Debian Bug report logs - #606386
CVE-2010-4335

Package: cakephp; Maintainer for cakephp is Dmitry Smirnov <onlyjob@debian.org>; Source for cakephp is src:cakephp (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 8 Dec 2010 20:21:05 UTC

Severity: grave

Tags: patch, security

Fixed in version cakephp/1.3.2-1.1

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>:
Bug#606386; Package cakephp. (Wed, 08 Dec 2010 20:21:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>. (Wed, 08 Dec 2010 20:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-4335
Date: Wed, 08 Dec 2010 21:19:34 +0100
Package: cakephp
Severity: grave
Tags: security

A security issue has been found in cakephp, please see here for a fix:
https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb

Please upload an isolated fix to sid, which can migrate to testing.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages cakephp depends on:
pn  php5                          <none>     (no description available)

Versions of packages cakephp recommends:
pn  cakephp-scripts               <none>     (no description available)

Versions of packages cakephp suggests:
pn  cakephp-instaweb              <none>     (no description available)
pn  php5-mysql                    <none>     (no description available)




Information forwarded to debian-bugs-dist@lists.debian.org, Chris Lamb <lamby@debian.org>:
Bug#606386; Package cakephp. (Tue, 14 Dec 2010 16:03:06 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Lamb <lamby@debian.org>. (Tue, 14 Dec 2010 16:03:06 GMT)


Message #10 received at 606386@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 606386@bugs.debian.org
Subject: cakephp: diff for NMU version 1.3.2-1.1
Date: Tue, 14 Dec 2010 15:56:53 +0000
tags 606386 + patch
tags 606386 + pending
thanks

Dear maintainer,

I've prepared an NMU for cakephp (versioned as 1.3.2-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

--
Jonathan Wiltshire (jmw)


diff -Nru cakephp-1.3.2/debian/changelog cakephp-1.3.2/debian/changelog
--- cakephp-1.3.2/debian/changelog	2010-06-15 10:05:27.000000000 +0100
+++ cakephp-1.3.2/debian/changelog	2010-12-14 15:45:50.000000000 +0000
@@ -1,3 +1,11 @@
+cakephp (1.3.2-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Patch for CVE-2010-4335 (unsafe unserialize)
+    Closes: #606386
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Tue, 14 Dec 2010 15:41:20 +0000
+
 cakephp (1.3.2-1) unstable; urgency=low
 
   * New upstream release (Closes: #585684)
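Review bot: the entry `+  * Patch for CVE-2010-4335 (unsafe unserialize)` names only the bug class; a security NMU changelog should also say where the issue sits (SecurityComponent::validatePost() unserializing the rot13-encoded locked-fields part of the `_Token.fields` POST value) and what changes for users (requests whose token carries a serialized object are now rejected), so that readers of the security tracker can judge their exposure without opening the patch.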
diff -Nru cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff
--- cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff	1970-01-01 01:00:00.000000000 +0100
+++ cakephp-1.3.2/debian/patches/03-CVE-2010-4335.diff	2010-12-14 15:49:52.000000000 +0000
@@ -0,0 +1,61 @@
+Description: protect against an unsafe serialise CVE-2010-4335
+Origin: https://github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606386
+Last-Update: 2010-12-14
+
+diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
+index c267c6c..7e5b3b2 100644
+--- a/cake/libs/controller/components/security.php
++++ b/cake/libs/controller/components/security.php
+@@ -618,10 +618,15 @@ class SecurityComponent extends Object {
+ 		}
+ 		unset($check['_Token']);
+ 
++		$locked = str_rot13($locked);
++		if (preg_match('/(\A|;|{|})O\:[0-9]+/', $locked)) {
++			return false;
++		}
++
+ 		$lockedFields = array();
+ 		$fields = Set::flatten($check);
+ 		$fieldList = array_keys($fields);
+-		$locked = unserialize(str_rot13($locked));
++		$locked = unserialize($locked);
+ 		$multi = array();
+ 
+ 		foreach ($fieldList as $i => $key) {
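Review bot: the guard `+		if (preg_match('/(\A|;|{|})O\:[0-9]+/', $locked)) {` is a denylist on the `O:` object token only, and PHP's unserialize() also instantiates classes through the `C:` token (classes implementing Serializable, PHP 5.1 and later), which this pattern lets through; at minimum match `[OC]:`, and the durable fix is to not call unserialize() on this client-supplied string at all, or at least to verify the token hash before the unserialize() call so that an attacker cannot reach object construction with an unauthenticated value. The `Description:` line of the DEP-3 header also says "unsafe serialise" where the problem is the unserialize call; please correct it.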
+diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
+index 883f1c8..bbd5141 100644
+--- a/cake/tests/cases/libs/controller/components/security.test.php
++++ b/cake/tests/cases/libs/controller/components/security.test.php
+@@ -608,6 +608,30 @@ DIGEST;
+ 		$result = $this->Controller->Security->validatePost($this->Controller);
+ 		$this->assertFalse($result, 'validatePost passed when key was missing. %s');
+ 	}
++
++/**
++ * Test that objects can't be passed into the serialized string. This was a vector for RFI and LFI 
++ * attacks. Thanks to Felix Wilhelm
++ *
++ * @return void
++ */
++	function testValidatePostObjectDeserialize() {
++		$this->Controller->Security->startup($this->Controller);
++		$key = $this->Controller->params['_Token']['key'];
++		$fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
++
++		// a corrupted serialized object, so we can see if it ever gets to deserialize
++		$attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
++		$fields .= urlencode(':' . str_rot13($attack));
++
++		$this->Controller->data = array(
++			'Model' => array('username' => 'mark', 'password' => 'foo', 'valid' => '0'),
++			'_Token' => compact('key', 'fields')
++		);
++		$result = $this->Controller->Security->validatePost($this->Controller);
++		$this->assertFalse($result, 'validatePost passed when key was missing. %s');
++	}
++
+ /**
+  * Tests validation of checkbox arrays
+  *
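Review bot: the message in `+		$this->assertFalse($result, 'validatePost passed when key was missing. %s');` is copied from the previous test and describes the wrong failure; it should say that a serialized object in the token was not rejected. Also, `+		$fields .= urlencode(':' . str_rot13($attack));` percent-encodes the `:` separator as well, whereas real POST data reaches `$this->Controller->data` already decoded by PHP, so please confirm this test actually reaches the new preg_match guard rather than failing earlier because the token cannot be split on `:`; a stronger test would use a class whose `__wakeup()` records that it ran and assert that it never did.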
diff -Nru cakephp-1.3.2/debian/patches/series cakephp-1.3.2/debian/patches/series
--- cakephp-1.3.2/debian/patches/series	2010-06-15 10:05:27.000000000 +0100
+++ cakephp-1.3.2/debian/patches/series	2010-12-14 15:40:13.000000000 +0000
@@ -1,2 +1,3 @@
 01-remove-shebang.diff
 02-cake-binary-libs.diff
+03-CVE-2010-4335.diff
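
The pattern this NMU patch guards against, as an added example that is not CakePHP's or Debian's code: the same regex the patch inserts before unserialize() in SecurityComponent::validatePost(), run over constructed token strings shaped like `_Token.fields` (hash, colon, rot13-encoded serialized data), beside a stricter pattern and the `allowed_classes` option that unserialize() gained in PHP 7.0 and that did not exist when this bug was filed. The helper names, the payloads and the assumption that only scalars and arrays are ever legitimately locked are this example's own; it needs PHP 7.0 or later.

```php
<?php
// Added example, not CakePHP or Debian code. Replays the guard the NMU patch
// puts in front of unserialize() in SecurityComponent::validatePost() against
// constructed payloads, next to a stricter guard and PHP >= 7.0's
// allowed_classes option. Helper names and payloads are this example's own.

// Same regex as the patch: reject when an "O:" object token opens the string
// or directly follows a ";", "{" or "}" separator.
function patchedGuardRejects(string $decoded): bool
{
    return (bool) preg_match('/(\A|;|{|})O\:[0-9]+/', $decoded);
}

// Stricter: also reject "C:", the token for classes implementing
// Serializable (PHP >= 5.1), which the patch's pattern lets through.
// Assumption: only scalars and arrays are ever legitimately locked.
function strictGuardRejects(string $decoded): bool
{
    return (bool) preg_match('/(\A|;|{|})[OC]:[0-9]+/', $decoded);
}

// PHP >= 7.0: unserialize() itself refuses to instantiate classes; "O:" tokens
// come back as __PHP_Incomplete_Class stubs, so no __wakeup() or __destruct()
// of the named class ever runs.
function unserializeNoObjects(string $decoded)
{
    return unserialize($decoded, ['allowed_classes' => false]);
}

// Split a _Token.fields value the way validatePost() does and undo the rot13.
function decodeLockedPart(string $fields): string
{
    list($hash, $locked) = explode(':', $fields, 2);
    return str_rot13($locked);
}

// Constructed payloads. The hash prefix is the placeholder value used in the
// patch's own test; the "App" object is the shape that test sends.
$hash = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
$payloads = [
    'legitimate' => serialize(['Model.valid' => '0']),
    'O: object'  => 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";}}',
    'nested O:'  => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'C: object'  => 'C:11:"ArrayObject":21:{x:i:0;a:0:{};m:a:0:{}}',
];

foreach ($payloads as $name => $plain) {
    $fields  = $hash . ':' . str_rot13($plain);   // what the browser would POST
    $decoded = decodeLockedPart($fields);
    printf("%-11s patched=%-6s strict=%s\n", $name,
        patchedGuardRejects($decoded) ? 'reject' : 'accept',
        strictGuardRejects($decoded) ? 'reject' : 'accept');
}

// With allowed_classes disabled the object payload never reaches App::__wakeup();
// the result is an incomplete-class stub rather than an instance of App.
$stub = unserializeNoObjects($payloads['O: object']);
printf("allowed_classes=false gives: %s\n", get_class($stub));
```

Run it with `php example.php`. The `C:` payload is accepted by the patched guard and rejected only by the stricter one, which is the point to take from the patch: a denylist on one token shape is a stopgap, and the durable fix is to never hand client-controlled bytes to unserialize(), or on current PHP to disable class instantiation outright.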




Added tag(s) patch. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Tue, 14 Dec 2010 16:03:10 GMT)


Added tag(s) pending. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Tue, 14 Dec 2010 16:03:11 GMT)


Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Thu, 16 Dec 2010 16:18:15 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 16 Dec 2010 16:18:15 GMT)


Message #19 received at 606386-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 606386-close@bugs.debian.org
Subject: Bug#606386: fixed in cakephp 1.3.2-1.1
Date: Thu, 16 Dec 2010 16:17:09 +0000
Source: cakephp
Source-Version: 1.3.2-1.1

We believe that the bug you reported is fixed in the latest version of
cakephp, which is due to be installed in the Debian FTP archive:

cakephp-scripts_1.3.2-1.1_all.deb
  to main/c/cakephp/cakephp-scripts_1.3.2-1.1_all.deb
cakephp_1.3.2-1.1.debian.tar.gz
  to main/c/cakephp/cakephp_1.3.2-1.1.debian.tar.gz
cakephp_1.3.2-1.1.dsc
  to main/c/cakephp/cakephp_1.3.2-1.1.dsc
cakephp_1.3.2-1.1_all.deb
  to main/c/cakephp/cakephp_1.3.2-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 606386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated cakephp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 14 Dec 2010 15:41:20 +0000
Source: cakephp
Binary: cakephp cakephp-scripts
Architecture: source all
Version: 1.3.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 cakephp    - MVC rapid application development framework for PHP
 cakephp-scripts - MVC rapid application development framework for PHP (scripts)
Closes: 606386
Changes: 
 cakephp (1.3.2-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Patch for CVE-2010-4335 (unsafe unserialize)
     Closes: #606386
Checksums-Sha1: 
 fe5723a820351d75112824b5b3840afbcbfcfa3a 1793 cakephp_1.3.2-1.1.dsc
 9ccd94cbb71282d2075dd3e6958788e68605c503 7524 cakephp_1.3.2-1.1.debian.tar.gz
 a43af6ebe1e14a152a5f030924a8d3a794f3bec6 872672 cakephp_1.3.2-1.1_all.deb
 1d360d107d22a12b46f6d1a09dd38d2c63753b22 98232 cakephp-scripts_1.3.2-1.1_all.deb
Checksums-Sha256: 
 54550c08be77e3259fd30cd0901b8493b978911e934ec125f8fc4c6dc2f9b6f6 1793 cakephp_1.3.2-1.1.dsc
 5f704199101cd5ee9d87bd5b52e801398fbddc24adfefa66bc505fd20c87ba22 7524 cakephp_1.3.2-1.1.debian.tar.gz
 acaf22efa85431107dbbf0c482f759862cf1064cf13ebdd5a9eadf24005a35bf 872672 cakephp_1.3.2-1.1_all.deb
 316e9f174457c0d3cac831832c091d3bdeee3369472044a7b8add2f6b3d7febc 98232 cakephp-scripts_1.3.2-1.1_all.deb
Files: 
 37cc814f1994c20aa714837cd2c3c892 1793 web optional cakephp_1.3.2-1.1.dsc
 ab16946b98adc37269e8ba68b4180cfb 7524 web optional cakephp_1.3.2-1.1.debian.tar.gz
 52d26bc8f13b104c6206eefa939fa4df 872672 web optional cakephp_1.3.2-1.1_all.deb
 e0bc417362db75ad18b87a3a0dd4c84c 98232 web optional cakephp-scripts_1.3.2-1.1_all.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 10:11:31 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:13:10 2019; Machine Name: buxtehude
