Debian Bug report logs - #518768
roundup: privilege escalation in EditCSVAction


Package: roundup; Maintainer for roundup is Kai Storbeck <kai@xs4all.nl>; Source for roundup is src:roundup.

Reported by: Sebastian Harl <sh@tokkee.org>

Date: Sun, 8 Mar 2009 14:03:04 UTC

Severity: grave

Tags: security

Found in versions roundup/1.2.1-5+etch2, roundup/1.4.4-4

Fixed in version roundup/1.4.4-4+lenny1

Done: Toni Mueller <toni@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Toni Mueller <toni@debian.org>:
Bug#518768; Package roundup. (Sun, 08 Mar 2009 14:03:06 GMT)

Acknowledgement sent to Sebastian Harl <sh@tokkee.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Toni Mueller <toni@debian.org>. (Sun, 08 Mar 2009 14:03:06 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sebastian Harl <sh@tokkee.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundup: privilege escalation in EditCSVAction
Date: Sun, 8 Mar 2009 15:01:36 +0100
[Message part 1 (text/plain, inline)]
Package: roundup
Version: 1.2.1-5+etch2
Severity: grave
Tags: security
Justification: user security hole

Hi,

Daniel Diniz discovered that EditCSVAction does not include appropriate
permission checks, allowing any user to edit any item in a class she has
create / edit privileges for. This includes, amongst others, modifying
content of existing messages or issues, changing user settings or adding
roles to existing users, which allows one to gain admin privileges.

The attack may be done using specially crafted but simple URLs. I'm not
adding an example since I'm not sure this should be made public yet. I
will provide examples to the package maintainer and the security team on
request though.

See upstream issue 2550521 [1] for more details and the original report
by Daniel - that issue mentions editing saved queries only though as the
real impact of the bug was not known at that time.

Afaik, there is no CVE for this issue yet.

Cheers,
Sebastian

[1] http://issues.roundup-tracker.org/issue2550521

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin

[signature.asc (application/pgp-signature, inline)]
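The report above describes the bug as a missing per-item (and per-property) authorization check in a batch edit action: one class-wide "may this user edit this class at all?" test is run, and then every submitted row is applied. The following is an added example, not Roundup's code and not the withheld proof of concept: it models a small tracker with roles, grants and a CSV edit in plain Python, and shows the coarse check beside a hardened version that authorizes every row and every changed property before writing anything. The role names, the users "admin", "alice" and "mallory", the item data and the comma-separated CSV layout are all constructed for the illustration.

```python
import csv
import io
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of a tracker's authorization layer. Roles, users,
# items and the CSV layout are illustrative, not Roundup's own schema.

@dataclass
class Grant:
    """perm on classname; optionally limited to some properties and to
    items for which check(user, item) is true."""
    perm: str
    classname: str
    properties: Optional[frozenset] = None
    check: Optional[Callable[[str, dict], bool]] = None

ROLE_GRANTS = {
    "Admin": [Grant("Create", "user"), Grant("Edit", "user"),
              Grant("Create", "issue"), Grant("Edit", "issue")],
    "User": [Grant("Create", "issue"),
             # may edit only issues they created
             Grant("Edit", "issue", check=lambda u, it: it.get("creator") == u),
             # may change their own address/password, never their roles
             Grant("Edit", "user", properties=frozenset({"address", "password"}),
                   check=lambda u, it: it.get("username") == u)],
}
USERS = {"admin": {"Admin"}, "alice": {"User"}, "mallory": {"User"}}

def make_db():
    """Fresh constructed item store: classname -> {id: properties}."""
    return {"user": {"1": {"username": "admin", "roles": "Admin", "address": "a@x.invalid"},
                     "2": {"username": "alice", "roles": "User", "address": "b@x.invalid"},
                     "3": {"username": "mallory", "roles": "User", "address": "m@x.invalid"}},
            "issue": {"1": {"title": "login broken", "creator": "alice"}}}

def has_class_permission(user, perm, classname):
    """Coarse check: does any grant of the user's roles mention this class at all?
    It ignores the per-item and per-property limits, which is the gap the report describes."""
    return any(g.perm == perm and g.classname == classname
               for role in USERS[user] for g in ROLE_GRANTS[role])

def has_permission(user, perm, classname, item=None, prop=None):
    """Fine-grained check that honours the property and per-item limits of each grant."""
    for role in USERS[user]:
        for g in ROLE_GRANTS[role]:
            if g.perm != perm or g.classname != classname:
                continue
            if g.properties is not None and (prop is None or prop not in g.properties):
                continue
            if g.check is not None and (item is None or not g.check(user, item)):
                continue
            return True
    return False

def parse_rows(csv_text):
    """Rows are dicts keyed by the header; an 'id' column names the item."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def apply_rows(db, classname, rows):
    table = db[classname]
    for row in rows:
        row = dict(row)
        item_id = row.pop("id")
        if item_id in table:
            table[item_id].update(row)
        else:  # any unknown id (e.g. "X") creates a new item
            table[str(max((int(k) for k in table), default=0) + 1)] = row

def edit_csv_unchecked(db, user, classname, csv_text):
    """Vulnerable shape: one class-wide check, then every row is applied."""
    if not has_class_permission(user, "Edit", classname):
        raise PermissionError(f"{user}: no Edit on {classname}")
    apply_rows(db, classname, parse_rows(csv_text))
    return db

def edit_csv_checked(db, user, classname, csv_text):
    """Hardened shape: authorize every row and every changed property first,
    so a single rejected row leaves nothing modified."""
    rows = parse_rows(csv_text)
    for row in rows:
        item = db[classname].get(row["id"])
        if item is None:
            if not has_permission(user, "Create", classname):
                raise PermissionError(f"{user}: no Create on {classname}")
            continue
        for prop, value in row.items():
            if prop == "id" or item.get(prop) == value:
                continue
            if not has_permission(user, "Edit", classname, item, prop):
                raise PermissionError(f"{user}: no Edit on {classname}{row['id']}.{prop}")
    apply_rows(db, classname, rows)
    return db

def rejected(fn, *args):
    """True if fn(*args) raises PermissionError (used to exercise the two variants)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    escalate = "id,roles\n3,Admin\n"  # mallory grants herself the Admin role
    print(edit_csv_unchecked(make_db(), "mallory", "user", escalate)["user"]["3"]["roles"])
    print("rejected by per-item check:", rejected(edit_csv_checked, make_db(), "mallory", "user", escalate))
```

The coarse check passes for "mallory" because her role does hold an Edit grant on the user class, so the self-granted Admin role lands in the store; the hardened version asks, per row and per property, whether she may change user3.roles, and refuses. The same split covers the other cases the report lists (another user's issue, a stranger's settings), and checking all rows before applying any avoids a half-applied batch.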

Bug marked as found in version 1.4.4-4. Request was from Sebastian Harl <sh@tokkee.org> to control@bugs.debian.org. (Sun, 08 Mar 2009 14:21:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Toni Mueller <toni@debian.org>:
Bug#518768; Package roundup. (Sun, 08 Mar 2009 15:39:04 GMT)

Acknowledgement sent to Sebastian Harl <sh@tokkee.org>:
Extra info received and forwarded to list. Copy sent to Toni Mueller <toni@debian.org>. (Sun, 08 Mar 2009 15:39:04 GMT)

Message #12 received at 518768@bugs.debian.org (full text, mbox):

From: Sebastian Harl <sh@tokkee.org>
To: 518768@bugs.debian.org
Subject: Re: roundup: privilege escalation in EditCSVAction
Date: Sun, 8 Mar 2009 16:35:49 +0100
[Message part 1 (text/plain, inline)]
Hi again,

On Sun, Mar 08, 2009 at 03:01:36PM +0100, Sebastian Harl wrote:
> Daniel Diniz discovered that EditCSVAction does not include appropriate
> permission checks, allowing any user to edit any item in a class she has
> create / edit privileges for. This includes, amongst others, modifying
> content of existing messages or issues, changing user settings or adding
> roles to existing users, which allows one to gain admin privileges.

The attached trivial patch disables EditCSVAction altogether. Afaik,
this feature is useful for batch editing only and isn't used by any
other parts of the web-interface (however, features like "roundup-admin
import" might use it as well), so it should be an appropriate
countermeasure in most cases for now.

Cheers,
Sebastian

PS: This patch is against the roundup source tree. To apply it to your
    local installation use something like:

      cd /usr/share/pyshared
      patch -p1 < bts518768-disable-editcsv.patch

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin

[bts518768-disable-editcsv.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Toni Mueller <toni@debian.org>:
You have taken responsibility. (Tue, 24 Mar 2009 20:12:27 GMT)

Notification sent to Sebastian Harl <sh@tokkee.org>:
Bug acknowledged by developer. (Tue, 24 Mar 2009 20:12:27 GMT)

Message #17 received at 518768-close@bugs.debian.org (full text, mbox):

From: Toni Mueller <toni@debian.org>
To: 518768-close@bugs.debian.org
Subject: Bug#518768: fixed in roundup 1.4.4-4+lenny1
Date: Tue, 24 Mar 2009 19:53:39 +0000
Source: roundup
Source-Version: 1.4.4-4+lenny1

We believe that the bug you reported is fixed in the latest version of
roundup, which is due to be installed in the Debian FTP archive:

roundup_1.4.4-4+lenny1.diff.gz
  to pool/main/r/roundup/roundup_1.4.4-4+lenny1.diff.gz
roundup_1.4.4-4+lenny1.dsc
  to pool/main/r/roundup/roundup_1.4.4-4+lenny1.dsc
roundup_1.4.4-4+lenny1_all.deb
  to pool/main/r/roundup/roundup_1.4.4-4+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518768@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Toni Mueller <toni@debian.org> (supplier of updated roundup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 22 Mar 2009 21:51:12 +0100
Source: roundup
Binary: roundup
Architecture: source all
Version: 1.4.4-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Toni Mueller <toni@debian.org>
Changed-By: Toni Mueller <toni@debian.org>
Description: 
 roundup    - an issue-tracking system
Closes: 518669 518768
Changes: 
 roundup (1.4.4-4+lenny1) stable-security; urgency=high
 .
   * fix EditCSVAction and other security issues (closes: #518768)
     Special thanks for this to Daniel (ajax) Diniz, Richard Jones,
     and, by extension, to Stefan Seefeld.
     Upstream issue: #2550529
   * unbreak copying issue (closes: #518669)
   * fix SMTP-TLS (upstream issue: #2484879)
   * fix crashes on bogus pagination request (upstream issue: #2550530)
   * fix a search problem (upstream issue: #2550505)
Checksums-Sha1: 
 2d0a968cc727e925ebef3160cc9653a83e4316db 1052 roundup_1.4.4-4+lenny1.dsc
 d260eb90113d36b07d0b7ef42b1d81450d9bc2e7 31251 roundup_1.4.4-4+lenny1.diff.gz
 7c43c7ce56cb16057a0f0f349c2805a5580c8845 1278600 roundup_1.4.4-4+lenny1_all.deb
Checksums-Sha256: 
 e2f9bb0d2e64747bd27948cbf635b568faf7bbce043e36074dc1f9a3121ed691 1052 roundup_1.4.4-4+lenny1.dsc
 6c1f7508b034404dd8cbecef6a84faee8087c373611f984164c6d35ced65bba2 31251 roundup_1.4.4-4+lenny1.diff.gz
 90a5b64fafd471beccea5e819d4a897fb54edbb69daf6d9795db1a6a58a66794 1278600 roundup_1.4.4-4+lenny1_all.deb
Files: 
 06b5d9261eae320131695bddb392d5c6 1052 web optional roundup_1.4.4-4+lenny1.dsc
 28ebe811e6792bc75af81f6da4b62633 31251 web optional roundup_1.4.4-4+lenny1.diff.gz
 35c30c9d48d1d264cd8564a6ab971c03 1278600 web optional roundup_1.4.4-4+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJxsoEfoEUoHXLGtIRArIDAJ9XJhXXhmr4pT0obRnYlIVtP8n3HwCgxBBS
xcziq+6mGlhmzjq4zSIcgrs=
=OSEN
-----END PGP SIGNATURE-----
Reply sent to Toni Mueller <toni@debian.org>:
You have taken responsibility. (Sat, 11 Apr 2009 17:18:06 GMT)

Notification sent to Sebastian Harl <sh@tokkee.org>:
Bug acknowledged by developer. (Sat, 11 Apr 2009 17:18:06 GMT)

Message #22 received at 518768-close@bugs.debian.org (full text, mbox):

From: Toni Mueller <toni@debian.org>
To: 518768-close@bugs.debian.org
Subject: Bug#518768: fixed in roundup 1.4.4-4+lenny1
Date: Sat, 11 Apr 2009 16:47:41 +0000
Source: roundup
Source-Version: 1.4.4-4+lenny1


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:34:03 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:06:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.