prayer: CVE-2018-18655: Information disclosure via Referrer: header

Related Vulnerabilities: CVE-2018-18655  

Debian Bug report logs - #911842


Package: prayer; Maintainer for prayer is Magnus Holmgren <holmgren@debian.org>; Source for prayer is src:prayer (PTS, buildd, popcon).

Reported by: Matthew Vernon <matthew@debian.org>

Date: Thu, 25 Oct 2018 11:42:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version prayer/1.3.5-dfsg1-4

Fixed in version prayer/1.3.5-dfsg1-5

Done: Magnus Holmgren <holmgren@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, team@security.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#911842; Package prayer. (Thu, 25 Oct 2018 11:42:04 GMT)


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, team@security.debian.org, Magnus Holmgren <holmgren@debian.org>. (Thu, 25 Oct 2018 11:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Matthew Vernon <matthew@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: prayer: Information disclosure via Referrer: header
Date: Thu, 25 Oct 2018 11:56:22 +0100
Package: prayer
Version: 1.3.5-dfsg1-4+b1
Severity: important
Tags: security upstream patch

Hi,

prayer includes a Referrer header when users click on a link in their
email; this header includes the user's username, e.g.:

https://aragorn.weathertop.principate.org.uk/session/matthew:17095//AAAE@display@225@7234

This means that the operator of the linked-to website learns about the
identity of their visitors; this may be entirely personally
identifying - for example:

https://telescoper.wordpress.com/2018/10/18/a-breakthrough-for-a-bigot/#comment-339386

...where the cam.ac.uk username is enough to tell the commented
exactly who has been visiting.

The solution is to patch header.t to include:
<meta name="referrer" content="no-referrer">

Operators of prayer systems fix this by copying
templates/cam/header.t (from the source package) into
/etc/prayer/templates/cam/header.t and applying the patch, then
adjusting prayer.cf to have template_use_compiled = FALSE and then
restarting prayer.

I'm reporting this publicly as the issue is already known about (cf
the blog link above); it's arguably release-critical severity, but
I'll leave that to your discretion. The fix is fairly simple, at
least!

Regards,

Matthew

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-6-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages prayer depends on:
ii  adduser                                    3.115
ii  exim4                                      4.89-2+deb9u3
ii  exim4-daemon-heavy [mail-transport-agent]  4.89-2+deb9u3
ii  libc-client2007e                           8:2007f~dfsg-5
ii  libc6                                      2.24-11+deb9u3
ii  libdb5.3                                   5.3.28-12+deb9u1
ii  libldap-2.4-2                              2.4.44+dfsg-5+deb9u2
ii  libssl1.1                                  1.1.0f-3+deb9u2
ii  libtidy5                                   1:5.2.0-2
ii  logrotate                                  3.11.0-0.1
ii  lsb-base                                   9.20161125
ii  ssl-cert                                   1.0.39
ii  zlib1g                                     1:1.2.8.dfsg-5

prayer recommends no packages.

Versions of packages prayer suggests:
ii  aspell                       0.60.7~20110707-3+b2
ii  dovecot-imapd [imap-server]  1:2.2.27-3+deb9u2
ii  ispell                       3.4.00-5
pn  prayer-accountd              <none>
pn  prayer-templates-src         <none>

-- Configuration Files:
/etc/default/prayer changed [not included]
/etc/prayer/prayer.cf changed [not included]

-- no debconf information
[prayerdiff (text/plain, attachment)]
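The leak and the proposed fix, as an added example that is not from the bug report or the prayer package: it pulls the username out of a session URL of the shape quoted above, approximates the Referer a browser would send from such a page under several referrer policies (semantics simplified from the Referrer Policy spec; example.org is a placeholder target), and checks a template for the exact meta tag the report proposes.

```python
import re
from urllib.parse import urlsplit

# Constructed sample with the shape of the Prayer session URL quoted in the
# report: the username sits in the path, so any full-URL Referer leaks it.
SESSION_URL = ("https://aragorn.weathertop.principate.org.uk"
               "/session/matthew:17095//AAAE@display@225@7234")

# The meta tag the report suggests adding to header.t.
META_RE = re.compile(
    r'<meta\s+name=["\']referrer["\']\s+content=["\']no-referrer["\']', re.I)


def username_from_session_url(url):
    """Return the username embedded in a /session/<user>:<n>/ path, or None."""
    parts = urlsplit(url).path.split("/")
    if len(parts) > 2 and parts[1] == "session" and ":" in parts[2]:
        return parts[2].split(":", 1)[0]
    return None


def referer_sent(page_url, target_url, policy):
    """Approximate Referer for a navigation page_url -> target_url.

    Covers the policies relevant here; no policy ever sends the fragment.
    """
    src, dst = urlsplit(page_url), urlsplit(target_url)
    origin = f"{src.scheme}://{src.netloc}/"
    full = page_url.split("#", 1)[0]
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":                      # the fix: send nothing
        return None
    if policy == "no-referrer-when-downgrade":       # legacy browser default
        return None if downgrade else full           # full URL, user leaks
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if downgrade:
            return None
        return full if same_origin else origin       # host only, no username
    if policy == "origin":
        return origin
    raise ValueError(f"unsupported policy: {policy}")


def template_has_no_referrer(html):
    """True if the template carries the no-referrer meta tag from the report."""
    return META_RE.search(html) is not None
```

Run `referer_sent(SESSION_URL, "https://example.org/post", "no-referrer-when-downgrade")` to see the full session URL, username included, that an unpatched template hands to the linked site.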

Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#911842; Package prayer. (Fri, 26 Oct 2018 05:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Fri, 26 Oct 2018 05:33:06 GMT)


Message #10 received at 911842@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Vernon <matthew@debian.org>, 911842@bugs.debian.org
Subject: Re: Bug#911842: prayer: Information disclosure via Referrer: header
Date: Fri, 26 Oct 2018 07:30:25 +0200
Control: retitle -1 prayer: CVE-2018-18655: Information disclosure via Referrer: header

Hi,

This issue got CVE-2018-18655 assigned from MITRE.

Regards,
Salvatore



Changed Bug title to 'prayer: CVE-2018-18655: Information disclosure via Referrer: header' from 'prayer: Information disclosure via Referrer: header'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 911842-submit@bugs.debian.org. (Fri, 26 Oct 2018 05:33:06 GMT)


Reply sent to Magnus Holmgren <holmgren@debian.org>:
You have taken responsibility. (Sat, 27 Oct 2018 21:27:13 GMT)


Notification sent to Matthew Vernon <matthew@debian.org>:
Bug acknowledged by developer. (Sat, 27 Oct 2018 21:27:13 GMT)


Message #17 received at 911842-close@bugs.debian.org:

From: Magnus Holmgren <holmgren@debian.org>
To: 911842-close@bugs.debian.org
Subject: Bug#911842: fixed in prayer 1.3.5-dfsg1-5
Date: Sat, 27 Oct 2018 21:25:47 +0000
Source: prayer
Source-Version: 1.3.5-dfsg1-5

We believe that the bug you reported is fixed in the latest version of
prayer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911842@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Magnus Holmgren <holmgren@debian.org> (supplier of updated prayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 27 Oct 2018 22:08:08 +0200
Source: prayer
Binary: prayer prayer-templates-src prayer-templates-dev prayer-accountd
Architecture: source amd64 all
Version: 1.3.5-dfsg1-5
Distribution: unstable
Urgency: medium
Maintainer: Magnus Holmgren <holmgren@debian.org>
Changed-By: Magnus Holmgren <holmgren@debian.org>
Description:
 prayer     - standalone IMAP-based webmail server
 prayer-accountd - account management daemon for Prayer
 prayer-templates-dev - tools for compiling Prayer templates
 prayer-templates-src - templates for customizing Prayer Webmail
Closes: 911842
Changes:
 prayer (1.3.5-dfsg1-5) unstable; urgency=medium
 .
   * [SECURITY] CVE-2018-18655 (information disclosure) no-referrer.patch:
     Add no-referrer meta header to templates (Closes: #911842).
   * Replace exim4 dependency with default-mta.
   * Install init script initially disabled instead of using an ENABLED
     flag in /etc/default/prayer to prevent premature start (note: also
     affects prayer-accountd).
   * Upgrade Standards-Version to 4.2.1 with the preceding change.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 30 Nov 2018 07:27:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:07:36 2019; Machine Name: buxtehude
