Stefano Rivera
2011-Mar-13 14:55 UTC
[Secure-testing-team] Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
Package: ibid
Version: 0.1.0+dfsg-2
Severity: serious
Tags: security upstream patch

Ibid 0.1.1 fixes 3 security issues [0]. They aren't particularly serious, but should probably be addressed.

[0]: http://ibid.omnia.za.net/docs/0.1.0/changes.html#release-0-1-1-pimpernel-2011-02-24

Remote Execution: http://bugs.launchpad.net/bugs/705860

Permissions were ignored for handlers not using @match. This allowed users to perform actions they were not authorised to. However, no included plugins were exposed by this: all access-restricted handlers had match patterns.

Information Disclosure: http://bugs.launchpad.net/bugs/567576

Occasionally insecure permissions on log files. When the bot spoke first (creating a new log file), the log file would be publicly readable, even if the message was sent in private.

Example: If the bot delivered a privmsg memo to a user at the beginning of the month, it would create the logfile with publicly readable permissions. If the logfile directory was published by a web server, this would make this private conversation log accessible to the public.

Resolution: Now channels must be explicitly configured to have publicly readable logs.

http://bugs.launchpad.net/649383

If someone received a private message from the bot during a public meeting, the message could appear in the meeting minutes.

Example: a privmsg memo received during a meeting would appear in the minutes.

Proposed debdiff with backported fixes attached.
SR

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ibid depends on:
ii  libjs-jquery             1.5.1-1          JavaScript library for dynamic web
ii  python                   2.6.6-3+squeeze5 interactive high-level object-orie
ii  python-beautifulsoup     3.2.0-1          error-tolerant HTML parser for Pyt
ii  python-chardet           2.0.1-1          universal character encoding detec
ii  python-configobj         4.7.2+ds-1       simple but powerful config file re
ii  python-dateutil          1.4.1-3          powerful extensions to the standar
ii  python-html5lib          0.90-1           HTML parser/tokenizer based on the
ii  python-jinja             1.2-3+b1         small but fast and easy to use sta
ii  python-pkg-resources     0.6.14-5         Package Discovery and Resource Acc
ii  python-soappy            0.12.0-4         SOAP Support for Python
ii  python-sqlalchemy        0.6.3-3          SQL toolkit and Object Relational
ii  python-twisted-core      10.2.0-1         Event-based framework for internet
ii  python-twisted-web       10.2.0-1         An HTTP protocol implementation to
ii  python-twisted-words     10.2.0-1         Chat and Instant Messaging
ii  python-zope.interface [  3.5.3-1+b1       Interfaces for Python
ii  python2.5                2.5.5-11         An interactive high-level object-o
ii  python2.6                2.6.6-8+b1       An interactive high-level object-o

Versions of packages ibid recommends:
ii  fortune-mod [fortune]    1:1.99.1-4       provides fortune cookies on demand
ii  ipcalc                   0.41-2           parameter calculator for IPv4 addr
ii  iputils-ping             3:20101006-1     Tools to test the reachability of
ii  iputils-tracepath        3:20101006-1     Tools to trace the network path to
ii  man-db                   2.5.9-4          on-line manual pager
ii  python-dictclient        1.0.3.1          Python client library for DICT (RF
ii  python-dnspython         1.8.0-1          DNS toolkit for Python
ii  python-feedparser        4.1-14           Universal Feed Parser for Python
pn  python-html2text         <none>           (no description available)
ii  python-imdbpy            4.7.0-1          Python package to access the IMDb'
ii  python-twisted-mail      10.2.0-1         An SMTP, IMAP and POP protocol imp
ii  python-wokkel            0.6.3-2          collection of enhancements for Twi
ii  units                    1.87-2           converts between different systems

Versions of packages ibid suggests:
ii  apt-file                 2.4.2            search for files within Debian pac
ii  aptitude                 0.6.3-3.2        terminal-based package manager (te
ii  bc                       1.06.95-2        The GNU bc arbitrary precision cal
ii  bzr                      2.3.0-6          easy to use distributed version co
ii  caca-utils               0.99.beta17-1    text mode graphics utilities
ii  dictd                    1.12.0+dfsg-3    dictionary server
ii  nmap                     5.21-1           The Network Mapper
ii  python-aalib             0.2-1            Python interface to AAlib, an ASCI
ii  python-dbus              0.83.1-1         simple interprocess messaging syst
ii  python-imaging           1.1.7-2          Python Imaging Library
ii  python-matplotlib        0.99.3-1         Python based plotting system in a
ii  python-mysqldb           1.2.2-10+b1      A Python interface to MySQL
ii  python-numpy             1:1.4.1-5        Numerical Python adds a fast array
ii  python-objgraph          1.7.0-1          Module for exploring Python object
ii  python-psycopg2          2.2.1-1          Python module for PostgreSQL
ii  python-pyfiglet          0.4+dfsg-2       Python port of the FIGlet specific
ii  python-silc              0.5-1            Python bindings for SILC
ii  python-svn               1.7.2-4          A(nother) Python interface to Subv

-------------- next part --------------
diff -Nru ibid-0.1.0+dfsg/debian/changelog ibid-0.1.0+dfsg/debian/changelog --- ibid-0.1.0+dfsg/debian/changelog 2010-06-17 19:23:31.000000000 +0200 +++ ibid-0.1.0+dfsg/debian/changelog 2011-03-13 16:02:23.000000000 +0200
@@ -1,3 +1,16 @@ +ibid (0.1.0+dfsg-2+squeeze1) stable-security; urgency=high + + * Fix the following security issues. Fixes backported from 0.1.1 bugfix + release. + - perms-705860.patch: Enforce access-restriction on handlers without + @match patterns. (LP: #705860) + - logfile-visibility-567576.patch: Channels must be explicitly configured + to have publicly readable logs. (LP: #567576) + - meeting-privacy-649383.patch: Don''t report private messages from the bot + in meeting minutes. (LP: #649383) + + -- Stefano Rivera <stefanor at debian.org> Sun, 13 Mar 2011 15:50:35 +0200 + ibid (0.1.0+dfsg-2) unstable; urgency=low * Don''t leak uid and umask into source tarball. diff -Nru ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch --- ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch 1970-01-01 02:00:00.000000000 +0200 +++ ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch 2011-03-13 16:19:07.000000000 +0200 
@@ -0,0 +1,85 @@ +Description: Channels must be explicitly configured to have publicly readable logs. + Occasionally insecure permissions on log files. When the bot spoke first + (creating a new log file), the log file would be publicly readable, even if + the message was sent in private. + . + Resolution: Now channels must be explicitly configured to have publicly + readable logs. +Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/567576 +Origin: upstream, https://code.launchpad.net/~stefanor/ibid/logfile-visibility-567576-0.1/+merge/36937 +Last-Update: 2011-03-13 + +--- a/ibid/plugins/log.py ++++ b/ibid/plugins/log.py +@@ -4,6 +4,8 @@ + """Logs messages sent and received.""" + + from datetime import datetime ++import fnmatch ++import logging + from os.path import dirname, join, expanduser + from os import chmod, makedirs + +@@ -11,9 +13,11 @@ + + import ibid + from ibid.plugins import Processor, handler +-from ibid.config import Option, BoolOption ++from ibid.config import Option, BoolOption, ListOption + from ibid.event import Event + ++log = logging.getLogger(''plugins.log'') ++ + class Log(Processor): + + addressed = False +@@ -38,6 +42,9 @@ + rename_format = Option(''rename_format'', ''Format string for rename events'', + u''%(timestamp)s %(sender_nick)s (%(sender_connection)s) has renamed to %(new_nick)s'') + ++ public_logs = ListOption(''public_logs'', ++ u''List of source:channel globs for channels which should have public logs'', ++ []) + public_mode = Option(''public_mode'', + u''File Permissions mode for public channels, in octal'', ''644'') + private_mode = Option(''private_mode'', +@@ -47,6 +54,21 @@ + + logs = {} + ++ def setup(self): ++ sources = list(set(ibid.config.sources.keys()) ++ | set(ibid.sources.keys())) ++ for glob in self.public_logs: ++ if u'':'' not in glob: ++ log.warning(u"public_logs configuration values must follow the " ++ u"format source:channel. 
\"%s\" doesn''t contain a " ++ u"colon.", glob) ++ continue ++ source_glob = glob.split(u'':'', 1)[0] ++ if not fnmatch.filter(sources, source_glob): ++ log.warning(u''public_logs includes "%s", but there is no '' ++ u''configured source matching "%s"'', ++ glob, source_glob) ++ + def get_logfile(self, event): + when = event.time + if not self.date_utc: +@@ -70,8 +92,15 @@ + + file = open(filename, ''a'') + self.logs[filename] = file +- if event.get(''public'', True): +- chmod(filename, int(self.public_mode, 8)) ++ ++ for glob in self.public_logs: ++ if u'':'' not in glob: ++ continue ++ source_glob, channel_glob = glob.split(u'':'', 1) ++ if (fnmatch.fnmatch(event.source, source_glob) ++ and fnmatch.fnmatch(event.channel, channel_glob)): ++ chmod(filename, int(self.public_mode, 8)) ++ break + else: + chmod(filename, int(self.private_mode, 8)) + diff -Nru ibid-0.1.0+dfsg/debian/patches/meeting-privacy-649383.patch ibid-0.1.0+dfsg/debian/patches/meeting-privacy-649383.patch --- ibid-0.1.0+dfsg/debian/patches/meeting-privacy-649383.patch 1970-01-01 02:00:00.000000000 +0200 +++ ibid-0.1.0+dfsg/debian/patches/meeting-privacy-649383.patch 2011-03-13 16:20:08.000000000 +0200 
@@ -0,0 +1,21 @@ +Description: Don''t report private messages from the bot in meeting minutes. + If someone received a private message from the bot during a public meeting, + the message could appear in the meeting minutes. +Origin: upstream, https://code.launchpad.net/~max-rabkin/ibid/meeting-privacy-649383-0.1/+merge/36810 +Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/649383 +Last-Update: 2011-03-13 + +--- a/ibid/plugins/meetings.py ++++ b/ibid/plugins/meetings.py +@@ -259,7 +259,10 @@ + ''message'': message, + ''time'': event.time, + }) +- for response in event.responses: ++ for response in event.responses: ++ if (response[''source''], response[''target'']) in meetings: ++ meeting = meetings[(response[''source''], response[''target''])] ++ + type = ''message'' + if response.get(''action'', False): + type = ''action'' diff -Nru ibid-0.1.0+dfsg/debian/patches/perms-705860.patch ibid-0.1.0+dfsg/debian/patches/perms-705860.patch --- ibid-0.1.0+dfsg/debian/patches/perms-705860.patch 1970-01-01 02:00:00.000000000 +0200 +++ ibid-0.1.0+dfsg/debian/patches/perms-705860.patch 2011-03-13 16:18:18.000000000 +0200 
@@ -0,0 +1,38 @@ +Description: Enforce access-restriction on handlers without @match patterns. + Permissions were ignored for handlers not using @match. This allowed users to + perform actions they were not authorised to. +Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/705860 +Origin: upstream, https://code.launchpad.net/~max-rabkin/ibid/perms-705860/+merge/47037 +Last-Update: 2011-03-13 + +--- a/ibid/plugins/__init__.py ++++ b/ibid/plugins/__init__.py +@@ -131,19 +131,22 @@ + + found = False + for method in self._get_event_handlers(): ++ args = None + if not hasattr(method, ''pattern''): + found = True +- method(event) ++ args = () + elif hasattr(event, ''message''): + found = True + match = method.pattern.search( + event.message[method.message_version]) + if match is not None: +- if (not getattr(method, ''auth_required'', False) +- or auth_responses(event, self.permission)): +- method(event, *match.groups()) +- elif not getattr(method, ''auth_fallthrough'', True): +- event.processed = True ++ args = match.groups() ++ if args is not None: ++ if (not getattr(method, ''auth_required'', False) ++ or auth_responses(event, self.permission)): ++ method(event, *args) ++ elif not getattr(method, ''auth_fallthrough'', True): ++ event.processed = True + + if not found: + raise RuntimeError(u''No handlers found in %s'' % self) diff -Nru ibid-0.1.0+dfsg/debian/patches/series ibid-0.1.0+dfsg/debian/patches/series --- ibid-0.1.0+dfsg/debian/patches/series 2010-06-17 11:48:50.000000000 +0200 +++ ibid-0.1.0+dfsg/debian/patches/series 2011-03-13 16:15:03.000000000 +0200 @@ -3,3 +3,6 @@ docs.diff separate-data.diff fortune-path.diff +perms-705860.patch +logfile-visibility-567576.patch +meeting-privacy-649383.patch
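Review bot: the new 0.1.0+dfsg-2+squeeze1 changelog entry cites the three Launchpad bugs but not this Debian report; add `(Closes: #618026)` to the stanza so the stable-security upload closes the bug it was prepared for. Note also that the report is filed against the same 0.1.0+dfsg-2 version that the reporter's system shows in wheezy/sid, so a stable-security upload alone leaves testing and unstable affected; the same three patches (or 0.1.1) need to go to unstable as well, and the changelog should say which is intended.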
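Review bot: in the get_logfile hunk of logfile-visibility-567576.patch the file is still created by `file = open(filename, 'a')` and only afterwards chmod'ed, so between those two calls a private log carries whatever mode the process umask yields (0644 with the usual 022), which is the same world-readable window the report describes, just shorter. Create the file with a restrictive mode at creation time, for instance `os.open(filename, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0600)` followed by `os.fdopen`, and only then widen it to public_mode for channels that match a public_logs glob. Two smaller points on the same hunk: the `break` / `else:` pair relies on Python's for/else semantics (the else runs only when no glob matched), which replaces a plain if/else and deserves a comment; and `fnmatch.fnmatch` is case-sensitive on POSIX while IRC channel names are not, so `freenode:#ibid` will not match an event whose channel arrives as `#Ibid`. Consider `fnmatch.fnmatchcase` on lower-cased source and channel values.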
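Review bot: the meetings.py hunk in meeting-privacy-649383.patch rebinds `meeting` when a response's `(response['source'], response['target'])` is itself a meeting, but the visible lines contain no `else` or `continue` for responses whose target is not a meeting, and the indentation of the following `type = 'message'` context has been lost in extraction, so it is not possible to tell whether the rest of the loop body is nested under the new `if`. If it is not, a privmsg response is still appended to whatever `meeting` was bound earlier in the handler (or raises NameError if none was), which is exactly the leak this patch is meant to close. Please confirm the body is indented under the `if`, or make the intent explicit with `else: continue`. The `-`/`+` pair for the otherwise identical `for response in event.responses:` line suggests an indentation-only change; a sentence in the Description saying that the loop was moved out of the per-channel block would help the next reader.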
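Review bot: in perms-705860.patch the `args = None` / `args = ()` sentinel is correct (a handler without a pattern always applies, and `match.groups()` returns a tuple, never None, so a match with zero groups is still distinguishable from no match), but it is subtle enough to warrant a one-line comment where `args = None` is set. One behavioural change worth recording in the Description: handlers without @match now also honour auth_fallthrough, so an unauthorised event reaching such a handler with `auth_fallthrough = False` sets `event.processed = True`, where previously the handler simply ran. Since the Description relies on no shipped plugin having an authorised pattern-less handler, a regression test that registers one and checks it is refused for an unprivileged sender would keep that true.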
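The authorisation bypass fixed by perms-705860.patch, as an added example that is not ibid's own code and not part of the original report: a minimal dispatcher in the pre-0.1.1 shape beside one in the fixed shape, driven by constructed events. The `AdminPlugin` class, the `match`/`authorise` decorators, `authorised()` standing in for ibid's `auth_responses()`, the `PERMISSIONS` table and `run()` are all assumptions made for this illustration.

```python
"""Added example (not ibid's code): why a handler without @match bypassed
authorisation (LP #705860) and how deciding applicability first, then
applying a single auth gate, closes it. Every name below is assumed."""
import re

# Constructed sample ACL: which sender holds which permission.
PERMISSIONS = {'alice': {'admin'}, 'bob': set()}


def authorised(event, permission):
    """Stand-in for ibid's auth_responses(): does the sender hold permission?"""
    return permission in PERMISSIONS.get(event['sender'], set())


def match(pattern):
    """Attach a compiled regex to a handler, like ibid's @match."""
    def decorate(fn):
        fn.pattern = re.compile(pattern)
        return fn
    return decorate


def authorise(fn):
    """Mark a handler as needing the plugin's permission, like ibid's @authorise."""
    fn.auth_required = True
    return fn


class AdminPlugin(object):
    permission = 'admin'

    @authorise
    @match(r'^reload (\S+)$')
    def reload(self, event, name):
        event['actions'].append('reload ' + name)

    @authorise
    def audit(self, event):
        # No @match: fires on every event. Before the fix the dispatcher
        # never looked at auth_required on this path.
        event['actions'].append('audit')

    def handlers(self):
        return [self.reload, self.audit]


def dispatch_vulnerable(plugin, event):
    """Pre-0.1.1 shape: the auth check lives only on the @match branch."""
    for method in plugin.handlers():
        if not hasattr(method, 'pattern'):
            method(event)                       # auth_required ignored here
        else:
            m = method.pattern.search(event['message'])
            if m is not None:
                if (not getattr(method, 'auth_required', False)
                        or authorised(event, plugin.permission)):
                    method(event, *m.groups())


def dispatch_fixed(plugin, event):
    """Fixed shape: work out whether the handler applies, then gate once."""
    for method in plugin.handlers():
        args = None                             # None: handler does not apply
        if not hasattr(method, 'pattern'):
            args = ()                           # applies, no captured groups
        else:
            m = method.pattern.search(event['message'])
            if m is not None:
                args = m.groups()               # a tuple, possibly empty
        if args is not None:
            if (not getattr(method, 'auth_required', False)
                    or authorised(event, plugin.permission)):
                method(event, *args)


def run(dispatch, sender, message):
    """Dispatch one constructed event and return the actions it triggered."""
    event = {'sender': sender, 'message': message, 'actions': []}
    dispatch(AdminPlugin(), event)
    return event['actions']


if __name__ == '__main__':
    print(run(dispatch_vulnerable, 'bob', 'hello'))    # ['audit']: unprivileged bob ran it
    print(run(dispatch_fixed, 'bob', 'hello'))         # []
    print(run(dispatch_fixed, 'alice', 'reload log'))  # ['reload log', 'audit']
```

The point of the `args` sentinel is that "does this handler apply" and "may this sender run it" are separate questions; the vulnerable version fused them so that the pattern-less path never reached the second one.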
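The log-file visibility problem fixed by logfile-visibility-567576.patch, as an added example that is not ibid's own code and not part of the original report. `is_public()` follows the shape of the patch's `source:channel` allow-list (private unless explicitly listed), but matches channel names case-insensitively, which is this example's choice, not the patch's; `creation_mode()` shows the permission bits a new file carries at the instant `open()` creates it, i.e. before any later `chmod()`, and `open_log()` creates the file owner-only and widens it only for public channels. All function names, the sample globs, the umask values and the temporary directories are assumptions.

```python
"""Added example (not ibid's code): log-file permissions from LP #567576.
Shows (1) an explicit source:channel allow-list that defaults to private,
(2) the mode a freshly created log has before any chmod(), and (3) creating
it restrictively at open time. All names and sample values are assumed."""
import fnmatch
import os
import stat
import tempfile


def is_public(public_logs, source, channel):
    """True only if an explicit 'source:channel' glob matches. No configuration,
    a malformed entry or a private-message target (a nick, not a channel)
    all yield False, so the default is a private log."""
    for glob in public_logs:
        if ':' not in glob:
            continue                            # malformed entries never widen access
        source_glob, channel_glob = glob.split(':', 1)
        if (fnmatch.fnmatchcase(source, source_glob)
                and fnmatch.fnmatchcase(channel.lower(), channel_glob.lower())):
            return True
    return False


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def creation_mode(restrictive, umask=0o022):
    """Permission bits a brand-new log carries the moment it is created,
    which is what a concurrent reader (or a web server) sees before a
    later chmod() can tighten them."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, 'new.log')
    old_umask = os.umask(umask)
    try:
        if restrictive:
            fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
            os.close(fd)
        else:
            open(path, 'a').close()             # mode comes from the umask alone
        return mode_of(path)
    finally:
        os.umask(old_umask)
        os.unlink(path)
        os.rmdir(workdir)


def open_log(path, public):
    """Create owner-only first, widen only for a public channel afterwards,
    so there is no moment at which a private log is world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    if public:
        os.chmod(path, 0o644)
    return os.fdopen(fd, 'a')


def log_first_line(public_logs, source, channel, line):
    """Simulate the bot speaking first (creating the month's log file) and
    return the mode the file ends up with."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, '%s-%s.log' % (source, channel.lstrip('#')))
    try:
        with open_log(path, is_public(public_logs, source, channel)) as f:
            f.write(line + '\n')
        return mode_of(path)
    finally:
        os.unlink(path)
        os.rmdir(workdir)


if __name__ == '__main__':
    print(oct(creation_mode(restrictive=False)))   # 0o644: the leak window
    print(oct(creation_mode(restrictive=True)))    # 0o600
    conf = ['freenode:#ibid']                      # constructed public_logs value
    print(oct(log_first_line(conf, 'freenode', '#ibid', 'hi')))       # 0o644
    print(oct(log_first_line(conf, 'freenode', 'stefanor', 'memo')))  # 0o600
```

Two things the patch text alone does not show: a privmsg target is a nick, so it can never match a `#channel` glob and falls through to private, and the creation mode is decided by the umask unless the file is created with an explicit mode, which is why the secure path uses `os.open` with `0o600` rather than `open()` followed by `chmod()`.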