liblz4-tool lz4cat /var/lib/apt/lists/*Sources.lz4 | grep-dctrl -s Package -F Build-Depends,Build-Depends-Indep quilt -- Brian May
Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
Brian May writes: > Anyway, as this was marked as minor for golang-1.7 in Stretch, probably > also should be marked as minor for golang-golang-x-net-dev also... According to https://security-tracker.debian.org/tracker/CVE-2019-9512, golang-golang-x-net-dev is a source package that is vulnerable. But golang-golang-x-net-dev is not a source package. In fact https://packages.debian.org/search?searchon=sourcenames&keywords=golang-golang-x-crypto-dev returns 0 results. golang-golang-x-net-dev is a binary package. The source package is called golang-go.crypto. This had really confusing me for a while. -- Brian May
reverse build depends on stretch
How do I do this? I am getting defeated at every step: root@740eafbd9794:/build# grep-dctrl -s Package -F Build-Depends,Build-Depends-Indep quilt /var/lib/apt/lists/*Sources grep-dctrl: /var/lib/apt/lists/*Sources: No such file or directory root@740eafbd9794:/build# ls -l /var/lib/apt/lists/ total 83120 -rw-r- 1 root root0 Dec 2 21:40 lock drwx-- 2 _apt root 4096 Dec 2 21:45 partial -rw-r--r-- 1 root root 15040156 Jul 18 10:40 proxy.pri:_debian_dists_stretch_main_binary-amd64_Packages.lz4 -rw-r--r-- 1 root root 54488073 Jul 18 10:42 proxy.pri:_debian_dists_stretch_main_Contents-amd64.lz4 -rw-r--r-- 1 root root 14139930 Jul 18 10:40 proxy.pri:_debian_dists_stretch_main_source_Sources.lz4 -rw-r--r-- 1 root root 117947 Jul 18 10:52 proxy.pri:_debian_dists_stretch_Release -rw-r--r-- 1 root root 2410 Jul 18 11:00 proxy.pri:_debian_dists_stretch_Release.gpg -rw-r--r-- 1 root root53018 Dec 2 10:51 proxy.pri:_security_dists_stretch_updates_InRelease -rw-r--r-- 1 root root 1260511 Dec 2 10:51 proxy.pri:_security_dists_stretch_updates_main_binary-amd64_Packages.lz4 root@740eafbd9794:/build# file /var/lib/apt/lists/*Sources.lz4 /var/lib/apt/lists/proxy.pri:_debian_dists_stretch_main_source_Sources.lz4: LZ4 compressed data (v1.4+) root@740eafbd9794:/build# lzcat /var/lib/apt/lists/*Sources.lz4 lzcat: /var/lib/apt/lists/proxy.pri:_debian_dists_stretch_main_source_Sources.lz4: File format not recognized root@740eafbd9794:/build# grep-dctrl -s Package -F Build-Depends,Build-Depends-Indep quilt /var/lib/apt/lists/*Sources.lz4 grep-dctrl: /var/lib/apt/lists/proxy.pri:_debian_dists_stretch_main_source_Sources.lz4:7: expected a colon. root@740eafbd9794:/build# grep-aptavail -s Package -F Build-Depends,Build-Depends-Indep quilt [ no results ] -- Brian May https://linuxpenguins.xyz/brian/
Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
Salvatore Bonaccorso writes: > Your above tracking of the commits seems correct, which would mean > that the issue was firstly introduced actually in v3.0.0 and given the > code is not found in the buster and stretch version this would not > affect hose versions indeed. Yes, you are right. I misread the github webpage, which shows v4.0.0-preview1 in bold, but has v3.0.0 next to it. Good to know the git command to get this information, thanks for that. > So to me updating the CVE entry to not-affected for buster and stretch > (as the respective vulnerable code was introduced later) seems correct > to me. I will do so. -- Brian May
Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
Salvatore Bonaccorso writes: > Hi Brian, > > On Tue, Dec 01, 2020 at 09:01:37AM +1100, Brian May wrote: >> I note this package - golang-github-dgrijalva-jwt-go - has been marked >> as vulnerable to CVE-2020-26160 in both Debian stretch and buster. >> >> https://security-tracker.debian.org/tracker/CVE-2020-26160 >> >> But I can't find any code in these versions that even mentions the >> aud/audience fields. >> >> So I plan to mark these versions as not vulnerable. > > Were you able to track down in which version the vulnerability was > introduced? If I am reading this correctly, the broken code was introduced here: https://github.com/dgrijalva/jwt-go/commit/44718f8a89b030a85860eef946090aac75faffac === cut === func (m MapClaim) VerifyAudience(cmp string) bool { val, exists := m["aud"] if !exists { return true // Don't fail validation if claim doesn't exist } if aud, ok := val.(string); ok { return verifyAud(aud, cmp) } return false } === cut === But this code, while it is faulty, I don't think it is insecure. If a list of strings is passed, it will fail the assertion and return false. Which is a safe value to return. That issue is introduced here in the following change, which ignores if the type assertion succeeded or not. https://github.com/dgrijalva/jwt-go/commit/ec042acef733f1a3fdc10291d159e8e7a0b85ce6 === cut === -func (m MapClaim) VerifyAudience(cmp string) bool { - val, exists := m["aud"] - if !exists { - return true // Don't fail validation if claim doesn't exist - } - - if aud, ok := val.(string); ok { - return verifyAud(aud, cmp) - } - return false +// Compares the aud claim against cmp. +// If required is false, this method will return true if the value matches or is unset +func (m MapClaim) VerifyAudience(cmp string, req bool) bool { + aud, _ := m["aud"].(string) + return verifyAud(aud, cmp, req) } [...] -func verifyAud(aud string, cmp string) bool { - return aud == cmp +func verifyAud(aud string, cmp string, required bool) bool { + if aud == "" { + return !required + } + if subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) != 0 { + return true + } else { + return false + } === cut === The problem is if the type assertion fails, we get an empty string, and latter treat it as if the parameter wasn't even supplied. If I am reading this git stuff correctly, both changes were introduced - in time - between v2.3.0 and v2.4.0, but weren't actually released until version 4.0.0-preview1. Which matches what is in the CVE. The last commit also references a PR, unfortunately it doesn't say which one. I think it might be #73: https://github.com/dgrijalva/jwt-go/pull/73 Here is a great quote: https://github.com/dgrijalva/jwt-go/pull/73#discussion_r34926597 "Seems like this will lead to security issues. Also, this behavior is different from StandardClaims which just compare directly regardless of presence." Oh joy. They knew about the risk here, but looks like they went ahead anyway with an insecure solution without properly testing it :-( -- Brian May
golang-github-dgrijalva-jwt-go / CVE-2020-26160
I note this package - golang-github-dgrijalva-jwt-go - has been marked as vulnerable to CVE-2020-26160 in both Debian stretch and buster. https://security-tracker.debian.org/tracker/CVE-2020-26160 But I can't find any code in these versions that even mentions the aud/audience fields. So I plan to mark these versions as not vulnerable. -- Brian May
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Abhijith PA writes: > Also my issue is cleared and jupyter-notebook *accepted* . I hope > golang-github-ncw-rclone-dev cleared too. Yes, the two packages of mine that were waiting now got in. -- Brian May
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Abhijith PA writes: > I generated DLA for jupyter-notebook just before upload. But upload was > rejected due to `Built-Using refers to non-existing source package`. I have > pinged ftp masters couple of times to manually move needed packages to > security-master. If any ftp masters here, please help. I have a similar issue. I opened up a bug report: https://bugs.debian.org/974877 I suggest you do they same. At least with the bug report there is a formal public record of the pending request. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Brian May writes: > I have contacted ftp-master concerning rclone. Waiting a response. Still no response. I submitted a bug report: https://bugs.debian.org/974877 -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Paul Wise writes: > It documents which source package versions need to be shipped to > ensure license compliance. > > https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-built-using > > Please note that golang folks were/are using it in a more general way > than the use it was intended for. Interesting. It looks like obfs4proxy does not have this header, so it uploaded fine. But snapd does have this header, so I imagine it will have the same problem. I have contacted ftp-master concerning rclone. Waiting a response. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Brian May writes: > What is the process for rebuilding these in stretch LTS? Do I need to > add entries to dla-needed.txt and claim these entries? I might need help here: === cut === Debian FTP Masters (28 mins. ago) () Subject: rclone_1.35-1+deb8u1_amd64.changes REJECTED To: d...@security.debian.org, b...@debian.org Date: Mon, 09 Nov 2020 21:50:14 + golang-github-ncw-rclone-dev_1.35-1+deb8u1_all.deb: Built-Using refers to non-existing source package go-md2man (= 1.0.6+ds-1) === Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns. === cut === go-md2man is in stretch, not stretch-security. But I don't see any reference to the package in the source: === cut === $ grep -r go-md2man Godeps/Godeps.json: "ImportPath": "github.com/cpuguy83/go-md2man/md2man", === cut === If I look at the binary package however, I have this "Built-Using" header: === cut === root@a852fb6a8d37:/tmp/brian/tmphbdhga9l/build/amd64# dpkg -I golang-github-ncw-rclone-dev_1.35-1+deb8u1_all.deb new debian package, version 2.0. size 177936 bytes: control archive=6263 bytes. 2753 bytes,16 lines control 17449 bytes, 177 lines md5sums Package: golang-github-ncw-rclone-dev Source: rclone Version: 1.35-1+deb8u1 Architecture: all Maintainer: Debian Go Packaging Team Installed-Size: 1059 Depends: golang-bazil-fuse-dev, golang-github-aws-aws-sdk-go-dev, golang-github-mreiferson-go-httpclient-dev, golang-github-ncw-go-acd-dev, golang-github-ncw-swift-dev, golang-github-pkg-errors-dev, golang-github-rfjakob-eme-dev, golang-github-skratchdot-open-golang-dev, golang-github-spf13-cobra-dev, golang-github-spf13-pflag-dev, golang-github-stacktic-dropbox-dev, golang-github-stretchr-testify-dev, golang-github-tsenart-tb-dev, golang-github-unknwon-goconfig-dev, golang-github-vividcortex-ewma-dev, golang-golang-x-crypto-dev, golang-golang-x-net-dev, golang-golang-x-oauth2-google-dev, golang-golang-x-sys-dev, golang-golang-x-text-dev, golang-google-api-dev Built-Using: go-md2man (= 1.0.6+ds-1), golang-1.7 (= 1.7.4-2+deb9u1), golang-bazil-fuse (= 0.0~git20160811.0.371fbbd-2), golang-blackfriday (= 1.4+git20161003.40.5f33e7b-1), golang-github-aws-aws-sdk-go (= 1.1.14+dfsg-2), golang-github-davecgh-go-spew (= 1.1.0-1), golang-github-go-ini-ini (= 1.8.6-2), golang-github-google-go-querystring (= 0.0~git20151028.0.2a60fc2-1), golang-github-jmespath-go-jmespath (= 0.2.2-2), golang-github-ncw-go-acd (= 0.0~git20161119.0.7954f1f-1), golang-github-ncw-swift (= 0.0~git20160617.0.b964f2c-2), golang-github-pkg-errors (= 0.8.0-1), golang-github-pmezard-go-difflib (= 1.0.0-1), golang-github-rfjakob-eme (= 1.0-2), golang-github-shurcool-sanitized-anchor-name (= 0.0~git20160918.0.1dba4b3-1), golang-github-skratchdot-open-golang (= 0.0~git20160302.0.75fb7ed-2), golang-github-spf13-cobra (= 0.0~git20161229.0.1dd5ff2-1), golang-github-spf13-pflag (= 0.0~git20161024.0.5ccb023-1), golang-github-stacktic-dropbox (= 0.0~git20160424.0.58f839b-2), golang-github-tsenart-tb (= 0.0~git20151208.0.19f4c3d-2), golang-github-unknwon-goconfig (= 0.0~git20160828.0.5aa4f8c-3), golang-github-vividcortex-ewma (= 0.0~git20160822.20.c595cd8-3), golang-go.crypto (= 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1), golang-golang-x-net-dev (= 1:0.0+git20161013.8b4af36+dfsg-3), golang-golang-x-oauth2 (= 0.0~git20161103.0.36bc617-4), golang-golang-x-sys (= 0.0~git20161122.0.30237cf-1), golang-google-api (= 0.0~git20161128.3cc2e59-2), golang-google-cloud (= 0.5.0-2), golang-testify (= 1.1.4+ds-1), golang-x-text (= 0.0~git20161013.0.c745997-2) Section: devel Priority: extra Homepage: https://github.com/ncw/rclone Description: go source code of rclone Rclone is a program to sync files and directories between the local file system and a variety of commercial cloud storage providers. . This package contains rclone's source code. === cut === What is this "Built-Using" header? Where does it come from? Do I have to upload everything in "Built-Using" to stretch-security first? Why? How do I resolve this in a sane and sensible manner? -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Brian May writes: > This produced the following output to STDOUT: > > === cut === > obfs4proxy salsa20 > packer ssh/keys > rclone salsa20 > restic ssh/keys > snapd salsa20 > === cut === snapd seems to reproduce test failures, even without my security updates. :-( What is the process for rebuilding these in stretch LTS? Do I need to add entries to dla-needed.txt and claim these entries? -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Brian May writes: > Package: acmetool > Package: chasquid > Package: coyim > Package: go-wire > Package: gocryptfs > Package: golang-github-azure-azure-sdk-for-go > Package: golang-github-azure-go-autorest > Package: golang-github-azure-go-ntlmssp > Package: golang-github-bowery-prompt > Package: golang-github-coreos-ioprogress > Package: golang-github-coreos-pkg > Package: golang-github-elithrar-simple-scrypt > Package: golang-github-endophage-gotuf > Package: golang-github-howeyc-gopass > Package: golang-github-kisom-goutils > Package: golang-github-pkg-sftp > Package: golang-github-rackspace-gophercloud > Package: golang-github-weaveworks-mesh > Package: golang-github-xenolf-lego > Package: golang-github-xordataexchange-crypt > Package: golang-golang-x-net-dev > Package: golang-gopkg-dancannon-gorethink.v2 > Package: golang-gopkg-macaroon.v1 > Package: govendor > Package: influxdb > Package: mongo-tools > Package: packer > Package: rclone > Package: restic > Package: snapd > Package: syncthing > Package: tendermint-ed25519 > Package: tendermint-go-merkle > Package: golang-ed25519-dev > Package: golang-github-bradfitz-http2 > Package: golang-github-endophage-gotuf > Package: golang-pault-go-debian > Package: influxdb > Package: obfs4proxy > Package: pluginhook I downloaded all binary packages associated with these source packages and ran the following script: (for simplicity I commented out the line that calls my script from https://github.com/brianmay/bampkgbuild/ that uses docker to Download the required files) === cut === #!/bin/sh set -e set -x # PATH="$HOME/tree/personal/bampkgbuild:$PATH" # download --architecture amd64 --distribution stretch --download binaries -- "$@" >&2 # Create a temporary directory and store its name in a variable ... TMPDIR=$(mktemp -d) # Bail out if the temp directory wasn't created successfully. if [ ! -e $TMPDIR ]; then echo "Failed to create temp directory" >&2 exit 1 fi # Make sure it gets removed even if the script exits abnormally. trap "exit 1" HUP INT PIPE QUIT TERM trap 'rm -rf "$TMPDIR"' EXIT for i in *.deb; do rm -rf "$TMPDIR" dpkg-deb --raw-extract "$i" "$TMPDIR" >&2 HIT="" if grep -qr 'src/golang.org/x/crypto/salsa20' -- $TMPDIR >&2; then HIT="salsa20 $HIT" fi if grep -qr 'src/golang.org/x/crypto/openpgp/clearsign' -- $TMPDIR >&2; then HIT="openpgp/clearsign $HIT" fi if grep -qr 'src/golang.org/x/crypto/ssh/keys' -- $TMPDIR >&2; then HIT="ssh/keys $HIT" fi if test -n "$HIT"; then echo "Package $i needs rebuilding" >&2 source="$(dpkg-deb -f "$i" Package)" if test -z "$source"; then source="$(dpkg-deb -f "$i" Package)" fi echo "$source $HIT" fi done === cut === This produced the following output to STDOUT: === cut === obfs4proxy salsa20 packer ssh/keys rclone salsa20 restic ssh/keys snapd salsa20 === cut === So I believe this is the list of packages that need to be rebuilt. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Emilio Pozuelo Monfort writes: > I would look for an automated way to do this. E.g. by downloading and > inspecting > the binaries to see if they have the affected code. Hmmm. Good idea in theory, but not sure how to do this in practise. I tried building two copies of acmetool, and comparing, but it looks like go builds are not yet reproducible. There is the known issue that the build path is encoded in the result. But I am getting other differences too. Hmm. But it looks like /usr/bin/acmetool contains strings such as: /tmp/brian/tmpxbsh4mst/build/amd64/source/obj-x86_64-linux-gnu/src/golang.org/x/crypto/ocsp/ocsp.go This looks like a source file. Wonder if it is possible to extract a list of all source files that were used to build acmetool... So far not getting anywhere with "readelf". But maybe "strings" might be sufficient. