Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Mon, 2005-12-19 at 16:26 +0100, Pierre Habouzit wrote:
> > > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > > Flyspray. Have a look at
> > > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> > > for more details. This has been assigned CVE-2005-3334,
> > > please mention so in the changelog when fixing this.
>
> afaict the unstable version was not upstream's and was not touched by
> the vulnerability. I've not had the time to check it though.

Since no information was added to this bug report since it was opened, I
have only the changelog, advisory and upstream code to go by. From the
changelog I read that you pulled the fix in question from the upstream
repo. I've tested this code against the vulnerability and it indeed fixes
it. If you believe another fix to be better, please supply a patch.

> Moreover the current version has some problems that I'd not like to see
> enter testing at all.

Current testing has an RC security bug. If those issues you mention are
also RC, I suggest you document them in the BTS, since I didn't find any
other RC issues in the tracker. If they are not, this version should
progress in order to fix the RC security bug in testing that's absent in
unstable.

Thijs
Pierre Habouzit
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Mon 19 December 2005 16:42, Thijs Kinkhorst wrote:
> On Mon, 2005-12-19 at 16:26 +0100, Pierre Habouzit wrote:
> > > > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > > > Flyspray. Have a look at
> > > > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> > > > for more details. This has been assigned CVE-2005-3334,
> > > > please mention so in the changelog when fixing this.
> >
> > afaict the unstable version was not upstream's and was not touched
> > by the vulnerability. I've not had the time to check it though.
>
> Since no information was added to this bug report since it was
> opened, I have only the changelog, advisory and upstream code to go
> by. From the changelog I read that you pulled the fix in question
> from the upstream repo. I've tested this code against the
> vulnerability and it indeed fixes it. If you believe another fix to
> be better, please supply a patch.
>
> > Moreover the current version has some problems that I'd not like to
> > see enter testing at all.
>
> Current testing has an RC security bug. If those issues you mention
> are also RC, I suggest you document them in the BTS, since I didn't
> find any other RC issues in the tracker. If they are not, this
> version should progress in order to fix the RC security bug in
> testing that's absent in unstable.

You are right on the full line, and I just did an upload of what I
should have done way earlier and that was almost ready on my computer.

This one fixes a lot of bugs and uses the update that upstream released
a few days after I fixed the RC bug in a hurry.

-6 is the package that will fix all that should be, and it'll enter etch
in 10 days from now.

Thanks for the other valuable patch you sent btw.

-- 
·O·  Pierre Habouzit
··O  madcoder@debian.org
OOO  http://www.madism.org
Pierre Habouzit
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Mon 19 December 2005 17:02, Pierre Habouzit wrote:
> On Mon 19 December 2005 16:54, Thijs Kinkhorst wrote:
> > On Mon, 2005-12-19 at 16:47 +0100, Pierre Habouzit wrote:
> > > -6 is the package that will fix all that should be, and it'll
> > > enter etch in 10 days from now.
> >
> > Great, my interest is that the problem is addressed in the best way
> > possible :) What about stable, do you want to prepare new updated
> > packages or is the current fix ok?
>
> The current fix has a nasty side effect, it leads to 342544.
>
> A solution has to be brewed from the 001_update1.patch (IIRC) that
> performs checks in the regexp.php file IIRC.
>
> I should say I've not the time atm to extract it myself.
>
> Though, please note that this XSS vulnerability IS really minor:
> it has to be created by a user that stole a PHPSESSID from you, and made
> a treacherous search, and forced the user to use 'last search result'
> *BEFORE* you do a new search yourself, which is *REALLY* unlikely.
> That is not doable for anonymous users.
>
> I'll try to have a minimalist patch ASAP, but the stable version is not
> really based on the same code (I mean the version in unstable is
> quite bigger) and I'm not sure a patch is that simple to transpose
> (you must have seen that my patch was quite brutal: I escaped any
> POST-ed or GET-ed variable, which is most of the time OK, but which
> is not really nice nor "the right way" since it results in some
> entities showing up in mails).

In fact, I'm just not sure that stable is concerned, as the 'last
search' link does not exist in it as far as I remember.

-- 
·O·  Pierre Habouzit
··O  madcoder@debian.org
OOO  http://www.madism.org
Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Mon, 2005-12-19 at 16:47 +0100, Pierre Habouzit wrote:
> -6 is the package that will fix all that should be, and it'll enter etch
> in 10 days from now.

Great, my interest is that the problem is addressed in the best way
possible :) What about stable, do you want to prepare new updated
packages or is the current fix ok?

Thijs
Pierre Habouzit
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Mon 19 December 2005 16:54, Thijs Kinkhorst wrote:
> On Mon, 2005-12-19 at 16:47 +0100, Pierre Habouzit wrote:
> > -6 is the package that will fix all that should be, and it'll enter
> > etch in 10 days from now.
>
> Great, my interest is that the problem is addressed in the best way
> possible :) What about stable, do you want to prepare new updated
> packages or is the current fix ok?

The current fix has a nasty side effect, it leads to 342544.

A solution has to be brewed from the 001_update1.patch (IIRC) that
performs checks in the regexp.php file IIRC.

I should say I've not the time atm to extract it myself.

Though, please note that this XSS vulnerability IS really minor: it has
to be created by a user that stole a PHPSESSID from you, and made a
treacherous search, and forced the user to use 'last search result'
*BEFORE* you do a new search yourself, which is *REALLY* unlikely. That
is not doable for anonymous users.

I'll try to have a minimalist patch ASAP, but the stable version is not
really based on the same code (I mean the version in unstable is quite
bigger) and I'm not sure a patch is that simple to transpose (you must
have seen that my patch was quite brutal: I escaped any POST-ed or
GET-ed variable, which is most of the time OK, but which is not really
nice nor "the right way" since it results in some entities showing up in
mails).

-- 
·O·  Pierre Habouzit
··O  madcoder@debian.org
OOO  http://www.madism.org
Steve Langasek
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Mon, Dec 19, 2005 at 04:47:50PM +0100, Pierre Habouzit wrote:
> > > Moreover the current version has some problems that I'd not like to
> > > see enter testing at all.

> > Current testing has an RC security bug. If those issues you mention
> > are also RC, I suggest you document them in the BTS, since I didn't
> > find any other RC issues in the tracker. If they are not, this
> > version should progress in order to fix the RC security bug in
> > testing that's absent in unstable.

> You are right on the full line, and I just did an upload of what I
> should have done way earlier and that was almost ready on my computer.

> This one fixes a lot of bugs and uses the update that upstream released
> a few days after I fixed the RC bug in a hurry.

> -6 is the package that will fix all that should be, and it'll enter etch
> in 10 days from now.

If this fixes a release critical security bug, *why* are we treating it
with urgency=low?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Steve Langasek
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Tue, Dec 20, 2005 at 12:42:40AM +0100, Pierre Habouzit wrote:
> On Mon 19 December 2005 22:15, Steve Langasek wrote:
> > On Mon, Dec 19, 2005 at 04:47:50PM +0100, Pierre Habouzit wrote:
> > > > > Moreover the current version has some problems that I'd not
> > > > > like to see enter testing at all.

> > > > Current testing has an RC security bug. If those issues you
> > > > mention are also RC, I suggest you document them in the BTS,
> > > > since I didn't find any other RC issues in the tracker. If they
> > > > are not, this version should progress in order to fix the RC
> > > > security bug in testing that's absent in unstable.

> > > You are right on the full line, and I just did an upload of what I
> > > should have done way earlier and that was almost ready on my
> > > computer.

> > > This one fixes a lot of bugs and uses the update that upstream
> > > released a few days after I fixed the RC bug in a hurry.

> > > -6 is the package that will fix all that should be, and it'll enter
> > > etch in 10 days from now.

> > If this fixes a release critical security bug, *why* are we treating
> > it with urgency=low?

> I already did an upload with urgency low, either you can force it to be
> high, or I can reupload, as you want.

Ok, urgency bumped.

Thanks,

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
reopen 335997
found 335997 0.9.7-2
thanks

Hello Pierre,

Sorry, didn't have time to get back to this earlier. I've verified that
unstable is indeed completely fixed for CVE-2005-3334 (which contains
some typos in the names of the affected variables).

> Though, please note that this XSS vulnerability IS really minor: it
> has to be created by a user that stole a PHPSESSID from you, and made a
> treacherous search, and forced the user to use 'last search result'
> *BEFORE* you do a new search yourself, which is *REALLY* unlikely. That
> is not doable for anonymous users.

I don't subscribe to this assessment. This is a classic XSS, which can be
exploited as any other: trick the user into going to a specially crafted
URL and you can access his password cookie through JavaScript. You don't
need to steal anything or bring the system into a specific state.

> I'll try to have a minimalist patch ASAP, but the stable version is not
> really based on the same code (I mean the version in unstable is quite
> bigger) and I'm not sure a patch is that simple to transpose (you must
> have seen that my patch was quite brutal: I escaped any POST-ed or
> GET-ed variable, which is most of the time OK, but which is not really
> nice nor "the right way" since it results in some entities showing up
> in mails).

At least I can confirm that the stable version is still vulnerable to
this attack, it's easily reproducible. If you want I can look into
providing a patch or updated package. In any case, the bug should not yet
be closed.

bye,
Thijs
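The two escaping strategies the thread argues about, side by side: escaping every GET/POST value on the way in (which the maintainer describes as his "brutal" patch, and which leaves HTML entities in the notification mails) versus escaping each output for its own context. This is an added PHP example, not Flyspray's code; the search term, the link format and the mail body are constructed for illustration.

```php
<?php
// Added example (not Flyspray's code): a constructed search term is both
// echoed into an HTML page and copied into a plain-text notification mail.

// Strategy A: escape all request values on input. The HTML output is
// safe, but every other consumer of the value now receives entities.
function escape_all_input(array $params): array
{
    return array_map(
        fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
        $params
    );
}

// Strategy B: keep the raw value and escape at each output point with
// the rule that fits that output's context.
function render_last_search_link(string $term): string
{
    $href = '?do=search&amp;q=' . rawurlencode($term);       // URL context
    $text = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');    // HTML context
    return '<a href="' . $href . '">Last search: ' . $text . '</a>';
}

function render_mail_body(string $term): string
{
    // Plain-text mail: no HTML entities wanted; line breaks are flattened
    // so the value stays on the line it was meant to fill.
    return 'Search results for: ' . str_replace(["\r", "\n"], ' ', $term);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample request carrying markup in the search term.
$request = ['q' => 'Tom & Jerry <b>bold</b>'];

// Strategy A: the mail carries entities, the side effect the thread reports.
$mailA = render_mail_body(escape_all_input($request)['q']);
check(strpos($mailA, '&amp;') !== false, 'input escaping leaks entities into mail');

// Strategy B: the mail stays plain text and the page is escaped.
$mailB = render_mail_body($request['q']);
$linkB = render_last_search_link($request['q']);
check($mailB === 'Search results for: Tom & Jerry <b>bold</b>', 'mail is plain text');
check(strpos($linkB, '<b>') === false, 'no raw markup reaches the page');
check(strpos($linkB, '&lt;b&gt;bold&lt;/b&gt;') !== false, 'markup is escaped on the page');

// Independent hardening: an HttpOnly session cookie is not readable from
// script, so a reflected payload cannot simply copy it out.
ini_set('session.cookie_httponly', '1');

echo $mailA, "\n", $mailB, "\n", $linkB, "\n";
```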
Pierre Habouzit
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Mon 19 December 2005 13:41, Thijs Kinkhorst wrote:
> close 335997 0.9.8-4
> tags 335997 patch
> thanks
>
> > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > Flyspray. Have a look at
> > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> > for more details. This has been assigned CVE-2005-3334,
> > please mention so in the changelog when fixing this.
>
> This RC bug has been open for >50 days without response from the
> maintainer, so I've taken the liberty to work towards a fix.
>
> For unstable:
> This has already been addressed in the current unstable version by an
> update from the upstream repository in version 0.9.8-4, uploaded by
> the maintainer on 2005-10-26. I'm marking the bug as fixed in that
> version with this mail.
>
> For testing:
> The current unstable version just has to migrate to testing, and that
> will happen soon because I'm now marking the RC bug as fixed in
> 0.9.8-4.
>
> For stable:
> I've extracted the right patch from the unstable version (which has
> been present without any bugreports since the end of October), and
> that is attached. I've also prepared updated packages here:
> http://www.a-eskwadraat.nl/~kink/flyspray/
>
> For oldstable:
> Does not contain flyspray.
>
>
> Bye,
> Thijs

afaict the unstable version was not upstream's and was not touched by
the vulnerability. I've not had the time to check it though.

Moreover the current version has some problems that I'd not like to see
enter testing at all.

-- 
·O·  Pierre Habouzit
··O  madcoder@debian.org
OOO  http://www.madism.org
Pierre Habouzit
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
On Mon 19 December 2005 22:15, Steve Langasek wrote:
> On Mon, Dec 19, 2005 at 04:47:50PM +0100, Pierre Habouzit wrote:
> > > > Moreover the current version has some problems that I'd not
> > > > like to see enter testing at all.
> > >
> > > Current testing has an RC security bug. If those issues you
> > > mention are also RC, I suggest you document them in the BTS,
> > > since I didn't find any other RC issues in the tracker. If they
> > > are not, this version should progress in order to fix the RC
> > > security bug in testing that's absent in unstable.
> >
> > You are right on the full line, and I just did an upload of what I
> > should have done way earlier and that was almost ready on my
> > computer.
> >
> > This one fixes a lot of bugs and uses the update that upstream
> > released a few days after I fixed the RC bug in a hurry.
> >
> > -6 is the package that will fix all that should be, and it'll enter
> > etch in 10 days from now.
>
> If this fixes a release critical security bug, *why* are we treating
> it with urgency=low?

I already did an upload with urgency low, either you can force it to be
high, or I can reupload, as you want.

-- 
·O·  Pierre Habouzit
··O  madcoder@debian.org
OOO  http://www.madism.org
Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: flyspray: Multiple XSS vulnerabilities
Skipped content of type multipart/mixed