buildbot: CVE-2019-12300: OAuth vulnerability in using submitted authorization token for authentication

Related Vulnerabilities: CVE-2019-12300

Debian Bug report logs - #929849


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 1 Jun 2019 19:24:01 UTC

Severity: grave

Tags: security, upstream

Found in version buildbot/2.0.1-1

Fixed in version buildbot/2.0.1-2

Done: Robin Jarry <robin@jarry.cc>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#929849; Package src:buildbot. (Sat, 01 Jun 2019 19:24:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 01 Jun 2019 19:24:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: buildbot: CVE-2019-12300: OAuth vulnerability in using submitted authorization token for authentication
Date: Sat, 01 Jun 2019 21:21:14 +0200
Source: buildbot
Version: 2.0.1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for buildbot.

CVE-2019-12300[0]:
| Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted
| authorization token from OAuth and uses it to authenticate a user. If
| an attacker has a token allowing them to read the user details of a
| victim, they can login as the victim.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12300
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12300
[1] https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication

The affected versions in [1] seem a bit misleading, because 2.x
versions up to 2.3.1 are affected as well, at least 2.0.1-1 as in
buster and sid has the problematic code.

Regards,
Salvatore
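To make the CVE description above concrete, here is an added illustration written for this page (a constructed mock, not Buildbot's code or its fix): `login_vulnerable` shows the pattern the advisory describes, a login handler that trusts an access token supplied by the browser and asks the provider who it belongs to, next to `login_fixed`, which only completes the authorization-code exchange server-side with its own client credentials and a session-bound `state`. All names (`MockProvider`, client ids, secrets, users) are assumptions made up for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class MockProvider:
    """Constructed in-memory stand-in for an OAuth2 provider (not a real service)."""
    client_secrets: dict                        # client_id -> client secret
    tokens: dict = field(default_factory=dict)  # access token -> (client_id, user)
    codes: dict = field(default_factory=dict)   # auth code -> (client_id, user)

    def issue_code(self, client_id, user):
        code = secrets.token_hex(8)
        self.codes[code] = (client_id, user)
        return code

    def exchange_code(self, code, client_id, client_secret):
        # Codes are single-use: an unknown or already redeemed code raises KeyError.
        issued_to, user = self.codes.pop(code)
        if issued_to != client_id or client_secret != self.client_secrets[client_id]:
            raise PermissionError("code was not issued to this client")
        token = secrets.token_hex(8)
        self.tokens[token] = (client_id, user)
        return token

    def userinfo(self, token):
        # A token that can read the profile reveals the user, whoever presents it.
        return self.tokens[token][1]


def login_vulnerable(provider, request_args):
    """Pattern described by CVE-2019-12300: the token comes from the request.

    Any token able to read the victim's details (e.g. one issued to a different
    application) logs the caller in as the victim."""
    return provider.userinfo(request_args["token"])


def login_fixed(provider, session, request_args, client_id, client_secret):
    """Only a code bound to this session's state, redeemed with our own client
    credentials, produces a token; tokens in the request are never accepted."""
    if "token" in request_args:
        raise PermissionError("client-supplied tokens are not accepted")
    if not secrets.compare_digest(request_args.get("state", ""), session["state"]):
        raise PermissionError("state mismatch")
    token = provider.exchange_code(request_args["code"], client_id, client_secret)
    return provider.userinfo(token)
```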



Reply sent to Robin Jarry <robin@jarry.cc>:
You have taken responsibility. (Tue, 04 Jun 2019 13:03:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 04 Jun 2019 13:03:06 GMT)


Message #10 received at 929849-close@bugs.debian.org:

From: Robin Jarry <robin@jarry.cc>
To: 929849-close@bugs.debian.org
Subject: Bug#929849: fixed in buildbot 2.0.1-2
Date: Tue, 04 Jun 2019 12:58:59 +0000
Source: buildbot
Source-Version: 2.0.1-2

We believe that the bug you reported is fixed in the latest version of
buildbot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robin Jarry <robin@jarry.cc> (supplier of updated buildbot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 03 Jun 2019 14:47:25 +0200
Source: buildbot
Architecture: source
Version: 2.0.1-2
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Robin Jarry <robin@jarry.cc>
Closes: 929849
Changes:
 buildbot (2.0.1-2) unstable; urgency=high
 .
   * Fix OAuth module security bypass [CVE-2019-12300] (Closes: #929849)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:27:30 2019; Machine Name: beach