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Emilio Pozuelo Monfort writes: > That go be a simplification. However there's a chance one of those golang- > packages also has a bin package with a real binary, and then that may need to > be > rebuilt as well. > > Also, not all packages with compiled binaries necessarily need a rebuild. > E.g. > they may not use the affected code at all, just other parts of > golang-go.crypto. I am inclined to think that golang-* packages with binaries that include stuff from golang-go.crypto are likely to be for development/building purposes only, and perhaps not so important ... ? However it sounds like we need to investigate each package one at a time: Package: acmetool Package: chasquid Package: coyim Package: go-wire Package: gocryptfs Package: golang-github-azure-azure-sdk-for-go Package: golang-github-azure-go-autorest Package: golang-github-azure-go-ntlmssp Package: golang-github-bowery-prompt Package: golang-github-coreos-ioprogress Package: golang-github-coreos-pkg Package: golang-github-elithrar-simple-scrypt Package: golang-github-endophage-gotuf Package: golang-github-howeyc-gopass Package: golang-github-kisom-goutils Package: golang-github-pkg-sftp Package: golang-github-rackspace-gophercloud Package: golang-github-weaveworks-mesh Package: golang-github-xenolf-lego Package: golang-github-xordataexchange-crypt Package: golang-golang-x-net-dev Package: golang-gopkg-dancannon-gorethink.v2 Package: golang-gopkg-macaroon.v1 Package: govendor Package: influxdb Package: mongo-tools Package: packer Package: rclone Package: restic Package: snapd Package: syncthing Package: tendermint-ed25519 Package: tendermint-go-merkle Package: golang-ed25519-dev Package: golang-github-bradfitz-http2 Package: golang-github-endophage-gotuf Package: golang-pault-go-debian Package: influxdb Package: obfs4proxy Package: pluginhook We probably need someway of keeping track of what packages have already been looked at and their status with respect to this rebuild. Not really convinced data/dla-needed.txt is up to this task. >> How do I rebuild? Do I need to upload a new version? > > Unless they already are in stretch-security, then yes, sourceful uploads will > be > needed. I hope there are none of these packages that have the same version in buster... Not seen any problems yet however. Looking at items in the list from the top: acmetool - automatic certificate acquisition tool for Let's Encrypt OK, good candidate. A certificate signing tool needs to be secure. But, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954189 - it looks like the 0.0.58-5+b2 in stretch is likely to be completely broken and unusable for unrelated reasons. Is this something we should be fixing? My guess is anybody who needs in buster has already moved to the version in backports. Or is this a candidate to add to https://salsa.debian.org/debian/debian-security-support/-/blob/master/security-support-ended.deb9? In any case, unlikely to use ssh public keys or cleartext signatures, so probably won't need to rebuild. chasquid - simple SMTP (email) server written in go coyim - safe and secure XMPP chat client go-wire - Go bindings for the Wire encoding protocol gocryptfs - Encrypted overlay filesystem written in Go. Unlikely to use ssh public keys or cleartext signatures. ? same? In fact, I suspect this might hold true for the remainder of the packages. With the exception of maybe golang-github-pkg-sftp. Which is entirely go files. How am I going so far? Too conservative? However now I also realise another limitation in the above list. It probably won't mention, for example, packages that build depend on golang-github-pkg-sftp-dev which depends on golang-golang-x-crypto-dev. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Emilio Pozuelo Monfort writes: > Note that many of those are golang modules which only ship go code on the > -dev > package, and thus don't need a rebuild. OTOH, compiled binaries may need a > rebuild if they use the affected code (directly or indirectly). How do I tell which ones need rebuilding? Maybe just the ones without the 'golang-` prefix? How do I rebuild? Do I need to upload a new version? -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Emilio Pozuelo Monfort writes: > Have you checked if any rdeps need to be rebuilt? No. I imagine there might be some. How do I check? I can't remember right now how to check reverse build depends. -- Brian May
[security tracker role] Processing a16b55300564d69f4c3d37a0c84cc41bf9b5638b failed
I have no idea what is wrong here, or why it is fixated on a commit that is 2 commits behind master... -- Brian May --- Begin Message --- The error message was: reference to unknown bug DLA-0001-1 reference to unknown bug DLA-0002-1 reference to unknown bug DLA-0003-1 reference to unknown bug DLA-0004-1 reference to unknown bug DLA-0005-1 reference to unknown bug DLA-0006-1 reference to unknown bug DLA-0007-1 reference to unknown bug DLA-0008-1 reference to unknown bug DLA-0009-1 reference to unknown bug DLA-0010-1 reference to unknown bug DLA-0011-1 reference to unknown bug DLA-0012-1 reference to unknown bug DLA-0013-1 reference to unknown bug DLA-0014-1 reference to unknown bug DLA-0015-1 reference to unknown bug DLA-0018-1 reference to unknown bug DLA-0019-1 reference to unknown bug DLA-0021-1 reference to unknown bug DLA-0022-1 reference to unknown bug DLA-100-1 reference to unknown bug DLA-1000-1 reference to unknown bug DLA-1001-1 reference to unknown bug DLA-1002-1 reference to unknown bug DLA-1003-1 reference to unknown bug DLA-1004-1 reference to unknown bug DLA-1005-1 reference to unknown bug DLA-1006-1 reference to unknown bug DLA-1007-1 reference to unknown bug DLA-1008-1 reference to unknown bug DLA-1009-1 reference to unknown bug DLA-101-1 reference to unknown bug DLA-1010-1 reference to unknown bug DLA-1011-1 reference to unknown bug DLA-1012-1 reference to unknown bug DLA-1013-1 reference to unknown bug DLA-1014-1 reference to unknown bug DLA-1015-1 reference to unknown bug DLA-1016-1 reference to unknown bug DLA-1017-1 reference to unknown bug DLA-1018-1 reference to unknown bug DLA-1019-1 reference to unknown bug DLA-102-1 reference to unknown bug DLA-1020-1 reference to unknown bug DLA-1021-1 reference to unknown bug DLA-1022-1 reference to unknown bug DLA-1023-1 reference to unknown bug DLA-1024-1 reference to unknown bug DLA-1025-1 reference to unknown bug DLA-1026-1 reference to unknown bug DLA-1027-1 reference to unknown bug DLA-1028-1 reference to unknown bug DLA-1029-1 reference to unknown bug DLA-103-1 reference to unknown bug DLA-1030-1 reference to unknown bug DLA-1031-1 reference to unknown bug DLA-1033-1 reference to unknown bug DLA-1034-1 reference to unknown bug DLA-1035-1 reference to unknown bug DLA-1036-1 reference to unknown bug DLA-1037-1 reference to unknown bug DLA-1038-1 reference to unknown bug DLA-1039-1 reference to unknown bug DLA-104-1 reference to unknown bug DLA-1040-1 reference to unknown bug DLA-1041-1 reference to unknown bug DLA-1042-1 reference to unknown bug DLA-1043-1 reference to unknown bug DLA-1044-1 reference to unknown bug DLA-1045-1 reference to unknown bug DLA-1046-1 reference to unknown bug DLA-1047-1 reference to unknown bug DLA-1048-1 reference to unknown bug DLA-1049-1 reference to unknown bug DLA-105-1 reference to unknown bug DLA-1050-1 reference to unknown bug DLA-1051-1 reference to unknown bug DLA-1052-1 reference to unknown bug DLA-1053-1 reference to unknown bug DLA-1054-1 reference to unknown bug DLA-1055-1 reference to unknown bug DLA-1056-1 reference to unknown bug DLA-1057-1 reference to unknown bug DLA-1058-1 reference to unknown bug DLA-1059-1 reference to unknown bug DLA-106-1 reference to unknown bug DLA-1060-1 reference to unknown bug DLA-1061-1 reference to unknown bug DLA-1062-1 reference to unknown bug DLA-1063-1 reference to unknown bug DLA-1064-1 reference to unknown bug DLA-1065-1 reference to unknown bug DLA-1066-1 reference to unknown bug DLA-1067-1 reference to unknown bug DLA-1068-1 reference to unknown bug DLA-1069-1 reference to unknown bug DLA-107-1 reference to unknown bug DLA-1070-1 reference to unknown bug DLA-1071-1 reference to unknown bug DLA-1072-1 reference to unknown bug DLA-1073-1 reference to unknown bug DLA-1074-1 reference to unknown bug DLA-1075-1 reference to unknown bug DLA-1076-1 reference to unknown bug DLA-1077-1 reference to unknown bug DLA-1078-1 reference to unknown bug DLA-1079-1 reference to unknown bug DLA-1080-1 reference to unknown bug DLA-1081-1 reference to unknown bug DLA-1082-1 reference to unknown bug DLA-1083-1 reference to unknown bug DLA-1084-1 reference to unknown bug DLA-1085-1 reference to unknown bug DLA-1087-1 reference to unknown bug DLA-1088-1 reference to unknown bug DLA-1089-1 reference to unknown bug DLA-109-1 reference to unknown bug DLA-1090-1 reference to unknown bug DLA-1091-1 reference to unknown bug DLA-1092-1 reference to unknown bug DLA-1093-1 reference to unknown bug DLA-1094-1 reference to unknown bug DLA-1095-1 reference to unknown bug DLA-1096-1 reference to unknown bug DLA-1097-1 reference to unknown bug DLA-1098-1 reference to unknown bug DLA-1099-1 reference to unknown bug DLA-110-1 reference to unknown bug DLA-1100-1 reference to unknown bug DLA-1101-1 reference to unknown bug DLA-1102-1 reference to unknown bug DLA-1103-1 reference to unknown bug DLA-1104-1 reference to unknown bug DLA-1105-1 reference to unknown bug DLA-1106-1 reference to
Re: golang-go.crypto / CVE-2019-11841
Utkarsh Gupta writes: > Ah, great. It'd nice to include this then! :) Done. See attached patch. I had to apply it manually, because patch was misapplying one of the hunks in the wrong place. There were several hunks that apply to SKEd25519 public key stuff I skipped also because this version does not have SKEd25519 public key stuff. I note that some of the ssh tests are skipped because sshd is not installed. So I added "openssh-server" to the build depends, and found that one of the tests hangs. Even if I revert my changes. The tests related to these change appear to pass, even without openssh-server installed, so I think this is good to go. -- Brian May diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2017-04-26 17:42:23.0 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2020-09-07 08:29:03.0 +1000 @@ -1,3 +1,14 @@ +golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1) jessie-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2019-11841: reject potentially misleading headers and messages. + * Fix CVE-2019-11840: fix keystream loop in amd64 assembly when overflowing +32-bit counter. + * Fix CVE-2020-9283: signature verification could cause Panic when given +invalid Public key. + + -- Brian May Mon, 07 Sep 2020 08:29:03 +1000 + golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; urgency=medium * Reverts previous upload to permit freeze exception. diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch 1970-01-01 10:00:00.0 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch 2020-09-07 08:29:03.0 +1000 @@ -0,0 +1,1922 @@ +commit b7391e95e576cacdcdd422573063bc057239113d +Author: Filippo Valsorda +Date: Tue Mar 19 18:29:04 2019 -0400 + +salsa20/salsa: fix keystream loop in amd64 assembly when overflowing 32-bit counter + +Fixes golang/go#30965 + +Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856 +Reviewed-by: Adam Langley +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406 +Reviewed-by: Filippo Valsorda +Run-TryBot: Filippo Valsorda +TryBot-Result: Gobot Gobot + +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go +=== +--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa20_amd64.go golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go +@@ -6,10 +6,9 @@ + + package salsa + +-// This function is implemented in salsa2020_amd64.s. +- + //go:noescape + ++// salsa2020XORKeyStream is implemented in salsa20_amd64.s. + func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte) + + // XORKeyStream crypts bytes from in to out using the given key and counters. +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa2020_amd64.s +=== +--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa2020_amd64.s /dev/null +@@ -1,902 +0,0 @@ +-// Copyright 2012 The Go Authors. All rights reserved. +-// Use of this source code is governed by a BSD-style +-// license that can be found in the LICENSE file. +- +-// +build amd64,!appengine,!gccgo +- +-// This code was translated into a form compatible with 6a from the public +-// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html +- +-// func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte) +-TEXT ·salsa2020XORKeyStream(SB),0,$512-40 +- MOVQ out+0(FP),DI +- MOVQ in+8(FP),SI +- MOVQ n+16(FP),DX +- MOVQ nonce+24(FP),CX +- MOVQ key+32(FP),R8 +- +- MOVQ SP,R11 +- MOVQ $31,R9 +- NOTQ R9 +- ANDQ R9,SP +- ADDQ $32,SP +- +- MOVQ R11,352(SP) +- MOVQ R12,360(SP) +- MOVQ R13,368(SP) +- MOVQ R14,376(SP) +- MOVQ R15,384(SP) +- MOVQ BX,392(SP) +- MOVQ BP,400(SP) +- MOVQ DX,R9 +- MOVQ CX,DX +- MOVQ R8,R10 +- CMPQ R9,$0 +- JBE DONE +- START: +- MOVL 20(R10),CX +- MOVL 0(R10),R
Re: golang-go.crypto / CVE-2019-11841
Utkarsh Gupta writes: > On Mon, Oct 5, 2020 at 3:03 AM Brian May wrote: >> I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can >> cause a panic - however I feel this is not really a security issue. > > But still, in case you can include a fix for this in this upload, > that'd be great! I wasn't sure it was going to be worth it? $ patch --dry-run -p1 < ../CVE-2020-9283.patch checking file ssh/keys.go Hunk #1 succeeded at 494 with fuzz 1 (offset -68 lines). Hunk #2 FAILED at 584. Hunk #3 FAILED at 840. Hunk #4 succeeded at 807 with fuzz 2 (offset -57 lines). Hunk #5 FAILED at 903. Hunk #6 FAILED at 1056. Hunk #7 FAILED at 1309. 5 out of 7 hunks FAILED Looking at this again, it looks like it should be trivial to apply #2, #5, and #6 manually. Not sure why these didn't apply automatically. Which just leaves #3 - may not be required - and #7 - which only patches a comment. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Attached is my patch for golang-go.crypto which I intend to upload tomorrow for: * CVE-2019-11840 * CVE-2019-11841 I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can cause a panic - however I feel this is not really a security issue. -- Brian May diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2017-04-26 17:42:23.0 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2020-09-07 08:29:03.0 +1000 @@ -1,3 +1,11 @@ +golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1) jessie-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2019-11841: reject potentially misleading headers and messages. + * Fix CVE-2019-11840: fix keystream loop in amd64 assembly when overflowing 32-bit counter. + + -- Brian May Mon, 07 Sep 2020 08:29:03 +1000 + golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; urgency=medium * Reverts previous upload to permit freeze exception. diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch 1970-01-01 10:00:00.0 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch 2020-09-07 08:29:03.0 +1000 @@ -0,0 +1,1922 @@ +commit b7391e95e576cacdcdd422573063bc057239113d +Author: Filippo Valsorda +Date: Tue Mar 19 18:29:04 2019 -0400 + +salsa20/salsa: fix keystream loop in amd64 assembly when overflowing 32-bit counter + +Fixes golang/go#30965 + +Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856 +Reviewed-by: Adam Langley +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406 +Reviewed-by: Filippo Valsorda +Run-TryBot: Filippo Valsorda +TryBot-Result: Gobot Gobot + +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go +=== +--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa20_amd64.go golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go +@@ -6,10 +6,9 @@ + + package salsa + +-// This function is implemented in salsa2020_amd64.s. +- + //go:noescape + ++// salsa2020XORKeyStream is implemented in salsa20_amd64.s. + func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte) + + // XORKeyStream crypts bytes from in to out using the given key and counters. +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa2020_amd64.s +=== +--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa2020_amd64.s /dev/null +@@ -1,902 +0,0 @@ +-// Copyright 2012 The Go Authors. All rights reserved. +-// Use of this source code is governed by a BSD-style +-// license that can be found in the LICENSE file. +- +-// +build amd64,!appengine,!gccgo +- +-// This code was translated into a form compatible with 6a from the public +-// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html +- +-// func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte) +-TEXT ·salsa2020XORKeyStream(SB),0,$512-40 +- MOVQ out+0(FP),DI +- MOVQ in+8(FP),SI +- MOVQ n+16(FP),DX +- MOVQ nonce+24(FP),CX +- MOVQ key+32(FP),R8 +- +- MOVQ SP,R11 +- MOVQ $31,R9 +- NOTQ R9 +- ANDQ R9,SP +- ADDQ $32,SP +- +- MOVQ R11,352(SP) +- MOVQ R12,360(SP) +- MOVQ R13,368(SP) +- MOVQ R14,376(SP) +- MOVQ R15,384(SP) +- MOVQ BX,392(SP) +- MOVQ BP,400(SP) +- MOVQ DX,R9 +- MOVQ CX,DX +- MOVQ R8,R10 +- CMPQ R9,$0 +- JBE DONE +- START: +- MOVL 20(R10),CX +- MOVL 0(R10),R8 +- MOVL 0(DX),AX +- MOVL 16(R10),R11 +- MOVL CX,0(SP) +- MOVL R8, 4 (SP) +- MOVL AX, 8 (SP) +- MOVL R11, 12 (SP) +- MOVL 8(DX),CX +- MOVL 24(R10),R8 +- MOVL 4(R10),AX +- MOVL 4(DX),R11 +- MOVL CX,16(SP) +- MOVL R8, 20 (SP) +- MOVL AX, 24 (SP) +- MOVL R11, 28 (SP) +- MOVL 12(DX),CX +- MOVL 12(R10),DX +- MOVL 28(R10),R8 +- MOVL 8(R10),AX +- MOVL DX,32(SP) +- MOVL CX, 36 (SP) +- MOVL R8, 40 (SP) +- MOVL AX, 44 (SP) +- MOVQ $1634760805,DX +- MOVQ $857760878,CX +- MOVQ $2036477234,R8 +- MOVQ $1797285236,AX +- MOVL DX,48(SP
Re: golang-go.crypto / CVE-2019-11841
