CVE-2016-1000108

Debian Bug report logs - #832433
CVE-2016-1000108

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2016-1000108

Date: Mon, 25 Jul 2016 16:03:01 +0200

Source: yaws
Severity: normal
Tags: security

http://seclists.org/oss-sec/2016/q3/95 claims that yaws sets
HTTP_PROXY based a passed Proxy: header. I don't see any
evidence for that in the source, but maybe I'm missing something?

heers,
        Moritz

Message #10 received at 832433@bugs.debian.org (full text, mbox, reply):

From: Sergei Golovan <sgolovan@nes.ru>

To: Moritz Muehlenhoff <jmm@debian.org>, 832433@bugs.debian.org

Cc: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Re: [Pkg-erlang-devel] Bug#832433: CVE-2016-1000108

Date: Mon, 25 Jul 2016 18:04:50 +0300

Hi Moritz,

On Mon, Jul 25, 2016 at 5:03 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Source: yaws
> Severity: normal
> Tags: security
>
> http://seclists.org/oss-sec/2016/q3/95 claims that yaws sets
> HTTP_PROXY based a passed Proxy: header. I don't see any
> evidence for that in the source, but maybe I'm missing something?

Actually, it does set HTTP_PROXY if the Proxy: header is passed to it.
You can see in src/yaws.erl (lines 2537-2542 in 2.0.3) it collects all
unknown headers to the "other" headers collection:

        %% auxiliary headers we don't have builtin support for
        {ok, X} ->
            ?Debug("OTHER header ~p~n", [X]),
            http_collect_headers(CliSock, Req,
                                 H#headers{other=[X|H#headers.other]},
                                 SSL, Count+1);

And in src/yaws_cgi.erl (lines 370-373 in 2.0.3) it passes all the "other"
headers to the CGI script environment (with HTTP_ prepended, so Proxy
becomes HTTP_PROXY, the tohttp function does exaclty that):

            {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
           ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
                        H#headers.other)
          )) ++

So, YAWS is vulnerable. How do you think we should fix this?

Cheers!
-- 
Sergei Golovan

Message #15 received at 832433@bugs.debian.org (full text, mbox, reply):

From: Sergei Golovan <sgolovan@nes.ru>

To: 832433@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@debian.org>

Subject: Re: [Pkg-erlang-devel] Bug#832433: Bug#832433: CVE-2016-1000108

Date: Mon, 25 Jul 2016 23:41:06 +0300

Hi again,

Appears that this bug is already fixed upstream (in VCS, not in any
release yet):

https://github.com/klacke/yaws/commit/9d8fb070e782c95821c90d0ca7372fc6d7316c78#diff-54053c47eb173a90c26ed19bd9d106c1

I could take this patch and prepare the fixes for sid and jessie.

Cheers!
-- 
Sergei Golovan

Message #20 received at 832433@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Sergei Golovan <sgolovan@nes.ru>

Cc: 832433@bugs.debian.org, team@security.debian.org

Subject: Re: [Pkg-erlang-devel] Bug#832433: CVE-2016-1000108

Date: Mon, 25 Jul 2016 23:18:58 +0200

On Mon, Jul 25, 2016 at 06:04:50PM +0300, Sergei Golovan wrote:
> Hi Moritz,
> 
> On Mon, Jul 25, 2016 at 5:03 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
> > Source: yaws
> > Severity: normal
> > Tags: security
> >
> > http://seclists.org/oss-sec/2016/q3/95 claims that yaws sets
> > HTTP_PROXY based a passed Proxy: header. I don't see any
> > evidence for that in the source, but maybe I'm missing something?
> 
> Actually, it does set HTTP_PROXY if the Proxy: header is passed to it.
> You can see in src/yaws.erl (lines 2537-2542 in 2.0.3) it collects all
> unknown headers to the "other" headers collection:
> 
>         %% auxiliary headers we don't have builtin support for
>         {ok, X} ->
>             ?Debug("OTHER header ~p~n", [X]),
>             http_collect_headers(CliSock, Req,
>                                  H#headers{other=[X|H#headers.other]},
>                                  SSL, Count+1);
> 
> And in src/yaws_cgi.erl (lines 370-373 in 2.0.3) it passes all the "other"
> headers to the CGI script environment (with HTTP_ prepended, so Proxy
> becomes HTTP_PROXY, the tohttp function does exaclty that):
> 
>             {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
>            ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
>                         H#headers.other)
>           )) ++
> 
> So, YAWS is vulnerable. How do you think we should fix this?

