Debian Bug report logs - #833885
gbrowse: ships a deterministic/predictable OpenID consumer secret
Reported by: Chris Lamb <lamby@debian.org>
Date: Tue, 9 Aug 2016 21:51:01 UTC
Severity: normal
Tags: security
Found in version gbrowse/2.54+dfsg-7
Fixed in version gbrowse/2.56+dfsg-1
Done: Andreas Tille <tille@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@lists.alioth.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#833885; Package gbrowse. (Tue, 09 Aug 2016 21:51:05 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: New Bug report received and forwarded. Copy sent to reproducible-builds@lists.alioth.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Tue, 09 Aug 2016 21:51:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: gbrowse
Version: 2.54+dfsg-7
Severity: normal
Tags: security
User: reproducible-builds@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org
Hi,
gbrowse ships an OpenID consumer secret in /usr/share/perl5/GBrowse/ConfigData.pm:
{
'OpenIDConsumerSecret' => '639098210478536',
'cgibin' => '/usr/lib/cgi-bin/gbrowse',
'conf' => '/etc/gbrowse',
'config_done' => 1,
'databases' => '/var/lib/gbrowse/databases',
'htdocs' => '/usr/share/gbrowse/htdocs',
'installetc' => 'y',
'persistent' => '/var/lib/gbrowse',
'registration_done' => '1',
'tmp' => '/var/cache/gbrowse'
},
The number is randomly generated at build time, meaning that everyone installing
that particular .deb gets the same "secret". The security implications of this
should be obvious, hence the tag.
(In addition, it also means the package is not reproducible.)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#833885; Package gbrowse. (Wed, 14 Dec 2016 09:21:05 GMT)
Acknowledgement sent to Andreas Tille <tille@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Wed, 14 Dec 2016 09:21:06 GMT)
Message #10 received at 833885@bugs.debian.org:
Hi,
as far as I can see the solution for this issue would be to use a
symlink for /usr/share/perl5/GBrowse/ConfigData.pm pointing to something
like /etc/gbrowse/ConfigData.pm while the file
/etc/gbrowse/ConfigData.pm will be created in postinst. Is this correct
and will somebody of the other Uploaders (in CC) be able to care for
this since I personally do not have any clue how to test gbrowse to
verify the correct functionality?
Kind regards
Andreas.
--
http://fam-tille.de
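As an added example (not code from the gbrowse package, its upstream, or anyone in this thread), here is what the postinst-style step Andreas proposes could look like in POSIX shell: keep the module path that Perl loads, but turn it into a symlink to a copy under the config directory whose OpenIDConsumerSecret is drawn from the kernel CSPRNG on the installing host, and treat the shipped value '639098210478536' from the report as unusable. The ConfigData.pm contents, the 32-byte secret length and the helper names are constructed for the demo, and it runs in a temporary directory instead of touching /usr/share/perl5 or /etc/gbrowse. The changelog later in this log records only the symlink plus a README.Debian note, so per-host generation is the proposal here, not what shipped.

```shell
#!/bin/sh
# Added example, not gbrowse's own packaging: a postinst-style step that gives
# every host its own OpenIDConsumerSecret instead of the build-time value.
set -eu

# Constructed stand-in for the shipped ConfigData.pm, carrying the build-time
# secret quoted in the bug report.
write_shipped_config() {
    cat > "$1" <<'EOF'
package GBrowse::ConfigData;
my $config = {
  'OpenIDConsumerSecret' => '639098210478536',
  'cgibin' => '/usr/lib/cgi-bin/gbrowse',
  'conf' => '/etc/gbrowse',
  'config_done' => 1,
};
EOF
}

# Print the secret stored in a ConfigData.pm-style file (empty if absent).
read_secret() {
    sed -n "s/.*'OpenIDConsumerSecret' => '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Returns 0 (true) when the stored secret is unusable: missing, equal to the
# shipped build-time value, or shorter than 32 hex characters (128 bits).
secret_is_weak() {
    s=$(read_secret "$1")
    [ -z "$s" ] && return 0
    [ "$s" = "639098210478536" ] && return 0
    [ "${#s}" -lt 32 ] && return 0
    return 1
}

# 32 bytes from the kernel CSPRNG, hex encoded (64 characters).
gen_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Postinst-style step: write the config copy with a fresh secret and restricted
# permissions, then replace the shipped file with a symlink so the module is
# still found at its old path. A strong secret already present is kept, so the
# step is safe to re-run on upgrades.
install_secret() {
    shipped="$1"; target="$2"
    if [ -e "$target" ] && ! secret_is_weak "$target"; then
        return 0
    fi
    mkdir -p "$(dirname "$target")"
    umask 077
    new=$(gen_secret)
    sed "s/'OpenIDConsumerSecret' => '[^']*'/'OpenIDConsumerSecret' => '$new'/" "$shipped" > "$target"
    chmod 0640 "$target"
    ln -sf "$target" "$shipped"
}

# Stand-alone walk-through in a temp dir (stands in for /usr/share/perl5/GBrowse
# and /etc/gbrowse). Prints "ok" on success.
demo() {
    d=$(mktemp -d)
    write_shipped_config "$d/ConfigData.pm"
    secret_is_weak "$d/ConfigData.pm" || return 1        # shipped value must be flagged
    install_secret "$d/ConfigData.pm" "$d/etc/ConfigData.pm"
    secret_is_weak "$d/ConfigData.pm" && return 1        # now strong, read via the symlink
    [ -L "$d/ConfigData.pm" ] || return 1
    first=$(read_secret "$d/etc/ConfigData.pm")
    install_secret "$d/ConfigData.pm" "$d/etc/ConfigData.pm"   # re-run keeps the host's secret
    [ "$(read_secret "$d/etc/ConfigData.pm")" = "$first" ] || return 1
    rm -rf "$d"
    echo "ok"
}

demo
```

The secret is read back through the symlinked path on purpose: that is the path GBrowse's Perl code loads, so it is the path an audit should check. The weak-secret test is what a maintainer script can run on upgrade to decide whether an existing /etc copy still carries the build-time value and needs regenerating.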
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#833885; Package gbrowse. (Wed, 14 Dec 2016 09:45:03 GMT)
Acknowledgement sent to olivier sallou <olivier.sallou@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Wed, 14 Dec 2016 09:45:03 GMT)
Message #15 received at 833885@bugs.debian.org:
On Wed, 14 Dec 2016 at 10:19, Andreas Tille <tille@debian.org> wrote:
> Hi,
>
> as far as I can see the solution for this issue would be to use a
> symlink for /usr/share/perl5/GBrowse/ConfigData.pm pointing to something
> like /etc/gbrowse/ConfigData.pm while the file
> /etc/gbrowse/ConfigData.pm will be created in postinst. Is this correct
> and will somebody of the other Uploaders (in CC) be able to care for
> this since I personally do not have any clue how to test gbrowse to
> verify the correct functionality?
>
I think openid is not configured for GBrowse in Debian, so it should not
be an issue.
It is true that consumersecret is generated at build time. It should not.
Linking ConfigData.pm to the etc file is the correct behavior, but putting a
post-install step may not be necessary. It is a config parameter and the user
should update it if he wishes to use openid as a configuration parameter.
It is up to the user to update this value like he would in other packages
for password/secret related stuff.
Olivier
>
> Kind regards
>
> Andreas.
>
> --
> http://fam-tille.de
>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>: Bug#833885; Package gbrowse. (Wed, 14 Dec 2016 10:15:02 GMT)
Acknowledgement sent to olivier sallou <olivier.sallou@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Wed, 14 Dec 2016 10:15:03 GMT)
Message #20 received at 833885@bugs.debian.org:
On Wed, 14 Dec 2016 at 10:41, olivier sallou <olivier.sallou@gmail.com> wrote:
> On Wed, 14 Dec 2016 at 10:19, Andreas Tille <tille@debian.org> wrote:
>
> Hi,
>
> as far as I can see the solution for this issue would be to use a
> symlink for /usr/share/perl5/GBrowse/ConfigData.pm pointing to something
> like /etc/gbrowse/ConfigData.pm while the file
> /etc/gbrowse/ConfigData.pm will be created in postinst. Is this correct
> and will somebody of the other Uploaders (in CC) be able to care for
> this since I personally do not have any clue how to test gbrowse to
> verify the correct functionality?
>
>
> I think openid is not configured for GBrowse in Debian , so it should not
> be an issue
> It is true that consumersecret is generated at build time. It should not.
> Linking ConfigData.pm to etc file is the correct behavior, but putting a
> post install step may not be necessary. It is a config parameter and user
> should update it if he wish to use openid as a configuration parameter.
> It is up to the user to update this value like he would in other packages
> for password/secret related stuff.
>
By the way, openid is more and more deprecated and supported by fewer and
fewer providers..... so it may not be worth the effort. Simply linking to etc
for user config, if he wants to, should be necessary.
We won't be able anyway to test openid easily as it needs to get a server
and to declare the app in openid provider.... :-(
Olivier
>
> Olivier
>
>
> Kind regards
>
> Andreas.
>
> --
> http://fam-tille.de
>
>
Changed Bug title to 'gbrowse: ships a deterministic/predictable OpenID consumer secret' from 'gbrowse: ships a deterministic/predictable OpenID constumer secret'.
Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Tue, 17 Jan 2017 05:36:02 GMT)
Reply sent to Andreas Tille <tille@debian.org>: You have taken responsibility. (Wed, 18 Jan 2017 16:39:08 GMT)
Notification sent to Chris Lamb <lamby@debian.org>: Bug acknowledged by developer. (Wed, 18 Jan 2017 16:39:08 GMT)
Message #27 received at 833885-close@bugs.debian.org:
Source: gbrowse
Source-Version: 2.56+dfsg-1
We believe that the bug you reported is fixed in the latest version of
gbrowse, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 833885@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated gbrowse package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 18 Jan 2017 17:16:19 +0100
Source: gbrowse
Binary: gbrowse gbrowse-data gbrowse-calign
Architecture: source amd64 all
Version: 2.56+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Description:
gbrowse - GMOD Generic Genome Browser
gbrowse-calign - CAlign helper
gbrowse-data - Sample data to use GBrowse
Closes: 826458 833885 848236
Changes:
gbrowse (2.56+dfsg-1) unstable; urgency=medium
.
[ Olivier Sallou ]
* Fix deprecated unescaped left brace in regex
Closes: #826458
.
[ Andreas Tille ]
* New upstream version
Closes: #848236
* Symlink OpenID consumer secret to /etc/gbrowse/ConfigData.pm
and document this in README.Debian
Closes: #833885
* debhelper 10
* d/watch: version=4
* Exclude some tests via debian/tests/pkg-perl/smoke-skip
* Add missing Build-Depends: libbio-graphics-perl, libbio-coordinate-perl
* Enhance descriptions
* hardening=+all
* Remove unused lintian override
* Add $remote_fs to required-start
* Add missing Depends: lsb-base (>= 3.0-6)
* Fix runlevel of initscript
* Fix manpage synopses and spelling
* Init lsb functions in all init scripts
* Add missing "update-rc.d gbrowse-aws-balancer" calls
Checksums-Sha1:
22501e2a43df3dacafaa3f948ef6d7054d3caf69 2641 gbrowse_2.56+dfsg-1.dsc
269fba6b75112b0a2037350308914f05d4747697 4355977 gbrowse_2.56+dfsg.orig.tar.gz
7e59e2a3845af9e05428c21295f5608dd14c8e83 22284 gbrowse_2.56+dfsg-1.debian.tar.xz
2a079697dfab0a1d8775cbd7ef300decb29250bd 27932 gbrowse-calign-dbgsym_2.56+dfsg-1_amd64.deb
62b246fb48e723e48c8b08f9ef1b890a8920a2e7 35794 gbrowse-calign_2.56+dfsg-1_amd64.deb
9b71506aacaff0080b4b367389f26fe3111c651b 1234536 gbrowse-data_2.56+dfsg-1_all.deb
dd8457a4a82e6cd0eee47863aef51f6657dd67ed 2376460 gbrowse_2.56+dfsg-1_all.deb
3933e56299ffbea133aeb1636ec5e26cec8a3a33 8349 gbrowse_2.56+dfsg-1_amd64.buildinfo
Checksums-Sha256:
248ff3221d27950baa8cebe5bdf5f27b941de0162d75f70e6ed9c8696f9f5136 2641 gbrowse_2.56+dfsg-1.dsc
f6da1ff315b17ec260810cf439a54ae7ddd66728015be03f7fbb6ba795676f81 4355977 gbrowse_2.56+dfsg.orig.tar.gz
6bb109a315a8c998aea87b41b58247dc41f855a43f2faca0538851cb7a651b45 22284 gbrowse_2.56+dfsg-1.debian.tar.xz
fc6949cb40e7b4b2cbb9d969feda0e285ac4f7f06c3ddad6560878cfde203f5e 27932 gbrowse-calign-dbgsym_2.56+dfsg-1_amd64.deb
8d4311b886643ff8f02e51514984f4e7fd467438830b94e3cee6e505f63311bd 35794 gbrowse-calign_2.56+dfsg-1_amd64.deb
ad4fa399e6c9e271ccc3aa648f30908d0afbfc01f43925b264107d8b9254514d 1234536 gbrowse-data_2.56+dfsg-1_all.deb
0c35efefd08ef8f24c00dde5999354bd34f5ce1acf6b5873829e58bc7363fcaa 2376460 gbrowse_2.56+dfsg-1_all.deb
a098fa0ef76022ab49afc43ba5159d3b3036c265eec685816d1be4b1ef76d421 8349 gbrowse_2.56+dfsg-1_amd64.buildinfo
Files:
389aa71b47fccb7a51069d4655a5bf5c 2641 science optional gbrowse_2.56+dfsg-1.dsc
9638dd3e43897548172911706277f177 4355977 science optional gbrowse_2.56+dfsg.orig.tar.gz
66459ba99292df4f861f9e0354bfa9d6 22284 science optional gbrowse_2.56+dfsg-1.debian.tar.xz
9a13b1a1c180467561c7cdfb65c81eda 27932 debug extra gbrowse-calign-dbgsym_2.56+dfsg-1_amd64.deb
119584e9543decac6e5b202c6edeaf64 35794 science optional gbrowse-calign_2.56+dfsg-1_amd64.deb
bbb037cda01422da94524072774b4bf1 1234536 science optional gbrowse-data_2.56+dfsg-1_all.deb
821faded43382c17c3ea79a179a71967 2376460 science optional gbrowse_2.56+dfsg-1_all.deb
f2082fd5e24a4dc80737a6ed31e33edf 8349 science optional gbrowse_2.56+dfsg-1_amd64.buildinfo
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 12 Jun 2019 07:26:57 GMT)
Last modified: Sat Aug 19 15:11:36 2023