Ola Lundqvist writes: > Looking at the code and your email I have some concerns. > > Isn't the header part of the "signed" argument? If it is not, then there is > no point of checking it since you can then just change the header anyway. > If it is part of the signed message it is possible for the function to > decode it and check it. > > Do the calling application need to do the check, can't > CheckDetachedSignature do it? > > Or have I missed something? CheckDetachedSignature is called like: openpgp.CheckDetachedSignature(keyring, bytes.NewBuffer(b.Bytes), b.ArmoredSignature.Body) b.Headers has the header we need to check, but we only pass the body b.Bytes and the signature b.ArmoredSignature.Body. As in the headers aren't covered by the signature (I assume there is a good reason...). Does this make sense now? -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Ola Lundqvist writes: > Do we have an idea on how a good patch would look like? OK, I think a patch may not be as simple as I hoped. CheckDetachedSignature() is where we decode the packet and determine the hash function used. But this function is not supplied the headers so it cannot check the headers. And this function doesn't return the hashFunc used either, so the calling function cannot check the headers. Plus the hashFunc is an integer it needs to be decoded into a string - there is a private function - nameOfHash - that does this. So some sort of API change is required I think. I am a bit disappointed actually that the CheckDetachedSignature() doesn't return the hash used. It means that the calling application only has access to the insecure value that cannot be trusted. -- Brian May
golang-1.7 / CVE-2019-9514 / CVE-2019-9512
Looking at: https://security-tracker.debian.org/tracker/CVE-2019-9512 https://security-tracker.debian.org/tracker/CVE-2019-9514 Under "golang-1.7" release stretch it says "vulnerable". But in the notes, there is: [stretch] - golang-1.7 (Minor issue) Why? Anyway, as this was marked as minor for golang-1.7 in Stretch, probably also should be marked as minor for golang-golang-x-net-dev also... -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Ola Lundqvist writes: > I agree with you about the hash part (the main part of it) of this CVE. In > fact this CVE is about two different things. If gnupg do hash validation I > think go should do the same. It concerns me that we have marked CVE-2019-11841 as resolved in bullseye and sid, and we have no good procedures for "undoing" a DLA/DSA that marks a CVE as resolved. This is something that has got in the past also. I think it might be possible to update data/DLA/list or data/DSA/list and remove the CVE from the DLA/DSA. Maybe then we would need to update data/CVE/list also (unless this happens automatically). But then we have still have the problem that the last email sent said that the issue was fixed. > I was referring to the second part of the vulnerability described in > "Moreover, since...". Now when I read about it, it is clear that it is only > referring to the PHP header part and not the rest of the text. I wonder if > that should be seen as a separate vulnerability, that people think the > whole text is signed, while it is just a part of it... But that should > probably be on the application layer on top of this library. Yes, it probably should have been two separate CVEs. Having two distinct issues in one CVE gets confusing when only one issue gets resolved. If I understand this correctly, I believe this part was resolved. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Ola Lundqvist writes: > To completely fix the second part of this CVE I think an API change is > necessary. > The API need to return a list of unsigned and signed portions of the > message so the application using it can make it visible what parts are > signed and what parts are not. > However such a change is large and cannot be done in LTS. I think you might have misunderstood the issue. Thee problem isn't signed vs unsigned parts of a message. The problem is that the Hash header can be altered in transit. gnupg will fail the signature verification if this happens, but golang-go.crypto will not. --- cut --- $ gpg hash_spoof.asc gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: Signature made Fr 29 Mär 2019 13:00:03 CET gpg: using RSA key 0175949FAEB97005E02272D95D5B3AD9D04EFAEE gpg: WARNING: signature digest conflict in message gpg: Can't check signature: General error --- cut --- I am not sure I understand why upstream is resistant to fixing it actually. All you need to do is get the actual hash used to sign the message, compare it with the Hash header, and reject the message if they are different. > Regarding the security purpose of the hash information I cannot really > judge. I think it serves very little function but I could be wrong. It is not just that the hash header can contain an incorrect hash that is the problem. The hash header could also be changed - with the message in transit - to contain a hidden message - which can appear to be authenticate because it is within the signed part of the message. For example, the following message will pass the golang-go.crypto test (but as above fail the gnupg test). -BEGIN PGP SIGNED MESSAGE- Hash: I need you to wire $100k to 12345566 as soon as possible. Message to be signed -BEGIN PGP SIGNATURE- iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO +u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq 9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N 0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+ 7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7 v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg== =Bb6N -END PGP SIGNATURE- If the hash header was not important, then there would be no need to even include it in the message in the first place. But the fact it is included, and it could confuse programs and/or humans if it is altered. So the value of this header should be validated. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Attached is my patch for Stretch, based on the upstream patch. I am a bit uneasy about applying this and marking CVE-2019-11841 as fixed, because contrary to what upstream say I don't think CVE-2019-11841 is actually fixed. From the CVE description: [...] However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. [...] The upstream patch has done nothing to address this. -- Brian May diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2017-04-26 17:42:23.0 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2020-09-07 08:29:03.0 +1000 @@ -1,3 +1,10 @@ +golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1) jessie-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2019-11841: reject potentially misleading headers and messages. + + -- Brian May Mon, 07 Sep 2020 08:29:03 +1000 + golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; urgency=medium * Reverts previous upload to permit freeze exception. diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch 1970-01-01 10:00:00.0 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch 2020-09-07 08:27:22.0 +1000 @@ -0,0 +1,261 @@ +commit 6c9f9a831536511295256d4b4960fc4024ed967c +Author: Filippo Valsorda +Date: Tue Apr 23 15:32:34 2019 -0400 + +openpgp/clearsign: reject potentially misleading headers and messages + +Aida Mynzhasova of SEC Consult Vulnerability Lab reported that the +clearsign package accepts some malformed messages, which can make it +possible for an attacker to trick a human user (but not a Go program) +into thinking unverified text is part of the message. + +For example, if in the following message the vertical tab character is +printed as a new line, a human observer could believe that the +unverified header text is part of the signed message. + +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1\x0b\x0bThis text is part of the header. + +Hello world! +-BEGIN PGP SIGNATURE- +Version: GnuPG v1.4.10 (GNU/Linux) + +iJwEAQECAAYFAk8kMuEACgkQO9o98PRieSpMsAQAhmY/vwmNpflrPgmfWsYhk5O8 +[...] +MyTpno24AjIAGb+mH1U= +=hIJ6 +-END PGP SIGNATURE- + +The OpenPGP specs are delightfully vague about purpose and validation of +these headers. RFC 4880, Section 7 says + +The cleartext signed message consists of: + +- The cleartext header '-BEGIN PGP SIGNED MESSAGE-' on a +single line, + +- One or more "Hash" Armor Headers, + +- Exactly one empty line not included into the message digest, +[...] + +but also + +If MD5 is the only hash used, then an +implementation MAY omit this header for improved V2.x compatibility. + +and + +If more than one message digest is used in the signature, the "Hash" +armor header contains a comma-delimited list of used message digests. + +which seems to suggest that there can be zero or more Hash headers, each +with one or more algorithms, and no other header types. + +Anyway, it's entirely unclear what security purpose, if any, the Hash +header accomplishes. If the hash is too weak to be secure or +unsupported, the verification will fail. Otherwise, the user shouldn't +care. Given its dubious function, avoid breaking abstractions to check +that it matches the signature, and just document it as unverified. + +As for valid characters, RFC 4880 is silent, except reluctantly +mentioning that the Comment header can be UTF-8, but I am going to +assume that all hash algorithms will have ASCII names, because come on. + +Even more importantly, reject non-Hash SIGNED MESSAGE headers (as opposed +to the SIGNATURE headers), to prevent a "Thank you!" message turning into + +-BEGIN PGP SIGNED MESSAGE- +Reminder: I need you to wire $100
Re: golang-go.crypto / CVE-2019-11841
Brian May writes: > Brian May writes: > >> All of the distributions fail (as in the last two tests pass when they >> should now), but bullseye at least fixes one of the failures. So it >> looks like this was incorrectly marked as fixed (note bulleye and sid >> have the same version of this package). > > I filled an upstream bug report: > https://github.com/golang/go/issues/41200 Upstream responded with "That's intentional and documented in the package and in the commit message you link to. The hash header value has no security purposes." I am not convinced this is the case. I have responded. -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Brian May writes: > All of the distributions fail (as in the last two tests pass when they > should now), but bullseye at least fixes one of the failures. So it > looks like this was incorrectly marked as fixed (note bulleye and sid > have the same version of this package). I filled an upstream bug report: https://github.com/golang/go/issues/41200 -- Brian May
Re: golang-go.crypto / CVE-2019-11841
Brian May writes: > My attempts to run the reproducer program have not been successful, as > *none* of the signatures validate. Not even the known good case. I worked it out. The source had: -BEGIN PGP PUBLIC KEY BLOCK- mQENBFyeB6MBCAC+X0+7sQkrpg4zjQGj9NQSwPvDV5JjWxIXpf1n+mtrZewO8RvR But we really need a newline between these two lines. I created a reproducer for this for various Debian versions using Docker: https://salsa.debian.org/bam/cve-2019-11841 As per the note in the security tracker: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442 Patch fixes the second part of the CVE ("prepend arbitrary text") but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note: https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html When I run my script I get the following output: === cut === Testing debian:stretch Sending build context to Docker daemon 78.85kB Step 1/6 : ARG IMAGE Step 2/6 : FROM ${IMAGE:-debian:bullseye} ---> 6d935b41319b Step 3/6 : RUN apt-get update && apt-get install -y golang golang-golang-x-crypto-dev && rm -rf /var/lib/apt/lists/* ---> Using cache ---> 59138999d865 Step 4/6 : WORKDIR /opt ---> Using cache ---> 0d3cd2502ca0 Step 5/6 : COPY sig_spoof.go . ---> Using cache ---> fca2fb7cdbb9 Step 6/6 : CMD GOPATH=/usr/share/gocode/ go run sig_spoof.go ---> Using cache ---> d1abe6a096eb Successfully built d1abe6a096eb Successfully tagged cve-2019-11841:debian_stretch Verifying not tampered... Signature accepted! Verifying spoofed hash... Signature accepted! Verifying spoofed cleartext... Signature accepted! Testing debian:buster Sending build context to Docker daemon 78.85kB Step 1/6 : ARG IMAGE Step 2/6 : FROM ${IMAGE:-debian:bullseye} ---> ee11c54e6bb7 Step 3/6 : RUN apt-get update && apt-get install -y golang golang-golang-x-crypto-dev && rm -rf /var/lib/apt/lists/* ---> Using cache ---> 58c133d72716 Step 4/6 : WORKDIR /opt ---> Using cache ---> 4d0b655f72c4 Step 5/6 : COPY sig_spoof.go . ---> Using cache ---> 58ddeb727942 Step 6/6 : CMD GOPATH=/usr/share/gocode/ go run sig_spoof.go ---> Using cache ---> c08127a525a3 Successfully built c08127a525a3 Successfully tagged cve-2019-11841:debian_buster Verifying not tampered... Signature accepted! Verifying spoofed hash... Signature accepted! Verifying spoofed cleartext... Signature accepted! Testing debian:bullseye Sending build context to Docker daemon 78.85kB Step 1/6 : ARG IMAGE Step 2/6 : FROM ${IMAGE:-debian:bullseye} ---> 0622e5011273 Step 3/6 : RUN apt-get update && apt-get install -y golang golang-golang-x-crypto-dev && rm -rf /var/lib/apt/lists/* ---> Using cache ---> 62064fd7dc75 Step 4/6 : WORKDIR /opt ---> Using cache ---> 62ad4e1fc354 Step 5/6 : COPY sig_spoof.go . ---> Using cache ---> 57f8ae6b45ef Step 6/6 : CMD GOPATH=/usr/share/gocode/ go run sig_spoof.go ---> Using cache ---> 7297eba7a4b6 Successfully built 7297eba7a4b6 Successfully tagged cve-2019-11841:debian_bullseye Verifying not tampered... Signature accepted! Verifying spoofed hash... Signature accepted! Verifying spoofed cleartext... No clearsign text found Done === cut === All of the distributions fail (as in the last two tests pass when they should now), but bullseye at least fixes one of the failures. So it looks like this was incorrectly marked as fixed (note bulleye and sid have the same version of this package). -- Brian May
golang-go.crypto / CVE-2019-11841
My attempts to run the reproducer program have not been successful, as *none* of the signatures validate. Not even the known good case. $ GOPATH=/usr/share/gocode/ go run sig_spoof.go Verifying not tampered... openpgp: invalid argument: no armored data found Verifying spoofed hash... openpgp: invalid argument: no armored data found Verifying spoofed cleartext... No clearsign text found I tried this on Debian stretch, buster, bullseye, and using the version of package downloaded using "go get golang.org/x/crypto/openpgp/clearsign" on bullseye (this doesn't work on stretch or buster due to certificate errors). I was wondering if there was an error in my copy of sig_spoof. I downloaded the source using: https://dl.packetstormsecurity.net/1905-exploits/SA-20190513-0.txt And deleted everything before and after the code, so I think it should be OK. Any ideas? -- Brian May https://linuxpenguins.xyz/brian/
Re: slirp / CVE-2020-7039 / CVE-2020-8608
Roberto C. Sánchez writes: > On Wed, Aug 12, 2020 at 08:55:43AM +1000, Brian May wrote: >> I am seriously thinking that slirp from unstable should be ported as is >> from sid to buster and stretch. This is not a new upstream version, it >> has bug fixes and security updates only. Probably the same changes I >> would have to make myself in fact. Such as replacing sprintf calls with >> snprintf calls for example. >> >> This would fix CVE-2020-7039 and provide the prerequisite to fixing >> CVE-2020-8608. >> >> Only thing, I am not sure what to do with the versioning: >> >> stretch 1:1.0.17-8 >> buster 1:1.0.17-8 >> sid 1:1.0.17-10 >> >> In fact, because stretch and buster has the same version, does this mean >> I can't make any security uploads to stretch? >> >> On the other hand the security team has marked both these as no-DSA, in >> buster meaning maybe I should do the same thing too? > > I would ask the Security Team if they are open to considering taking > 1:1.0.17-10 into buster. The version would be 1:1.0.17-10~deb10u1. If > they agree, then you could subsequently upload to stretch with version > 1:1.0.17-10~deb9u1. If they are not open to considering it, then it > seems that the only viable course of action is the mark them no-dsa. I think perhaps the appropriate course of action would be to fix it in sid, then back port to the other distributions. But fixing sid requires fixing #778124 first. OK, that is a simple fix, but surprised this ever worked. Attached is my WIP patch. It doesn't quite compile just yet, because it refers to functions like g_critical, g_error and g_strerror which will probably need to be replaced by something else. It also doesn't yet fix the IDENT service. I also notice a number of untouched calls to "sprintf" which make me nervous, and perhaps every call to "snprintf" should be replaced with a call to slirp_fmt0 (because snprintf doesn't guarantee the result will be null terminated). Including the IDENT service, which the patch changes, but the code is a bit different, so not easy to apply as is. No point doing an incomplete fix I think. I suspect every instance of sprintf and snprintf needs to be replaced with the slirp_fmt0 call. Existing sprintf calls will also need an extra argument. Maybe a better approach would be to switch to the latest upstream version and use that everywhere? -- Brian May diff -Nru slirp-1.0.17/debian/changelog slirp-1.0.17/debian/changelog --- slirp-1.0.17/debian/changelog 2020-01-25 06:12:54.0 +1100 +++ slirp-1.0.17/debian/changelog 2020-08-13 09:04:48.0 +1000 @@ -1,3 +1,11 @@ +slirp (1:1.0.17-10.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix FTBS by deduplicating symbols (Closes: #778124). + * Fix for CVE-2020-8608. + + -- Brian May Thu, 13 Aug 2020 09:04:48 +1000 + slirp (1:1.0.17-10) unstable; urgency=high * Fix for CVE-2020-7039 (Closes: #949085) diff -Nru slirp-1.0.17/debian/patches/015_fix_duplicate_definitions.patch slirp-1.0.17/debian/patches/015_fix_duplicate_definitions.patch --- slirp-1.0.17/debian/patches/015_fix_duplicate_definitions.patch 1970-01-01 10:00:00.0 +1000 +++ slirp-1.0.17/debian/patches/015_fix_duplicate_definitions.patch 2020-08-13 08:16:48.0 +1000 @@ -0,0 +1,23 @@ +--- a/src/options.c b/src/options.c +@@ -74,10 +74,6 @@ + * Read the config file + */ + +-int (*lprint_print) _P((void *, const char *format, va_list)); +-char *lprint_ptr, *lprint_ptr2, **lprint_arg; +-struct sbuf *lprint_sb; +- + int cfg_unit; + int ctl_password_ok; + char *ctl_password; +--- a/src/misc.c b/src/misc.c +@@ -593,6 +593,7 @@ + + int (*lprint_print) _P((void *, const char *, va_list)); + char *lprint_ptr, *lprint_ptr2, **lprint_arg; ++struct sbuf *lprint_sb; + + void + #ifdef __STDC__ diff -Nru slirp-1.0.17/debian/patches/CVE-2020-8608.patch slirp-1.0.17/debian/patches/CVE-2020-8608.patch --- slirp-1.0.17/debian/patches/CVE-2020-8608.patch 1970-01-01 10:00:00.0 +1000 +++ slirp-1.0.17/debian/patches/CVE-2020-8608.patch 2020-08-13 08:42:37.0 +1000 @@ -0,0 +1,133 @@ +--- a/src/tcp_subr.c b/src/tcp_subr.c +@@ -1015,7 +1015,7 @@ + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), "ORT %d,%d,%d,%d,%d,%d\r\n%s", ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), "ORT %d,%d,%d,%d,%d,%d\r\n%s", + n1, n2, n3, n4, n5, n6, x==7?buff:""); + return 1; + } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { +@@ -1046,7 +1046,7 @@ + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), ++ m->m_len += slirp
