Debian Bug report logs - #546178
planet: [CVE-2009-2937] - Insufficient escaping of input feeds


Package: planet; Maintainer for planet is (unknown);

Reported by: Steve Kemp <skx@debian.org>

Date: Fri, 11 Sep 2009 12:39:02 UTC

Severity: grave

Tags: security

Fixed in version 2.0-16+rm

Done: Sandro Tosi <morph@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>:
Bug#546178; Package planet. (Fri, 11 Sep 2009 12:39:05 GMT).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Arnaud Fontaine <arnau@debian.org>. (Fri, 11 Sep 2009 12:39:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: submit@bugs.debian.org
Subject: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Fri, 11 Sep 2009 13:29:13 +0100
Package: planet
Justification: user security hole
Severity: grave
Tags: security


The planet feed aggregator attempts to remove malicious content from
user-submitted feeds.  It does a great job, but fails to sanitize
this input:

  <img src="javascript:alert(1);" >

At least Opera will execute this code.

The packages in Etch and Lenny are vulnerable and should require a
security update.  Fixed packages are available from:

 http://www.steve.org.uk/tmp/planet/etch/
+
 http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used:

--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
         # utility method to be called by descendants
         attrs = [(k.lower(), v) for k, v in attrs]
         attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in attrs]
+
+        for i in xrange (len (attrs)):
+            k,v = attrs[i]
+            if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" ) <> -1 ):
+                del attrs[i]
+
         return attrs

     def unknown_starttag(self, tag, attrs):
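Review bot: the loop in this hunk deletes from attrs while indexing it with a range that was sized once, so as soon as a matching src/href is followed by any other attribute (for example <img src="javascript:..." alt="x">) the next attrs[i] raises IndexError, and where it does not crash the entry that slid into the deleted slot is never examined. Build a new list instead of deleting in place, e.g. attrs = [(k, v) for k, v in attrs if not (k in ('src', 'href') and 'javascript:' in v)]. The comparison is also case-sensitive (JavaScript: passes), and a substring blocklist says nothing about other active schemes such as vbscript: or data:, nor about a scheme split by a tab or newline, which browsers strip before resolving; checking that the value's scheme is on an allowlist (http, https, mailto) would cover all of these at once. A comment above the loop naming the attack it blocks would also help the next reader.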


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash





Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>:
Bug#546178; Package planet. (Tue, 15 Sep 2009 16:24:04 GMT).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>. (Tue, 15 Sep 2009 16:24:04 GMT).


Message #10 received at 546178@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: 546178@bugs.debian.org
Subject: Updated patch
Date: Tue, 15 Sep 2009 17:18:14 +0100
  The patch doesn't account for case variations, so it should be updated:

+
+        for i in xrange (len (attrs)):
+            k,v = attrs[i]
+            if (( k == "src" ) or ( k == "href" ) ) and (v.lower().find("javascript:" ) <> -1 ):
+                del attrs[i]
+
         return attrs
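Review bot: v.lower() closes the case-variation gap, but the in-place del in the same loop is unchanged, so this version still raises IndexError whenever the removed src/href is not the last attribute in the tag, and it still passes values such as java<tab>script: that only become javascript: after the browser strips whitespace. Replacing the loop with a comprehension that rebuilds attrs, and testing the parsed scheme against an allowlist rather than searching for the string 'javascript:', addresses both; a tag with two attributes in the patch's own test would have caught the first problem.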

Steve
--
http://www.steve.org.uk/




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#546178; Package planet. (Fri, 18 Sep 2009 11:42:04 GMT).


Acknowledgement sent to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list. (Fri, 18 Sep 2009 11:42:04 GMT).


Message #15 received at 546178@bugs.debian.org:

From: Arnaud Fontaine <arnau@debian.org>
To: Steve Kemp <skx@debian.org>
Cc: 546178@bugs.debian.org
Subject: Re: Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Fri, 18 Sep 2009 13:38:39 +0200
Hi,

Yesterday I prepared a package for Lenny including this patch. At the
moment, I'm waiting for a reply from the debian-security team.

Concerning the unstable and testing fixes, I plan to remove planet from
unstable ASAP because there has not been any new upstream release for 3
years now. I have already contacted the ftpmaster and Noah Slater
(maintainer of planet-venus, which replaces planet).

Thank you very much for the patch and bug report.

Regards,
Arnaud Fontaine

Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>:
Bug#546178; Package planet. (Fri, 18 Sep 2009 11:57:05 GMT).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>. (Fri, 18 Sep 2009 11:57:05 GMT).


Message #20 received at 546178@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Arnaud Fontaine <arnau@debian.org>
Cc: Steve Kemp <skx@debian.org>, 546178@bugs.debian.org
Subject: Re: Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Fri, 18 Sep 2009 12:52:41 +0100
On Fri Sep 18, 2009 at 13:38:39 +0200, Arnaud Fontaine wrote:

> Yesterday I prepared a package for Lenny including this patch. At the
> moment, I'm waiting for a reply from the debian-security team.

  Great.  Don't forget etch too.

> Thank you very much for the patch and bug report.

  Did you see the followup discussion from Secunia about another
 planet-problem, relating to the handling of CDATA ?

  (To be honest if I were to re-do the patch now I'd probably
 do it the other way round: make sure "src" starts with http:
 to cover other cases too.)

Steve
--
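The attribute filter from the two patches earlier in this thread, next to the scheme-allowlist alternative this message suggests, as an added example in Python 3 that is not code from planet or from this bug report: patched_filter reproduces the control flow of the posted hunk (key lowercased, in-place del inside a loop sized once) to show where it fails, and allowlist_filter is one way to "make sure src starts with http:", generalised to a small allowlist of schemes. The names patched_filter, allowlist_filter, url_scheme, URL_ATTRS and SAFE_SCHEMES are mine, the attribute sets are assumptions, and the attribute lists in CASES are constructed inputs, not the PoC feeds attached to this bug.

```python
"""Attribute filtering as a sanitize.py-style hook would see it.

Added example (Python 3), not code from planet or from this bug report.
patched_filter reproduces the control flow of the posted hunk to show
where it breaks; allowlist_filter is one way to "make sure src starts
with http:", generalised to a scheme allowlist. Names are my own.
"""
import re

# Attributes that carry a URL (assumption: a reasonable set for feed HTML).
URL_ATTRS = frozenset(("src", "href", "action", "background", "lowsrc", "dynsrc"))
# Schemes an aggregator has any business relaying (assumption).
SAFE_SCHEMES = frozenset(("http", "https", "mailto"))


def patched_filter(attrs):
    """Same shape as the posted patch: lowercase the key, then delete
    attrs[i] inside a loop over range(len(attrs)) that was sized once.
    Deleting shifts the remaining entries left, so attrs[i] raises
    IndexError as soon as a removed attribute is followed by another,
    and the entry that slid into the removed slot is never inspected."""
    attrs = [(k.lower(), v) for k, v in attrs]
    for i in range(len(attrs)):
        k, v = attrs[i]
        if k in ("src", "href") and v.lower().find("javascript:") != -1:
            del attrs[i]
    return attrs


_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20]")


def url_scheme(value):
    """Scheme of an attribute value, or None if it has none (relative URL).
    ASCII control characters and spaces are removed first: browsers drop
    tab and newline anywhere in a URL and strip controls at the ends, so
    'java\\tscript:' is javascript: to them. Removing them everywhere is
    stricter than a browser, which for a filter is the safe direction."""
    cleaned = _CTRL_OR_SPACE.sub("", value)
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None


def allowlist_filter(attrs):
    """Keep an attribute unless it is URL-bearing and names a scheme
    outside SAFE_SCHEMES. A new list is built, so nothing shifts."""
    kept = []
    for k, v in attrs:
        k = k.lower()
        if k in URL_ATTRS:
            scheme = url_scheme(v)
            if scheme is not None and scheme not in SAFE_SCHEMES:
                continue
        kept.append((k, v))
    return kept


# Constructed attribute lists (not the PoC feeds attached to this bug).
CASES = [
    [("src", "javascript:alert(1);")],                     # the report's case
    [("src", "javascript:alert(1);"), ("alt", "x")],       # IndexError in patched_filter
    [("SRC", "JaVaScRiPt:alert(1)")],                      # case variation
    [("src", "java\tscript:alert(1)")],                    # tab inside the scheme
    [("href", "  javascript:alert(1)")],                   # leading whitespace
    [("src", "vbscript:msgbox(1)")],                       # another active scheme
    [("src", "http://example.org/a.png"), ("alt", "ok")],  # legitimate
    [("href", "/relative/path"), ("rel", "nofollow")],     # no scheme at all
]


def compare(attrs):
    """Run both filters on one attribute list; an exception from the
    patched version is returned as a string so the two can be compared."""
    try:
        patched = patched_filter(attrs)
    except IndexError as exc:
        patched = "IndexError: %s" % exc
    return patched, allowlist_filter(attrs)


if __name__ == "__main__":
    for attrs in CASES:
        patched, allowed = compare(attrs)
        print("%-55r patched=%r allowlist=%r" % (attrs, patched, allowed))
```

Running it prints one line per case; the second case is the one where the posted loop dies with IndexError, and the tab case is the one it lets through untouched while the allowlist version drops it. The allowlist deliberately treats anything with an unknown scheme as hostile rather than enumerating bad ones.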





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#546178; Package planet. (Fri, 18 Sep 2009 12:12:04 GMT).


Acknowledgement sent to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list. (Fri, 18 Sep 2009 12:12:05 GMT).


Message #25 received at 546178@bugs.debian.org:

From: Arnaud Fontaine <arnau@debian.org>
To: Steve Kemp <skx@debian.org>
Cc: 546178@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Fri, 18 Sep 2009 14:06:44 +0200
>>>>> Steve Kemp <skx@debian.org> writes:

Hi,

    >   Did you see the followup discussion from Secunia about another
    > planet-problem, relating to the handling of CDATA ?

No I didn't, I could not find this discussion; could you please point it
out to me? As soon as all these issues have been addressed, I will
prepare a package (debian-security team: please do not upload the
package for now).

    >   (To be honest if I were to re-do the patch now I'd probably do
    > it the other way round: make sure "src" starts with http: to cover
    > other cases too.)

As the debian-security team has not replied yet, maybe it is still
possible to update the patch?

Cheers,
Arnaud Fontaine

Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>:
Bug#546178; Package planet. (Fri, 18 Sep 2009 12:54:06 GMT).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>. (Fri, 18 Sep 2009 12:54:06 GMT).


Message #30 received at 546178@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Arnaud Fontaine <arnau@debian.org>
Cc: 546178@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Fri, 18 Sep 2009 13:37:31 +0100
On Fri Sep 18, 2009 at 14:06:44 +0200, Arnaud Fontaine wrote:

> No I didn't, I could not find this discussion; could you please point it
> out to me? As soon as all these issues have been addressed, I will
> prepare a package (debian-security team: please do not upload the
> package for now).

 Basically it comes down to CDATA and the handling of <description>

 This is the comment I received:

--
 please find attached the two reproducers for the CDATA thing. poc1.xml
 is not correctly filtered while poc2.xml is filtered, although they are
 nearly identical.

 If you edit the newly patched function to print the k and v values,
 you'll see that the attributes aren't passed through.
--

Steve
--
[poc1.xml (application/xml, attachment)]
[poc2.xml (application/xml, attachment)]
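A check a maintainer could add for the CDATA point raised in this message, as an added example in Python 3 that is not code from planet and does not reproduce the attached poc1.xml / poc2.xml (they are not on this page): the same item description delivered once inside CDATA and once as entity-escaped text must arrive at the HTML sanitizer as the same string with the same attributes, and a src value obfuscated with an HTML character reference must still be recognised once the HTML parser has decoded it. The three feed snippets are constructed; description_text, start_tags, javascript_urls and AttrCollector are my names.

```python
"""CDATA vs. entity-escaped <description>: does the sanitizer see the same thing?

Added example (Python 3), not code from planet and not the poc1.xml /
poc2.xml attached to this bug, which are not reproduced on this page.
The three feeds below are constructed. Names are my own.
"""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Same item HTML three ways: CDATA, entity-escaped, and CDATA with the
# src value obfuscated by an HTML character reference (&#106; is 'j').
RSS_CDATA = """<?xml version="1.0"?><rss version="2.0"><channel><item>
<title>cdata</title>
<description><![CDATA[<p>hi <img src="javascript:alert(1);" alt="x"></p>]]></description>
</item></channel></rss>"""

RSS_ESCAPED = """<?xml version="1.0"?><rss version="2.0"><channel><item>
<title>escaped</title>
<description>&lt;p&gt;hi &lt;img src=&quot;javascript:alert(1);&quot; alt=&quot;x&quot;&gt;&lt;/p&gt;</description>
</item></channel></rss>"""

RSS_CHARREF = """<?xml version="1.0"?><rss version="2.0"><channel><item>
<title>charref</title>
<description><![CDATA[<p>hi <img src="&#106;avascript:alert(1);" alt="x"></p>]]></description>
</item></channel></rss>"""


def description_text(feed_xml):
    """Text of the first <description>. The XML parser has already
    stripped the CDATA wrapper or decoded &lt;/&quot;, so what comes out
    is HTML either way; a filter applied to the raw feed bytes instead
    would see two different strings for the same content."""
    return ET.fromstring(feed_xml).findtext(".//item/description")


class AttrCollector(HTMLParser):
    """Record (tag, [(name, value), ...]) for each start tag. html.parser
    decodes character references in attribute values before handing them
    over, so '&#106;avascript:' arrives as 'javascript:'."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [(k, v if v is not None else "") for k, v in attrs]))


def start_tags(html):
    """All start tags with their decoded attributes, in document order."""
    parser = AttrCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def javascript_urls(html, url_attrs=("src", "href")):
    """(tag, attr, value) for each URL attribute whose scheme is
    javascript:, judged on the decoded value the sanitizer would get."""
    hits = []
    for tag, attrs in start_tags(html):
        for k, v in attrs:
            if k in url_attrs and v.strip().lower().startswith("javascript:"):
                hits.append((tag, k, v))
    return hits


if __name__ == "__main__":
    for name, feed in (("cdata", RSS_CDATA), ("escaped", RSS_ESCAPED), ("charref", RSS_CHARREF)):
        html = description_text(feed)
        print(name, repr(html), "->", javascript_urls(html))
```

The useful property to assert in a regression test is the equality between the CDATA and escaped forms after XML parsing, and between the plain and character-reference forms after HTML parsing: if a sanitizer gives different answers for any pair, it is looking at the serialised feed rather than at the attributes the parser hands it.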

Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>:
Bug#546178; Package planet. (Fri, 18 Sep 2009 13:39:08 GMT).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>. (Fri, 18 Sep 2009 13:39:08 GMT).


Message #35 received at 546178@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Arnaud Fontaine <arnau@debian.org>
Cc: Steve Kemp <skx@debian.org>, 546178@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Fri, 18 Sep 2009 15:20:10 +0200
Hi,
* Arnaud Fontaine <arnau@debian.org> [2009-09-18 15:09]:
> >>>>> Steve Kemp <skx@debian.org> writes:
[...]
>     >   (To be honest if I were to re-do the patch now I'd probably do
>     > it the other way round: make sure "src" starts with http: to cover
>     > other cases too.)
>
> As the debian-security team has not replied yet, maybe it is still
> possible to update the patch?

Please update this through -proposed-updates, we're 
currently swamped with more severe issues.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#546178; Package planet. (Mon, 21 Sep 2009 11:03:08 GMT).


Acknowledgement sent to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list. (Mon, 21 Sep 2009 11:03:11 GMT).


Message #40 received at 546178@bugs.debian.org:

From: Arnaud Fontaine <arnau@debian.org>
To: Steve Kemp <skx@debian.org>
Cc: 546178@bugs.debian.org
Subject: Re: Bug#546178: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Mon, 21 Sep 2009 12:21:11 +0200
>>>>> Steve Kemp <skx@debian.org> writes:

Hi,

    >   Basically it comes down to CDATA and the handling of
    > <description>

    >  This is the comment I received:

    >  -- please find attached the two reproducers for the CDATA
    >  thing. poc1.xml is not correctly filtered while poc2.xml is
    > filtered, although they are nearly identical.

    >   If you edit the newly patched function to print the k and v
    > values, you'll see that the attributes aren't passed through. --

Unfortunately, I don't have much time at the moment to be able to
provide a new patch. Would you have time to do it? If you really can't
make it, I will try to do it anyway.

BTW, planet has now been removed from unstable, so this is only about
fixing the oldstable and stable packages.

Thank you very much for your help fixing this bug.

Cheers,
Arnaud

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#546178; Package planet. (Thu, 01 Oct 2009 11:15:37 GMT).


Acknowledgement sent to Arnaud Fontaine <arnau@debian.org>:
Extra info received and forwarded to list. (Thu, 01 Oct 2009 11:15:39 GMT).


Message #45 received at 546178@bugs.debian.org:

From: Arnaud Fontaine <arnau@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: team@security.debian.org, Steve Kemp <skx@debian.org>, 546178@bugs.debian.org
Subject: Re: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Date: Thu, 01 Oct 2009 12:32:22 +0200
>>>>> Moritz Muehlenhoff <jmm@inutil.org> writes:

Hi,

    > As indicated by Nico, please propose this for a stable point
    > update by filing a bug against the release.debian.org pseudo
    > package.

I have not uploaded it yet because, as mentioned in the bug report, the
patch doesn't fix all the cases. I don't have time to look at it, but I
can upload the package if another patch is proposed.

Cheers,
Arnaud Fontaine

Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>:
Bug#546178; Package planet. (Sun, 03 Jan 2010 13:12:03 GMT).


Acknowledgement sent to Miguel Figueiredo <elmig@debianpt.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>. (Sun, 03 Jan 2010 13:12:03 GMT).


Message #50 received at 546178@bugs.debian.org:

From: Miguel Figueiredo <elmig@debianpt.org>
To: 546178@bugs.debian.org
Subject: status of proposed patch
Date: Sun, 3 Jan 2010 13:01:29 +0000
Hi all,

this bug report already has a proposed patch by Steve Kemp (15/09/2009).
Can this be fixed in a security update for the people running (old)stable?

-- 

Melhores Cumprimentos/Best Regards,

Miguel Figueiredo




Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Fontaine <arnau@debian.org>:
Bug#546178; Package planet. (Thu, 14 Jan 2010 15:00:02 GMT).


Acknowledgement sent to "Arnaud Fontaine" <arnaud@andesi.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Fontaine <arnau@debian.org>. (Thu, 14 Jan 2010 15:00:03 GMT).


Message #55 received at 546178@bugs.debian.org:

From: "Arnaud Fontaine" <arnaud@andesi.org>
To: "Miguel Figueiredo" <elmig@debianpt.org>
Cc: 546178@bugs.debian.org
Subject: Re: Bug#546178: status of proposed patch
Date: Thu, 14 Jan 2010 15:51:32 +0100
On Sun, January 3, 2010 14:01, Miguel Figueiredo wrote:
> Hi all,

Hi,

> this bug report already has a proposed patch by Steve Kemp (15/09/2009).
> Can this be fixed in a security update for the people running (old)stable?

As explained before, the patch proposed does not completely fix the
problem and unfortunately I haven't had time yet to look at it. As planet
is not available anymore in testing/unstable because it has been
deprecated in favor of planet-venus, I would recommend switching to
planet-venus.

Regards,
Arnaud Fontaine






Reply sent to Sandro Tosi <morph@debian.org>:
You have taken responsibility. (Sun, 27 Mar 2011 11:27:00 GMT).


Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. (Sun, 27 Mar 2011 11:27:00 GMT).


Message #60 received at 546178-done@bugs.debian.org:

From: Sandro Tosi <morph@debian.org>
To: 506098-done@bugs.debian.org, 451632-done@bugs.debian.org, 451639-done@bugs.debian.org, 387710-done@bugs.debian.org, 413497-done@bugs.debian.org, 457414-done@bugs.debian.org, 454814-done@bugs.debian.org, 481494-done@bugs.debian.org, 546178-done@bugs.debian.org
Cc: Sandro Tosi <morph@debian.org>
Subject: planet removed from Debian unstable
Version: 2.0-16+rm

planet has been removed from Debian unstable: http://bugs.debian.org/547542

Closing its bugs with a Version higher than the last unstable upload.

More information about this script at:
  http://git.debian.org/?p=users/morph/mass-bugs-close.git;a=blob_plain;f=README;hb=HEAD




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Apr 2011 07:49:16 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:22:12 2025; Machine Name: buxtehude
