Debian Bug report logs - #335997
flyspray: Multiple XSS vulnerabilities


Package: flyspray; Maintainer for flyspray is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 27 Oct 2005 09:33:01 UTC

Severity: grave

Tags: fixed, patch, security

Found in version flyspray/0.9.7-2

Fixed in version flyspray/0.9.8-6

Done: Thijs Kinkhorst <kink@squirrelmail.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: flyspray: Multiple XSS vulnerabilities
Date: Thu, 27 Oct 2005 11:31:59 +0200
Package: flyspray
Severity: grave
Tags: security
Justification: user security hole

Multiple Cross-Site-Scripting vulnerabilities have been found in
Flyspray. Have a look at 
http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
for more details. This has been assigned CVE-2005-3334, please mention so in
the changelog when fixing this.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #10 received at 335997@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 335997@bugs.debian.org
Cc: luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, control@bugs.debian.org
Subject: Re: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 13:41:24 +0100
[Message part 1 (text/plain, inline)]
close 335997 0.9.8-4
tags 335997 patch
thanks

> Multiple Cross-Site-Scripting vulnerabilities have been found in
> Flyspray. Have a look at 
> http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> for more details. This has been assigned CVE-2005-3334, please mention so in
> the changelog when fixing this.

This RC bug has been open for >50 days without response from the
maintainer, so I've taken the liberty to work towards a fix.

For unstable:
This has already been addressed in the current unstable version by an
update from the upstream repository in version 0.9.8-4, uploaded by the
maintainer on 2005-10-26. I'm marking the bug as fixed in that version
with this mail.

For testing:
The current unstable version just has to migrate to testing, and that
will happen soon because I'm now marking the RC bug as fixed in 0.9.8-4.

For stable:
I've extracted the right patch from the unstable version (which has been
present without any bugreports since the end of October), and that is
attached. I've also prepared updated packages here:
http://www.a-eskwadraat.nl/~kink/flyspray/

For oldstable:
Does not contain flyspray.


Bye,
Thijs
[CVE-2005-3334.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug marked as fixed in version 0.9.8-4, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org> Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #19 received at 335997@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: team@security.debian.org
Cc: 335997@bugs.debian.org, luk@debian.org
Subject: Re: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 14:10:18 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2005-12-19 at 13:41 +0100, Thijs Kinkhorst wrote:
> For stable:
> I've extracted the right patch from the unstable version (which has been
> present without any bugreports since the end of October), and that is
> attached. I've also prepared updated packages here:
> http://www.a-eskwadraat.nl/~kink/flyspray/

Here's some more information for a possible advisory:

Package        : flyspray
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3334
Debian Bug     : 335997

Lostmon has discovered cross site scripting vulnerabilities in multiple
parameters of flyspray, a lightweight bug tracking system, which allows
attackers to insert arbitrary script code into the index.php page.

The old stable distribution (woody) does not contain flyspray.

For the stable distribution (sarge) this problem has been fixed in
version 0.9.7-2.1.

For the testing (etch) and unstable distribution (sid) this problem has
been fixed in version 0.9.8-5.


bye,
Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #24 received at 335997@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 335997@bugs.debian.org, team@security.debian.org, luk@debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 15:04:48 +0100
* Thijs Kinkhorst:

> For the testing (etch) and unstable distribution (sid) this problem has
> been fixed in version 0.9.8-5.

> close 335997 0.9.8-4

-4 or -5?



Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #29 received at 335997@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 335997@bugs.debian.org, team@security.debian.org, luk@debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 15:11:22 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2005-12-19 at 15:04 +0100, Florian Weimer wrote:
> * Thijs Kinkhorst:
> 
> > For the testing (etch) and unstable distribution (sid) this problem has
> > been fixed in version 0.9.8-5.
> 
> > close 335997 0.9.8-4
> 
> -4 or -5?

The changelog for -4 lists the fix ("* Branch pull from upstream
(closes: #335596)."), but the -5 changelog consists of a vague message
from which I conclude that -4 was in some way a broken upload ("The
[ I'm ashamed ] release ... * Put the patches in the right
directory.."). Since -4 isn't available from the Debian servers anymore,
I can't check whether that package actually fixed the bug or that it
tried but failed.

In any case, -5 seems to be the "right" version. If you want to adjust
the bug version tags for that, go ahead.


Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <pierre.habouzit@m4x.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #34 received at 335997@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <pierre.habouzit@m4x.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>, 335997@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, control@bugs.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 16:26:31 +0100
[Message part 1 (text/plain, inline)]
On Mon 19 December 2005 13:41, Thijs Kinkhorst wrote:
> close 335997 0.9.8-4
> tags 335997 patch
> thanks
>
> > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > Flyspray. Have a look at
> > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-va
> >riable.html for more details. This has been assigned CVE-2005-3334,
> > please mention so in the changelog when fixing this.
>
> This RC bug has been open for >50 days without response from the
> maintainer, so I've taken the liberty to work towards a fix.
>
> For unstable:
> This has already been addressed in the current unstable version by an
> update from the upstream repository in version 0.9.8-4, uploaded by
> the maintainer on 2005-10-26. I'm marking the bug as fixed in that
> version with this mail.
>
> For testing:
> The current unstable version just has to migrate to testing, and that
> will happen soon because I'm now marking the RC bug as fixed in
> 0.9.8-4.
>
> For stable:
> I've extracted the right patch from the unstable version (which has
> been present without any bugreports since the end of October), and
> that is attached. I've also prepared updated packages here:
> http://www.a-eskwadraat.nl/~kink/flyspray/
>
> For oldstable:
> Does not contain flyspray.
>
>
> Bye,
> Thijs


afaict the unstable version was not upstream's and was not touched by 
the vulnerability. I've not had the time to check it though.

Moreover the current version has some problems that I'd not like to see 
enter testing at all.
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #39 received at 335997@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Pierre Habouzit <pierre.habouzit@m4x.org>
Cc: 335997@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 16:42:37 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2005-12-19 at 16:26 +0100, Pierre Habouzit wrote:
> > > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > > Flyspray. Have a look at
> > > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-va
> > >riable.html for more details. This has been assigned CVE-2005-3334,
> > > please mention so in the changelog when fixing this.

> afaict the unstable version was not upstream's and was not touched by 
> the vulnerability. I've not had the time to check it though.

Since no information was added to this bug report since it was opened, I
have only the changelog, advisory and upstream code to go by. From the
changelog I read that you pulled the fix in question from the upstream
repo. I've tested this code against the vulnerability and it indeed
fixes it. If you believe another fix to be better, please supply a
patch.

> Moreover the current version has some problems that I'd not like to see 
> enter testing at all.

Current testing has an RC security bug. If those issues you mention are
also RC, I suggest you document them in the BTS, since I didn't find any
other RC issues in the tracker. If they are not, this version should
progress in order to fix the RC security bug in testing that's absent in
unstable.


Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <pierre.habouzit@m4x.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #44 received at 335997@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <pierre.habouzit@m4x.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 335997@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 16:47:50 +0100
[Message part 1 (text/plain, inline)]
On Mon 19 December 2005 16:42, Thijs Kinkhorst wrote:
> On Mon, 2005-12-19 at 16:26 +0100, Pierre Habouzit wrote:
> > > > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > > > Flyspray. Have a look at
> > > > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multipl
> > > >e-va riable.html for more details. This has been assigned
> > > > CVE-2005-3334, please mention so in the changelog when fixing
> > > > this.
> >
> > afaict the unstable version was not upstream's and was not touched
> > by the vulnerability. I've not had the time to check it though.
>
> Since no information was added to this bug report since it was
> opened, I have only the changelog, advisory and upstream code to go
> by. From the changelog I read that you pulled the fix in question
> from the upstream repo. I've tested this code against the
> vulnerability and it indeed fixes it. If you believe another fix to
> be better, please supply a patch.
>
> > Moreover the current version has some problems that I'd not like to
> > see enter testing at all.
>
> Current testing has an RC security bug. If those issues you mention
> are also RC, I suggest you document them in the BTS, since I didn't
> find any other RC issues in the tracker. If they are not, this
> version should progress in order to fix the RC security bug in
> testing that's absent in unstable.

you are right on the full line, and I just did an upload of what I 
should have done way earlier and that was almost ready on my computer.

This one fixes a lot of bugs and uses the update that upstream released 
a few days after I fixed the RC bug in a hurry.

-6 is the package that will fix all that should be, and it'll enter etch 
in 10 days from now.

thanks for the other valuable patch you sent btw.
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #49 received at 335997@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Pierre Habouzit <pierre.habouzit@m4x.org>
Cc: 335997@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 16:54:52 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2005-12-19 at 16:47 +0100, Pierre Habouzit wrote:
> -6 is the package that will fix all that should be, and it'll enter etch 
> in 10 days from now.

Great, my interest is that the problem is addressed in the best way
possible :) What about stable, do you want to prepare new updated
packages or is the current fix ok?


Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <pierre.habouzit@m4x.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #54 received at 335997@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <pierre.habouzit@m4x.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 335997@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 17:02:27 +0100
[Message part 1 (text/plain, inline)]
On Mon 19 December 2005 16:54, Thijs Kinkhorst wrote:
> On Mon, 2005-12-19 at 16:47 +0100, Pierre Habouzit wrote:
> > -6 is the package that will fix all that should be, and it'll enter
> > etch in 10 days from now.
>
> Great, my interest is that the problem is addressed in the best way
> possible :) What about stable, do you want to prepare new updated
> packages or is the current fix ok?

the current fix has a nasty side effect: it leads to 342544

a solution has to be brewed from the 001_update1.patch (IIRC) that 
performs checks in the regexp.php file IIRC.

I should say I've not the time atm to extract it myself.


Though, please note that this XSS vulnerability IS really minor: it 
has to be created by a user that stole your PHPSESSID, and made a 
treacherous search, and forced the user to use 'last search result' 
*BEFORE* you do a new search yourself, which is *REALLY* unlikely. That 
is not doable for anonymous users.

I'll try to have a minimalist patch ASAP, but the stable version is not 
really based on the same code (I mean the version in unstable is quite 
bigger) and I'm not sure a patch is that simple to transpose (you must 
have seen that my patch was quite brutal: I escaped any POST-ed or 
GET-ed variable, which is most of the time OK, but which is not really 
nice nor "the right way" since it results in some entities showing up 
in mails).
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]
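The trade-off Pierre describes above, HTML-escaping every GET/POST value once on input (which stops the reflected XSS but leaves entities in the plain-text mails, the side effect tracked as #342544), shown next to the vulnerable pattern and to context-specific escaping at output time. This is an added example, not code from Flyspray or from anyone in this thread; the function names, the `search` parameter and the sample input are constructed, and it assumes PHP 7.4 or later. The HttpOnly session-cookie setting at the end is the usual mitigation for the cookie-theft impact discussed later in the thread; the real Flyspray cookie name is not assumed.

```php
<?php
// Added example, not Flyspray's code.  One user-supplied search string is
// both reflected into an HTML page and copied into a plain-text
// notification mail; the three functions differ only in where escaping
// happens.  All names and inputs below are constructed for illustration.

// 1. Vulnerable pattern: the raw parameter is reflected into HTML.
function render_vulnerable(string $search): string
{
    return "<p>Results for: $search</p>";
}

// 2. Escape everything on input: every GET/POST value is HTML-encoded
//    once, up front.  The HTML is safe, but the same value is now wrong
//    for every non-HTML sink, so the entities leak into the mail body.
function sanitise_request(array $params): array
{
    return array_map(
        fn($v) => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'),
        $params
    );
}

function render_with_input_escaping(array $params): array
{
    $p = sanitise_request($params);
    return [
        'html' => "<p>Results for: {$p['search']}</p>",
        // plain-text mail: &amp; and &lt; appear literally here
        'mail' => "New search on tracker: {$p['search']}",
    ];
}

// 3. Escape at output, per context: keep the raw value, encode it only
//    where it is emitted as HTML, and leave the plain-text mail as text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_with_output_escaping(array $params): array
{
    $search = (string)($params['search'] ?? '');
    return [
        'html' => "<p>Results for: " . h($search) . "</p>",
        'mail' => "New search on tracker: $search",
    ];
}

// Defence in depth for the cookie-theft impact: an HttpOnly session
// cookie cannot be read by script in the page even if an injection
// slips through.  Must be called before session_start().
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed input: a search string carrying markup and an ampersand.
$params = ['search' => 'foo & <script>alert(1)</script>'];

$in  = render_with_input_escaping($params);
$out = render_with_output_escaping($params);

echo "vulnerable      : ", render_vulnerable($params['search']), "\n";
echo "input-esc  html : ", $in['html'], "\n";
echo "input-esc  mail : ", $in['mail'], "\n";
echo "output-esc html : ", $out['html'], "\n";
echo "output-esc mail : ", $out['mail'], "\n";
```

Run with `php example.php`: the two HTML renderings that escape are identical and inert, while only the input-escaping variant carries `&amp;` and `&lt;` into the mail text, which is the symptom the thread attributes to the first patch. Encoding at the sink rather than at the source is what removes that side effect without reopening the XSS.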

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <pierre.habouzit@m4x.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #59 received at 335997@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <pierre.habouzit@m4x.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 335997@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 17:03:21 +0100
[Message part 1 (text/plain, inline)]
On Mon 19 December 2005 17:02, Pierre Habouzit wrote:
> On Mon 19 December 2005 16:54, Thijs Kinkhorst wrote:
> > On Mon, 2005-12-19 at 16:47 +0100, Pierre Habouzit wrote:
> > > -6 is the package that will fix all that should be, and it'll
> > > enter etch in 10 days from now.
> >
> > Great, my interest is that the problem is addressed in the best way
> > possible :) What about stable, do you want to prepare new updated
> > packages or is the current fix ok?
>
> the current fix has a nasty side effect, it leads to 342544
>
> a solution has to be brewed from the 001_update1.patch (IIRC) that
> performs checks in the regexp.php file IIRC.
>
> I should say I've not the time atm to extract it myself.
>
>
> Though, please note that this XSS vulnerability IS really minor:
> it has to be created by a user that stole your PHPSESSID, and made
> a treacherous search, and forced the user to use 'last search result'
> *BEFORE* you do a new search yourself, which is *REALLY* unlikely.
> That is not doable for anonymous users.
>
> I'll try to have a minimalist patch ASAP, but the stable version is not
> really based on the same code (I mean the version in unstable is
> quite bigger) and I'm not sure a patch is that simple to transpose
> (you must have seen that my patch was quite brutal: I escaped any
> POST-ed or GET-ed variable, which is most of the time OK, but which
> is not really nice nor "the right way" since it results in some
> entities showing up in mails).

In fact, I'm just not sure that stable is concerned, as the 'last 
search' link does not exist in it as far as I remember.
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #64 received at 335997-close@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: 335997-close@bugs.debian.org
Subject: Bug#335997: fixed in flyspray 0.9.8-6
Date: Mon, 19 Dec 2005 08:02:07 -0800
Source: flyspray
Source-Version: 0.9.8-6

We believe that the bug you reported is fixed in the latest version of
flyspray, which is due to be installed in the Debian FTP archive:

flyspray_0.9.8-6.diff.gz
  to pool/main/f/flyspray/flyspray_0.9.8-6.diff.gz
flyspray_0.9.8-6.dsc
  to pool/main/f/flyspray/flyspray_0.9.8-6.dsc
flyspray_0.9.8-6_all.deb
  to pool/main/f/flyspray/flyspray_0.9.8-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 335997@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated flyspray package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 19 Dec 2005 16:41:05 +0100
Source: flyspray
Binary: flyspray
Architecture: source all
Version: 0.9.8-6
Distribution: unstable
Urgency: low
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 flyspray   - lightweight Bug Tracking System (BTS) in PHP
Closes: 335997 337717 342544 343610 344014
Changes: 
 flyspray (0.9.8-6) unstable; urgency=low
 .
   * Php apps cannot depends upon phpapi (closes: #343610).
   * Postinst typos fixed (closes: #344014).
   * Update fr.po (closes: #337717).
 .
   * Update patches to use flypsray-update1 instead of home-brewed patches.
     - it fixes the htmlspecialchars problem (closes: #342544).
     - it fixes the security problem with upstream's method (closes: #335997).
Files: 
 95f09672d4fd4d4df8ccb1c54db73fab 595 web optional flyspray_0.9.8-6.dsc
 5b90e8db34dd8d09b2fc81752ec834d1 22849 web optional flyspray_0.9.8-6.diff.gz
 b56fa04cc6af97df8eedd175691410f7 390420 web optional flyspray_0.9.8-6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDptVpvGr7W6HudhwRApGDAJ9nwB15tj+NjcyVOW3+ZnP1j8CYpQCfU6J6
2XDAe5WJyuAZWeEv4TZjNyU=
=aytD
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #69 received at 335997@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Pierre Habouzit <pierre.habouzit@m4x.org>, 335997@bugs.debian.org
Cc: Thijs Kinkhorst <kink@squirrelmail.org>, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 13:15:03 -0800
[Message part 1 (text/plain, inline)]
On Mon, Dec 19, 2005 at 04:47:50PM +0100, Pierre Habouzit wrote:
> > > Moreover the current version has some problems that I'd not like to
> > > see enter testing at all.

> > Current testing has an RC security bug. If those issues you mention
> > are also RC, I suggest you document them in the BTS, since I didn't
> > find any other RC issues in the tracker. If they are not, this
> > version should progress in order to fix the RC security bug in
> > testing that's absent in unstable.

> you are right on the full line, and I just did an upload of what I 
> should have done way earlier and that was almost ready on my computer.

> This one fixes a lot of bugs and uses the update that upstream released 
> a few days after I fixed the RC bug in a hurry.

> -6 is the package that will fix all that should be, and it'll enter etch 
> in 10 days from now.

If this fixes a release critical security bug, *why* are we treating it
with urgency=low?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <pierre.habouzit@m4x.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #74 received at 335997@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <pierre.habouzit@m4x.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 335997@bugs.debian.org, Thijs Kinkhorst <kink@squirrelmail.org>, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Tue, 20 Dec 2005 00:42:40 +0100
[Message part 1 (text/plain, inline)]
On Mon 19 December 2005 22:15, Steve Langasek wrote:
> On Mon, Dec 19, 2005 at 04:47:50PM +0100, Pierre Habouzit wrote:
> > > > Moreover the current version has some problems that I'd not
> > > > like to see enter testing at all.
> > >
> > > Current testing has an RC security bug. If those issues you
> > > mention are also RC, I suggest you document them in the BTS,
> > > since I didn't find any other RC issues in the tracker. If they
> > > are not, this version should progress in order to fix the RC
> > > security bug in testing that's absent in unstable.
> >
> > you are right on the full line, and I just did an upload of what I
> > should have done way earlier and that was almost ready on my
> > computer.
> >
> > This one fixes a lot of bugs and uses the update that upstream
> > released a few days after I fixed the RC bug in a hurry.
> >
> > -6 is the package that will fix all that should be, and it'll enter
> > etch in 10 days from now.
>
> If this fixes a release critical security bug, *why* are we treating
> it with urgency=low?

I already did an upload with urgency low, either you can force it to be 
high, or I can reupload, as you want.
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #79 received at 335997@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Pierre Habouzit <pierre.habouzit@m4x.org>
Cc: 335997@bugs.debian.org, Thijs Kinkhorst <kink@squirrelmail.org>, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Mon, 19 Dec 2005 22:13:21 -0800
[Message part 1 (text/plain, inline)]
On Tue, Dec 20, 2005 at 12:42:40AM +0100, Pierre Habouzit wrote:
> On Mon 19 December 2005 22:15, Steve Langasek wrote:
> > On Mon, Dec 19, 2005 at 04:47:50PM +0100, Pierre Habouzit wrote:
> > > > > Moreover the current version has some problems that I'd not
> > > > > like to see enter testing at all.

> > > > Current testing has an RC security bug. If those issues you
> > > > mention are also RC, I suggest you document them in the BTS,
> > > > since I didn't find any other RC issues in the tracker. If they
> > > > are not, this version should progress in order to fix the RC
> > > > security bug in testing that's absent in unstable.

> > > you are right on the full line, and I just did an upload of what I
> > > should have done way earlier and that was almost ready on my
> > > computer.

> > > This one fixes a lot of bugs and uses the update that upstream
> > > released a few days after I fixed the RC bug in a hurry.

> > > -6 is the package that will fix all that should be, and it'll enter
> > > etch in 10 days from now.

> > If this fixes a release critical security bug, *why* are we treating
> > it with urgency=low?

> I already did an upload with urgency low, either you can force it to be 
> high, or I can reupload, as you want.

Ok, urgency bumped.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>.

Message #84 received at 335997@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: Pierre Habouzit <pierre.habouzit@m4x.org>
Cc: control@bugs.debian.org, 335997@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, luk@debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org
Subject: Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Date: Sat, 31 Dec 2005 16:27:47 +0100
[Message part 1 (text/plain, inline)]
reopen 335997
found 335997 0.9.7-2
thanks

Hello Pierre,

Sorry, didn't have time to get back to this earlier. I've verified that
unstable is indeed completely fixed for CVE-2005-3334 (which contains
some typos in the names of the affected variables).

> Though, please note that this XSS vulnerability IS really minor: it 
> has to be created by a user that stole a PHPSESSID from you, and made a 
> treacherous search, and forced the user to use 'last search result' 
> *BEFORE* you do a new search yourself, which is *REALLY* unlikely. That 
> is not doable for anonymous users.

I don't subscribe to this assessment. This is a classic XSS, which can
be exploited as any other: trick the user into going to a specially
crafted URL and you can access his password cookie through JavaScript.
You don't need to steal anything or bring the system into a specific
state.

> I'll try to have a minimalist patch ASAP, but the stable version is not 
> really based on the same code (I mean the version in unstable is quite 
> bigger) and I'm not sure a patch is that simple to transpose (you must 
> have seen that my patch was quite brutal: I escaped any POST-ed or 
> GET-ed variable, which is most of the time OK, but which is not really 
> nice nor "the right way" since it results in some entities showing up 
> in mails).

At least I can confirm that the stable version is still vulnerable to
this attack; it's easily reproducible. If you want I can look into
providing a patch or updated package. In any case, the bug should not
yet be closed.


bye,
Thijs
[signature.asc (application/pgp-signature, inline)]
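The escaping trade-off Pierre and Thijs discuss above (escape every GET/POST value once at input time, versus escape at each output sink), shown as an added PHP example. This is not flyspray's code and not either poster's patch; the parameter name q, the function names and the HTML and mail templates are assumptions made for illustration.

```php
<?php
// Added example, not flyspray code: one reflected request parameter that is
// written both into an HTML page and into a plain-text notification mail.
// $q, render_* and sanitize_request are hypothetical names for illustration.
declare(strict_types=1);

function contains(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) !== false;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Sink 1: HTML page. Vulnerable form: the value is interpolated unescaped.
function render_html_vulnerable(string $q): string
{
    return "<p>Results for: " . $q . "</p>";
}

// Sink 2: plain-text mail body (no HTML context, so no HTML escaping wanted).
function render_mail(string $q): string
{
    return "New search on the tracker: " . $q . "\n";
}

// The "brutal" fix from the thread: escape every GET/POST value once, at
// input time, and hand the escaped copy to every sink.
function sanitize_request(array $params): array
{
    $clean = [];
    foreach ($params as $key => $value) {
        $clean[$key] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $clean;
}

// The "right way": keep the raw value and escape at the HTML sink only.
function render_html_safe(string $q): string
{
    return "<p>Results for: " . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . "</p>";
}

// Constructed input standing in for a crafted URL parameter.
$q = "<script>alert(document.cookie)</script>";

// Unpatched: the script tag reaches the browser.
check(contains(render_html_vulnerable($q), '<script>'), 'unpatched HTML is injectable');

// Input-time escaping: the HTML sink is fixed, but the mail now carries entities.
$clean = sanitize_request(['q' => $q]);
$htmlBrutal = render_html_vulnerable($clean['q']);
$mailBrutal = render_mail($clean['q']);
check(!contains($htmlBrutal, '<script>'), 'input-escaped HTML is safe');
check(contains($mailBrutal, '&lt;script&gt;'), 'input escaping leaks entities into mail');

// Output-time escaping: the HTML sink is fixed and the mail shows the text as typed.
$htmlSafe = render_html_safe($q);
$mailSafe = render_mail($q);
check(!contains($htmlSafe, '<script>'), 'output-escaped HTML is safe');
check(!contains($mailSafe, '&lt;'), 'mail body keeps the raw text');

echo $htmlBrutal, "\n", $mailBrutal, $htmlSafe, "\n", $mailSafe;
```

Run it with `php example.php`; every check passes and the two mail bodies show the difference Pierre describes. Output-time escaping has to be applied at every HTML sink, which is why a blanket input-time sweep is tempting for a hurried fix; and if the notification mail were HTML-formatted rather than plain text, that sink would need its own escaping as well.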

Bug reopened, originator not changed. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Bug marked as found in version 0.9.7-2. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Bug marked as fixed in version 0.9.8-6, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org>. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>.

Message #95 received at 335997@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 335997@bugs.debian.org
Cc: team@security.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Fixed packages for flyspray xss (CVE-2005-3334)
Date: Mon, 16 Jan 2006 18:31:05 +0100
[Message part 1 (text/plain, inline)]
Hello Pierre & security team,

While this issue has been addressed in unstable before the holidays,
CVE-2005-3334 (multiple xss in flyspray) is still open in sarge. I've
taken the liberty to prepare a patch and updated packages.

In short:
Taken patch from sid(/upstream), updated it to match the style of the
similar checks in that file in 0.9.7 so it's minimally intrusive.
Verified that issue is solved.

Patch: attached.
Packages: http://www.a-eskwadraat.nl/~kink/flyspray/


Possible advisory text:
=====
Package        : flyspray
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3334
Debian Bug     : 335997

Lostmon has discovered cross site scripting vulnerabilities in multiple
parameters of flyspray, a lightweight bug tracking system, which allow
attackers to insert arbitrary script code into the index.php page.

The old stable distribution (woody) does not contain flyspray.

For the stable distribution (sarge) this problem has been fixed in
version 0.9.7-2.1.

For the testing (etch) and unstable distribution (sid) this problem has
been fixed in version 0.9.8-6.
======

Let me know if you need any more information.


bye,
Thijs
[CVE-2005-3334.stable.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#335997; Package flyspray.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list.

Message #100 received at 335997@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>, 335997@bugs.debian.org
Cc: team@security.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#335997: Fixed packages for flyspray xss (CVE-2005-3334)
Date: Mon, 16 Jan 2006 18:44:13 +0100
[Message part 1 (text/plain, inline)]
Thanks a lot for having it sorted out!

Should I prepare a security upload aimed at sarge? Or will the security 
team handle it? I must say I'm not very used to security uploads 
(this one being almost my first one).

I can have it ready in a couple of minutes if needed, as the patch is 
ready.

On Mon 16 January 2006 18:31, Thijs Kinkhorst wrote:
> Hello Pierre & security team,
>
> While this issue has been addressed in unstable before the holidays,
> CVE-2005-3334 (multiple xss in flyspray) is still open in sarge. I've
> taken the liberty to prepare a patch and updated packages.
>
> In short:
> Taken patch from sid(/upstream), updated it to match the style of the
> similar checks in that file in 0.9.7 so it's minimally intrusive.
> Verified that issue is solved.
>
> Patch: attached.
> Packages: http://www.a-eskwadraat.nl/~kink/flyspray/
>
>
> Possible advisory text:
> =====
> Package        : flyspray
> Vulnerability  : missing input sanitising
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2005-3334
> Debian Bug     : 335997
>
> Lostmon has discovered cross site scripting vulnerabilities in
> multiple parameters of flyspray, a lightweight bug tracking system,
> which allow attackers to insert arbitrary script code into the
> index.php page.
>
> The old stable distribution (woody) does not contain flyspray.
>
> For the stable distribution (sarge) this problem has been fixed in
> version 0.9.7-2.1.
>
> For the testing (etch) and unstable distribution (sid) this problem
> has been fixed in version 0.9.8-6.
> ======
>
> Let me know if you need any more information.
>
>
> bye,
> Thijs

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>.

Message #105 received at 335997@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: "Pierre Habouzit" <madcoder@debian.org>
Cc: 335997@bugs.debian.org, team@security.debian.org, "Moritz Muehlenhoff" <jmm@inutil.org>
Subject: Re: Bug#335997: Fixed packages for flyspray xss (CVE-2005-3334)
Date: Mon, 16 Jan 2006 19:41:35 +0100 (CET)
Hello Pierre,

On Mon, January 16, 2006 18:44, Pierre Habouzit wrote:
> Thanks a lot for having it sorted out!
>
> Should I prepare a security upload aimed at sarge? Or will the security
> team handle it? I must say I'm not very used to security uploads
> (this one being almost my first one).
>
> I can have it ready in a couple of minutes if needed, as the patch is
> ready.

I don't think any more preparation is needed since I have made packages
available for sarge already. If these are good enough for the security
team they can upload them or you can upload them. I think we now just need
to wait for the OK from the team.


Thijs




Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#335997; Package flyspray.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>.

Message #110 received at 335997@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: team@security.debian.org, 335997@bugs.debian.org, luk@debian.org
Subject: Re: flyspray: Multiple XSS vulnerabilities
Date: Sun, 22 Jan 2006 19:59:25 +0100
Thijs Kinkhorst wrote:
> On Mon, 2005-12-19 at 13:41 +0100, Thijs Kinkhorst wrote:
> > For stable:
> > I've extracted the right patch from the unstable version (which has been
> > present without any bugreports since the end of October), and that is
> > attached. I've also prepared updated packages here:
> > http://www.a-eskwadraat.nl/~kink/flyspray/
> 
> Here's some more information for a possible advisory:

Thanks a lot, I'll use your package and text for the advisory.

Regards,

	Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.



Tags added: fixed. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 07:48:33 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 17:06:46 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.