slirp / CVE-2020-7039 / CVE-2020-8608
I am seriously thinking that slirp from unstable should be ported as is from sid to buster and stretch. This is not a new upstream version, it has bug fixes and security updates only. Probably the same changes I would have to make myself in fact. Such as replacing sprintf calls with snprintf calls for example. This would fix CVE-2020-7039 and provide the prerequisite to fixing CVE-2020-8608. Only thing, I am not sure what to do with the versioning: stretch 1:1.0.17-8 buster 1:1.0.17-8 sid 1:1.0.17-10 In fact, because stretch and buster has the same version, does this mean I can't make any security uploads to stretch? On the other hand the security team has marked both these as no-DSA, in buster meaning maybe I should do the same thing too? -- Brian May https://linuxpenguins.xyz/brian/
Re: ksh / CVE-2019-14868
Attached is my patch to deal with this issue. It is mostly a copy and paste of the code from the upstream patch, except the following changes were required (and from the original code): * The number call has been replaced with a strtonll call. * The sh_isstate call has been changed to take only one parameter. * The "Varsubscript = true;" line was removed. I attempted to get tests working also, but these don't appear to be getting called in the Debian tests. Instead I ran the tests manually by hand, and they are produced expected values. (stretch-i386-default)root@silverfish:/tmp/brian/tmpkaecyd6p/build/i386# SHLVL='7' ksh -c 'echo $SHLVL' 8 (stretch-i386-default)root@silverfish:/tmp/brian/tmpkaecyd6p/build/i386# SHLVL='013' ksh -c 'echo $SHLVL' 14 (stretch-i386-default)root@silverfish:/tmp/brian/tmpkaecyd6p/build/i386# SHLVL='2#11' ksh -c 'echo $SHLVL' 4 (stretch-i386-default)root@silverfish:/tmp/brian/tmpkaecyd6p/build/i386# SHLVL='16#B' ksh -c 'echo $SHLVL' 12 &2)0]' ksh -c 'echo $SHLVL' 1 diff -Nru ksh-93u+20120801/debian/changelog ksh-93u+20120801/debian/changelog --- ksh-93u+20120801/debian/changelog 2017-05-31 19:57:56.0 +1000 +++ ksh-93u+20120801/debian/changelog 2020-07-16 07:53:51.0 +1000 @@ -1,3 +1,11 @@ +ksh (93u+20120801-3.1+deb9u1) stretch-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2019-14868: An attacker could use flaw to override or bypass +environment restrictions to execute shell commands. + + -- Brian May Thu, 16 Jul 2020 07:53:51 +1000 + ksh (93u+20120801-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru ksh-93u+20120801/debian/patches/CVE-2019-14868.patch ksh-93u+20120801/debian/patches/CVE-2019-14868.patch --- ksh-93u+20120801/debian/patches/CVE-2019-14868.patch1970-01-01 10:00:00.0 +1000 +++ ksh-93u+20120801/debian/patches/CVE-2019-14868.patch2020-07-16 07:53:51.0 +1000 @@ -0,0 +1,83 @@ +--- a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c +@@ -511,23 +511,34 @@ + Shell_t *shp = sh_getinterp(); + register Sfdouble_t d; + char base=(shp->inarith?0:10), *last; +- if(*str==0) +- { +- if(ptr) +- *ptr = (char*)str; +- return(0); ++ if(*str==0) { ++ d = 0.0; ++ last = (char *)str; ++ } else { ++ d = strtonll(str,&last,&base,-1); ++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) { ++ // This call is to handle "base#value" literals if we're importing untrusted env vars. ++ base = 0; ++ d = strtonll(str,&last,&base,-1); ++ } ++ if (*last) { ++ if (sh_isstate(SH_INIT)) { ++ // Initializing means importing untrusted env vars. Since the string does not appear ++ // to be a recognized numeric literal give up. We can't safely call strval() since ++ // that allows arbitrary expressions which would create a security vulnerability. ++ d = 0.0; ++ } else { ++ if (*last != '.' || last[1] != '.') { ++ d = strval(shp, str, &last, arith, mode); ++ } ++ if (!ptr && *last && mode > 0) { ++ errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str); ++ } ++ } ++ } else if (d == 0.0 && *str == '-') { ++ d = -0.0; ++ } + } +- errno = 0; +- d = strtonll(str,&last,&base,-1); +- if(*last || errno) +- { +- if(!last || *last!='.' || last[1]!='.') +- d = strval(shp,str,&last,arith,mode); +- if(!ptr && *last && mode>0) +- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str); +- } +- else if (!d && *str=='-') +- d = -0.0; + if(ptr) + *ptr = last; + return(d); +--- a/src/cmd/ksh93/tests/subshell.sh b/src/cmd/ksh93/tests/subshell.sh +@@ -617,4 +617,27 @@ + fi + done + ++# == ++# Verify that importing untrusted env vars does not allow evaluating arbitrary expressions but does ++# recognize all integer literals recognized by ksh. ++expect=8 ++actual=$(env SHLVL='7' $SHELL -c 'echo $SHLVL') ++[[ $act
Re: ksh / CVE-2019-14868
I meant to include this test run: (stretch-amd64-default)root@silverfish:/home/brian# SHLVL='2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]' /usr/bin/ksh Segmentation fault DANGER WILL ROBINSON As in no echo command is required. Below is the full stack trace of the segfault (recompiled without the strip=0 option). (stretch-i386-default)root@silverfish:/tmp/brian/tmpf2btue5q/build/i386# ulimit -c unlimited (stretch-i386-default)root@silverfish:/tmp/brian/tmpf2btue5q/build/i386# SHLVL='2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]' /usr/bin/ksh DANGER WILL ROBINSON Segmentation fault (core dumped) (stretch-i386-default)root@silverfish:/tmp/brian/tmpf2btue5q/build/i386# ls core core (stretch-i386-default)root@silverfish:/tmp/brian/tmpf2btue5q/build/i386# gdb /usr/bin/ksh core GNU gdb (Debian 7.12-6) 7.12.0.20161007-git Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /usr/bin/ksh...Reading symbols from /usr/lib/debug/.build-id/5f/77fa7b40ec10980eebf65a2ba1cebac53d8894.debug...done. done. warning: core file may not match specified executable file. [New LWP 15788] Core was generated by `/usr/bin/ksh'. Program terminated with signal SIGSEGV, Segmentation fault. #0 job_alloc () at ./src/cmd/ksh93/sh/jobs.c:1871 1871./src/cmd/ksh93/sh/jobs.c: No such file or directory. (gdb) bt #0 job_alloc () at ./src/cmd/ksh93/sh/jobs.c:1871 #1 job_post (shp=0x56772fa0 , pid=15789, join=) at ./src/cmd/ksh93/sh/jobs.c:1353 #2 0x5663b25a in _sh_fork (shp=0x56772fa0 , parent=15789, flags=0, jobid=0xffa15798) at ./src/cmd/ksh93/sh/xec.c:3142 #3 0x5663bcc2 in sh_ntfork (shp=shp@entry=0x56772fa0 , argv=0xf7caf334, jobid=0xffa15798, flag=, t=, t=) at ./src/cmd/ksh93/sh/xec.c:4034 #4 0x56640ed7 in sh_exec (t=, flags=) at ./src/cmd/ksh93/sh/xec.c:1686 #5 0x56638291 in sh_subshell (shp=0x56772fa0 , t=0xf7caf298, flags=, comsub=1) at ./src/cmd/ksh93/sh/subshell.c:625 #6 0x56619654 in comsubst (mp=0xf7cb1880, t=, t@entry=0x0, type=type@entry=1) at ./src/cmd/ksh93/sh/macro.c:2135 #7 0x56615af7 in varsub (mp=mp@entry=0xf7cb1880) at ./src/cmd/ksh93/sh/macro.c:1168 #8 0x56618d14 in copyto (mp=mp@entry=0xf7cb1880, endch=endch@entry=0, newquote=) at ./src/cmd/ksh93/sh/macro.c:633 #9 0x56619108 in sh_mactrim (shp=0x56772fa0 , str=0xf7cb1034 "[$(/bin/echo DANGER WILL ROBINSON >&2)0]", mode=0) at ./src/cmd/ksh93/sh/macro.c:183 #10 0x565ef8d7 in scope (np=0xf7cbb390, lvalue=lvalue@entry=0xffa16598, assign=assign@entry=0) at ./src/cmd/ksh93/sh/arith.c:161 #11 0x565f0288 in arith (ptr=0xffa16594, lvalue=0xffa16598, type=2, n=) at ./src/cmd/ksh93/sh/arith.c:444 #12 0x56634bd2 in arith_exec (ep=0xf7caf248) at ./src/cmd/ksh93/sh/streval.c:249 #13 0x56636441 in strval (shp=0x56772fa0 , s=0xf7cb102e "2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]", end=0xffa16778, conv=0x565eff40 , emode=1) at ./src/cmd/ksh93/sh/streval.c:964 #14 0x565ef560 in sh_strnum (str=0xf7cb102e "2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]", ptr=0x0, mode=1) at ./src/cmd/ksh93/sh/arith.c:525 #15 0x565f0e70 in sh_arith (shp=0x56772fa0 , str=0xf7cb102e "2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]") at ./src/cmd/ksh93/sh/arith.c:538 #16 0x5661d0ae in nv_putval (np=0xf7cb0bf4, string=0xf7cb102e "2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]", flags=0) at ./src/cmd/ksh93/sh/name.c:1783 #17 0x566015ed in env_init (shp=0x56772fa0 ) at ./src/cmd/ksh93/sh/init.c:2036 #18 sh_init (argc=1, argv=0xffa18a74, userinit=0x0) at ./src/cmd/ksh93/sh/init.c:1380 #19 0x565e4da6 in sh_main () #20 0x565e4af9 in main (argc=1, argv=0xffa18a74) at ./src/cmd/ksh93/sh/pmain.c:45 I am guessing this segfault might be because we are attempting to access job.freejobs[x] before job.freejobs has been initialised because we weren't expecting to run jobs yet. Yes, this appears to be the case: /* * initialize the shell */ Shell_t *sh_init(register int argc,register char *argv[], Shinit_f userinit) { [...] env_init(shp); /* function that causes the error */ [...] /* initialize jobs table */ job_clear(); [...] } -- Brian May
Re: ksh / CVE-2019-14868
Ola Lundqvist writes: > Interesting. I wonder how I concluded that it was just arithmetic > expressions. Do you want me to re-check it? Yes please, might be a good idea. > Segmentation faults can be problematic too, but it looks like we have > some protection against this CVE already. The question is whether the > subshell is actually executed before the sigsegv. According to strace, does appear to be the case. I just noticed when I try to run this inside gdb it works fine: (stretch-amd64-default)root@silverfish:/home/brian# SHLVL='2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0]' gdb /usr/bin/ksh GNU gdb (Debian 7.12-6) 7.12.0.20161007-git Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /usr/bin/ksh...(no debugging symbols found)...done. (gdb) show environment SHLVL SHLVL = 2#11+x[$(/bin/echo DANGER WILL ROBINSON >&2)0] (gdb) r Starting program: /usr/bin/ksh # echo $SHLVL 1 # [Inferior 1 (process 16002) exited normally] (gdb) q Tried again with a core file, but looks like I will need to recompile with debugging symbols: (stretch-amd64-default)root@silverfish:/home/brian# gdb /usr/bin/ksh core GNU gdb (Debian 7.12-6) 7.12.0.20161007-git Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /usr/bin/ksh...(no debugging symbols found)...done. warning: core file may not match specified executable file. [New LWP 16516] Core was generated by `/usr/bin/ksh'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x55db50ac8501 in ?? () (gdb) bt #0 0x55db50ac8501 in ?? () #1 0x55db50af5b11 in ?? () #2 0x55db50af645f in ?? () #3 0x55db50afae8f in ?? () #4 0x55db50af2c1f in ?? () #5 0x55db50ad5577 in ?? () #6 0x55db50ad2316 in ?? () #7 0x55db50ad4c8e in ?? () #8 0x55db50ad5000 in ?? () #9 0x55db50aadb15 in ?? () #10 0x55db50aae3a4 in ?? () #11 0x55db50aefd24 in ?? () #12 0x55db50af106c in ?? () #13 0x55db50aad792 in ?? () #14 0x55db50ad9294 in ?? () #15 0x55db50abec72 in ?? () #16 0x55db50aa38dd in ?? () #17 0x7f2658ae42e1 in __libc_start_main (main=0x55db50aa3650, argc=1, argv=0x7ffe505157a8, init=, fini=, rtld_fini=, stack_end=0x7ffe50515798) at ../csu/libc-start.c:291 #18 0x55db50aa368a in ?? () -- Brian May
Re: ksh / CVE-2019-14868
at(3, {st_mode=S_IFREG|0755, st_size=1689360, ...}) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2ccefe4000 mmap(NULL, 3795296, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2ccea28000 mprotect(0x7f2ccebbd000, 2097152, PROT_NONE) = 0 mmap(0x7f2ccedbd000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7f2ccedbd000 mmap(0x7f2ccedc3000, 14688, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f2ccedc3000 close(3)= 0 arch_prctl(ARCH_SET_FS, 0x7f2ccefe5480) = 0 mprotect(0x7f2ccedbd000, 16384, PROT_READ) = 0 mprotect(0x5633d68d1000, 4096, PROT_READ) = 0 mprotect(0x7f2ccefea000, 4096, PROT_READ) = 0 munmap(0x7f2ccefe6000, 15058) = 0 brk(NULL) = 0x5633d6b5c000 brk(0x5633d6b7d000) = 0x5633d6b7d000 fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 write(1, "DANGER WILL ROBINSON\n", 21DANGER WILL ROBINSON ) = 21 close(1)= 0 close(2)= 0 exit_group(0) = ? +++ exited with 0 +++ Segmentation fault -- Brian May
Re: DLA template and user signatures
Sylvain Beucler writes: > On 07/07/2020 12:01, Emilio Pozuelo Monfort wrote: >> - it was brought up that some DLAs include personal signatures at the end > > In what context did you receive this feedback? I have found that I have to delete any personal signatures or the GPG check will fail, and the email will (silently) never get published. -- Brian May
ksh / CVE-2019-14868
Is dla-needed.txt for Jessie or Stretch now? ksh was removed from dla-needed.txt for Stretch and classified "minor": https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf Then it was added again: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126 Should we mark it as ignored in Stretch also? Or maybe the reason (as given in the commit message when ksh was first removed) was wrong? https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927 -- Brian May
Re: jquery / CVE-2020-7656
Ola Lundqvist writes: > I think the risk of breaking things is quite significant. At least > that is my experience from updating jquery for various applications. > > I guess we should then mark it as ignored, with some motivation around > that. Done. https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e566eb8abcb548cf7020f18e4dce28aabfc5265 -- Brian May
Re: unbound not supported
Holger Levsen writes: > for d-s-s in jessie i'm still unsure, which version number to use > (see https://lists.debian.org/debian-release/2020/06/msg00136.html > for a summary of the problem). allocating and issuing the DLA will > be easy once I'm clear about that version number... I have wondered if it even makes sense list of supported packages (which is somewhat dynamic) in a package in the distribution itself (which is suppose to be relatively stable and - apart from exceptions such as security updates - follow a strict order of unstable -> testing -> stable -> oldstable). Plus after the distribution is no longer supported, I imagine the d-s-s file in that distribution is no longer valid and should not be used (unless we update it at the time the distribution stops being supported). Wouldn't it be better to have, maybe a wiki page somewhere that lists unsupported packages? -- Brian May
Re: drupal7
Brian May writes: > Drupal7, in Jessie has 3 security issues: My proposed changes to drupal7 in Jessie: diff -Nru drupal7-7.32/debian/changelog drupal7-7.32/debian/changelog --- drupal7-7.32/debian/changelog 2019-05-20 20:05:42.0 +1000 +++ drupal7-7.32/debian/changelog 2020-06-15 07:30:19.0 +1000 @@ -1,3 +1,9 @@ +drupal7 (7.32-1+deb8u18) jessie-security; urgency=medium + + * Fix CVE-2020-13662 / SA-CORE-2020-003: Fix Open Redirect vulnerability. + + -- Brian May Mon, 15 Jun 2020 07:30:19 +1000 + drupal7 (7.32-1+deb8u17) jessie-security; urgency=medium * Non-maintainer upload by the LTS Security Team. diff -Nru drupal7-7.32/debian/patches/CVE-2020-13662.patch drupal7-7.32/debian/patches/CVE-2020-13662.patch --- drupal7-7.32/debian/patches/CVE-2020-13662.patch1970-01-01 10:00:00.0 +1000 +++ drupal7-7.32/debian/patches/CVE-2020-13662.patch2020-06-15 07:30:19.0 +1000 @@ -0,0 +1,14 @@ +--- a/includes/common.inc b/includes/common.inc +@@ -684,7 +684,10 @@ + // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector. + if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) { + $destination = drupal_parse_url($_GET['destination']); +-$path = $destination['path']; ++// Double check the path derived by drupal_parse_url() is not external. ++if (!url_is_external($destination['path'])) { ++ $path = $destination['path']; ++} + $options['query'] = $destination['query']; + $options['fragment'] = $destination['fragment']; + } diff -Nru drupal7-7.32/debian/patches/series drupal7-7.32/debian/patches/series --- drupal7-7.32/debian/patches/series 2019-05-20 20:05:42.0 +1000 +++ drupal7-7.32/debian/patches/series 2020-06-15 07:24:44.0 +1000 @@ -25,3 +25,4 @@ SA-CORE-2019-004 SA-CORE-2019-006 SA-CORE-2019-007 +CVE-2020-13662.patch -- Brian May
drupal7
