Acknowledgement sent
to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Arnaud Fontaine <arnau@debian.org>.
(Fri, 11 Sep 2009 12:39:05 GMT)
Subject: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Fri, 11 Sep 2009 13:29:13 +0100
Package: planet
Justification: user security hole
Severity: grave
Tags: security
The planet feed aggregator attempts to remove malicious content from
user-submitted feeds. It does a great job, but fails to sanitize
this input:
<img src="javascript:alert(1);" >
At least Opera will execute this code.
The packages in Etch and Lenny are vulnerable and should require a
security update. Fixed packages are available from:
http://www.steve.org.uk/tmp/planet/etch/
+
http://www.steve.org.uk/tmp/planet/lenny/
This is the patch I used:
--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
# utility method to be called by descendants
attrs = [(k.lower(), v) for k, v in attrs]
attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in attrs]
+
+ for i in xrange (len (attrs)):
+ k,v = attrs[i]
+ if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" ) <> -1 ):
+ del attrs[i]
+
return attrs
def unknown_starttag(self, tag, attrs):
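Review bot: deleting from `attrs` inside a loop over `xrange(len(attrs))` computed up front is unsafe: after `del attrs[i]` every later pair shifts down one index, so the pair that moves into position i is never examined, and with more than one attribute present the final iteration raises IndexError. Build the filtered list instead of mutating in place, e.g. `attrs = [(k, v) for k, v in attrs if not (k in ('src', 'href') and v.find('javascript:') != -1)]`. The comparison is also case-sensitive, so a value spelled `JavaScript:` is not caught; compare against `v.lower()`.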
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Information forwarded
to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>: Bug#546178; Package planet.
(Tue, 15 Sep 2009 16:24:04 GMT)
Acknowledgement sent
to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>.
(Tue, 15 Sep 2009 16:24:04 GMT)
The patch doesn't account for case variations, so it should be updated:
+
+ for i in xrange (len (attrs)):
+ k,v = attrs[i]
+ if (( k == "src" ) or ( k == "href" ) ) and (v.lower().find("javascript:" ) <> -1 ):
+ del attrs[i]
+
return attrs
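Review bot: the `v.lower()` change fixes the case problem, but the in-place `del attrs[i]` inside the `xrange(len(attrs))` loop is carried over unchanged: each deletion shifts the remaining pairs down, so one pair is skipped and the loop can end in an IndexError; build a new list rather than deleting by index. Beyond that, a substring denylist for a single scheme stays fragile; the allowlist Steve proposes later in this thread (accept `src`/`href` only when the value starts with an approved scheme such as `http:`) is the more robust check and needs nothing more than lower-casing the scheme.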
Steve
--
http://www.steve.org.uk/
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#546178; Package planet.
(Fri, 18 Sep 2009 11:42:04 GMT)
Acknowledgement sent
to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list.
(Fri, 18 Sep 2009 11:42:04 GMT)
Hi,
Yesterday I prepared a package for Lenny including this patch. At
the moment, I'm waiting for a reply from the debian-security team.
Concerning unstable and testing fixes, I plan to remove planet from
unstable ASAP because there has not been any new upstream release for 3
years now. I have already contacted the ftpmaster and Noah Slater
(maintainer of planet-venus which replaces planet).
Thank you very much for the patch and bug report.
Regards,
Arnaud Fontaine
Information forwarded
to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>: Bug#546178; Package planet.
(Fri, 18 Sep 2009 11:57:05 GMT)
Acknowledgement sent
to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>.
(Fri, 18 Sep 2009 11:57:05 GMT)
On Fri Sep 18, 2009 at 13:38:39 +0200, Arnaud Fontaine wrote:
> Yesterday I prepared a package for Lenny including this patch. At
> the moment, I'm waiting for a reply from the debian-security team.
Great. Don't forget etch too.
> Thank you very much for the patch and bug report.
Did you see the followup discussion from Secunia about another
planet-problem, relating to the handling of CDATA ?
(To be honest if I were to re-do the patch now I'd probably
do it the other way round: make sure "src" starts with http:
to cover other cases too.)
Steve
--
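The two checks discussed in this thread, the patch's substring denylist and Steve's proposed scheme allowlist, as an added Python 3 example that is not planet's own sanitize.py; `attrs` follows the shape the planet hook receives (a list of (name, value) pairs), while the `http`/`https` allowlist, keeping relative URLs, and the sample values (constructed from the report's reproducer) are assumptions of this example.

```python
"""Added example (not planet's own sanitize.py): the two attribute checks
discussed in this bug, written against the (name, value) pairs the hook receives."""
import re

URL_ATTRS = ('src', 'href')
# Assumption of this example: the aggregator only needs web URLs, which is
# Steve's "make sure src starts with http:" turned into an explicit list.
ALLOWED_SCHEMES = frozenset(['http', 'https'])
# Browsers drop leading C0 controls and spaces before parsing a URL, so the
# scheme check does the same instead of matching on the raw string.
_LEADING_JUNK = re.compile(r'^[\x00-\x20]+')
_SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')


def url_scheme(value):
    """Lower-cased scheme of `value`, or None when it is a relative URL."""
    m = _SCHEME.match(_LEADING_JUNK.sub('', value))
    return m.group(1).lower() if m else None


def denylist_sanitize_attrs(attrs):
    """The thread's patch, restated: drop src/href whose value contains
    'javascript:' in any letter case.  A new list is built rather than
    deleting from `attrs` while indexing into it."""
    return [(k, v) for k, v in attrs
            if not (k.lower() in URL_ATTRS and 'javascript:' in v.lower())]


def allowlist_sanitize_attrs(attrs):
    """Steve's later suggestion: keep src/href only when the scheme is in
    ALLOWED_SCHEMES.  Relative URLs (no scheme) are kept, since feed markup
    often refers to images by a relative path (assumption of this example)."""
    kept = []
    for k, v in attrs:
        if k.lower() in URL_ATTRS:
            scheme = url_scheme(v)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                continue  # unknown or unapproved scheme: drop the attribute
        kept.append((k, v))
    return kept


if __name__ == '__main__':
    # Constructed sample built from the report's reproducer plus a case variant.
    sample = [('src', 'JavaScript:alert(1);'), ('alt', 'logo'),
              ('href', 'http://www.steve.org.uk/')]
    print(denylist_sanitize_attrs(sample))
    print(allowlist_sanitize_attrs(sample))
```

Note that the allowlist also rejects schemes that are merely unlisted (an `ftp:` link, for instance), which is the point of the approach: only what is approved gets through.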
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#546178; Package planet.
(Fri, 18 Sep 2009 12:12:04 GMT)
Acknowledgement sent
to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list.
(Fri, 18 Sep 2009 12:12:05 GMT)
>>>>> Steve Kemp <skx@debian.org> writes:
Hi,
> Did you see the followup discussion from Secunia about another
> planet-problem, relating to the handling of CDATA ?
No I didn't; I could not find this discussion, could you please point it
out to me? As soon as all these issues have been addressed, I will
prepare a package (debian-security team: please do not upload the
package for now).
> (To be honest if I were to re-do the patch now I'd probably do
> it the other way round: make sure "src" starts with http: to cover
> other cases too.)
As the debian-security team has not replied yet, maybe it is still
possible to update the patch?
Cheers,
Arnaud Fontaine
Information forwarded
to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>: Bug#546178; Package planet.
(Fri, 18 Sep 2009 12:54:06 GMT)
Acknowledgement sent
to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>.
(Fri, 18 Sep 2009 12:54:06 GMT)
On Fri Sep 18, 2009 at 14:06:44 +0200, Arnaud Fontaine wrote:
> No I didn't, I could not find this discussion, could you please point it
> me out? As soon as all these issues will have been addressed, I will
> prepare a package (debian-security team: please do not upload the
> package for now).
Basically it comes down to CDATA and the handling of <description>
This is the comment I received:
--
please find attached the two reproducers for the CDATA thing. poc1.xml
is not correctly filtered while poc2.xml is filtered, although they are
nearly identical.
If you edit the newly patched function to print the k and v values,
you'll see that the attributes aren't passed through.
--
Steve
--
Information forwarded
to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>: Bug#546178; Package planet.
(Fri, 18 Sep 2009 13:39:08 GMT)
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>.
(Fri, 18 Sep 2009 13:39:08 GMT)
Hi,
* Arnaud Fontaine <arnau@debian.org> [2009-09-18 15:09]:
> >>>>> Steve Kemp <skx@debian.org> writes:
[...]
> > (To be honest if I were to re-do the patch now I'd probably do
> > it the other way round: make sure "src" starts with http: to cover
> > other cases too.)
>
> As the debian-security team has not replied yet, maybe it is still
> possible to update the patch?
Please update this through -proposed-updates, we're
currently swamped with more severe issues.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#546178; Package planet.
(Mon, 21 Sep 2009 11:03:08 GMT)
Acknowledgement sent
to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list.
(Mon, 21 Sep 2009 11:03:11 GMT)
>>>>> Steve Kemp <skx@debian.org> writes:
Hi,
> Basically it comes down to CDATA and the handling of
> <description>
> This is the comment I received:
> -- please find attached the two reproducers for the CDATA
> thing. poc1.xml is not correctly filtered while poc2.xml is
> filtered, although they are nearly identical.
> If you edit the newly patched function to print the k and v
> values, you'll see that the attributes aren't passed through. --
Unfortunately, I don't have so much time at the moment to be able to
provide a new patch. Would you have time to do it? If you really can't
make it, I will try to do it anyway.
BTW, planet has now been removed from unstable, so this is only about
fixing the oldstable and stable packages.
Thank you very much for your help fixing this bug.
Cheers,
Arnaud
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#546178; Package planet.
(Thu, 01 Oct 2009 11:15:37 GMT)
Acknowledgement sent
to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list.
(Thu, 01 Oct 2009 11:15:39 GMT)
>>>>> Moritz Muehlenhoff <jmm@inutil.org> writes:
Hi,
> As indicated by Nico, please propose this for a stable point
> update by filing a bug against the release.debian.org pseudo
> package.
I have not uploaded it yet because, as mentioned in the bug report, the
patch doesn't fix all the cases. I don't have time to look at it, but I
can upload the package if another patch is proposed.
Cheers,
Arnaud Fontaine
Information forwarded
to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>: Bug#546178; Package planet.
(Sun, 03 Jan 2010 13:12:03 GMT)
Acknowledgement sent
to Miguel Figueiredo <elmig@debianpt.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>.
(Sun, 03 Jan 2010 13:12:03 GMT)
Hi all,
this bug report already has a proposed patch by Steve Kemp (15/09/2009).
Can this be fixed in a security update for the people running (old)stable?
--
Melhores Cumprimentos/Best Regards,
Miguel Figueiredo
Information forwarded
to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>: Bug#546178; Package planet.
(Thu, 14 Jan 2010 15:00:02 GMT)
Acknowledgement sent
to "Arnaud Fontaine" <arnaud@andesi.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>.
(Thu, 14 Jan 2010 15:00:03 GMT)
On Sun, January 3, 2010 14:01, Miguel Figueiredo wrote:
> Hi all,
Hi,
> this bug report already has a proposed patch by Steve Kemp (15/09/2009).
> Can this be fixed in a security update for the people running (old)stable?
As explained before, the patch proposed does not completely fix the
problem and unfortunately I haven't had time yet to look at it. As planet
is not available anymore in testing/unstable because it has been
deprecated in favor of planet-venus, I would recommend switching to
planet-venus.
Regards,
Arnaud Fontaine
Reply sent
to Sandro Tosi <morph@debian.org>:
You have taken responsibility.
(Sun, 27 Mar 2011 11:27:00 GMT)
Notification sent
to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.
(Sun, 27 Mar 2011 11:27:00 GMT)