Debian Bug report logs - #484499
slash: possible SQL injection vulnerability


Package: slash; Maintainer for slash is (unknown);

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Wed, 4 Jun 2008 12:45:02 UTC

Severity: grave

Tags: confirmed, etch, patch, security

Fixed in version slash/2.2.6-8etch1

Done: Axel Beckert <abe@deuxchevaux.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Axel Beckert <abe@deuxchevaux.org>:
Bug#484499; Package slash.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Axel Beckert <abe@deuxchevaux.org>.

Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: slash: possible SQL injection vulnerability
Date: Wed, 04 Jun 2008 22:31:31 +1000
Package: slash
Severity: grave
Tags: security
Justification: user security hole

Hi

A possible SQL injection vulnerability was discovered in slash.
The vulnerability was an SQL injection. Its effect was to allow a user
with no special authorization to read any information from any table the
Slash site's mysql user was authorized to read (which may include other
databases, including information_schema).

More information can be found here[0].

The upstream patch can be found here[1].

Cheers
Steffen

[0]: http://www.slashcode.com/article.pl?sid=08/01/07/2314232

[1]: http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environment/Environment.pm?r1=1.223&r2=1.225




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#484499; Package slash.

Acknowledgement sent to Axel Beckert <abe@deuxchevaux.org>:
Extra info received and forwarded to list.

Message #10 received at 484499@bugs.debian.org:

From: Axel Beckert <abe@deuxchevaux.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 484499@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#484499: slash: possible SQL injection vulnerability
Date: Wed, 4 Jun 2008 15:02:07 +0200
tag 484499 + confirmed pending patch etch
thanks

Hi,

the bug is well known to me, there are fixed packages available for
Etch and Sarge (since at that time Sarge still had security support).

The Security Team has been informed about the bug on the day of the
initial disclosure, but I'm still waiting for them to publish a DSA
and updated packages. I exchanged a few mails with them, but I
haven't heard anything since end of January. (Last mail from Moritz
Muehlenhoff at Tue Jan 29 20:20:08 2008, last mail from me to Moritz
Tue Jan 29 20:36:55 2008.)

		Kind regards, Axel
-- 
/~\                                    | Axel Beckert
\ /  Plain Text Ribbon Campaign        | abe@deuxchevaux.org     (Mail)
 X   Say No to HTML in E-Mail and News | abe@noone.org    (Mail+Jabber)
/ \                                    | http://noone.org/abe/    (Web)




Tags added: confirmed, pending, patch, etch. Request was from Axel Beckert <abe@deuxchevaux.org> to control@bugs.debian.org. (Wed, 04 Jun 2008 13:06:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@deuxchevaux.org>:
Bug#484499; Package slash.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@deuxchevaux.org>.

Message #17 received at 484499@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Axel Beckert <abe@deuxchevaux.org>
Cc: 484499@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#484499: slash: possible SQL injection vulnerability
Date: Wed, 4 Jun 2008 23:24:06 +1000
Hi Axel

> the bug is well known to me, there are fixed packages available for
> Etch and Sarge (since at that time Sarge still had security support).
>
> The Security Team has been informed about the bug on the day of the
> initial disclosure, but I'm still waiting for them to publish a DSA
> and updated packages. I exchanged a few mails with them, but I
> haven't heard anything since end of January. (Last mail from Moritz
> Muehlenhoff at Tue Jan 29 20:20:08 2008, last mail from me to Moritz
> Tue Jan 29 20:36:55 2008.)
Yes, I am aware that the stable team knows about it. The issue, however, is 
unembargoed (and thus public and known) and nothing stops you from uploading 
fixed packages to unstable.

I had a look at the etch packages you provided for the security update and saw 
that there are some other changes to all the Makefiles.
Also there is some code added into the postinst to restart apache. Are these 
changes really necessary for the security update?

Cheers
Steffen

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#484499; Package slash.

Acknowledgement sent to Axel Beckert <abe@deuxchevaux.org>:
Extra info received and forwarded to list.

Message #22 received at 484499@bugs.debian.org:

From: Axel Beckert <abe@deuxchevaux.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 484499@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#484499: slash: possible SQL injection vulnerability
Date: Wed, 4 Jun 2008 16:50:18 +0200
Hi,

Steffen Joeris wrote on Wed, Jun 04, 2008 at 11:24:06PM +1000:
> Yes, I am aware that the stable team knows about it.

Oh, ok.

> The issue, however, is unembargoed (and thus public and known)

Of course it is.

> and nothing stops you from uploading fixed packages to unstable.

That's not right. slash is currently uninstallable in Sid (due to the
dependency on Apache 1.3, see #429071) and I asked in my reply to the
last mail from the Security Team how to deal with this issue in
unstable, but never got an answer. (If there are any misunderstandings
in regard to this, I'm happy to clear them up.)

But fixing #429071 is quite a lot of work, which I'm currently not
completely through with (and maybe I won't be for lenny).

> I had a look at the etch packages you provided for the security
> update and saw that there are some other changes to all the
> Makefiles. Also there is some code added into the postinst to
> restart apache. Are these changes really necessary for the security
> update?

IIRC these were other changes that were necessary because otherwise the
upgrade would fail (which is not the idea of a security update IMHO).

I initially took over the package in a quite bad shape and fixed nearly
all of the at that time open bugs for Etch. But I seem to have
overlooked that there were also some bugs when upgrading the package. At
least my upgrade tests resulted in the package wanting to create new
databases, etc. I at least remember that I had to change some more
things than just the bug to make the upgrade work smoothly.

I'm still not sure how to deal with this in unstable, but the next
upload for this package will surely go to experimental, so the package
shouldn't be that long in unstable anymore. Maybe this can be seen as
a fix for the issue.

		Regards, Axel
-- 
/~\                                    | Axel Beckert
\ /  Plain Text Ribbon Campaign        | abe@deuxchevaux.org     (Mail)
 X   Say No to HTML in E-Mail and News | abe@noone.org    (Mail+Jabber)
/ \                                    | http://noone.org/abe/    (Web)




Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@deuxchevaux.org>:
Bug#484499; Package slash.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@deuxchevaux.org>.

Message #27 received at 484499@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 484499@bugs.debian.org
Subject: Re: Bug#484499: slash: possible SQL injection vulnerability
Date: Thu, 5 Jun 2008 02:54:33 +1000
Hi

Please use CVE-2008-2231 as a reference for this issue.
It should be included in every changelog entry that deals with this issue.
Thanks in advance.

Cheers
Steffen

Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@deuxchevaux.org>:
Bug#484499; Package slash.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@deuxchevaux.org>.

Message #32 received at 484499@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 484499@bugs.debian.org
Subject: slash XSS vulnerability
Date: Fri, 6 Jun 2008 15:44:43 +0200
Hi Axel,
the second part of the patch that adds userfield to the 
alphanumeric values is not part of the SQL injection fix.

To be precise, these are two different vulnerabilities: the 
SQL injection, and this part of the patch fixes an XSS flaw 
that got CVE-2008-2553 assigned.

Please also reference this CVE id in the changelog.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
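The two defects discussed in this log, the SQL injection in Steffen's report (CVE-2008-2231) and the XSS that Nico traces to the missing alphanumeric check on `userfield` (CVE-2008-2553), both come down to a form value reaching SQL or HTML unchecked. The following Python/sqlite3 sketch is an added example, not Slash's code (Slash is Perl, and its actual fix lives in Slash/Utility/Environment/Environment.pm); the table, the field names in the allow-list and the crafted value are all constructed here. It puts the interpolating query beside a version that allow-lists the field and binds it as a parameter, with HTML escaping on output as an independent second layer:

```python
import html
import re
import sqlite3

# Form fields that must be strictly alphanumeric before they are used anywhere.
# The Slash fix adds "userfield" to such a list; the names here are constructed
# for this example and are not Slash's own list.
ALNUM_FIELDS = {"userfield", "uid", "sid"}
ALNUM_RE = re.compile(r"\A[A-Za-z0-9_]+\Z")


def clean_form(form):
    """Return a copy of the submitted form, raising ValueError if an
    allow-listed field contains anything but [A-Za-z0-9_]."""
    cleaned = {}
    for key, value in form.items():
        if key in ALNUM_FIELDS and not ALNUM_RE.match(value):
            raise ValueError(f"field {key!r} rejected: not alphanumeric")
        cleaned[key] = value
    return cleaned


def make_db():
    """Constructed in-memory stand-in for the Slash site's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, nickname TEXT, realemail TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.invalid');
        INSERT INTO users VALUES (2, 'bob', 'bob@example.invalid');
    """)
    return conn


def lookup_nick_vulnerable(conn, userfield):
    """Interpolates the form value into the SQL text: everything the database
    user may read becomes reachable through this one query."""
    sql = f"SELECT nickname FROM users WHERE nickname = '{userfield}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_nick_hardened(conn, form):
    """Allow-list the field first, then bind it as a parameter so the value
    can never change the shape of the statement."""
    form = clean_form(form)
    rows = conn.execute(
        "SELECT nickname FROM users WHERE nickname = ?", (form["userfield"],)
    )
    return [row[0] for row in rows]


def hardened_rejects(conn, userfield):
    """True if the hardened path refuses the value outright."""
    try:
        lookup_nick_hardened(conn, {"userfield": userfield})
    except ValueError:
        return True
    return False


def render_nickname(nickname):
    """Output side of the same field: escape on the way into HTML, independent
    of whether the input allow-list was applied upstream."""
    return "<b>" + html.escape(nickname) + "</b>"


if __name__ == "__main__":
    db = make_db()
    # Constructed value: a quote closes the literal and a UNION pulls in a
    # column the page was never meant to show.
    crafted = "alice' UNION SELECT realemail FROM users --"
    print("vulnerable:", lookup_nick_vulnerable(db, crafted))
    print("hardened rejects:", hardened_rejects(db, crafted))
    print("rendered:", render_nickname("<script>alert(1)</script>"))
```

The allow-list is the change Nico describes, and it alone stops both issues for this field; parameter binding and output escaping are kept as separate layers so that a field later dropped from the list, or a value that arrives by another route, still cannot alter the SQL or the markup.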

Reply sent to Axel Beckert <abe@deuxchevaux.org>:
You have taken responsibility.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.

Message #37 received at 484499-close@bugs.debian.org:

From: Axel Beckert <abe@deuxchevaux.org>
To: 484499-close@bugs.debian.org
Subject: Bug#484499: fixed in slash 2.2.6-8etch1
Date: Sat, 06 Sep 2008 11:25:14 +0000
Source: slash
Source-Version: 2.2.6-8etch1

We believe that the bug you reported is fixed in the latest version of
slash, which is due to be installed in the Debian FTP archive:

slash_2.2.6-8etch1.diff.gz
  to pool/main/s/slash/slash_2.2.6-8etch1.diff.gz
slash_2.2.6-8etch1.dsc
  to pool/main/s/slash/slash_2.2.6-8etch1.dsc
slash_2.2.6-8etch1_amd64.deb
  to pool/main/s/slash/slash_2.2.6-8etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 484499@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@deuxchevaux.org> (supplier of updated slash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 14 Jul 2008 02:17:10 +0200
Source: slash
Binary: slash
Architecture: source amd64
Version: 2.2.6-8etch1
Distribution: stable-security
Urgency: high
Maintainer: Axel Beckert <abe@deuxchevaux.org>
Changed-By: Axel Beckert <abe@deuxchevaux.org>
Description: 
 slash      - The code that runs Slashdot
Closes: 484499
Changes: 
 slash (2.2.6-8etch1) stable-security; urgency=high
 .
   * Security fixes for CVE-2008-2231 and CVE-2008-2553 (Closes: #484499)
Files: 
 70b86d7e0c6f4d70e6ecc1e027739be5 954 web extra slash_2.2.6-8etch1.dsc
 a9886e1e08e47e0db4f3ba3e750102ff 584128 web extra slash_2.2.6.orig.tar.gz
 2b23a32433e9b168b09ad43e0fd1d160 21622 web extra slash_2.2.6-8etch1.diff.gz
 e81e95ed88e082dc56cd10b3770c4360 588970 web extra slash_2.2.6-8etch1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJIuuWsAAoJEL97/wQC1SS+0FgIAJL7Mihr5uJVC1VchY0zWcUU
FXRhTyFqY23Vq9Ue/e+aCf5fZO9izSG6cU03j+u9CZOkWxJMSDQxrQRDBJDTp8K2
VJci3qNCtRgmV8tgKkECoSj8zR8VB5OeIbNZSeHcgQyz5mGhpd8o4i6AAa5OraTt
nSmJoYzR+AhraJbZ7FlwOthiG6VWL9RXuUO+UPLX1pveNU0wJRezjzGSfuye6AZM
/i/U0QIvIQEnCDbOw572uKf2YRMstd1H8wP6e9AyEXjvjG69fGrCyE2Vvva0aoL7
JYnMT0qnQgMzTQzbPv3dbHvWQGw4E2w/YFx4NHyxsMp6ZCYhC3BgrMIGxkFIHLM=
=/gQw
-----END PGP SIGNATURE-----





Reply sent to Axel Beckert <abe@deuxchevaux.org>:
You have taken responsibility. (Thu, 23 Oct 2008 15:54:03 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Thu, 23 Oct 2008 15:54:03 GMT)

Message #42 received at 484499-close@bugs.debian.org:

From: Axel Beckert <abe@deuxchevaux.org>
To: 484499-close@bugs.debian.org
Subject: Bug#484499: fixed in slash 2.2.6-8etch1
Date: Thu, 23 Oct 2008 15:28:16 +0000
Source: slash
Source-Version: 2.2.6-8etch1


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Mar 2009 07:33:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:55:30 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.