Debian Bug report logs - #859136
CVE-2016-1566: XSS vulnerability in file browser


Package: guacamole-client; Maintainer for guacamole-client is (unknown);

Reported by: Antoine Beaupre <anarcat@orangeseeds.org>

Date: Thu, 30 Mar 2017 18:48:01 UTC

Severity: important

Tags: security, upstream

Found in version 0.9.9+dfsg-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Thu, 30 Mar 2017 18:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Thu, 30 Mar 2017 18:48:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: submit@bugs.debian.org
Subject: CVE-2016-1566: XSS vulnerability in file browser
Date: Thu, 30 Mar 2017 14:45:21 -0400
Package: guacamole-client
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: normal
Tags: security
Version: 0.9.9+dfsg-1

Hi,

the following vulnerability was published for guacamole.

CVE-2016-1566[0]:
| Cross-site scripting (XSS) vulnerability in the file browser in
| Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
| shared by multiple users, allows remote authenticated users to inject
| arbitrary web script or HTML via a crafted filename.  NOTE: this
| vulnerability was fixed in guacamole.war on 2016-01-13, but the
| version number was not changed.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1566
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566
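The CVE text quoted above describes a classic DOM XSS sink: a filename chosen by one authenticated user is rendered into the file browser markup seen by other users sharing the same upload location. The JavaScript below is an added illustration written for this log; it is not Guacamole's guacFileBrowser.js nor the upstream fix. The functions escapeHtml, renderListingUnsafe, renderListingSafe and containsForeignTag, and the sample listing, are constructed for this example. It places the vulnerable concatenate-into-markup pattern beside the escaped form, and adds a check a unit test can run over the rendered output to catch regressions.

```javascript
// Added example (not Guacamole's code): rendering untrusted filenames in a
// browser-side file listing. All names below are assumptions for this
// illustration, not identifiers from the project.

// Constructed sample listing: the second name is attacker-controlled and
// carries markup, standing in for the "crafted filename" of CVE-2016-1566.
const SAMPLE_LISTING = [
  { name: "notes.txt", isDirectory: false },
  { name: "report<script>x()</script>.txt", isDirectory: false },
  { name: "shared", isDirectory: true },
];

// Escape the five characters that change meaning in HTML text and
// attribute contexts. Order matters: '&' must be replaced first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the filename is concatenated straight into markup
// that the caller assigns to innerHTML, so tags inside the name become
// live DOM in every user's browser that views the listing.
function renderListingUnsafe(entries) {
  return entries
    .map((e) => '<div class="' + (e.isDirectory ? "dir" : "file") + '">' +
                e.name + "</div>")
    .join("");
}

// Hardened pattern: every untrusted value is escaped before it enters
// markup. In real DOM code the equivalent is creating the element and
// assigning textContent, which never parses the value as HTML.
function renderListingSafe(entries) {
  return entries
    .map((e) => '<div class="' + (e.isDirectory ? "dir" : "file") + '">' +
                escapeHtml(e.name) + "</div>")
    .join("");
}

// Regression check for a test suite: after removing the tags our own
// template emits, does anything that still parses as a tag remain?
function containsForeignTag(html) {
  const stripped = html.replace(/<\/?div[^>]*>/g, "");
  return /<[a-zA-Z]/.test(stripped);
}

// Stand-alone run: prints both renderings and the check result.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe :", renderListingUnsafe(SAMPLE_LISTING));
  console.log("safe   :", renderListingSafe(SAMPLE_LISTING));
  console.log("unsafe has foreign tag:", containsForeignTag(renderListingUnsafe(SAMPLE_LISTING)));
  console.log("safe has foreign tag  :", containsForeignTag(renderListingSafe(SAMPLE_LISTING)));
}
```

Run it with `node` to see the unescaped `<script>` survive in the unsafe rendering and appear as `&lt;script&gt;` in the safe one. The containsForeignTag check is deliberately template-specific: it only knows about the `div` elements the renderer emits, so any other tag in the output is by definition data that leaked into markup.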

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Mar 2017 19:30:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Mon, 02 Oct 2017 19:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Mon, 02 Oct 2017 19:21:06 GMT) (full text, mbox, link).


Message #12 received at 859136@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: 859136@bugs.debian.org
Subject: Re: CVE-2016-1566: XSS vulnerability in file browser
Date: Mon, 2 Oct 2017 21:19:17 +0200
On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> Package: guacamole-client
> X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> Severity: normal
> Tags: security
> Version: 0.9.9+dfsg-1
> 
> Hi,
> 
> the following vulnerability was published for guacamole.
> 
> CVE-2016-1566[0]:
> | Cross-site scripting (XSS) vulnerability in the file browser in
> | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> | shared by multiple users, allows remote authenticated users to inject
> | arbitrary web script or HTML via a crafted filename.  NOTE: this
> | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> | version number was not changed.

What's the status? More than half a year has passed.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Tue, 03 Oct 2017 18:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Tue, 03 Oct 2017 18:57:06 GMT) (full text, mbox, link).


Message #17 received at 859136@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 859136@bugs.debian.org
Subject: Re: Bug#859136: CVE-2016-1566: XSS vulnerability in file browser
Date: Tue, 3 Oct 2017 20:55:47 +0200
Hi

On Mon, Oct 02, 2017 at 09:19:17PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> > Package: guacamole-client
> > X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> > Severity: normal
> > Tags: security
> > Version: 0.9.9+dfsg-1
> > 
> > Hi,
> > 
> > the following vulnerability was published for guacamole.
> > 
> > CVE-2016-1566[0]:
> > | Cross-site scripting (XSS) vulnerability in the file browser in
> > | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> > | shared by multiple users, allows remote authenticated users to inject
> > | arbitrary web script or HTML via a crafted filename.  NOTE: this
> > | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> > | version number was not changed.
> 
> What's the status? More than half a year has passed.

Upstream commit, afaics 

https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367

Regards,
Salvatore



Severity set to 'important' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Oct 2017 19:00:07 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Dominik George <nik@naturalnet.de> to control@bugs.debian.org. (Tue, 17 Oct 2017 14:03:10 GMT) (full text, mbox, link).


Message sent on to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug#859136. (Tue, 17 Oct 2017 14:03:12 GMT) (full text, mbox, link).


Message #24 received at 859136-submitter@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>
To: 859136-submitter@bugs.debian.org
Subject: Bug#859136 marked as pending
Date: Tue, 17 Oct 2017 13:59:18 +0000
tag 859136 pending
thanks

Hello,

Bug #859136 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-remote/packages/guacamole-client.git/commit/?id=e06c65f

---
commit e06c65fef15274ea8190e5b5e409dcfbecbe8708
Author: Dominik George <nik@naturalnet.de>
Date:   Tue Oct 17 15:58:58 2017 +0200

    Update control and changelog.

diff --git a/debian/changelog b/debian/changelog
index 8a3c08d..ff9b437 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+guacamole-client (0.9.13-1) UNRELEASED; urgency=medium
+
+  * New upstream version.
+    + Includes fix for CVE-2016-1566. (Closes: #859136)
+  * Update watch file for Apache Incubator. (Closes: #859373)
+  * Update Standards-Version to 4.1.1, no changes needed.
+
+ -- Dominik George <nik@naturalnet.de>  Tue, 17 Oct 2017 15:56:10 +0200
+
 guacamole-client (0.9.9+dfsg-1) unstable; urgency=medium
 
   [ Dominik George ]
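Review bot: the line `+    + Includes fix for CVE-2016-1566. (Closes: #859136)` credits the fix to the 0.9.13 upstream release, but the CVE text quoted in this bug says upstream fixed the issue in guacamole.war on 2016-01-13 without changing the version number, so this entry will make the security tracker record 0.9.13-1 as the first fixed Debian version even if the 0.9.9+dfsg-1 upload already carried the corrected guacFileBrowser.js. Suggest checking which Debian upload first shipped the fixed file and, if it was 0.9.9+dfsg-1, saying so in the entry (for example "Fix for CVE-2016-1566 was already present in 0.9.9+dfsg-1") so the closing version matches what was actually shipped.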



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Sat, 10 Oct 2020 12:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Sat, 10 Oct 2020 12:54:03 GMT) (full text, mbox, link).


Message #29 received at 859136@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 964195@bugs.debian.org, 859136@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: guacamole-client: CVE-2020-9497 and CVE-2020-9498
Date: Sat, 10 Oct 2020 14:51:40 +0200
Hi,

I am currently investigating the security vulnerabilities in
guacamole-client.

I believe the reported CVE-2020-9497 and CVE-2020-9498 issues only
affect the server part of guacamole but this one has not been packaged
yet. The security researchers who reported the vulnerabilities have
discussed them in detail at

https://research.checkpoint.com/2020/apache-guacamole-rce/

The paragraph about the Disclosure Timeline mentions the following
commit which appears to fix both issues. (or all four according to
checkpoint.com)

https://github.com/apache/guacamole-server/commit/a0e11dc81727528224d28466903454e1cb0266bb

Please double-check if the findings are correct. At the moment I am
inclined to mark the guacamole-client package as not affected by
CVE-2020-9497 and CVE-2020-9498.

Then I also looked into CVE-2016-1566. It appears to me the current
version in stretch and unstable has already been fixed.

If

https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367

is the fixing commit, then it is already included in version 0.9.9+dfsg-1


The other CVEs, CVE-2018-1340 and CVE-2017-3158, are still relevant though.

Regards,

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Sat, 10 Oct 2020 17:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Sat, 10 Oct 2020 17:48:03 GMT) (full text, mbox, link).


Message #34 received at 859136@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 859136@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, 859136-done@bugs.debian.org
Subject: Re: Bug#859136: CVE-2016-1566: XSS vulnerability in file browser
Date: Sat, 10 Oct 2020 19:46:09 +0200
Hi,

On Tue, Oct 03, 2017 at 08:55:47PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> On Mon, Oct 02, 2017 at 09:19:17PM +0200, Moritz Muehlenhoff wrote:
> > On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> > > Package: guacamole-client
> > > X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> > > Severity: normal
> > > Tags: security
> > > Version: 0.9.9+dfsg-1
> > > 
> > > Hi,
> > > 
> > > the following vulnerability was published for guacamole.
> > > 
> > > CVE-2016-1566[0]:
> > > | Cross-site scripting (XSS) vulnerability in the file browser in
> > > | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> > > | shared by multiple users, allows remote authenticated users to inject
> > > | arbitrary web script or HTML via a crafted filename.  NOTE: this
> > > | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> > > | version number was not changed.
> > 
> > What's the status? More than half a year has passed.
> 
> Upstream commit, afaics 
> 
> https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367

Prompted by the question from Markus: it looks like no released version in
Debian actually ever contained the broken code in guacFileBrowser.js
as the version uploaded to Debian as 0.9.9+dfsg-1 was already with the
fixed code (note that the upstream versions are quite useless here as
they seem to have released twice 0.9.9).

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 10 Oct 2020 17:48:06 GMT) (full text, mbox, link).


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Sat, 10 Oct 2020 17:48:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Sat, 10 Oct 2020 17:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Sat, 10 Oct 2020 17:51:05 GMT) (full text, mbox, link).


Message #44 received at 859136@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 859136@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#859136: guacamole-client: CVE-2020-9497 and CVE-2020-9498
Date: Sat, 10 Oct 2020 19:50:32 +0200
Hi,

On Sat, Oct 10, 2020 at 02:51:40PM +0200, Markus Koschany wrote:
> Then I also looked into CVE-2016-1566. It appears to me the current
> version in stretch and unstable has already been fixed.
> 
> If
> 
> https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367
> 
> is the fixing commit, then it is already included in version 0.9.9+dfsg-1

Prompted by your question I double-checked this. In fact the versions
released in Debian never contained the vulnerability, so marked it as
such, thanks for the note.

Reason: the earlier version did not contain the code, and the next one
uploaded to unstable was 0.9.9+dfsg-1 which contained the fully fixed
JavaScript code. Upstream's versions are useless here as they seem to
have released twice 0.9.9 (once broken and once fixed).

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Nov 2020 07:27:14 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 22 00:32:07 2024; Machine Name: buxtehude