Oh, you're right I missed that code section!

> Appears that this bug is already fixed upstream (in VCS, not in any
> release yet):
> 
> https://github.com/klacke/yaws/commit/9d8fb070e782c95821c90d0ca7372fc6d7316c78#diff-54053c47eb173a90c26ed19bd9d106c1
>
> I could take this patch and prepare the fixes for sid and jessie.

The impact is still fairly limited, so I think it's sufficient if
we fix this through the next jessie point release.

Cheers,
        Moritz

Message #29 received at 832433-close@bugs.debian.org (full text, mbox, reply):

From: Sergei Golovan <sgolovan@debian.org>

To: 832433-close@bugs.debian.org

Subject: Bug#832433: fixed in yaws 2.0.3-2

Date: Tue, 26 Jul 2016 11:30:51 +0000

Source: yaws
Source-Version: 2.0.3-2

We believe that the bug you reported is fixed in the latest version of
yaws, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated yaws package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Jul 2016 13:48:07 +0300
Source: yaws
Binary: yaws erlang-yaws erlang-yapp yaws-doc yaws-chat yaws-mail yaws-wiki yaws-yapp
Architecture: source amd64 all
Version: 2.0.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Description:
 erlang-yapp - Erlang application for deploying Yaws webserver applications
 erlang-yaws - Erlang application which implements HTTP webserver
 yaws       - High performance HTTP 1.1 webserver written in Erlang
 yaws-chat  - Chat application for Yaws webserver
 yaws-doc   - Documentation and examples for Yaws webserver
 yaws-mail  - Webmail application for Yaws webserver
 yaws-wiki  - Wiki application for Yaws webserver
 yaws-yapp  - Provides an easy way to deploy applications for Yaws webserver
Closes: 832433
Changes:
 yaws (2.0.3-2) unstable; urgency=medium
 .
   * Applied a patch from upstream to fix CVE-2016-1000108 (passing the
     HTTP_PROXY environment variable to CGI scripts). Closes: #832433.
   * Finally fixed the paths of run_erl and to_erl utilities in the
     /usr/bin/yaws script.
Checksums-Sha1:
 622b88c6aaed28e2d356648887d8e4fe007f83d7 2432 yaws_2.0.3-2.dsc
 4663f62e78027c5deb99071f7f525f8ce3a8453a 27816 yaws_2.0.3-2.debian.tar.xz
 bbdcfe602e9e55122660c0cce0bce2eaddf091c7 80324 erlang-yapp_2.0.3-2_amd64.deb
 8fb7c719f1d4299849998b5eed9f3b089ddf7ad4 20204 erlang-yaws-dbgsym_2.0.3-2_amd64.deb
 332a93d02829811d437aabe65c6a69ea91d25ab7 1196668 erlang-yaws_2.0.3-2_amd64.deb
 7e27c0464fe63464b8b46e91a424eaf9c1348a3b 75478 yaws-chat_2.0.3-2_all.deb
 24bfe42c37a7c1042bcf0dd7d8acaf387a8fc60b 1015904 yaws-doc_2.0.3-2_all.deb
 ed8aac7648cf1347326ef0c406ee181edf5a7fcf 166604 yaws-mail_2.0.3-2_all.deb
 ebe1ed4cf85b2e281ef4eab849381afb005d9e81 202014 yaws-wiki_2.0.3-2_all.deb
 f665facc9a31fa68c19ce933bc0c25ebc87c7473 59222 yaws-yapp_2.0.3-2_all.deb
 e8c7a70293447b689f7d8b35989d8dc74a2e5ac5 88890 yaws_2.0.3-2_all.deb