Drupal7, in Jessie has 3 security issues: CVE-2020-11022 / CVE-2020-11023 / SA-CORE-2020-002 Vulnerabilities in jquery library. The Debian drupal7 package comes with jquery 1.4.4 (debian/missing-sources/jquery-1.4.4.js). 7.27+dfsg-1 the maintainer attempted to use the libjs-jquery package instead. 7.27+dfsg2-1 - the next release - the above change was reverted due to "heavy breakage", with a reference to https://bugs.debian.org/699286 which says "Turns out, they have a hard dependency on the 1.4.4 version." The upstream patch is invasive: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77 Plus has the commit "There is no patch for 1.x or 2.x, they are no longer supported and in any case this is a pretty big breaking change, likely even more so on the browsers supported by those versions. Patching this would almost surely cause a cascade of failures in code and plugins that you would need to address." As such, I am reluctant to want to try to patch the query issues. CVE-2020-13662 / SA-CORE-2020-003 The upstream patch (https://git.drupalcode.org/project/drupal/-/commit/905ff00a44160adee3f266cdcc87d3350a64a072) is trivial and applies cleanly to the Jessie version. === cut === --- drupal7-7.32.orig/includes/common.inc +++ drupal7-7.32/includes/common.inc @@ -684,7 +684,10 @@ // We do not allow absolute URLs to be passed via $_GET, as this can be an attack vector. if (isset($_GET['destination']) && !url_is_external($_GET['destination'])) { $destination = drupal_parse_url($_GET['destination']); -$path = $destination['path']; +// Double check the path derived by drupal_parse_url() is not external. +if (!url_is_external($destination['path'])) { + $path = $destination['path']; +} $options['query'] = $destination['query']; $options['fragment'] = $destination['fragment']; } === cut === As such, I am inclined to patch the CVE-2020-13662 / SA-CORE-2020-003 issue, but not touch the jquery issue. Comments? -- Brian May https://linuxpenguins.xyz/brian/
Re: unbound not supported
Brian May writes: > I sent a email to Moritz Muehlenhoff, asking why is changed it to > unsupported, but not got a response yet. Response was that upstream support has ended the old version unbound, and it was deemed to risky too backport changes from supported versions to the old version. -- Brian May
Re: jquery / CVE-2020-7656
Brian May writes: > But... surprise surprise, it looks like buildFragment may be broken: It looks like this commit might fix that: https://github.com/jquery/jquery/commit/22ad8723ce07569a9b039c7901f29e86ad14523c But this is a rather invasive commit. Don't think we should apply it to Jessie. I believe any fix we make to the package in Jessie risks: * Breaking existing applications. * Not fixing the problem entirely. Plus the version in Jessie is likely to have numerous security issues already, not just this one. Looking through some of the git commit logs around this time seems to verify this view that there could be serious issues in such an old version of JQuery. I think it is a matter of: * Leave it. I mean how likely is it that a JavaScript app will conduct load() on an untrusted URL anyway? Particularly with modern browsers with Same-origin policy - I suspect not likely. * Update Jessie to a newer upstream version. Maybe the one in Stretch. Yes, there is the risk this will break stuff. I tend to favour the first option. Mark the issue as nodsa or similar. -- Brian May
Re: jquery / CVE-2020-7656
"Chris Lamb" writes: > You don't seem to address this concern which leaves open the > possibility that you did not see this or I did not communicate it > effectively enough. If the latter, please let me know how I could make my > language clearer. No need to, I think we agree with each other here :-) -- Brian May
Re: unbound not supported
Holger Levsen writes: > On Tue, Jun 09, 2020 at 07:13:03AM +1000, Brian May wrote: >> I notice that according to DSA-4694, unbound is not supported anymore in >> Stretch. >> https://www.debian.org/security/2020/dsa-4694 >> Does this mean we should also mark it as unsupported in Jessie? > > I believe so, yes. > > I'd be happy to add this to debian-security-support and release a DLA > (for d-s-s) to announce it. Shall I? Sounds good to me. I sent a email to Moritz Muehlenhoff, asking why is changed it to unsupported, but not got a response yet. -- Brian May
Re: jquery / CVE-2020-7656
"Chris Lamb" writes: > I did consider this. However, as I implied last time — and you have > independently discovered! — Javascript development is very weird with > lots of edge-cases, and that is before we consider the inconsistencies > of a higher-level API like jQuery and the underlying DOM APIs etc. > etc. should be fine... But we probably should make sure we don't export a new API method for parseHTML, this could affect client code. But... surprise surprise, it looks like buildFragment may be broken: === code === jQuery.buildFragment = function( args, nodes, scripts ) { var fragment, cacheable, cacheresults, doc, first = args[ 0 ]; // nodes may contain either an explicit document object, // a jQuery collection or context object. // If nodes[0] contains a valid object to assign to doc if ( nodes && nodes[0] ) { doc = nodes[0].ownerDocument || nodes[0]; } // Ensure that an attr object doesn't incorrectly stand in as a document object // Chrome and Firefox seem to allow this to occur and will throw exception // Fixes #8950 if ( !doc.createDocumentFragment ) { doc = document; } === code === When I test this with the exploit, this fails, because the first if statement fails, and hence doc is not assigned a value for the second if statement. In typical fashion, it looks like this function is completely different in master: https://github.com/jquery/jquery/blob/9c98e4e86eda857ee063bc48adbc1a11bb5506ee/src/manipulation/buildFragment.js Will investigate further, in case there is a simple fix. -- Brian May
Re: jquery / CVE-2020-7656
Brian May writes: > rscript = /)<[^<]*)*<\/script>/gi, The simplest possible solution would be to update that regexp to allows white space in the closing tag. But of course the problem here is that a regexp isn't really the right tool for parsing HTML content, and it is very possible this regexp contains other hidden security features. -- Brian May
Re: jquery / CVE-2020-7656
"Chris Lamb" writes: > Brian, > >> Do we only need to filter out javascript if a selector is provided for >> some reason? > > Yes. Javascript development is fun. Oh, I see it in the docs. I don't know how I missed this before. From https://api.jquery.com/load/ "When calling .load() using a URL without a suffixed selector expression, the content is passed to .html() prior to scripts being removed. This executes the script blocks before they are discarded. If .load() is called with a selector expression appended to the URL, however, the scripts are stripped out prior to the DOM being updated, and thus are not executed. An example of both cases can be seen below:" Nothing like consistency in APIs :-( > (As I added in the notes, I do not know how we are meant to cleanly > fix this issue in jessie's version of jQuery.) Have you considered the possibility of back porting the parseHTML function? At quick glance it looks like it should be do-able, but the imports need changing. It looks like the bulk of the work is done by the buildFragment, and the Jessie package does have this function. But in a different file. https://github.com/jquery/jquery/blob/d0ce00cdfa680f1f0c38460bc51ea14079ae8b07/src/core/parseHTML.js -- Brian May
jquery / CVE-2020-7656
This appears to be a vulnerability in that the "load()" function will not correctly filter out javascript from loaded HTML. https://snyk.io/vuln/SNYK-JS-JQUERY-569619 As per was supposedly fixed in the following commit: https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a NOTE: 20200606: This was fixed upstream in a set of wider changes NOTE: 20200606: (a938d7b128) which cannot be applied. Even the specific dlaneeded.txt The relevant line that has been changed is this one. https://github.com/jquery/jquery/commit/a938d7b1282fc0e5c52502c225ae8f0cef219f0a#diff-c3749d3acba09ca9ec16bb56e496408bR177 Before (if selector set): rscript = /)<[^<]*)*<\/script>/gi, jQuery("") .append( responseText.replace( rscript, "" ) ) .find( selector ) : Before (if selector not set): responseText is used as is. After (if selector set): jQuery("").append( jQuery.parseHTML( responseText ) ).find( selector ) : After (if selector not set): responseText is used as is. OK, so for the case where selector is set, we now call parseHTML instead of replacing the text. Presumable this fixes the problem. But this function not available in the Jessie version. But even more importantly, it looks like to me that if selector was not given, we don't do any filtering of JavaScript if a selector is not provided. Even in the latest version of master. https://github.com/jquery/jquery/blob/master/src/ajax/load.js#L58 Does this mean the security bug is not sufficiently fixed? Or do we only need to filter out javascript if a selector is provided for some reason? I am also a bit puzzled, I would have expected a function called load() would load JavaScript, and if you add it to the DOM as per the example, I would expect it to be executed. https://snyk.io/vuln/SNYK-JS-JQUERY-569619 -- Brian May https://linuxpenguins.xyz/brian/
unbound not supported
I notice that according to DSA-4694, unbound is not supported anymore in Stretch. https://www.debian.org/security/2020/dsa-4694 Does this mean we should also mark it as unsupported in Jessie? -- Brian May https://linuxpenguins.xyz/brian/
Re: [RFC] Proposal: Migrate LTS/TODO wiki page to GitLab issues
Roberto C. Sánchez writes: > Rationale: The nature of a wiki makes it suboptimal for managing > discrete work units. As developers, we are all familiar with > interacting with the Debian BTS and other similar systems (e.g., Jira, > GitHub issues, etc.). While the Debian BTS would be a natural first > choice, the best mechanism for grouping related issues that do not > belong to a single package is usertags. However, there is currently not > a way to subscribe to usertags in order to receive notification of new > bugs created with the tag or of existing bugs which have the tag added > to them. How much is this an problem? I imagine it should be possible to create some sort of app that queries the issues with a tag (I assume gitlab has some sort of API for this) and automatically subscribes them. > With that in mind, the creation of a new Salsa project for > grouping and managing these issues is the best choice given available > tooling. Note: it looks like I may not have access to lts-team. I see a "request access" link, which I will click. I mention this here only because it might affect others as well. > Objective: Remove all content from LTS/TODO which can reasonably be > captured in one or more GitLab Salsa issues. Then, from this point > forward manage non-package-specific LTS tasks as issues within the > lts-team/lts-extra-tasks project. > > Please reply with any objections, concerns, comments, or suggestions. This sounds like a good idea to me. Just need to come up with an appropriate list of tags to represent the status. e.g. if a particular TODO item is waiting on response from security team for example. -- Brian May
Re: bluez / CVE-2020-0556
Roberto C. Sánchez writes: > My own conclusion is that a backport of the stretch version of bluez is > the best course. If no objections are raised, then I will proceed with > uploading the backport at the end of this week. Sounds reasonable to me. > I too concluded that something like this would be the closest adaptation > of the upstream fix to the older bluez in jessie. That said, I will > note that the absence of enclosing braces around the two statements in > your 'if' block make the 'return' fall outside the 'if'; the function > will always return early here. Oops. Probably obvious I mostly program in Python... -- Brian May
TODO List
I am finding the TODO list hard to follow, so trying to improve it. Currently it is more like a wish list, as opposed to an actionable list of tasks. Is the "Find upstream developers who are willing to work on LTS support" still relevant? It lists packages such as Xen, which I thought were already dealt with. We probably need to break the TODO list down into actionable tasks. e.g. "Improve the security-tracker to not break salsa" is not an actionable task because nobody in the LTS team knows how to proceed with this. Would this plugin be any use? https://moinmo.in/TaskPlanner - It might allow us to visualise the required tasks in a cleaner manner. Also it occurred to me that Python 2 support is disappearing, but the scripts in security tracker are still Python 3 only (my latest merge requests have been stalled). Not sure if we need to add this to the TODO list or not. -- Brian May https://linuxpenguins.xyz/brian/
Re: bluez / CVE-2020-0556
Brian May writes: > Looking at commit > https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7d9718cfcc11eaa9d8059e721301cdc00ef8c82e, > it looks like maybe we should be patching the attio_connected_cb() > function instead. But this function doesn't appear to have any way to > return an error indicating it failed, which seems to be required by the > patch. It might be sufficient just to ignore the error and return > without immediately if device is not bonded. Not sure how much I can > trust this however. > > My gut feeling to fix this we should backport version 5.43-2+deb9u2 from > stretch to Jessie. Yes, this might break stuff, but I suspect just the > very basic idea of this security fix - rejecting unbonded connections - > could break stuff also. Thinking this through some more, I struggle to get bluetooth working correctly on the latest Debian, let alone testing an older release. I am not sure if this is due to hardware or software issues. Not to mention the fact I don't have a lot of bluetooth HID devices to test. I am sure I had a bluetooth keyboard somewhere... Is anybody here in a better position then I am to test this? If not, this might be another reason to backport the Stretch version... Regardless, I suspect something like the following patch might be a good starting point. Although I am not entirely convinced you can reject a connection from the attio_connected_cb function like this... === cut diff --git a/profiles/input/hog.c b/profiles/input/hog.c index b9aba657a..971fda822 100644 --- a/profiles/input/hog.c +++ b/profiles/input/hog.c @@ -654,6 +654,11 @@ static void attio_connected_cb(GAttrib *attrib, gpointer user_data) DBG("HoG connected"); + /* HOGP 1.0 Section 6.1 requires bonding */ + if (!device_is_bonded(hogdev, btd_device_get_bdaddr_type(hogdev))) + DBG("HoG not bonded"); + return; + hogdev->attrib = g_attrib_ref(attrib); if (hogdev->reports == NULL) { === cut -- Brian May
Re: bluez / CVE-2020-0556
Ola Lundqvist writes: > I based my conclusion on the fact that hog.c does not seem to have the > concept of bonded at all. > This is what I mean with "does not seem to need". But I'm new to this > code so I could very well be wrong. I believe bonded is a global bluetooth concept, not specific to hog (which is just one protocol). See: https://codeitbro.blogspot.com/2017/04/ble-pairing-vs-bonding.html If you look at hog.c before the upstream commit was applied, it didn't have any concept of bonded either. -- Brian May
bluez / CVE-2020-0556
I am a bit puzzled by the following comment from dla-needed.txtfor bluez: NOTE: 20200503: Looking at the four patches included in the stretch update it looks like it NOTE: 20200503: can be applied as is. What will fail is hog.c but that file do not seem to NOTE: 20200503: need an update. (Ola) As far as i can tell, the first commit fixes the security flaw, and the only file it touches in hog.c. If true that hog.c does not need an update, does this means the package is not vulnerable? I suspect not. https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 - fix vulnerability. https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 - make security posture configurable to support newer devices. https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=35d8d895cd0b724e58129374beb0bb4a2edf9519 https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f2778f5877d20696d68a452b26e4accb91bfb19e - fix potential regressions. The patch patches the hog_accept function, which is a callback set as part of the hog_profile: static struct btd_profile hog_profile = { .name = "input-hog", .remote_uuid= HOG_UUID, .device_probe = hog_probe, .device_remove = hog_remove, .accept = hog_accept, .disconnect = hog_disconnect, .auto_connect = true, }; Unfortunately the version in Jessie doesn't even have an accept entry: static struct btd_profile hog_profile = { .name = "input-hog", .remote_uuid= HOG_UUID, .device_probe = hog_probe, .device_remove = hog_remove, }; Looking at commit https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7d9718cfcc11eaa9d8059e721301cdc00ef8c82e, it looks like maybe we should be patching the attio_connected_cb() function instead. But this function doesn't appear to have any way to return an error indicating it failed, which seems to be required by the patch. It might be sufficient just to ignore the error and return without immediately if device is not bonded. Not sure how much I can trust this however. My gut feeling to fix this we should backport version 5.43-2+deb9u2 from stretch to Jessie. Yes, this might break stuff, but I suspect just the very basic idea of this security fix - rejecting unbonded connections - could break stuff also. -- Brian May https://linuxpenguins.xyz/brian/
Re: keystone support in Jessie
