Debian Bug report logs - #659899
CVE-2012-0790: XSS


Package: smokeping; Maintainer for smokeping is Antoine Beaupré <anarcat@debian.org>; Source for smokeping is src:smokeping.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 14 Feb 2012 17:06:01 UTC

Severity: grave

Tags: security

Found in version smokeping/2.3.6-5

Fixed in versions 2.3.6-5+squeeze1, 2.6.9-1~exp0, smokeping/2.6.8-2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to tobi@oetiker.ch



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Tue, 14 Feb 2012 17:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antoine Beaupré <anarcat@debian.org>. (Tue, 14 Feb 2012 17:06:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-0790: XSS
Date: Tue, 14 Feb 2012 18:03:03 +0100
Package: smokeping
Severity: grave
Tags: security

This has been assigned CVE-2011-0790:
http://holisticinfosec.org/content/view/188/45/

Patch:
https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Tue, 14 Feb 2012 18:39:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Tue, 14 Feb 2012 18:39:07 GMT) Full text and rfc822 format available.

Message #10 received at 659899@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Tue, 14 Feb 2012 13:36:52 -0500
I'll work on uploading 2.6.7 to unstable, since it's trivial changes
from 2.6.5, including the security fix.

Then I'll prepare a package for stable. I am not sure it is actually
vulnerable but will try the supplied patch.

I am not sure how to coordinate with the security team here, can you
help me out on that?

Thanks for the report,

A.

-- 
We have no friends but the mountains.
                        - Kurdish saying

Reply sent to Antoine Beaupré <anarcat@debian.org>:
You have taken responsibility. (Tue, 14 Feb 2012 19:06:06 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 14 Feb 2012 19:06:06 GMT) Full text and rfc822 format available.

Message #15 received at 659899-close@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: 659899-close@bugs.debian.org
Subject: Bug#659899: fixed in smokeping 2.6.7-1
Date: Tue, 14 Feb 2012 19:03:45 +0000
Source: smokeping
Source-Version: 2.6.7-1

We believe that the bug you reported is fixed in the latest version of
smokeping, which is due to be installed in the Debian FTP archive:

smokeping_2.6.7-1.debian.tar.gz
  to main/s/smokeping/smokeping_2.6.7-1.debian.tar.gz
smokeping_2.6.7-1.dsc
  to main/s/smokeping/smokeping_2.6.7-1.dsc
smokeping_2.6.7-1_all.deb
  to main/s/smokeping/smokeping_2.6.7-1_all.deb
smokeping_2.6.7.orig.tar.gz
  to main/s/smokeping/smokeping_2.6.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated smokeping package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 14 Feb 2012 13:30:29 -0500
Source: smokeping
Binary: smokeping
Architecture: source all
Version: 2.6.7-1
Distribution: unstable
Urgency: high
Maintainer: Antoine Beaupré <anarcat@debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description: 
 smokeping  - latency logging and graphing system
Closes: 659899
Changes: 
 smokeping (2.6.7-1) unstable; urgency=high
 .
   * New upstream release to fix CVE-2012-0790 (Closes: #659899)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Tue, 14 Feb 2012 19:42:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Tue, 14 Feb 2012 19:42:05 GMT) Full text and rfc822 format available.

Message #20 received at 659899@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Tue, 14 Feb 2012 14:39:05 -0500
Here's a debdiff to fix this issue. I can upload this to stable-security
if it is okay for you guys.

I had to fiddle a bit with the patch to make it fit with 2.3, but I
think it will work. Not sure it is *complete* however, the way 2.3
treats some arguments is different than 2.6, so it may have more
vulnerabilities that could be discovered with a more thorough audit.

Also note that I cannot actually test this patch as I do not run the 2.3
release in production - too old! Besides, the wheezy package runs fine
in squeeze, I don't even need to backport...

A.

[smokeping_2.3.6-5+squeeze.debdiff (text/x-diff, inline)]
diff -u smokeping-2.3.6/debian/changelog smokeping-2.3.6/debian/changelog
--- smokeping-2.3.6/debian/changelog
+++ smokeping-2.3.6/debian/changelog
@@ -1,3 +1,9 @@
+smokeping (2.3.6-5+squeeze1) stable-security; urgency=high
+
+  * Security upgrade to fix CVE-2012-0790 (Closes: #659899)
+
+ -- Antoine Beaupré <anarcat@debian.org>  Tue, 14 Feb 2012 14:02:49 -0500
+
 smokeping (2.3.6-5) unstable; urgency=medium
 
   * debian/patches/20_html-parser.dpatch: fix an incompatibility with
diff -u smokeping-2.3.6/debian/patches/00list smokeping-2.3.6/debian/patches/00list
--- smokeping-2.3.6/debian/patches/00list
+++ smokeping-2.3.6/debian/patches/00list
@@ -3,0 +4 @@
+30_cve-2012-0790.dpatch
only in patch2:
unchanged:
--- smokeping-2.3.6.orig/debian/patches/30_cve-2012-0790.dpatch
+++ smokeping-2.3.6/debian/patches/30_cve-2012-0790.dpatch
@@ -0,0 +1,73 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2012-0790.dpatch by Vincent Danen, ported to 2.3 by Antoine Beaupré
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix for CVE-2012-0790
+
+@DPATCH@
+diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
+index d29a547..b74c3fc 100644
+--- a/lib/Smokeping.pm
++++ b/lib/Smokeping.pm
+@@ -134,8 +134,10 @@ sub cgiurl {
+ sub hierarchy ($){
+     my $q = shift;
+     my $hierarchy = '';
++    my $h = $q->param('hierarchy');
+     if ($q->param('hierarchy')){
+-       $hierarchy = 'hierarchy='.$q->param('hierarchy').';';
++       $h =~ s/[<>&%]/./g;
++       $hierarchy = 'hierarchy='.$h.';';
+     }; 
+     return $hierarchy;
+ }        
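Review bot: the class `[<>&%]` in `$h =~ s/[<>&%]/./g;` leaves `"` and `'` untouched, yet the result is built into `hierarchy=...;` and, in the get_detail hunk below, concatenated straight into `qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q)...`, so a value containing `"` can still terminate that attribute. Prefer percent-encoding the value as a URL query component over a blacklist, or better, accept only names that exist in `$cfg->{Presentation}{hierarchies}` (display_webpage already dies on unknown ones; hierarchy() would need `$cfg` passed in for that). Minor: `$h` is read before the `if ($q->param('hierarchy'))` guard, which could simply test `$h`.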
+@@ -176,6 +178,7 @@ sub update_dynaddr ($$){
+     my $address = $ENV{REMOTE_ADDR};
+     my $targetptr = $cfg->{Targets};
+     foreach my $step (@target){
++        $step =~ s/[<>&%]/./g; 
+         return "Error: Unknown target $step" 
+           unless defined $targetptr->{$step};
+         $targetptr =  $targetptr->{$step};
+@@ -979,6 +982,7 @@ sub get_detail ($$$$;$){
+     my $open = shift;
+     my $mode = shift || $q->param('displaymode') || 's';
+ 
++    $mode =~ s/[<>&%]/./g;
+     my $phys_tree = $tree;
+     my $phys_open = $open;    
+     if ($tree->{__tree_link}){
+@@ -1376,13 +1380,15 @@ sub get_detail ($$$$;$){
+         } elsif ($mode eq 's') { # classic mode
+             $startstr =~ s/\s/%20/g;
+             $endstr =~ s/\s/%20/g;
++            my $t = $q->param('target');
++            $t =~ s/[<>&%]/./g; 
+             for my $slave (@slaves){
+                 my $s = $slave ? "~$slave" : "";
+                 $page .= "<div>";
+ #           $page .= (time-$timer_start)."<br/>";
+ #           $page .= join " ",map {"'$_'"} @task;
+                 $page .= "<br/>";
+-                $page .= ( qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$q->param('target').$s.'">'
++                $page .= ( qq{<a href="}.cgiurl($q,$cfg)."?".hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}."target=".$t.$s.'">'
+                       . qq{<IMG BORDER="0" SRC="${imghref}${s}_${end}_${start}.png">}."</a>" ); #"
+                 $page .= "</div>";
+             }
+@@ -1525,8 +1531,15 @@ sub hierarchy_switcher($$){
+ sub display_webpage($$){
+     my $cfg = shift;
+     my $q = shift;
+-    my ($path,$slave) = split(/~/,$q->param('target') || '');
++    my $targ = '';
++    my $t = $q->param('target');
++    if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){
++        $targ = $1;
++        $targ =~ s/[<>;%]/./g;
++    }
++    my ($path,$slave) = split(/~/,$targ);
+     my $hierarchy = $q->param('hierarchy');
++    $hierarchy =~ s/[<>;%]/./g;
+     die "ERROR: unknown hierarchy $hierarchy\n" 
+ 	if $hierarchy and not $cfg->{Presentation}{hierarchies}{$hierarchy};
+     my $open = [ (split /\./,$path||'') ];
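Review bot: `$hierarchy =~ s/[<>;%]/./g;` runs unconditionally on `$q->param('hierarchy')`, which is undef whenever the parameter is absent, so every page load without a hierarchy logs "Use of uninitialized value" under `use warnings`; guard it with `if defined $hierarchy`. The class here, `[<>;%]`, also differs from the `[<>&%]` used in the earlier hunks (`&` is kept, `;` is stripped), and neither strips `"`; use one class throughout, or replace the blacklists with output encoding at the point the value is written into HTML or a URL. The `$t !~ /\.\./` test is a sound addition given `$path` is split on `.` into the tree path right below, but `/(\S+)/` silently keeps only the first whitespace-free run of the target, which deserves a comment.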

-- 
O gentilshommes, la vie est courte.
Si nous vivons, nous vivons 
pour marcher sur la tête des rois.
                        - William Shakespeare

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Fri, 24 Feb 2012 13:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Fri, 24 Feb 2012 13:42:04 GMT) Full text and rfc822 format available.

Message #25 received at 659899@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Fri, 24 Feb 2012 08:39:01 -0500
On Tue, 14 Feb 2012 14:39:05 -0500, Antoine Beaupré <anarcat@debian.org> wrote:
> Here's a debdiff to fix this issue. I can upload this to stable-security
> if it is okay for you guys.
> 
> I had to fiddle a bit with the patch to make it fit with 2.3, but I
> think it will work. Not sure it is *complete* however, the way 2.3
> treats some arguments is different than 2.6, so it may have more
> vulnerabilities that could be discovered with a more thorough audit.
> 
> Also note that I cannot actually test this patch as do not run the 2.3
> release in production - too old! Besides, the wheezy package runs fine
> in squeeze, I don't even need to backport...

Anything up with this?

A.

-- 
We should act only in such a way that if everyone 
else acted as we do, we would accept the results.
                        - Kant

Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Fri, 24 Feb 2012 14:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Fri, 24 Feb 2012 14:33:04 GMT) Full text and rfc822 format available.

Message #30 received at 659899@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Fri, 24 Feb 2012 15:27:54 +0100
Hi,
* Moritz Muehlenhoff <jmm@debian.org> [2012-02-14 18:11]:
> This has been assigned CVE-2011-0790:

Just to make sure there is no confusion, this should've been CVE-2012-0790.

Cheers
Nico

Changed Bug title to 'CVE-2012-0790: XSS' from 'CVE-2011-0790: XSS' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 24 Feb 2012 14:33:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Mon, 27 Feb 2012 19:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Mon, 27 Feb 2012 19:15:07 GMT) Full text and rfc822 format available.

Message #37 received at 659899@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Antoine Beaupré <anarcat@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Mon, 27 Feb 2012 20:12:08 +0100
* Antoine Beaupré:

> ++       $h =~ s/[<>&%]/./g;

> ++        $step =~ s/[<>&%]/./g; 

> ++    $mode =~ s/[<>&%]/./g;

> ++            $t =~ s/[<>&%]/./g; 

> ++        $targ =~ s/[<>;%]/./g;

> ++    $hierarchy =~ s/[<>;%]/./g;

These patterns do not match the special character ".  Therefore, it is
still possible to escape from the target="$t" parameter (for example)
and inject an onmouseover handler.

I would prefer if this could be fixed.  Has upstream already released
this patch as a security update?




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Mon, 27 Feb 2012 19:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Mon, 27 Feb 2012 19:21:05 GMT) Full text and rfc822 format available.

Message #42 received at 659899@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Mon, 27 Feb 2012 14:17:25 -0500
On Mon, 27 Feb 2012 20:12:08 +0100, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Antoine Beaupré:
> 
> > ++       $h =~ s/[<>&%]/./g;
> 
> > ++        $step =~ s/[<>&%]/./g; 
> 
> > ++    $mode =~ s/[<>&%]/./g;
> 
> > ++            $t =~ s/[<>&%]/./g; 
> 
> > ++        $targ =~ s/[<>;%]/./g;
> 
> > ++    $hierarchy =~ s/[<>;%]/./g;
> 
> These patterns do not match the special character ".  Therefore, it is
> still possible to escape from the target="$t" parameter (for example)
> and inject an onmouseover handler.
> 
> I would prefer if this could be fixed.  Has upstream already released
> this patch as a security update?

I don't actually know - I followed your lead and used that patch in the
bugzilla Redhat bugtrackers:

https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw

A.

-- 
It is better to sit alone than in company with the bad; and it is better
still to sit with the good than alone. It is better to speak to a seeker of
knowledge than to remain silent; but silence is better than idle words.
                        - Imam Bukhari

Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Mon, 27 Feb 2012 19:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Mon, 27 Feb 2012 19:27:04 GMT) Full text and rfc822 format available.

Message #47 received at 659899@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Antoine Beaupré <anarcat@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Mon, 27 Feb 2012 20:24:16 +0100
* Antoine Beaupré:

> I don't actually know - I followed your lead and used that patch in the
> bugzilla Redhat bugtrackers:
>
> https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw

Okay, I'm notifying folks that this patch is probably not correct.
In the meantime, could you prepare an update which also strips the
" character (and = as well, just to be sure).  Let's hope that this
doesn't break any functionality.




Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Mon, 27 Feb 2012 19:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Mon, 27 Feb 2012 19:30:03 GMT) Full text and rfc822 format available.

Message #52 received at 659899@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Antoine Beaupré <anarcat@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Mon, 27 Feb 2012 20:27:05 +0100
* Antoine Beaupré:

> I don't actually know - I followed your lead and used that patch in the
> bugzilla Redhat bugtrackers:
>
> https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw

*grml*

Fedora has already released the potentially incorrect patch.  I've
asked on the oss-security mailing list.  Sorry for the delay.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Sun, 01 Apr 2012 14:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Sun, 01 Apr 2012 14:00:03 GMT) Full text and rfc822 format available.

Message #57 received at 659899@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Sun, 01 Apr 2012 09:58:09 -0400
On Mon, 27 Feb 2012 20:27:05 +0100, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Antoine Beaupré:
> 
> > I don't actually know - I followed your lead and used that patch in the
> > bugzilla Redhat bugtrackers:
> >
> > https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw
> 
> *grml*
> 
> Fedora has already released the potentially incorrect patch.  I've
> asked on the oss-security mailing list.  Sorry for the delay.

uh... what's up now?

a.

-- 
Conformity-the natural instinct to passively yield to that vague something
recognized as authority.
                        - Mark Twain

Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Mon, 04 Mar 2013 13:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Mon, 04 Mar 2013 13:45:03 GMT) Full text and rfc822 format available.

Message #62 received at 659899@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 659899@bugs.debian.org
Cc: Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, tobi@oetiker.ch
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Mon, 4 Mar 2013 14:43:40 +0100
Hi all

On Mon, Feb 27, 2012 at 08:27:05PM +0100, Florian Weimer wrote:
> * Antoine Beaupré:
> 
> > I don't actually know - I followed your lead and used that patch in the
> > bugzilla Redhat bugtrackers:
> >
> > https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw
> 
> *grml*
> 
> Fedora has already released the potentially incorrect patch.  I've
> asked on the oss-security mailing list.  Sorry for the delay.

I have contacted Tobi Oetiker regarding the issues mentioned and he
promptly replied to me. He uploaded a new upstream version (2.6.9)
which changes the regexps to:

	qr/[<>%&'";]/

So this can be integrated in the fix addressing stable-security.

p.s.: could also be updated for testing/unstable to have the fix in the
upcoming stable release.

p.s.2: Thank you Tobi!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 12:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 12:42:04 GMT) Full text and rfc822 format available.

Message #67 received at 659899@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 659899@bugs.debian.org
Cc: Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, tobi@oetiker.ch
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 12:40:04 +0000
Control: reopen -1

Hi,

squeeze is vulnerable, as seen on the Navigator Graph page by changing
the displaymode in the URL.  It gets echoed back by this:

> return "<div>ERROR: unknown displaymode $mode</div>"

I'm not convinced the 'blacklist characters' approach was a great way to
handle it, but at least in wheezy/sid it seems no longer possible to
inject HTML that way.


Even in smokeping-2.6.9 though the "start" and "end" time fields are not
filtered.  For example, enter this in one of the text boxes as a start
or end time:

now" oops "

and the generated HTML contains:

<IMG id="zoom" BORDER="0" width="697" height="315"
SRC="/smokeping/images/__navcache/136343653521739_now" oops
"_1363423440.png">

Fortunately though, it doesn't seem possible to use an equals sign in
these parameters, and so I don't see a way to perform XSS.


It is a little scary that these strings are also used to create/unlink
files:

/var/cache/smokeping/images/__navcache# ls -alt | head
-rw-r--r-- 1 www-data root 32316 Mar 16 12:22 136343653521739_now" oops
"_1363423440.png

And so for example, a start/end time of:

now"/

triggers an error;  the quotes in the error message are not properly
'quoted', but fortunately HTML tags are being stripped out somehow:

> ERROR: Could not save png to '/var/cache/smokeping/images/__navcache/136343678121739_now"/_1363423440.png'
> /var/cache/smokeping/images/__navcache/136343678121739_now"/_1363423440.png

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
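The script below is an added example, not code from smokeping or from anyone in this thread: it replays the three character classes quoted in this bug (the two from the squeeze debdiff and the one from upstream 2.6.9) against the `now" oops "` value from the report above, checks Florian's point about a surviving `"`, and shows what context-aware output encoding or an allowlist does with the same value. The helper names and the two-entry hierarchy configuration are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example for the discussion in Debian bug #659899; this is not code
# from smokeping or from any participant in the thread.  It replays the
# character-blacklist filters quoted in the bug against the sample value
# from Steven Chamberlain's report and contrasts them with context-aware
# output encoding.  escape_attr, encode_query_component and allowlisted
# are names chosen for this example only.
use strict;
use warnings;

# The three character classes seen in this bug: the two from the squeeze
# debdiff (hierarchy()/get_detail() and display_webpage()) and the one
# Salvatore quotes from upstream 2.6.9.
my %BLACKLIST = (
    'squeeze [<>&%]'      => qr/[<>&%]/,
    'squeeze [<>;%]'      => qr/[<>;%]/,
    'upstream [<>%&\'";]' => qr/[<>%&'";]/,
);

# Same approach as the patches: replace each blacklisted character by '.'.
sub blacklist_filter {
    my ($value, $re) = @_;
    (my $out = $value) =~ s/$re/./g;
    return $out;
}

# Florian Weimer's observation as a check: once a value sits inside a
# double-quoted attribute, a surviving '"' is what lets it end that
# attribute.  Returns 1 if the filtered value can still do so.
sub can_close_dq_attribute {
    my ($value) = @_;
    return $value =~ /"/ ? 1 : 0;
}

# Alternative 1: escape for an HTML attribute value at the point of output.
# Covers the five HTML-significant characters regardless of any blacklist.
sub escape_attr {
    my ($value) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    (my $out = $value) =~ s/([&<>"'])/$map{$1}/g;
    return $out;
}

# Alternative 2: percent-encode a value destined for a URL query string
# (the href="...?hierarchy=...;target=..." links in get_detail).  Everything
# outside the RFC 3986 unreserved set is encoded, so '"', ' ' and '=' cannot
# survive into the attribute or change the meaning of the query.
sub encode_query_component {
    my ($value) = @_;
    (my $out = $value) =~ s/([^A-Za-z0-9\-_.~])/sprintf('%%%02X', ord($1))/ge;
    return $out;
}

# Alternative 3: where a parameter must name something configured (a
# hierarchy, a target), accept it only if it exists and never echo it back.
# display_webpage() already dies on unknown hierarchies, which is the model.
sub allowlisted {
    my ($value, $known) = @_;      # $known: hashref of configured names
    return (defined $value && exists $known->{$value}) ? $value : undef;
}

# Sample input quoted from Steven Chamberlain's report of the unfiltered
# start/end time fields.
my $sample = 'now" oops "';

sub report {
    my ($value) = @_;
    my @lines;
    for my $name (sort keys %BLACKLIST) {
        my $out = blacklist_filter($value, $BLACKLIST{$name});
        push @lines, sprintf('%-22s -> %-22s closes attribute: %s',
            $name, "[$out]", can_close_dq_attribute($out) ? 'YES' : 'no');
    }
    push @lines, sprintf('%-22s -> %s', 'escape_attr', escape_attr($value));
    push @lines, sprintf('%-22s -> %s', 'encode_query_component',
        encode_query_component($value));
    my %hierarchies = (owner => 1, location => 1);   # constructed config
    push @lines, sprintf('%-22s -> %s', 'allowlisted',
        defined allowlisted($value, \%hierarchies) ? 'accepted' : 'rejected');
    return @lines;
}

print "$_\n" for report($sample);
```

Only the upstream class removes the `"` from the sample, while both encoders neutralise it without discarding any input and the allowlist rejects the value outright.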



Bug reopened Request was from Steven Chamberlain <steven@pyro.eu.org> to 659899-submit@bugs.debian.org. (Sat, 16 Mar 2013 12:42:04 GMT) Full text and rfc822 format available.

No longer marked as fixed in versions smokeping/2.6.7-1. Request was from Steven Chamberlain <steven@pyro.eu.org> to 659899-submit@bugs.debian.org. (Sat, 16 Mar 2013 12:42:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 13:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 13:06:04 GMT) Full text and rfc822 format available.

Message #76 received at 659899@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 659899@bugs.debian.org
Cc: Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, tobi@oetiker.ch
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 13:02:24 +0000
On 16/03/13 12:40, Steven Chamberlain wrote:
> and the generated HTML contains:
> 
> <IMG id="zoom" BORDER="0" width="697" height="315"
> SRC="/smokeping/images/__navcache/136343653521739_now" oops
> "_1363423440.png">
> 
> Fortunately though, it doesn't seem possible to use an equals sign in
> these parameters, and so I don't see a way to perform XSS.

I forgot to mention something obvious, that angle brackets < > are
filtered out here, otherwise XSS would have been easy.  Braces { } are
also filtered.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 14:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 14:00:04 GMT) Full text and rfc822 format available.

Message #81 received at 659899@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Steven Chamberlain <steven@pyro.eu.org>, 659899@bugs.debian.org
Cc: Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, tobi@oetiker.ch
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 13:56:27 +0000
On Sat, 2013-03-16 at 12:40 +0000, Steven Chamberlain wrote:
> Control: reopen -1
[...]
> squeeze is vulnerable, as seen on the Navigator Graph page by changing
> the displaymode in the URL.  It gets echoed back by this:

"
Bug reopened
No longer marked as fixed in versions smokeping/2.6.7-1.
"

Is that really what you meant to do? If the intent was to indicate that
squeeze needs fixing but other versions are okay, the appropriate tool
is making sure the "found" versions are correct, not removing the fixed
version and -done indication.

Regards,

Adam




Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 14:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 14:21:04 GMT) Full text and rfc822 format available.

Message #86 received at 659899@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: 659899@bugs.debian.org, Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, tobi@oetiker.ch, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 15:15:54 +0100
Control: fixed -1 2.6.7-1

Hi Steven

On Sat, Mar 16, 2013 at 12:40:04PM +0000, Steven Chamberlain wrote:
> Control: reopen -1

Hmm, as Adam wrote, was this intentional? Because this way we lost the
version tracking for already fixed version. BTS handles fixed versions
already.

Btw, it's a nice timing, since I just yesterday uploaded also the fix
for smokeping to stable to security-master which is not to be
reviewed.

Thank you furthermore for your analysis of further issues! If
possible, could you bring these further possible issues to upstream
(Tobias Oetiker is already in CC list however).

Attached is the debdiff which I uploaded yesterday.

Thank you and regards,
Salvatore
[smokeping_2.3.6-5+squeeze1.debdiff (text/plain, attachment)]

Marked as fixed in versions smokeping/2.6.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 659899-submit@bugs.debian.org. (Sat, 16 Mar 2013 14:21:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 16:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 16:33:04 GMT) Full text and rfc822 format available.

Message #93 received at 659899@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 659899@bugs.debian.org, Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, tobi@oetiker.ch, fw@deneb.enyo.de
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 16:30:00 +0000
Hi,

On 16/03/13 13:56, Adam D. Barratt wrote:
>> On Sat, 2013-03-16 at 12:40 +0000, Steven Chamberlain wrote:
>> No longer marked as fixed in versions smokeping/2.6.7-1.
> 
> Is that really what you meant to do?

I can't remember now, so it was probably a mistake, but now I can think
of a reason to reopen it:

Is the fix in 2.6.7-1 not considered sufficient, or does wheezy/sid need
the revised fix from 2.6.9?

In what places were the " and = characters thought to still be a risk?

(Other than in start/end dates as I've shown;  but those are still not
being filtered in upstream 2.6.9)

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 16:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Sat, 16 Mar 2013 16:45:04 GMT) Full text and rfc822 format available.

Message #98 received at 659899@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, Steven Chamberlain <steven@pyro.eu.org>
Cc: 659899@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, tobi@oetiker.ch, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 12:42:39 -0400
Control: found -1 2.6.7-1
Control: fixed -1 2.6.9-1~exp0
Control: fixed -1 2.3.6-5+squeeze1
Control: tags -1 pending
Control: block -1 with 703193

On 2013-03-16, Salvatore Bonaccorso wrote:
> Control: fixed -1 2.6.7-1
>
> Hi Steven
>
> On Sat, Mar 16, 2013 at 12:40:04PM +0000, Steven Chamberlain wrote:
>> Control: reopen -1
>
> Hmm, as Adam wrote, was this intentional? Because this way we lost the
> version tracking for already fixed version. BTS handles fixed versions
> already.

From what I understand from the upstream changelog, 2.6.7 would still be
affected, because the patch we had before was incomplete. So I think
that "reopen" was actually accurate.

I have done an upload of 2.6.9 to factor those changes in, which I hope
to pass by the RM so that 2.6.9-1 gets into wheezy. 2.6.9 unfortunately
has unrelated changes, so I have uploaded it to experimental, but those
changes seem important enough, to me, to go into wheezy.

Before going forward with the sid upload, I'll wait for RM's approval
though. See #703193 for followup on that.

Thanks for the security upload!

A.

-- 
Information is not knowledge
Knowledge is not wisdom
Wisdom is not truth
                        - Frank Zappa

Marked as found in versions smokeping/2.6.7-1; no longer marked as fixed in versions smokeping/2.6.7-1. Request was from Antoine Beaupré <anarcat@debian.org> to 659899-submit@bugs.debian.org. (Sat, 16 Mar 2013 16:45:04 GMT)

Marked as fixed in versions 2.6.9-1~exp0. Request was from Antoine Beaupré <anarcat@debian.org> to 659899-submit@bugs.debian.org. (Sat, 16 Mar 2013 16:45:05 GMT)

Marked as fixed in versions 2.3.6-5+squeeze1. Request was from Antoine Beaupré <anarcat@debian.org> to 659899-submit@bugs.debian.org. (Sat, 16 Mar 2013 16:45:06 GMT)

Added tag(s) pending. Request was from Antoine Beaupré <anarcat@debian.org> to 659899-submit@bugs.debian.org. (Sat, 16 Mar 2013 16:45:06 GMT)

Added blocking bug(s) of 659899: 703193. Request was from Antoine Beaupré <anarcat@debian.org> to 659899-submit@bugs.debian.org. (Sat, 16 Mar 2013 16:45:07 GMT)

Reply sent to Antoine Beaupré <anarcat@debian.org>:
You have taken responsibility. (Sat, 16 Mar 2013 16:51:08 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 16 Mar 2013 16:51:08 GMT)

Message #113 received at 659899-close@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: 659899-close@bugs.debian.org
Subject: Bug#659899: fixed in smokeping 2.6.9-1~exp0
Date: Sat, 16 Mar 2013 16:48:54 +0000
Source: smokeping
Source-Version: 2.6.9-1~exp0

We believe that the bug you reported is fixed in the latest version of
smokeping, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated smokeping package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 16 Mar 2013 11:34:03 -0400
Source: smokeping
Binary: smokeping
Architecture: source all
Version: 2.6.9-1~exp0
Distribution: experimental
Urgency: high
Maintainer: Antoine Beaupré <anarcat@debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description: 
 smokeping  - latency logging and graphing system
Closes: 659899
Changes: 
 smokeping (2.6.9-1~exp0) experimental; urgency=high
 .
   * New upstream release to properly fix CVE-2012-0790 (Closes: #659899)
   * Acknowledge the NMU, thanks gregor!




Marked as found in versions smokeping/2.3.6-5. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sat, 16 Mar 2013 20:42:04 GMT)

No longer marked as found in versions smokeping/2.6.7-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sat, 16 Mar 2013 20:42:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 21:51:07 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 21:51:07 GMT)

Message #122 received at 659899@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Antoine Beaupré <anarcat@debian.org>
Cc: Steven Chamberlain <steven@pyro.eu.org>, 659899@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 22:47:54 +0100
Hi Antoine

Dropping Tobias Oetiker again from Cc, don't know if he is actually
interested to follow this. But we might/should bring further issues
with smokeping to him.

On Sat, Mar 16, 2013 at 12:42:39PM -0400, Antoine Beaupré wrote:
> Control: found -1 2.6.7-1
> Control: fixed -1 2.6.9-1~exp0
> Control: fixed -1 2.3.6-5+squeeze1
> Control: tags -1 pending
> Control: block -1 with 703193
> 
> On 2013-03-16, Salvatore Bonaccorso wrote:
> > Control: fixed -1 2.6.7-1
> >
> > Hi Steven
> >
> > On Sat, Mar 16, 2013 at 12:40:04PM +0000, Steven Chamberlain wrote:
> >> Control: reopen -1
> >
> > Hmm, as Adam wrote, was this intentional? Because this way we lost the
> > version tracking for already fixed version. BTS handles fixed versions
> > already.
> 
> From what I understand from the upstream changelog, 2.6.7 would still be
> affected, because the patch we had before was incomplete. So I think
> that "reopen" was actually accurate.

Indeed, Steven is right. 2.6.7-1 does not have the full character set as
supplied later with the 2.6.9 release upstream, so this needs to be
also updated and pushed for wheezy.

So again, thanks Steven for bringing this up.

> I have done an upload of 2.6.9 to factor those changes in, which I hope
> to pass by the RM so that 2.6.9-1 gets into wheezy. 2.6.9 unfortunately
> has unrelated changes, so I have uploaded it to experimental, but those
> changes seem important enough, to me, to go into wheezy.
> 
> Before going forward with the sid upload, I'll wait for RM's approval
> though. See #703193 for followup on that.

Hmm, this will quite sure not be approved. And Jonathan Wiltshire
already commented there. A new upstream version at this stage of the
freeze is not acceptable. But how about the attached patch for
unstable?

Thank you for your work, and regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 21:57:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 21:57:05 GMT)

Message #127 received at 659899@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 659899@bugs.debian.org
Cc: Antoine Beaupré <anarcat@debian.org>, Steven Chamberlain <steven@pyro.eu.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 22:53:39 +0100
On Sat, Mar 16, 2013 at 10:47:54PM +0100, Salvatore Bonaccorso wrote:
> Hmm, this will quite sure not be approved. And Jonathan Wiltshire
> already commented there. A new upstream version at this stage of the
> freeze is not acceptable. But how about the attached patch for
> unstable?

... which I have forgotten to attach.

Regards,
Salvatore
[659899-CVE-2012-0790.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 22:51:07 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 22:51:07 GMT)

Message #132 received at 659899@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 659899@bugs.debian.org, Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>, tobi@oetiker.ch
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 22:49:15 +0000
Hi!

On 16/03/13 21:53, Salvatore Bonaccorso wrote:
> On Sat, Mar 16, 2013 at 10:47:54PM +0100, Salvatore Bonaccorso wrote:
>> [...] But how about the attached patch for
>> unstable?

Thank you for that.  It does seem like the right way to handle it for
wheezy.

Your patch seems correct to me.  But defining $xssBadRx would be just
one extra line of diff... so why not use it?  Then it would be more
consistent with upstream.


I've added Tobias back into Cc: as I would like to ask:

While here, I wonder if the user-supplied $start/$end could be filtered
with this same regex, to address the things I noted earlier?  I thought
maybe it could go in parse_datetime which is before they are used in any
file paths or output by anything.  And I don't *think* any valid time
specifier would contain the characters of $xssBadRx.

Thanks everyone,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sat, 16 Mar 2013 23:15:04 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sat, 16 Mar 2013 23:15:04 GMT)

Message #137 received at 659899@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 659899@bugs.debian.org, Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 23:13:56 +0000
Another difference is that upstream 2.6.9 used a replacement character
of underscore rather than a dot.  Attached is my suggested revision of
Salvatore's patch (also adds filtering of time specifiers).

I've tested this on an existing wheezy/sid SmokePing installation;  it
stops the injection of quotes into the <img> tag I demonstrated before.
It also prevents those characters from being used in graph filenames in
the cache directory.  I've tried some valid time specifiers and they are
still working.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
[CVE-2012-0790.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Sun, 17 Mar 2013 00:39:08 GMT)

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Sun, 17 Mar 2013 00:39:08 GMT)

Message #142 received at 659899@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: Steven Chamberlain <steven@pyro.eu.org>, Salvatore Bonaccorso <carnil@debian.org>
Cc: 659899@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sat, 16 Mar 2013 20:37:07 -0400
On 2013-03-16, Steven Chamberlain wrote:
> Another difference is that upstream 2.6.9 used a replacement character
> of underscore rather than a dot.  Attached is my suggested revision of
> Salvatore's patch (also adds filtering of time specifiers).
>
> I've tested this on an existing wheezy/sid SmokePing installation;  it
> stops the injection of quotes into the <img> tag I demonstrated before.
>  It also prevents those characters from being used in graph filenames in
> the cache directory.  I've tried some valid time specifiers and they are
> still working.

Alright, I pushed this patch as 2.6.8-2, thanks!

I have also requested a freeze exception for that upload. Hopefully that
will be enough for now. :)

A.
-- 
Premature optimization is the root of all evil
                        - Donald Knuth

Reply sent to Antoine Beaupré <anarcat@debian.org>:
You have taken responsibility. (Sun, 17 Mar 2013 00:51:05 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 17 Mar 2013 00:51:05 GMT)

Message #147 received at 659899-close@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: 659899-close@bugs.debian.org
Subject: Bug#659899: fixed in smokeping 2.6.8-2
Date: Sun, 17 Mar 2013 00:49:06 +0000
Source: smokeping
Source-Version: 2.6.8-2

We believe that the bug you reported is fixed in the latest version of
smokeping, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated smokeping package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 16 Mar 2013 20:19:34 -0400
Source: smokeping
Binary: smokeping
Architecture: source all
Version: 2.6.8-2
Distribution: unstable
Urgency: high
Maintainer: Antoine Beaupré <anarcat@debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description: 
 smokeping  - latency logging and graphing system
Closes: 659899
Changes: 
 smokeping (2.6.8-2) unstable; urgency=high
 .
   * Acknowledge gregor's NMU, thanks!
   * Urgency high to fix CVE-2012-0790 again (Closes: #659899)




Information forwarded to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Sun, 17 Mar 2013 08:27:04 GMT)

Acknowledgement sent to Tobias Oetiker <tobi@oetiker.ch>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>. (Sun, 17 Mar 2013 08:27:04 GMT)

Message #152 received at 659899@bugs.debian.org (full text, mbox):

From: Tobias Oetiker <tobi@oetiker.ch>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 659899@bugs.debian.org, Antoine Beaupré <anarcat@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, team@security.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Re: Bug#659899: CVE-2012-0790: XSS
Date: Sun, 17 Mar 2013 09:20:53 +0100 (CET)
Folks,

Yesterday Steven Chamberlain wrote:

> Hi!
>
> On 16/03/13 21:53, Salvatore Bonaccorso wrote:
> > On Sat, Mar 16, 2013 at 10:47:54PM +0100, Salvatore Bonaccorso wrote:
> >> [...] But how about the attached patch for
> >> unstable?
>
> Thank you for that.  It does seem like the right way to handle it for
> wheezy.
>
> Your patch seems correct to me.  But defining $xssBadRx would be just
> one extra line of diff... so why not use it?  Then it would be more
> consistent with upstream.
>
>
> I've added Tobias back into Cc: as I would like to ask:
>
> While here, I wonder if the user-supplied $start/$end could be filtered
> with this same regex, to address the things I noted earlier?  I thought
> maybe it could go in parse_datetime which is before they are used in any
> file paths or output by anything.  And I don't *think* any valid time
> specifier would contain the characters of $xssBadRx.
>
> Thanks everyone,
> Regards,

it seems you spend a lot of thought on this ... (much more than I
am presently able to) ... so if you come up with ideas and patches
for the master, just send a pull request on github ...

cheers
tobi


-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi@oetiker.ch ++41 62 775 9902 / sb: -9900



Reply sent to Steven Chamberlain <steven@pyro.eu.org>:
You have marked Bug as forwarded. (Sun, 17 Mar 2013 11:21:11 GMT)

Message #155 received at 659899-forwarded@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: tobi@oetiker.ch
Cc: 659899-quiet@bugs.debian.org, 659899-forwarded@bugs.debian.org
Subject: [PATCH] Filter user-supplied start/end time specifiers
Date: Sun, 17 Mar 2013 10:37:21 +0000
Time specifiers supplied in the Navigator Graph page web form are used
to construct filenames in the cache directory.

Also on that page, or in error output, the URL of that graph is not
properly escaped.  Injection of some characters into HTML is possible,
similar to CVE-2012-0790 but perhaps not enough to cause XSS.

As a precaution, use the existing regex $xssBadRx to filter out
unnecessary characters which fixes both issues.  Doing this in
parse_datetime conveniently covers all uses.

diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
index cec130a..babd658 100644
--- a/lib/Smokeping.pm
+++ b/lib/Smokeping.pm
@@ -1029,12 +1029,13 @@ sub smokecol ($) {
 sub parse_datetime($){
     my $in = shift;
     for ($in){
+        $in =~ s/$xssBadRx/_/g;
 	/^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32; return $value};
         /^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$/  && 
             return POSIX::mktime($6||0,$5||0,$4||0,$3,$2-1,$1-1900,0,0,-1);
         /^now$/ && return time;
         /([ -:a-z0-9]+)/ && return $1;     
     };
     return time;
 }
         
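Review bot: the added `$in =~ s/$xssBadRx/_/g;` operates on `$in` while every following pattern in the `for ($in)` block matches against `$_`; this only works because foreach aliases `$_` to `$in`, so a bare `s/$xssBadRx/_/g;` would match the rest of the block and make that dependency explicit. The hunk also relies on `$xssBadRx` being defined at file scope above `parse_datetime`, which the diff does not show, and the choice of `_` deserves a comment: `_` lies outside the class in the fallback `/([ -:a-z0-9]+)/ && return $1;`, so a filtered specifier is truncated at the replacement rather than handed on with a stray `_`. Note too that ` -:` in that class is a range from space (0x20) to colon (0x3A), so by itself it admits `"`, `'`, `%` and `&`; a comment stating whether that range is intended would help future readers.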
-- 
1.7.10.4
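As an added illustration (not code from the bug log or from SmokePing itself), the following Python model replays the parse_datetime logic from the hunk above, with and without the `$xssBadRx` substitution, and enumerates which characters the fallback class `[ -:a-z0-9]` really admits. It also covers Steven's earlier description of the 2.6.8-2 filtering. The character set assumed for `$xssBadRx` is a guess inferred from the thread (the log never shows it); the epoch, date, `now` and fallback patterns are transcribed from the hunk.

```python
import re
import time

# Assumed character set for upstream's $xssBadRx (the bug log never shows it);
# the thread says 2.6.9 added '"' and '=' to the earlier set, so both are included.
XSS_BAD_RX = re.compile("[<>%&'\";=]")
REPLACEMENT = "_"  # 2.6.9 uses an underscore (Salvatore's first patch used a dot)

# The four patterns of parse_datetime, transcribed from the patched hunk.
EPOCH_RX = re.compile(r"^(\d+)$")
DATE_RX = re.compile(
    r"^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$"
)
NOW_RX = re.compile(r"^now$")
# The " -:" inside this class is a RANGE from 0x20 (space) to 0x3A (colon),
# not the three characters space, dash and colon. It therefore also admits
# " # $ % & ' ( ) * + , . / which is why the up-front filter matters.
FALLBACK_RX = re.compile(r"([ -:a-z0-9]+)")


def parse_datetime(spec, filter_bad=True):
    """Model of Smokeping's parse_datetime: returns an epoch int or, for
    RRDtool-style specifiers such as 'now-1d', the matched string.
    filter_bad=False reproduces the behaviour before the patch."""
    if filter_bad:
        spec = XSS_BAD_RX.sub(REPLACEMENT, spec)
    m = EPOCH_RX.match(spec)
    if m:
        value = int(m.group(1))
        return int(time.time()) if value > 2**32 else value
    m = DATE_RX.match(spec)
    if m:
        y, mo, d, hh, mm, ss = m.groups()
        return int(time.mktime((int(y), int(mo), int(d),
                                int(hh or 0), int(mm or 0), int(ss or 0),
                                0, 0, -1)))
    if NOW_RX.match(spec):
        return int(time.time())
    m = FALLBACK_RX.search(spec)
    if m:
        # First run of class characters; anything after it is dropped, so a
        # filtered-in '_' truncates the specifier at the offending position.
        return m.group(1)
    return int(time.time())


def fallback_class_chars():
    """Printable ASCII characters accepted by the fallback pattern's class."""
    one = re.compile(r"[ -:a-z0-9]")
    return "".join(c for c in map(chr, range(32, 127)) if one.fullmatch(c))


def before_after(spec):
    """(pre-patch result, post-patch result) for one user-supplied specifier."""
    return parse_datetime(spec, filter_bad=False), parse_datetime(spec)


if __name__ == "__main__":
    # Constructed inputs: valid specifiers plus one carrying a stray quote,
    # the character Steven saw reaching the <img> tag and cache filenames.
    for spec in ["1363437604", "2013-03-16 12:40", "now", "now-1d", 'now-1d" x']:
        print(repr(spec), "->", before_after(spec))
    print("fallback class admits:", repr(fallback_class_chars()))
```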




Information stored :
Bug#659899; Package smokeping. (Sun, 17 Mar 2013 11:21:14 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and filed, but not forwarded. (Sun, 17 Mar 2013 11:21:14 GMT)

Message #161 received at 659899-forwarded@bugs.debian.org (full text, mbox):

From: Tobias Oetiker <tobi@oetiker.ch>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: 659899-quiet@bugs.debian.org, 659899-forwarded@bugs.debian.org
Subject: Re: [PATCH] Filter user-supplied start/end time specifiers
Date: Sun, 17 Mar 2013 13:15:31 +0100 (CET)
Hi Steven,

thanks for the analysis and patch ... already pushed to master

lg
tobi

Today Steven Chamberlain wrote:

> Time specifiers supplied in the Navigator Graph page web form are used
> to construct filenames in the cache directory.
>
> Also on that page, or in error output, the URL of that graph is not
> properly escaped.  Injection of some characters into HTML is possible,
> similar to CVE-2012-0790 but perhaps not enough to cause XSS.
>
> As a precaution, use the existing regex $xssBadRx to filter out
> unnecessary characters which fixes both issues.  Doing this in
> parse_datetime conveniently covers all uses.
>
> diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
> index cec130a..babd658 100644
> --- a/lib/Smokeping.pm
> +++ b/lib/Smokeping.pm
> @@ -1029,12 +1029,13 @@ sub smokecol ($) {
>  sub parse_datetime($){
>      my $in = shift;
>      for ($in){
> +        $in =~ s/$xssBadRx/_/g;
>  	/^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32; return $value};
>          /^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$/  &&
>              return POSIX::mktime($6||0,$5||0,$4||0,$3,$2-1,$1-1900,0,0,-1);
>          /^now$/ && return time;
>          /([ -:a-z0-9]+)/ && return $1;
>      };
>      return time;
>  }

-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi@oetiker.ch ++41 62 775 9902 / sb: -9900



Information stored :
Bug#659899; Package smokeping. (Sun, 17 Mar 2013 12:24:08 GMT)

Acknowledgement sent to Tobias Oetiker <tobi@oetiker.ch>:
Extra info received and filed, but not forwarded. (Sun, 17 Mar 2013 12:24:08 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 21 Mar 2013 22:06:07 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 21 Mar 2013 22:06:07 GMT)

Message #171 received at 659899-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 659899-close@bugs.debian.org
Subject: Bug#659899: fixed in smokeping 2.3.6-5+squeeze1
Date: Thu, 21 Mar 2013 22:02:04 +0000
Source: smokeping
Source-Version: 2.3.6-5+squeeze1

We believe that the bug you reported is fixed in the latest version of
smokeping, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated smokeping package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 15 Mar 2013 22:46:57 +0100
Source: smokeping
Binary: smokeping
Architecture: source all
Version: 2.3.6-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 smokeping  - latency logging and graphing system
Closes: 659899
Changes: 
 smokeping (2.3.6-5+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2012-0790: Fix cross-site scripting vulnerability allowing a
     remote attacker to inject arbitrary web script or html via the
     displaymode parameter. Initial patch prepared by Antoine Beaupré.
     Add an adjustment to the patterns to exclude more special
     characters. (Closes: #659899)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:33:24 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:30:53 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.