Checksums-Sha256:
 2aa8481b007c6774f1cf0ceac524f529942a4c92bd1033a69325f7c6dc8c2780 2432 yaws_2.0.3-2.dsc
 2dfa698b676865ba1d03c58be63177b08ec4232f8e7cc25a85112d81b04c59b7 27816 yaws_2.0.3-2.debian.tar.xz
 1f0f9294d0243bddbb60ba8a397c9a7ff376f641a2664020a5006aa3fda949b6 80324 erlang-yapp_2.0.3-2_amd64.deb
 0ba449adc1b6b957a2cee8d263620086a8fab57540dc4c794f860b32f9bcbe5f 20204 erlang-yaws-dbgsym_2.0.3-2_amd64.deb
 7c986804a2f5300c3b7f7f2a53617ba39cc4e6aa18a4b2ccb0d49b05d29edde9 1196668 erlang-yaws_2.0.3-2_amd64.deb
 4f7e81b44553f7c7cfb7ad339546c6cec4f81a1cd4c0af45f53723496d45b090 75478 yaws-chat_2.0.3-2_all.deb
 66d2e4b5b65d161d79a9abb27d76429e113796413d8d7023e8bfdda855fdb51c 1015904 yaws-doc_2.0.3-2_all.deb
 5a3cecb7aa261a653e06819168f58f6126f7c70f30e14b3b239e7a6ed75c83c3 166604 yaws-mail_2.0.3-2_all.deb
 e65b59ce88ba079dc735a83d63111359c2288b7011c54fe5a27479448b9e582a 202014 yaws-wiki_2.0.3-2_all.deb
 768f52529520a61ddca246acc9c361a345eb27bc7b9f74a705d7fa26527f48b9 59222 yaws-yapp_2.0.3-2_all.deb
 dd5489240fa1e709dd619391c9d88b25e9412a4679f7d93ba72dd470fad81afa 88890 yaws_2.0.3-2_all.deb
Files:
 080ad8d7a6f416b7401abcba67138367 2432 httpd optional yaws_2.0.3-2.dsc
 48f9b89c4012b1be909b4a2715e4aa55 27816 httpd optional yaws_2.0.3-2.debian.tar.xz
 23730237a9f4351c3c53b6c142183274 80324 httpd optional erlang-yapp_2.0.3-2_amd64.deb
 61a57347e2918346ed7a2d495f5cdf92 20204 debug extra erlang-yaws-dbgsym_2.0.3-2_amd64.deb
 2bc617a925eaf00a6183d507ce34fda5 1196668 httpd optional erlang-yaws_2.0.3-2_amd64.deb
 0254af1fccbd103e0409da95ae87c428 75478 web optional yaws-chat_2.0.3-2_all.deb
 e7f1e9cd7f195f90adfc1fcd7869dccf 1015904 doc optional yaws-doc_2.0.3-2_all.deb
 f62e153a43ed3b9ca4d00a4adbb71619 166604 web optional yaws-mail_2.0.3-2_all.deb
 e1d208208349cb38d8fa26002f643ce7 202014 web optional yaws-wiki_2.0.3-2_all.deb
 179ef73beaee61efa57ba7e92c272c9e 59222 web optional yaws-yapp_2.0.3-2_all.deb
 5d06a076c50dfb342d80dee7adb9ace2 88890 httpd optional yaws_2.0.3-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBV5dD5VfnxjJPgTkdAQjXtBAAiLgGEvA5+7LjKt13Zm5tU0Ov0ePeCLPG
m0618kbdoIbwg/nrHg0FIgm909BQmlQWHs7pS1rTcmcg74kU4ojA2YAWK7JtsPRQ
2aYnQkYLHrBu7S22MyrZN6OBbEWfQB8A4UtRGEqMqtoyD6H31/jhXXz9Sd6a07GK
4V/0fUeErTfvtJJMnccRIgAxp33vIu1XbLJ6+bJZ0YIpdnAsTkkOBQlh/16BHVCf
GKeAeecobHrsB7xK37uR/Qp2npe5LdmEwDtfSnorplzsCV8UGLCYLTfXkXCoQ5Qf
RvsI+QswffSgNwHKgKu3Cx+8bbZDz8aN+cQDPexZDuHlVW21dIkKUqcewWmQgnWK
wDHPKSzywVoe9+yU4AI+OsqNWB6qbDfdG5KIGI680/9tUtQsIkcrwCwZLY26yJmi
QDJUrPIltIx94su3gKGrsS93CJJ2U+Z0eXkjJNkkEr3EIkeZoqQFhoIo3tLw9jHE
WaDD8bBrjfLZPzevXGoYL1llKvMr61f/UxUaqnEgC+FcAtYwB9dPQuFKKkFDVyIJ
rlQxUsRlarXpfrk0Nr6clk+HDxEI2d0L7AHMbrm7Icxwipo0qRKCpnhRxLBgLn7P
8dw9c3LRFohtLyTuI7Xq9AHZGtxkE+08+5lYt/maNCmdrQIp0+TLu0lGPUL9BYgJ
dWTGYGXAhiI=
=NVXS
-----END PGP SIGNATURE-----