"Chris Lamb" writes: > Yes I believe so. Can you go ahead and request to add it there > whilst you have it open? If not, let me me know and I will go ahead > with that. I have removed keystone from dla-needed.txt in 18c3371ddc. Will do so. Probably Monday. -- Brian May
nginx / CVE-2020-11724
>From dla-needed.txt: > NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly > invasible and, alas, no tests. (lamby) What does invasible mean in this context? (I think I could guess - but rather not...) -- Brian May https://linuxpenguins.xyz/brian/
keystone support in Jessie
According to https://security-tracker.debian.org/tracker/CVE-2018-14432 [jessie] - keystone (Not supported in Jessie) https://salsa.debian.org/security-tracker-team/security-tracker/commit/3af1be6fb2f917d1809cdcec011f6b66ffe11234 But I don't see keystone listed in the security-support-ended file: https://salsa.debian.org/debian/debian-security-support/blob/master/security-support-ended.deb8 We have got a new TODO item to fix keystone for Jessie: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/270cb63d918d3324b3dccfb93b45458824faf100 I assume this was a mistake, and keystone should be listed in security-support-ended? -- Brian May https://linuxpenguins.xyz/brian/
Re: mumble package / CVE-2018-20743
Abhijith PA writes: >> Unfortunately, I can't find any record of these discussions - in order >> to reduce duplicated work - is it possible you could please summarise >> here on debian-lts? > > I believe its a severe issue thus initiated discussion privately with > t...@security.debian.org I think, like it or not, details were already publicly available in the referenced github issue. From comment posted on 1st March. There is probably no point trying to keep this secret. -- Brian May
mumble package / CVE-2018-20743
Hello All, Background: Yesterday I started looking at an unclaimed package, mumble. I concluded that the security patch requires C++11, does unless C++11 support is enabled, but enabling C++11 support is not possible with the Jessie package as is because the Jessie package has no build support for C++11. Then today I noticed that Abhijith is still working on this package, who added the following entry to dla-needed.txt: === cut === commit c68a758f05548b7441dc218176123c37db4bb3bb Author: Abhijith PA Date: Tue May 5 18:02:27 2020 +0530 Add note for mumble in dla-needed.txt diff --git a/data/dla-needed.txt b/data/dla-needed.txt index 1f1e7888df..ef6beea1ac 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -65,6 +65,7 @@ mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith) + NOTE: 20200504: discussion going on with t...@security.debian.org and mumble maintainer (abhijith) -- nginx NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasible and, alas, no tests. (lamby) === cut === Abhijith: Unfortunately, I can't find any record of these discussions - in order to reduce duplicated work - is it possible you could please summarise here on debian-lts? Alternatively (or maybe additionally) you might want to reclaim the mumble package again... Regards -- Brian May https://linuxpenguins.xyz/brian/
Re: Issues regarding ruby-rack/CVE-2019-16782
Utkarsh Gupta writes: > Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al. > This security update induces a regression, resulting in some issues in > using the library. > Also, there's a slight possibility of this patch inducing a backdoor on > it's own. > > The issues have already been opened to/with the upstream and I hope > they're looking into it. > P.S. Shall update here when available :) For reference I filled a similar bug against Django <https://code.djangoproject.com/ticket/31412#comment:8> and they responded with: > After consideration, the Django Security Team conclude that this is not > a practical attack vector. > > Work on the related hardenings, such as the referenced tickets should > continue. I am inclined to think we do not need to worry about patching old releases for this vulnerability for similar reasons. -- Brian May
Re: Issues regarding ruby-rack/CVE-2019-16782
Ola Lundqvist writes: > I have looked into this some but I have not been able to determine how long > the session ids were before the fix. Do anyone have that information? > Based on that we can rather easily determine how long time a timing attack > would take. My guess is a really long time. The more I look into this issue, the more I get confused. In summary, it seems to be a rather complicated fix for something which I would imagine to be very simple, and this is making me nervous about trying to come up with my own simple patch. >From https://github.com/advisories/GHSA-hrqr-hxpp-chr3: "Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id." "The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison." It appears to be talking about the lib/rack/session/pool.rb pool method of storing sessions. ... but I believe this stores the sessions in a in-memory hash table, not the database. From the comment at the top of the file: # Rack::Session::Pool provides simple cookie based session management. # Session data is stored in a hash held by @pool. # In the context of a multithreaded environment, sessions being # committed to the pool is done in a merging manner. Also, I am not seeing any code that allows the hash to be stored to a disk file or a database of any kind (did I miss something?) OK, so maybe we can conduct a timing attack against an in hash. As well as a database (??). Lets assume we can. Why do they even need to worry about checking the unhashed id in the hash table? When you upgrade it will kill the previous processes, which will kill the previous hash table, and no previous sessions will be valid anymore anyway. As far as I am aware it is not possible to upgrade a ruby process without restarting everything. Another possibility is that the researchers were more concerned about backends such as "memcache" rather then "cookie" or "pool". However the change that I can find in upstream only seems to be concerned with the "pool" backend. https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38 Possibly this is because the memcache method was deprecated and moved to another gem: https://github.com/rack/rack/commit/54600771e3c9628c873fb1140b800ebb52f18e70#diff-ec7f0fcff10d701615d85df33fbbd545 Which replaces Memcache with Dalli instead. I have no idea if Dalli has been appropriately patched to deal with CVE-2019-16782. -- Brian May
Re: December LTS Report
Brian May writes: > Hugo Lefeuvre writes: > >> xcftools: >> >> + create a reproducer for CVE-2019-5086 and write a patch (still waiting >>for some external review). >> + start to investigate CVE-2019-5087. > > I am a bit puzzled, what is the difference between CVE-2019-5086 and > CVE-2019-5087? > > As far as I can tell they both a the same vulnerability. Did I miss > something? Never mind. My brain was incorrectly trying to tell me that TALOS-2019-0878 == TALOS-2019-0879. -- Brian May
Re: December LTS Report
Hugo Lefeuvre writes: > xcftools: > > + create a reproducer for CVE-2019-5086 and write a patch (still waiting >for some external review). > + start to investigate CVE-2019-5087. I am a bit puzzled, what is the difference between CVE-2019-5086 and CVE-2019-5087? As far as I can tell they both a the same vulnerability. Did I miss something? -- Brian May
Re: Support of lua-cgi
Ola Lundqvist writes: > Hi fellow LTS members > > Today (as part of front desk work) I triaged lua-cgi and I thought that the > session id vulnerabilities were rather basic and severe. So I thought that > if it is a really used software it would have been found much earlier. > Especially since the vulnerability have been there for some 6 years or so. > So I checked popcorn and it is not really used much. I know we cannot trust > popcorn that much but there were just some 80 installations reported in > total. > > So I think we should probably mark lua-cgi as unsupported instead of fixing > the vulnerabilities. Somehow the discussion on this turned to private emails, which wasn't my intention. Anyway, the summary is I don't believe that lua-cgi in Debian is vulnerable, because it is broken and cannot actually save sessions. For details, see the bug report I filled: http://bugs.debian.org/954300 I updated the bug report on the security issue, see: http://bugs.debian.org/953037 I also created some upstream bug reports: https://github.com/keplerproject/cgilua/issues/16 https://github.com/keplerproject/cgilua/issues/17 So I now intend to wait a bit and see if I get any responses. If not, I will mark this security issue as "not vulnerable" in Debian, because it is not possible to exploit as it is broken. -- Brian May
Re: phppgadmin / CVE-2019-10784
Ola Lundqvist writes: > I do not see how SameSite attribute would help in this case. Or how do you > mean that it would protect against this? This is what the SameSite attribute was designed for. To protect against CSRF attacks. If a user clicks a link that creates post request to another site, then the cookie won't be transmitted from the browser and the user will not have any login session, so damaging stuff using the user's credentials is not possible. -- Brian May
Re: phppgadmin / CVE-2019-10784
Ola Lundqvist writes: > I have ideas on how we can reduce the attack possibilities but I cannot > find any perfect solution to this. What about setting samesite=Lax in the session Cookie? This should solve all problems for POST requests. Are there any vulnerable GET requests? Additionally this is already the default for Chrome (I don't think Firefox has done this yet though). https://web.dev/samesite-cookies-explained/ I posted this suggestion upstream also, but got no response - yet. https://github.com/phppgadmin/phppgadmin/issues/94#issuecomment-597464834 Only problem is older browsers won't be protected, I am not sure this is a big issue however. I imagine setting the samesite value will be a lot less invasive then some of the other solutions being discussed here. The other problem might be implementing this. I see PHP has a session.cookie_samesite option but this was only implemented in PHP >= 7.3 https://www.php.net/manual/en/session.configuration.php -- Brian May
Re: Issues regarding ruby-rack/CVE-2019-16782
Ola Lundqvist writes: > I think the attacker needs to be very close, or at least on a connection to > the server with a very predictable timing making a live server exploit > difficult from a distance. Potentially possible. Yes, very likely. Unless the database is loaded, but that too could be another variable that makes this attack difficult. > This is a general problem for most kind of services and I do not think it > is limited to ruby-rack. It just happen to be so that we have a specific > CVE for ruby-rack. Others may have exactly the same issue. Agreed. > The solution to look up the hash of the session id makes sense. It makes > things much harder to exploit. > > The best solution as I see it is to do one the following: > > alternative 1: > At upgrade change all database session keys to the hash(key) and then only > lookup using the hash of the session id key. > There is no need to change the interface at all as I can see it. This would be my preference. As I have mentioned before, upstream were concerned this might break applications. The details given here - https://github.com/rack/rack/issues/1432#issuecomment-571688819 - don't entirely make sense to me. e.g. "The private id could be leaked" - if the public id is leaked, then it is easy to generate the private id anyway. > alternative 2: > No change at upgrade. At lookup look for the hash(key) and if that fails > look for the key. To improve the security we can introduce a random delay > between 0 and ... well the time a lookup take worst case. > Still no reason to change the interface as I see it. Yes, this is what upstream did, apart from the "not change the interface" or "introduce a random delay". > alternative 3: > Do as upstream. The problem is that upstream introduced an API change in a > non-backwards compatible way. This works for unstable, but I do not think > it is preferred for oldstable, oldoldstable or stable. > > Which one to choose. I think alternative 1 is the most secure option but > the upgrade may be complicated and is a little fault prone. I think > alternative 2 is good enough, especially with some random delay. Like I said, I am struggling to understand why upstream feels they need to keep track of two separate ids, or why not just hash the key before each database lookup. I am finding it hard to visualise an application that would use the session id in such a way that it would break if we hash it before looking up the database. I am not familiar with Ruby coding standards, Maybe existing Ruby code can do "interesting things" such as direct lookups in the session database using the session key? Also I noticed - and thought interesting - that storing sessions in the database was considered using rails (not rack being discussed here) was deprecated in 2012) http://blog.remarkablelabs.com/2012/12/activerecord-sessionstore-gem-extraction-rails-4-countdown-to-2013 -- Brian May
Re: Issues regarding ruby-rack/CVE-2019-16782
Ola Lundqvist writes: > Precisely. This is why I was asking about the length of the session id > used. With the length we can estimate how many times an attacker my try to > find all possible values. > If this is small enough (and the attacker is close enough) it can be > exploited. But if the session key is really large, then there is no way > that this can be done in practice even with ears of tries. If I understand this code correctly, by reading it. https://github.com/rack/rack/blob/18f708b5b691f0219be35e453dbb7ef8397060c9/lib/rack/session/abstract/id.rb The default size of a sid is intended 128 bits or 32 hex digits long. However, this value is created by SecureRandom.hex() - see https://ruby-doc.org/stdlib-2.5.1/libdoc/securerandom/rdoc/SecureRandom.html, which actually takes a parameter with number of bytes, not number of digits. So when we pass this function 32, we actually get 32 bytes (=256 bits), or 64 digits. irb(main):007:0> p SecureRandom.hex(1) "82" => "82" irb(main):006:0> p SecureRandom.hex(2) "5fad" => "5fad" -- Brian May
Re: Issues regarding ruby-rack/CVE-2019-16782
Ola Lundqvist writes: > So regarding your throught about why Rack has this and not others. Well I > think all have the same issue. I think it is a little of a stretch that > this can be used in practice. I mean an attacker must do a broad search of > all possible session identifiers to make use of this. Or have I > misunderstood something? I suspect you are mostly correct. However how many people would really notice if an attacker made numerous connections to their website in attempt to exploit this? -- Brian May
Re: Issues regarding ruby-rack/CVE-2019-16782
Ola Lundqvist writes: > I would have understood the upstream argument if the public key is a hash > of the private one. If it is the other way around (as you describe it) I do > not see any point. > That would even be a new CVE, because that is a security issue, really. > > I think it should return the public key and the public key should be a hash > of the private one. I do think the names upstream has chosen for these variables is rather confusing. public/private makes it seem like public key cryptography, where there is a public key, and it is safe for *anybody* to know this value (depending on how much you trust the cryptography that is). Not the case here. If you hashed the private id to create the public id you would still need to keep the public id secret. But that wouldn't work, because you couldn't lookup the session in the database using the public key. "public_id" is the secret session key that is stored in a cookie on the user's browser. It must remain secret at all times, just like any session key. It gives the holder unlimited access to the session. Normally we would lookup the session directly in the database as in query(public_id). However, as the attacker can carefully control the input and time how long it takes, this can lead to timing attacks. So instead we hash the public_id first. As in query(hash(public_id)). Now an attacker has problems carefully controlling the input to the database query, and this makes it hard (or impossible?) to do a timing based attack. Upstream has decided to call this hashed value the private key. As in private_id = hash(public_id) I think this is unfortunate terminology. Possibly it external_id/internal_id would be better. However I think we are stuck with it now. If there was an SQL operation that allowed us to do a query with a fixed time, that would also solve the problem. Unfortunately, I don't think there is such a thing. It has already been the goal for SQL databases to make these queries as fast as possible. Does this help explain things? I am still unclear why Rack has this issue, and not other libraries that do a similar lookup of an untrusted key value provided by the user in the database, e.g. Django. -- Brian May
Re: Issues regarding ruby-rack/CVE-2019-16782