Message #34 received at 832433-close@bugs.debian.org (full text, mbox, reply):

From: Sergei Golovan <sgolovan@debian.org>

To: 832433-close@bugs.debian.org

Subject: Bug#832433: fixed in yaws 1.98-4+deb8u1

Date: Sat, 13 Aug 2016 10:17:14 +0000

Source: yaws
Source-Version: 1.98-4+deb8u1

We believe that the bug you reported is fixed in the latest version of
yaws, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated yaws package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Jul 2016 07:47:24 +0300
Source: yaws
Binary: yaws erlang-yaws yaws-doc yaws-chat yaws-mail yaws-wiki yaws-yapp
Architecture: source all amd64
Version: 1.98-4+deb8u1
Distribution: jessie
Urgency: low
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Description:
 erlang-yaws - Erlang application which implements HTTP webserver
 yaws       - High performance HTTP 1.1 webserver written in Erlang
 yaws-chat  - Chat application for Yaws web server
 yaws-doc   - Documentation and examples for Yaws web server
 yaws-mail  - Webmail application for Yaws web server
 yaws-wiki  - Wiki application for Yaws web server
 yaws-yapp  - Provides an easy way to deploy applications for Yaws web server
Closes: 832433
Changes:
 yaws (1.98-4+deb8u1) jessie; urgency=low
 .
   * Applied a patch from upstream to fix CVE-2016-1000108 (passing HTTP_PROXY
     to CGI scripts). Closes: #832433.
Checksums-Sha1:
 666382354ea5cc4dee784dd70b9e5ec2ac70ac92 2399 yaws_1.98-4+deb8u1.dsc
 a028d4570d677a9b6af3804139440866ccac2984 20000 yaws_1.98-4+deb8u1.debian.tar.xz
 0f11d6b91fc01a87d06fbb0d419b18f602ad8929 78466 yaws_1.98-4+deb8u1_all.deb
 468d6b31ba7c725bd2d08a655844decec7c12b2f 400214 erlang-yaws_1.98-4+deb8u1_amd64.deb
 81f32edfcc1942983354c099e0940a1257315c61 921158 yaws-doc_1.98-4+deb8u1_all.deb
 6aa96d37f260768813d1619360ab3ae7b8b877ea 67842 yaws-chat_1.98-4+deb8u1_all.deb
 0ddd44c9c59a7112241b22e015f3ce295da0f460 158878 yaws-mail_1.98-4+deb8u1_all.deb
 3f39d98077b36383b47ee1d787da5cfe15c95b71 193910 yaws-wiki_1.98-4+deb8u1_all.deb
 39b8767232c4ae87ea4ba7c5bc75f71192c2b883 68232 yaws-yapp_1.98-4+deb8u1_all.deb
Checksums-Sha256:
 64452219ad8446d82e02bbbfd22b71835c1dc3fcf941820ce2046d5be96fb408 2399 yaws_1.98-4+deb8u1.dsc
 a34cc4bee71518d5f7d8d0b889604465e4b1e92d4c1e1cc6eb35d4f57c286501 20000 yaws_1.98-4+deb8u1.debian.tar.xz