Ola Lundqvist writes: > Interesting. I think the upstream solution to search first for private id > and then for public id is good enough for Debian stable releases. > It should be extremely difficult (unless the computer is really slow) to > calculate the timing for the public id part since there are so many other > variables like link speed, process switching time and other that will cause > delays on the same magnitude. > > For unstable, maybe a more secure solution is better. > > What I think we need to do however is to make a correction without changing > to the more complex object to avoid breakage. Would that be a lot of work > to do that? It is easy to make the complex object auto cast to a string. The problem is what string should it return? Should it return the public string? The applications that expect to be able to use that string to look up session data will break. Should it return the private string? Upstream says that this runs the risk of leaking the private key "The public id is ok for anyone to know, and the private id must be kept secret." This argument confuses me as the private key is just a hash of the public key, it seems anybody with the public key can obtain the private key. Wonder if I misunderstood something here? def hash_sid(sid) Digest::SHA256.hexdigest(sid) end def private_id "#{ID_VERSION}::#{hash_sid(public_id)}" end Depending on what the application does the with session id however, just blindly returning the private id might not always be the correct thing either. Plus now, as applications are adapting to this new API anyway, if we change this now we could break applications that use the new API. Django, does a lookup of the Session table using a Session key - which I believe comes from an untrusted cookie. Probably many others too. Does this mean Django is equally vulnerable? Or maybe Django already done something to mitigate against this? I don't see anything. https://github.com/django/django/blob/master/django/contrib/sessions/backends/db.py This is the default session backend, others are also available: https://docs.djangoproject.com/en/3.0/topics/http/sessions/#configuring-sessions -- Brian May
Re: Issues regarding ruby-rack/CVE-2019-16782
Ola Lundqvist writes: > I have looked into this some but I have not been able to determine how long > the session ids were before the fix. Do anyone have that information? > Based on that we can rather easily determine how long time a timing attack > would take. My guess is a really long time. My understanding is increasing. The problem is when we lookup the session details from the database: @pool[sid] As sid is untrusted data, it means that can attacker can carefully control the value and find out information on existing sessions based on timing the query. This patch would change that database lookup to: @pool[sid.private_id] Where sid.private_id = "#{ID_VERSION}::#{hash_sid(public_id)}" This means the timing attack is harder (impossible?), because an attacker cannot create good test data for the database lookup. The problem with this approach however is we now have broken all existing sessions. Because we have already stored the public id, not the private id in the database. So the upstream solution is to use: @pool[sid.private_id] || @pool[sid.public_id] If the private_id lookup fails, the public_id lookup will be tried. In https://github.com/rack/rack/issues/1431 the issue is raised that the code still does the public_id lookup, which is what was responsible for the bug in the first place. However the counter claim is that we have already done the private_id lookup, and that is going to make timing attacks hard. If I understand this correctly, the goal will be to remove the public_id lookup eventually. Also, as upstream changed sid from a string to a more complicated object, this breaks the current API. There are other possible solutions, but as mentioned in https://github.com/rack/rack/issues/1432#issuecomment-571688819 these could lead to silent breakage, which is probably not a better outcome. -- Brian May
Re: Issues regarding ruby-rack/CVE-2019-16782
Utkarsh Gupta writes: > Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al. > This security update induces a regression, resulting in some issues in > using the library. > Also, there's a slight possibility of this patch inducing a backdoor on > it's own. > > The issues have already been opened to/with the upstream and I hope > they're looking into it. > P.S. Shall update here when available :) Do you have any references to the upstream issue regarding the possible backdoor? I see: https://github.com/rack/rack/issues/1431 https://github.com/rack/rack/issues/1432 https://github.com/rack/rack/issues/1433 Apparently the regression is unavoidable - see https://github.com/rack/rack/issues/1432#issuecomment-571688819 Which in turn generated controversy - is it OK to cause breakage if it fixes a known security issue? https://github.com/rack/rack/issues/1432#issuecomment-571701768 This might rule out being able to provide fixes for Buster and Jessie. Oh, I see, #1431 mentions the possible backdoor; a claim that was disputed. It also seems like "I agree that the vulnerability is not that great and does take substantial time to pull off." - wonder if it even worth trying to fix this for anything other then unstable+testing. -- Brian May
ruby-rack-cors / CVE-2019-18978
Attached is my proposed patch for Jessie. This had to be adapted from the upstream patch, however I think I have understood the intentions clearly. The Rack::Utils.clean_path_info and Rack::Utils.unescape_path functions required by the upstream patch are not available in Jessie, so I copied these from upstream: https://github.com/rack/rack/blob/master/lib/rack/utils.rb The supplied test case fails as expected without the required change and succeeds as expected with the required change. I just noticed I still need to update the changelog entry before uploading. diff -Nru ruby-rack-cors-0.2.9/debian/changelog ruby-rack-cors-0.2.9/debian/changelog --- ruby-rack-cors-0.2.9/debian/changelog 2014-04-24 23:53:38.0 +1000 +++ ruby-rack-cors-0.2.9/debian/changelog 2020-02-04 17:25:44.0 +1100 @@ -1,3 +1,9 @@ +ruby-rack-cors (0.2.9-1+deb8u1) UNRELEASED; urgency=high + + * Non-maintainer upload by the LTS Team. + + -- Brian May Tue, 04 Feb 2020 17:25:44 +1100 + ruby-rack-cors (0.2.9-1) unstable; urgency=low * New upstream release diff -Nru ruby-rack-cors-0.2.9/debian/patches/CVE-2019-18978.patch ruby-rack-cors-0.2.9/debian/patches/CVE-2019-18978.patch --- ruby-rack-cors-0.2.9/debian/patches/CVE-2019-18978.patch1970-01-01 10:00:00.0 +1000 +++ ruby-rack-cors-0.2.9/debian/patches/CVE-2019-18978.patch2020-02-04 17:25:44.0 +1100 @@ -0,0 +1,104 @@ +--- a/test/unit/cors_test.rb b/test/unit/cors_test.rb +@@ -160,6 +160,12 @@ + assert_cors_success + assert_not_nil last_response.headers['Content-Type'] + end ++ ++should "decode URL and resolve paths before resource matching" do ++ header 'Origin', 'http://localhost:3000' ++ get '/public/a/..%2F..%2Fprivate/stuff' ++ assert_cors_failure ++end + end + + protected +--- a/test/unit/test.ru b/test/unit/test.ru +@@ -28,6 +28,7 @@ + allow do + origins '*' + resource '/public' ++resource '/public/*' + resource '/public_without_credentials', :credentials => false + end + +--- a/lib/rack/cors.rb b/lib/rack/cors.rb +@@ -30,17 +30,20 @@ + env['HTTP_ORIGIN'] = 'file://' if env['HTTP_ORIGIN'] == 'null' + env['HTTP_ORIGIN'] ||= env['HTTP_X_ORIGIN'] + ++ path = evaluate_path(env) ++ + cors_headers = nil + if env['HTTP_ORIGIN'] + debug(env) do + [ 'Incoming Headers:', + " Origin: #{env['HTTP_ORIGIN']}", ++" Path-Info: #{path}", + " Access-Control-Request-Method: #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']}", + " Access-Control-Request-Headers: #{env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}" + ].join("\n") + end + if env['REQUEST_METHOD'] == 'OPTIONS' and env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] +- if headers = process_preflight(env) ++ if headers = process_preflight(env, path) + debug(env) do + "Preflight Headers:\n" + + headers.collect{|kv| " #{kv.join(': ')}"}.join("\n") +@@ -48,7 +51,7 @@ + return [200, headers, []] + end + else +- cors_headers = process_cors(env) ++ cors_headers = process_cors(env, path) + end + end + status, headers, body = @app.call env +@@ -74,17 +77,41 @@ + end + end + ++ PATH_SEPS = Regexp.union(*[::File::SEPARATOR, ::File::ALT_SEPARATOR].compact) ++ ++ def clean_path_info(path_info) ++parts = path_info.split PATH_SEPS ++ ++clean = [] ++ ++parts.each do |part| ++ next if part.empty? || part == '.' ++ part == '..' ? clean.pop : clean << part ++end ++ ++clean_path = clean.join(::File::SEPARATOR) ++clean_path.prepend("/") if parts.empty? || parts.first.empty? ++clean_path ++ end ++ ++ def evaluate_path(env) ++path = env['PATH_INFO'] ++# path = Rack::Utils.clean_path_info(Rack::Utils.unescape_path(path)) if path ++path = clean_path_info(::URI::DEFAULT_PARSER.unescape(path)) if path ++path ++ end ++ + def all_resources + @all_resources ||= [] + end + +- def process_preflight(env) +-resource = find_resource(env['HTTP_ORIGIN'], env['PATH_INFO'],env) ++ def process_preflight(env, path) ++resource = find_resource(env['HTTP_ORIGIN'], path,env) + resource && resource.process_preflight(env) + end + +- def process_cors(env) +-resource = find_resource(env[
Re: ibus/CVE-2019-14822/glibc
Brian May writes: > Here is a better stack trace (previous version was picking up system > version of glib): Here is an even better version of the even better version of the stack trace that is actually useful (disabled compile time optimisation) (gdb) bt #0 0x772cbd08 in _g_log_abort (breakpoint=1) at gmessages.c:315 #1 0x772ccbea in g_logv (log_domain=0x778125ef "GLib-GObject", log_level=G_LOG_LEVEL_CRITICAL, format=0x7735b3af "%s: assertion '%s' failed", args=0x7fffd778) at gmessages.c:1042 #2 0x772ccce0 in g_log (log_domain=0x778125ef "GLib-GObject", log_level=G_LOG_LEVEL_CRITICAL, format=0x7735b3af "%s: assertion '%s' failed") at gmessages.c:1081 #3 0x772ccd21 in g_return_if_fail_warning (log_domain=0x778125ef "GLib-GObject", pretty_function=0x77813ccb <__FUNCTION__.12599> "g_object_ref", expression=0x77812b1b "G_IS_OBJECT (object)") at gmessages.c:1090 #4 0x777ee588 in g_object_ref (_object=0x0) at gobject.c:3041 #5 0x77ab4bf0 in cache_recv_address (socket=0x61c130, native=0x7fffe1b0, native_len=12) at gsocket.c:4038 #6 0x77ab501d in g_socket_receive_message (socket=0x61c130, address=0x7fffe318, vectors=0x7fffe330, num_vectors=1, messages=0x0, num_messages=0x0, flags=0x0, cancellable=0x0, error=0x7fffe320) at gsocket.c:4269 #7 0x77aed427 in read_netlink_messages (socket=0x0, condition=G_IO_IN, user_data=0x6119e0) at gnetworkmonitornetlink.c:328 #8 0x77aecd65 in g_network_monitor_netlink_initable_init (initable=0x6119e0, cancellable=0x0, error=0x0) at gnetworkmonitornetlink.c:141 #9 0x77a90ae4 in g_initable_init (initable=0x6119e0, cancellable=0x0, error=0x0) at ginitable.c:112 #10 0x77a90cd8 in g_initable_new_valist (object_type=6391376, first_property_name=0x0, var_args=0x7fffe4f0, cancellable=0x0, error=0x0) at ginitable.c:228 #11 0x77a90b9a in g_initable_new (object_type=6391376, cancellable=0x0, error=0x0, first_property_name=0x0) at ginitable.c:146 #12 0x77a941a1 in try_implementation (extension=0x6106c0, verify_func=0x0) at giomodule.c:755 #13 0x77a943a1 in _g_io_module_get_default (extension_point=0x77b76308 "gio-network-monitor", envvar=0x77b762f0 "GIO_USE_NETWORK_MONITOR", verify_func=0x0) at giomodule.c:857 #14 0x77a9e1b7 in g_network_monitor_get_default () at gnetworkmonitor.c:74 #15 0x00401761 in test_default () at network-monitor.c:241 #16 0x772ede8e in test_case_run (tc=0x613990) at gtestutils.c:2059 #17 0x772ee230 in g_test_run_suite_internal (suite=0x610240, path=0x7735fec0 "") at gtestutils.c:2120 #18 0x772ee2f2 in g_test_run_suite_internal (suite=0x610220, path=0x7735fec0 "") at gtestutils.c:2131 #19 0x772ee472 in g_test_run_suite (suite=0x610220) at gtestutils.c:2184 #20 0x772ed15f in g_test_run () at gtestutils.c:1488 #21 0x00402a7f in main (argc=1, argv=0x7fffe9f8) at network-monitor.c:536 Looking at gsocket.c:4038, saddr (source address) is NULL for some unknown reason. This value comes from: saddr = g_socket_address_new_from_native (native, native_len); No idea why this appears to be failing yet. -- Brian May
Re: ibus/CVE-2019-14822/glibc
Here is a better stack trace (previous version was picking up system version of glib): (jessie-amd64-default)brian@silverfish:~/debian/lts/packages/glib2.0/glib$ LD_LIBRARY_PATH=$PWD/gio/.libs:$PWD/glib/.libs gdb gio/tests/.libs/network-monitor GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1 Copyright (C) 2014 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from gio/tests/.libs/network-monitor...done. (gdb) r Starting program: /home/brian/debian/lts/packages/glib2.0/glib/gio/tests/.libs/network-monitor [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". /network-monitor/default: (/home/brian/debian/lts/packages/glib2.0/glib/gio/tests/.libs/network-monitor:27600): GLib-GObject-CRITICAL **: g_object_ref: assertion 'G_IS_OBJECT (object)' failed Program received signal SIGTRAP, Trace/breakpoint trap. g_logv (log_domain=0x77843856 "GLib-GObject", log_level=G_LOG_LEVEL_CRITICAL, format=, args=args@entry=0x7fffda98) at gmessages.c:1046 1046 g_private_set (&g_log_depth, GUINT_TO_POINTER (depth)); (gdb) bt #0 g_logv (log_domain=0x77843856 "GLib-GObject", log_level=G_LOG_LEVEL_CRITICAL, format=, args=args@entry=0x7fffda98) at gmessages.c:1046 #1 0x7731dc52 in g_log (log_domain=, log_level=, format=) at gmessages.c:1079 #2 0x7781deba in g_object_ref () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #3 0x77ad4e17 in cache_recv_address (native_len=, native=, socket=0x61c130) at gsocket.c:4038 #4 g_socket_receive_message (socket=0x61c130, address=address@entry=0x7fffe548, vectors=, vectors@entry=0x7fffe560, num_vectors=, num_vectors@entry=1, messages=messages@entry=0x0, num_messages=num_messages@entry=0x0, flags=0x0, cancellable=0x0, error=0x7fffe540) at gsocket.c:4269 #5 0x77b018df in read_netlink_messages (socket=socket@entry=0x0, condition=condition@entry=G_IO_IN, user_data=user_data@entry=0x6119e0) at gnetworkmonitornetlink.c:324 #6 0x77b02287 in g_network_monitor_netlink_initable_init (initable=, cancellable=, error=0x0) at gnetworkmonitornetlink.c:141 #7 0x77ab9d3e in g_initable_new_valist (object_type=, first_property_name=0x0, var_args=0x7fffe638, cancellable=0x0, error=0x0) at ginitable.c:228 #8 0x77ab9e2c in g_initable_new (object_type=, cancellable=cancellable@entry=0x0, error=error@entry=0x0, first_property_name=first_property_name@entry=0x0) at ginitable.c:146 #9 0x77abd456 in try_implementation (extension=, verify_func=verify_func@entry=0x0) at giomodule.c:755 #10 0x77abd5a0 in _g_io_module_get_default (extension_point=0x77b67c9f "gio-network-monitor", envvar=0x77b69565 "GIO_USE_NETWORK_MONITOR", verify_func=0x0) at giomodule.c:857 #11 0x00402433 in test_default () at network-monitor.c:241 #12 0x7733b753 in test_case_run (tc=0x613990) at gtestutils.c:2059 #13 g_test_run_suite_internal (suite=suite@entry=0x610240, path=path@entry=0x773b9fde "") at gtestutils.c:2120 #14 0x7733b922 in g_test_run_suite_internal (suite=suite@entry=0x610220, path=, path@entry=0x773b9fde "") at gtestutils.c:2131 #15 0x7733bc6b in g_test_run_suite (suite=0x610220) at gtestutils.c:2184 #16 0x7733bca1 in g_test_run () at gtestutils.c:1488 #17 0x00401361 in main (argc=1, argv=0x7fffeab8) at network-monitor.c:536 (gdb) -- Brian May
Re: ibus/CVE-2019-14822/glibc
Brian May writes: > commit 7cba800a84730c9c5843acdd775e42b8c1438edf (HEAD) > Author: Alexander Larsson > Date: Mon Jun 1 10:02:47 2015 +0200 This patch decreases the number of errors from 1 to 52. (jessie-amd64-default)brian@silverfish:~/debian/lts/packages/glib2.0/glib$ gio/tests/network-monitor /network-monitor/default: (/home/brian/debian/lts/packages/glib2.0/glib/gio/tests/.libs/lt-network-monitor:20114): GLib-GObject-CRITICAL **: g_object_ref: assertion 'G_IS_OBJECT (object)' failed Trace/breakpoint trap gdb shows: (jessie-amd64-default)brian@silverfish:~/debian/lts/packages/glib2.0/glib$ LD_LIBRARY_PATH=$PWD/gio/.libs gdb gio/tests/.libs/network-monitor core GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1 Copyright (C) 2014 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from gio/tests/.libs/network-monitor...done. [New LWP 22889] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `gio/tests/.libs/network-monitor'. Program terminated with signal SIGTRAP, Trace/breakpoint trap. #0 0x7f035382adc0 in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 (gdb) bt #0 0x7f035382adc0 in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #1 0x7f035382afff in g_log () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #2 0x7f0353d01eba in g_object_ref () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #3 0x7f0353fb8e17 in cache_recv_address (native_len=, native=, socket=0x13f2130) at gsocket.c:4038 #4 g_socket_receive_message (socket=0x13f2130, address=address@entry=0x7fff92d8c288, vectors=, vectors@entry=0x7fff92d8c2a0, num_vectors=, num_vectors@entry=1, messages=messages@entry=0x0, num_messages=num_messages@entry=0x0, flags=0x0, cancellable=0x0, error=0x7fff92d8c280) at gsocket.c:4269 #5 0x7f0353fe58df in read_netlink_messages (socket=socket@entry=0x0, condition=condition@entry=G_IO_IN, user_data=user_data@entry=0x13e79e0) at gnetworkmonitornetlink.c:324 #6 0x7f0353fe6287 in g_network_monitor_netlink_initable_init (initable=, cancellable=, error=0x0) at gnetworkmonitornetlink.c:141 #7 0x7f0353f9dd3e in g_initable_new_valist (object_type=, first_property_name=0x0, var_args=0x7fff92d8c378, cancellable=0x0, error=0x0) at ginitable.c:228 #8 0x7f0353f9de2c in g_initable_new (object_type=, cancellable=cancellable@entry=0x0, error=error@entry=0x0, first_property_name=first_property_name@entry=0x0) at ginitable.c:146 #9 0x7f0353fa1456 in try_implementation (extension=, verify_func=verify_func@entry=0x0) at giomodule.c:755 #10 0x7f0353fa15a0 in _g_io_module_get_default (extension_point=0x7f035404bc9f "gio-network-monitor", envvar=0x7f035404d565 "GIO_USE_NETWORK_MONITOR", verify_func=0x0) at giomodule.c:857 #11 0x00402433 in test_default () at network-monitor.c:241 #12 0x7f03538493d3 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #13 0x7f03538495a2 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #14 0x7f035384990b in g_test_run_suite () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #15 0x7f0353849941 in g_test_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #16 0x000000401361 in main (argc=1, argv=0x7fff92d8c818) at network-monitor.c:536 I am guessing maybe this patch has other requirements :-( -- Brian May
Re: ibus/CVE-2019-14822/glibc
Brian May writes: > With the 2nd patch, hangs, I pushed Ctrl-C to abort: > > (jessie-amd64-sbuild)brian@silverfish:/$ > /build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor > -k --tap > # random seed: R02Sfd80eb1bd64b09d0b63ad8bcdfd117d2 > # Start of network-monitor tests > ^C git bisect shows the following commit fixes this: commit 7cba800a84730c9c5843acdd775e42b8c1438edf (HEAD) Author: Alexander Larsson Date: Mon Jun 1 10:02:47 2015 +0200 GNetworkMonitorNetlink: Fix check for non-kernel messages This code used to look at the SCM_CREDENTIALS and ignore every message not from uid 0. However, when user namespaces are in use this does not work, as if uid 0 is not mapped you get overflowuid instead. Right now this means we ignore all messages in such user namespaces and glib apps hang on startup. We can't look at pids either, as pid 0 is returned for processes outside your pid namespace. Instead the correct approach is to look at the sending sockaddr and if the port id (nl_pid) is zero, then its from the kernel. Source: http://lists.linuxfoundation.org/pipermail/containers/2015-May/036032.html https://bugzilla.gnome.org/show_bug.cgi?id=750203 -- Brian May
Re: ibus/CVE-2019-14822/glibc
stops talking. gdb session (note I had to override the shell because the default is zsh which didn't exist on my chroot, which caused problems for gdb): (jessie-amd64-sbuild)brian@silverfish:/build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb$ SHELL=/bin/sh gdb /build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1 Copyright (C) 2014 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor...done. (gdb) r Starting program: /build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". /network-monitor/default: ^C Program received signal SIGINT, Interrupt. 0x77030ad0 in __poll_nocancel () at ../sysdeps/unix/syscall-template.S:81 81 ../sysdeps/unix/syscall-template.S: No such file or directory. (gdb) bt #0 0x77030ad0 in __poll_nocancel () at ../sysdeps/unix/syscall-template.S:81 #1 0x77ad6f05 in g_socket_condition_timed_wait (socket=, condition=, timeout=, cancellable=0x0, error=0x7fffe5c8) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/gsocket.c:3655 #2 0x77ad7d84 in g_socket_receive_message (socket=0x61d130, address=address@entry=0x0, vectors=, vectors@entry=0x7fffe5d0, num_vectors=, num_vectors@entry=1, messages=messages@entry=0x0, num_messages=num_messages@entry=0x0, flags=0x7fffe5bc, cancellable=0x0, error=0x7fffe5c8) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/gsocket.c:4231 #3 0x77b03c15 in read_netlink_messages (socket=socket@entry=0x0, condition=condition@entry=G_IO_IN, user_data=user_data@entry=0x6129e0) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/gnetworkmonitornetlink.c:312 #4 0x77b045af in g_network_monitor_netlink_initable_init (initable=0x6129e0, cancellable=, error=0x0) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/gnetworkmonitornetlink.c:141 #5 0x77abe2ca in g_initable_new_valist (object_type=, first_property_name=0x0, var_args=0x7fffe6b0, cancellable=0x0, error=0x0) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/ginitable.c:228 #6 0x77abe3b6 in g_initable_new (object_type=, cancellable=cancellable@entry=0x0, error=error@entry=0x0, first_property_name=first_property_name@entry=0x0) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/ginitable.c:146 #7 0x77ac14a6 in try_implementation (extension=, verify_func=verify_func@entry=0x0) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/giomodule.c:755 #8 0x77ac1620 in _g_io_module_get_default (extension_point=0x77b69e9f "gio-network-monitor", envvar=0x77b6b945 "GIO_USE_NETWORK_MONITOR", verify_func=0x0) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/giomodule.c:857 #9 0x00402482 in test_default () at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/tests/network-monitor.c:241 #10 0x7736b3d3 in test_case_run (tc=0x614990) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:2059 #11 g_test_run_suite_internal (suite=suite@entry=0x611240, path=path@entry=0x773c5f5e "") at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:2120 #12 0x7736b5a2 in g_test_run_suite_internal (suite=suite@entry=0x611220, path=, path@entry=0x773c5f5e "") at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:2131 #13 0x7736b90b in g_test_run_suite (suite=0x611220) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:2184 #14 0x7736b941 in g_test_run () at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:1488 #15 0x00401461 in main (argc=1, argv=0x7fffeb68) at #/build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/tests/network-monitor.c:536 -- Brian May
Re: ibus/CVE-2019-14822/glibc
Emilio Pozuelo Monfort writes: > Yes, that's the failing test I mentioned in my email. Building without the > patches works for me. I am still looking at whether upgrading ibus is worth it > due to the regression risk. It looks like the 2nd patch that is doing this. Just the 1st patch is fine. My running theory at present is that the test is confused because authentication is now required. I have no idea whether this is worth it or not. Possibly one option to think about is just patch ibus - that way the security issue is solved, and wait and see if anybody complains about the glib2.0 breakage. -- Brian May
Re: ibus/CVE-2019-14822/glibc
Brian May writes: > My build is still running the tests, but I don't expect any problems as > the test was getting skipped anyway... Tests seem to be hanging, on the next test after: PASS: network-address 37 /gresolver/resolve-address/0 PASS: network-address 38 /gresolver/resolve-address/1 PASS: network-address 39 /gresolver/resolve-address/2 PASS: network-address 40 /gresolver/resolve-address/3 PASS: network-address 41 /gresolver/resolve-address/4 PASS: network-address 42 /gresolver/resolve-address/5 PASS: network-address 43 /gresolver/resolve-address/6 PASS: network-address 44 /gresolver/resolve-address/7 PASS: network-address 45 /gresolver/resolve-address/8 PASS: network-address 46 /gresolver/resolve-address/9 PASS: network-address 47 /gresolver/resolve-address/10 PASS: network-address 48 /gresolver/resolve-address/11 PASS: network-address 49 /gresolver/resolve-address/12 Running Command seems to be: /bin/bash /build/glib2.0-S2dcj2/glib2.0-2.42.1/./tap-driver.sh --test-name network-monitor --log-file network-monitor.log --trs-file network-monitor.trs --color-tests no --enable-hard-errors yes --expect-failure no -- /build/glib2.0-S2dcj2/glib2.0-2.42.1/./tap-test ./network-monitor This doesn't appear to be anything related to anything I have changed. Will try building again without my patches. -- Brian May
Re: ibus/CVE-2019-14822/glibc
Brian May writes: > Emilio Pozuelo Monfort writes: > >> I have been looking at this, but building glib with only the two fix commits >> (not the tests one) makes the build hang on the network-monitor tests. I >> haven't >> investigated much yet, but I wonder if it may be an issue with my local >> configuration. Did you glib build succeed? If so can you publish the source >> and >> debs? I'd like to test that with some qt5 apps to verify the regression fix. > > I just tried compiling with all patches. The 3rd patch kills it for it, > it references a _g_dbus_hexencode function that does not appear to > exist. OK, fixed this in: https://people.debian.org/~bam/glib2.0/ Version 2.42.1-1+deb8u4 My build is still running the tests, but I don't expect any problems as the test was getting skipped anyway... -- Brian May
Re: ibus/CVE-2019-14822/glibc
Emilio Pozuelo Monfort writes: > I have been looking at this, but building glib with only the two fix commits > (not the tests one) makes the build hang on the network-monitor tests. I > haven't > investigated much yet, but I wonder if it may be an issue with my local > configuration. Did you glib build succeed? If so can you publish the source > and > debs? I'd like to test that with some qt5 apps to verify the regression fix. I just tried compiling with all patches. The 3rd patch kills it for it, it references a _g_dbus_hexencode function that does not appear to exist. libtool: compile: gcc -DHAVE_CONFIG_H -I. -I/<>/./gio -I.. -DG_LOG_DOMAIN=\"GLib-GIO\" -I.. -I../glib -I/<>/./glib -I/<>/. -I/<>/./gmodule -DG_DISABLE_CAST_CHECKS -DGIO_COMPILATION -DGIO_MODULE_DIR=\"/usr/lib/x86_64-linux-gnu/gio/modules\" -D_FORTIFY_SOURCE=2 -pthread -Wall -Wstrict-prototypes -Werror=declaration-after-statement -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=pointer-arith -Werror=init-self -Werror=format=2 -Werror=missing-include-dirs -fvisibility=hidden -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -c /<>/./gio/gdbusauth.c -fPIC -DPIC -o .libs/libgio_2_0_la-gdbusauth.o /<>/./gio/gdbusauth.c: In function ‘client_choose_mech_and_send_initial_response’: /<>/./gio/gdbusauth.c:520:7: error: implicit declaration of function ‘_g_dbus_hexencode’ [-Werror=implicit-function-declaration] encoded = _g_dbus_hexencode (initial_response, initial_response_len); ^ /<>/./gio/gdbusauth.c:520:15: warning: assignment makes pointer from integer without a cast encoded = _g_dbus_hexencode (initial_response, initial_response_len); ^ /<>/./gio/gdbusauth.c: In function ‘_g_dbus_auth_run_client’: /<>/./gio/gdbusauth.c:812:32: warning: assignment makes pointer from integer without a cast encoded_data = _g_dbus_hexencode (data, data_len); ^ /<>/./gio/gdbusauth.c: In function ‘_g_dbus_auth_run_server’: /<>/./gio/gdbusauth.c:1187:42: warning: assignment makes pointer from integer without a cast encoded_data = _g_dbus_hexencode (data, data_len); ^ cc1: some warnings being treated as errors Makefile:3465: recipe for target 'libgio_2_0_la-gdbusauth.lo' failed The patch removes a function called "hexencode" and replaces it with "_g_dbus_hexencode". I wonder if it would be sufficient just to reverse this bit of the change? -- Brian May
Re: ibus/CVE-2019-14822/glibc
Brian May writes: > Apparently the fix for ibus creates a regression in glibc that must get > fixed also: > > https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 > > However this patch patches GIO in glibc, and it looks like glibc in > Jessie (2.19-18+deb8u10) doesn't have this directory. Or anything > related to GIO that I can see. > > Hence, I am inclined to think maybe glibc doesn't need to be fixed in > Jessie. i have back-ported the patches to the Jessie version. Hopefully this is correct :-) https://gitlab.gnome.org/penguin_brian/glib/compare/2.42.1...fix_gio_auth If I incorporate the test patch into the Debian package, expecting a test failure, instead I get the following results: SKIP: gdbus-server-auth 1 /gdbus/server-auth # SKIP Testing interop with libdbus not supported SKIP: gdbus-server-auth 2 /gdbus/server-auth/tcp # SKIP Testing interop with libdbus not supported SKIP: gdbus-server-auth 3 /gdbus/server-auth/anonymous # SKIP Testing interop with libdbus not supported SKIP: gdbus-server-auth 4 /gdbus/server-auth/external # SKIP EXTERNAL authentication not implemented on this platform SKIP: gdbus-server-auth 5 /gdbus/server-auth/sha1 # SKIP Testing interop with libdbus not supported SKIP: gdbus-server-auth 6 /gdbus/server-auth/anonymous/tcp # SKIP Testing interop with libdbus not supported SKIP: gdbus-server-auth 7 /gdbus/server-auth/sha1/tcp # SKIP Testing interop with libdbus not supported This is something I would like to be able to test before uploading. At least it does look like I enabled the test correctly. Not sure when I will get to look at this again, I haven't claimed it, if somebody else wants to take over then go ahead. -- Brian May
Re: ibus/CVE-2019-14822/glibc
"Adam D. Barratt" writes: > I think you might want s/glibc/glib/g? Odd. I am sure I read (and wrote) glibc everywhere. But now I see glib, which actually makes more sense. Did somebody just change the universe when I wasn't looking? :-) Disregard everything I said in that email, will make sure I check the correct package tonight. -- Brian May
ibus/CVE-2019-14822/glibc
Apparently the fix for ibus creates a regression in glibc that must get fixed also: https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 However this patch patches GIO in glibc, and it looks like glibc in Jessie (2.19-18+deb8u10) doesn't have this directory. Or anything related to GIO that I can see. Hence, I am inclined to think maybe glibc doesn't need to be fixed in Jessie. -- Brian May https://linuxpenguins.xyz/brian/
automatically strip no-dsa tags by gen-DLA
In an attempt to complete this TODO item from the wiki: automatically strip no-dsa tags by gen-DLA https://wiki.debian.org/LTS/TODO#automatically_strip_no-dsa_tags_by_gen-DLA This is my very early attempt to modify the CVE parser so that it can write the results back to the CVE file again. Meaning we can made deliberate modifications to the data before doing so. https://salsa.debian.org/snippets/354 Unfortunately in making the required changes, it is no longer compatible with the previous API. As we need to keep track of all the data in such away that any modifications are reversible. Which is why I copied the files completely rather then trying to edit in place. The original parser makes certain changes that are not reversible and can produce slightly different results (e.g. different ordering of values, different white-space, etc). Currently it produces a file with the following differences (see diff below), the first two changes are due to twp tab characters being replaced by spaces (not sure it matters enough to try and fix this...) and the last was due to deliberate filtering (line 273). The filtering is currently hard coded, this should be called somehow by gen-DLA. Any comments or suggestions? === cut === --- data/CVE/list 2019-11-12 16:54:16.835792742 +1100 +++ a 2019-11-15 16:51:09.043817845 +1100 @@ -354371,7 +354371,7 @@ NOT-FOR-US: Trend Micro Anti-Rootkit Common Module CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR an ...) - rar 1:3.7b1-1 (high; bug #410582) - [sarge] - rar (Non-free) + [sarge] - rar (Non-free) [etch] - rar (Non-free) - unrar-nonfree 1:3.7.3-1 (high; bug #410580) [sarge] - unrar-nonfree 1:3.5.2-0.2 @@ -359261,7 +359261,7 @@ NOT-FOR-US: BytesFall Explorer (bfExplorer) CVE-2006-5718 (Cross-site scripting (XSS) vulnerability in error.php in phpMyAdmin 2. ...) - phpmyadmin 4:2.9.0.3-1 (low; bug #396638) - [sarge] - phpmyadmin (Vulnerable code not present) + [sarge] - phpmyadmin (Vulnerable code not present) CVE-2006-5717 (Multiple cross-site scripting (XSS) vulnerabilities in Zend Google Dat ...) NOT-FOR-US: Zend Google Data Client Library (ZendGData) CVE-2006-5716 (Directory traversal vulnerability in aff_news.php in FreeNews 2.1 allo ...) @@ -376628,7 +376628,6 @@ NOT-FOR-US: Sun Java System Directory Server CVE-2005-3268 (yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and ...) - yiff 2.14.2-8 (bug #334616; low) - [sarge] - yiff (Only a minor privacy leak) CVE-2005-3267 (Integer overflow in Skype client before 1.4.x.84 on Windows, before 1. ...) NOT-FOR-US: Skype CVE-2005-3266 === cut === -- Brian May
angular.js / CVE-2019-14863
Here is my very simple patch to fix this issue. diff -Nru angular.js-1.2.26/debian/changelog angular.js-1.2.26/debian/changelog --- angular.js-1.2.26/debian/changelog 2014-10-08 05:41:25.0 +1100 +++ angular.js-1.2.26/debian/changelog 2019-11-11 17:39:43.0 +1100 @@ -1,3 +1,10 @@ +angular.js (1.2.26-1+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2019-14863: properly sanitize xlink:href attribute interoplation. + + -- Brian May Mon, 11 Nov 2019 17:39:43 +1100 + angular.js (1.2.26-1) unstable; urgency=low * New upstream release. diff -Nru angular.js-1.2.26/debian/patches/CVE-2019-14863.patch angular.js-1.2.26/debian/patches/CVE-2019-14863.patch --- angular.js-1.2.26/debian/patches/CVE-2019-14863.patch 1970-01-01 10:00:00.0 +1000 +++ angular.js-1.2.26/debian/patches/CVE-2019-14863.patch 2019-11-11 17:39:43.0 +1100 @@ -0,0 +1,11 @@ +--- a/src/ng/compile.js b/src/ng/compile.js +@@ -748,7 +748,7 @@ + nodeName = nodeName_(this.$$element); + + // sanitize a[href] and img[src] values +-if ((nodeName === 'A' && key === 'href') || ++if ((nodeName === 'A' && (key === 'href' || key === 'xlinkHref')) || + (nodeName === 'IMG' && key === 'src')) { + this[key] = value = $$sanitizeUri(value, key === 'src'); + } diff -Nru angular.js-1.2.26/debian/patches/series angular.js-1.2.26/debian/patches/series --- angular.js-1.2.26/debian/patches/series 1970-01-01 10:00:00.0 +1000 +++ angular.js-1.2.26/debian/patches/series 2019-11-11 17:39:43.0 +1100 @@ -0,0 +1 @@ +CVE-2019-14863.patch I noticed I didn't spell interpolation correctly, probably error from the CVE; I have fixed that. -- Brian May