 6a63653320b28899811c0af7b5d8f8a3c555822497cf0d1312a1c3ae21438225 78466 yaws_1.98-4+deb8u1_all.deb
 8159d8204421ac2278d4b3f986fcf826a1ac004ba1ee621f5eab0d294db64be4 400214 erlang-yaws_1.98-4+deb8u1_amd64.deb
 c691b693857bf39230c5b20866272f2f9588f82e4acf624fbb92742bab592fb8 921158 yaws-doc_1.98-4+deb8u1_all.deb
 b6128827084bef9ea7eebcb1b3f75b2497020f59bc24f4bbb5ec7a84fa0e6cd4 67842 yaws-chat_1.98-4+deb8u1_all.deb
 4a86ae1d2d7d272736c58603e406eb24a415f30ce49e6a8425c4e4fcaa4709f6 158878 yaws-mail_1.98-4+deb8u1_all.deb
 ab1880c280d7758e04a99ac7b95f54d266f2547af3bca5bd1bbdb769645e4a60 193910 yaws-wiki_1.98-4+deb8u1_all.deb
 7b93178938c937364a053e6e20ab6000fdb1b975ffe8dbdd251324f1ef5f084a 68232 yaws-yapp_1.98-4+deb8u1_all.deb
Files:
 7a43a318cdbba77377384ff252bf83f7 2399 httpd optional yaws_1.98-4+deb8u1.dsc
 cc32b35b2b82521bab91405d8b68a292 20000 httpd optional yaws_1.98-4+deb8u1.debian.tar.xz
 531cf05abcbfa6ec4a7c5e4fa73d08ac 78466 httpd optional yaws_1.98-4+deb8u1_all.deb
 b32f52e193695defb24dca15fdacccb9 400214 httpd optional erlang-yaws_1.98-4+deb8u1_amd64.deb
 c8ed75ff15d072f2f431dd08c68ef23e 921158 doc optional yaws-doc_1.98-4+deb8u1_all.deb
 c015655761c8b207cc895bc70163b70c 67842 web optional yaws-chat_1.98-4+deb8u1_all.deb
 70d0de38770edf764a4b21225758a01e 158878 web optional yaws-mail_1.98-4+deb8u1_all.deb
 8828a9414d41183436cfe3c1a2fd3fd9 193910 web optional yaws-wiki_1.98-4+deb8u1_all.deb
 782db2c7d9271e099ee59ca5de931855 68232 web optional yaws-yapp_1.98-4+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBV51/AlfnxjJPgTkdAQi+qhAAh4tMNLB68MsW4JH6pD8aHZ1kCqDG61vC
GezcLFtW/OvvBgZ15wwyfuhk8X01eWnQfVTZvZTui44HUNFei8uOB5+++xr5Gcst
UfvWt/C8HTR4W/eerRvo9tIUe5zr5KB58kBvpLsvYUozYRaRA5fTLpSpx4iSc/At
/5WJ817HKHXSNMcfNN3v5ZJXEf53LBKdAiWI0Yeo8bl2JvaK/LHmoqB+Pebjsybe
vf0z1kEqpLGJ/anOQyWC1HeW6BFY9opR4jemd9r5pkJ0YocXUvex0rfYcL/SZlKb
0I/Dr6fXZpAAIyTfbZRGMATcziWVOgSfr0CwJZzh730/xagkX2FtmLam1v3ERlf8
DpLLXLsq7oCc6iwnygEVTMkovKQjhn/9/anGJ5E+RvqZ3MWfp8nRydg2C2xwDhU8
FbwUuteWuFq3vOAYVzuz2qnVPNSJzgi/4suj6+BAGG0wl7BUOddFHiP4fEscYERt
HA+TJSInS2WdUA5qK/o7XiaYM0JewnodHEQCzyJL5bCjJX0BAWR7Yx63Qj8DQTEA
w1Cpda30D894240yAA3ZrXXSFQAAN6IFMAmroJNLuNJ+cTxhq2DYjnBFsCD/s9WF
hVJK/0NiYHjgrQ+fbvEFCX4YMXnRVrci1ocJMxC8CBWf/Aw7S7thYzvrO5fzoI6x
oPxykkyXYs0=
=J8A+
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.