apt-cacher: CVE-2017-7443: HTTP response splitting

Related Vulnerabilities: CVE-2017-7443  

Debian Bug report logs - #858739
apt-cacher: CVE-2017-7443: HTTP response splitting


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 25 Mar 2017 20:09:02 UTC

Severity: important

Tags: security

Found in versions apt-cacher/1.7.6, apt-cacher/1.7.13, apt-cacher/1.7.10

Fixed in versions apt-cacher/1.7.15, 1.7.6+deb7u1, apt-cacher/1.7.13+deb9u1

Done: Mark Hindley <mark@hindley.org.uk>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Hindley <mark@hindley.org.uk>:
Bug#858739; Package src:apt-cacher. (Sat, 25 Mar 2017 20:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Hindley <mark@hindley.org.uk>. (Sat, 25 Mar 2017 20:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt-cacher: HTTP response splitting
Date: Sat, 25 Mar 2017 21:04:41 +0100
Source: apt-cacher
Version: 1.7.13
Severity: important
Tags: security

This is to have a BTS reference, since no CVE has been assigned.

Patch:


diff -Nru apt-cacher-1.7.14/apt-cacher apt-cacher-1.7.15/apt-cacher
--- apt-cacher-1.7.14/apt-cacher	2017-01-08 11:29:03.000000000 +0100
+++ apt-cacher-1.7.15/apt-cacher	2017-03-14 17:55:18.000000000 +0100
@@ -2090,8 +2090,8 @@
 		    $request->protocol($3||'HTTP/1.0');
 
 		    clean_uri($request->uri);
-		    if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
-			sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri));
+		    if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines
+			sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri));
 			return 1; # next REQUEST
 		    }
 		    return $request if $mode && $mode eq 'cgi'; # Not going to get anything else
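Review bot: the new alternation %0[ad] only catches one layer of percent-encoding, so a doubly-encoded newline such as %250a passes this check; clean_uri($request->uri), called just before it, is the only other normalisation visible in the hunk, so it is worth confirming that nothing after this point percent-decodes the URI a second time before it is written into a response header, or else matching on the decoded form of the URI rather than its encoded text. Smaller point: the 403 branch still reflects the attacker-controlled URI into the status line via 'Forbidden: Insecure URI ' . $request->uri; that is safe for this bug because the match has already excluded %0a and %0d, but a fixed reason phrase with the URI written to the log instead would remove the reflection entirely.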
diff -Nru apt-cacher-1.7.14/debian/changelog apt-cacher-1.7.15/debian/changelog
--- apt-cacher-1.7.14/debian/changelog	2017-01-08 11:37:20.000000000 +0100
+++ apt-cacher-1.7.15/debian/changelog	2017-03-21 10:52:04.000000000 +0100
@@ -1,3 +1,9 @@
+apt-cacher (1.7.15) unstable; urgency=medium
+
+  * Prevent HTTP response splitting with encoded newlines in request.
+
+ -- Mark Hindley <mark@hindley.org.uk>  Tue, 21 Mar 2017 09:52:04 +0000
+
 apt-cacher (1.7.14) unstable; urgency=medium
 
   * Update to debhelper compatibility 9.
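Review bot: the changelog entry carries no bug or CVE reference, so nothing ties the 1.7.15 upload to this report and the BTS will not close it automatically (later in this log the bug has to be marked fixed in 1.7.15 by a control message). For the stable backports and any re-upload, name the report in the bullet with (Closes: #858739) and, once assigned, the CVE identifier, as the 1.7.13+deb9u1 entry further down this page does; security trackers key on that string.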

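The patch above refuses a request before its URI can reach any response header, which is the right layer for this bug class, but the log does not show what an encoded newline does once it gets through. The following is an added example, not apt-cacher's code and not the code path in which the reported bug lived (the page does not show where apt-cacher reflected the URI): a constructed Python server stub that percent-decodes the request URI and reflects it into a Location header, next to the same stub guarded by a Python port of the patch's Perl regex, plus a small parser that counts how many responses a client would see. The mirror host, the redirect and the attacker URI are all made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Python port of the rejection pattern added in apt-cacher 1.7.15
# (Perl: m#(?:^|/)\.{2}/|%0[ad]#i): reject "../" or "/../" anywhere in the
# path, and a percent-encoded CR (%0d) or LF (%0a) in either letter case.
INSECURE_URI = re.compile(r'(?:^|/)\.{2}/|%0[ad]', re.IGNORECASE)


def is_insecure_uri(uri: str) -> bool:
    """True if the patched check would refuse this request URI with a 403."""
    return INSECURE_URI.search(uri) is not None


def build_redirect_vulnerable(uri: str) -> bytes:
    """Constructed 'before' case, NOT apt-cacher's code: the URI is decoded and
    written into a header with no check for CR/LF. Mirror host is hypothetical."""
    target = "http://mirror.example/" + unquote(uri)
    lines = [
        "HTTP/1.1 302 Found",
        "Location: " + target,
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_redirect_hardened(uri: str) -> bytes:
    """Same stub with the patch's check in front of the reflection."""
    if is_insecure_uri(uri):
        # Fixed reason phrase: the offending URI is not echoed back at all.
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    return build_redirect_vulnerable(uri)


def count_responses(raw: bytes) -> int:
    """Number of HTTP status lines a client parser would see in the stream."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))


def first_response_headers(raw: bytes) -> dict:
    """Headers of the first response in the stream, keyed by lower-cased name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def double_decoded(uri: str) -> str:
    """What the URI becomes if a server percent-decodes it twice."""
    return unquote(unquote(uri))


# Constructed attacker URI: terminates the legitimate response early, then
# smuggles a complete second response that a shared cache or a pipelining
# client would attribute to the next request on the connection.
EVIL_URI = (
    "debian/dists/stable/Release"
    "%0d%0aContent-Length:%200"        # CRLF + header that truncates response 1
    "%0d%0a%0d%0a"                     # CRLF CRLF: end of response 1
    "HTTP/1.1%20200%20OK"              # start of attacker-supplied response 2
    "%0d%0aContent-Type:%20text/plain"
    "%0d%0aContent-Length:%205"
    "%0d%0a%0d%0aowned"
)

if __name__ == "__main__":
    for label, uri in (("benign", "debian/dists/stable/Release"), ("evil", EVIL_URI)):
        print(label, "rejected:", is_insecure_uri(uri),
              "responses seen (vulnerable):", count_responses(build_redirect_vulnerable(uri)),
              "responses seen (hardened):", count_responses(build_redirect_hardened(uri)))
    # Caveat: the regex inspects one layer of encoding only. "%250a" passes it,
    # and becomes a newline only if some later step decodes the URI again.
    print("%250a passes the check:", not is_insecure_uri("%250a"),
          "and is LF after two decodes:", double_decoded("%250a") == "\n")
```

Run as-is, the vulnerable stub yields two status lines for the crafted URI while the hardened one returns a single 403. One caveat the regex alone does not settle: it inspects a single layer of percent-encoding, so %250a passes it; that matters only if something later decodes the URI a second time, which is a property of the surrounding server code rather than of the check, and is the thing to confirm when auditing a fix of this shape.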


Information forwarded to debian-bugs-dist@lists.debian.org, Mark Hindley <mark@hindley.org.uk>:
Bug#858739; Package src:apt-cacher. (Sun, 26 Mar 2017 10:18:02 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Hindley <mark@hindley.org.uk>. (Sun, 26 Mar 2017 10:18:03 GMT)


Message #10 received at 858739@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 858739@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: apt-cacher: HTTP response splitting
Date: Sun, 26 Mar 2017 11:14:02 +0100
Hi,

> This is to have a BTS reference, since no CVE has been assigned.

Do you plan to request one, etc.?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Marked as fixed in versions apt-cacher/1.7.15. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.debian.org. (Sun, 26 Mar 2017 17:09:05 GMT)


Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 27 Mar 2017 09:18:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 27 Mar 2017 09:18:08 GMT)


Message #17 received at 858739-done@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 858739-done@bugs.debian.org
Subject: apt-cacher_1.7.6+deb7u1_amd64.changes ACCEPTED into oldstable
Date: Mon, 27 Mar 2017 10:14:53 +0100
Version: 1.7.6+deb7u1


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 26 Mar 2017 22:05:16 +0100
Source: apt-cacher
Binary: apt-cacher
Architecture: source all
Version: 1.7.6+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Mark Hindley <mark@hindley.org.uk>
Changed-By: Mark Hindley <mark@hindley.org.uk>
Description: 
 apt-cacher - Caching proxy for Debian package and source files
Changes: 
 apt-cacher (1.7.6+deb7u1) wheezy-security; urgency=medium
 .
   * Prevent HTTP response splitting with encoded newlines in
     request. Backport of fix for #858739.
Checksums-Sha1: 
 48a8eca61f4dd8d2defc44def155a3bc9c954158 1530 apt-cacher_1.7.6+deb7u1.dsc
 d697951df00ef5a50b84edde0292aae55b657974 119849 apt-cacher_1.7.6+deb7u1.tar.gz
 3d1546fc1c7dc7a15bfc6f54b05edd8e62ce4830 106052 apt-cacher_1.7.6+deb7u1_all.deb
Checksums-Sha256: 
 631a29a83eb6d77d335e0806b9317e61e6c140b7f841899b4ab9b9b822a3b7fe 1530 apt-cacher_1.7.6+deb7u1.dsc
 eb8803be076eb7d28d0a00b98028eecace50d8c8a094c71fc454ae1efec85679 119849 apt-cacher_1.7.6+deb7u1.tar.gz
 262d5abf5329bce62003c286f100f400fc9f96f39f3f75a817a9fb54159ffaf5 106052 apt-cacher_1.7.6+deb7u1_all.deb
Files: 
 6eeacf10989e8b7f851101397b6f86be 1530 net optional apt-cacher_1.7.6+deb7u1.dsc
 f02cd8676e60b0c2c4efd8a3a672be9c 119849 net optional apt-cacher_1.7.6+deb7u1.tar.gz
 d19727961f4ac4cdf3e6e3888a9b2293 106052 net optional apt-cacher_1.7.6+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#858739; Package src:apt-cacher. (Mon, 27 Mar 2017 11:51:04 GMT)


Message #20 received at 858739@bugs.debian.org:

From: Mark Hindley <mark@hindley.org.uk>
To: Salvatore Bonaccorso <carnil@debian.org>, 858739@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#858739: apt-cacher: HTTP response splitting
Date: Mon, 27 Mar 2017 12:34:38 +0100
Hello,

I have backported this fix to apt-cacher 1.7.10 for jessie.

I would be grateful if you could review it and upload.

Sources of 1.7.10+deb8u1 are available from

 http://www.hindley.org.uk/~mark/debian

Many thanks.

Mark



Marked as found in versions apt-cacher/1.7.10. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Mar 2017 11:57:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mark Hindley <mark@hindley.org.uk>:
Bug#858739; Package src:apt-cacher. (Mon, 27 Mar 2017 12:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Hindley <mark@hindley.org.uk>. (Mon, 27 Mar 2017 12:03:03 GMT)


Message #27 received at 858739@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mark Hindley <mark@hindley.org.uk>
Cc: 858739@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#858739: apt-cacher: HTTP response splitting
Date: Mon, 27 Mar 2017 14:01:14 +0200
Hi Mark,

On Mon, Mar 27, 2017 at 12:34:38PM +0100, Mark Hindley wrote:
> Hello,
> 
> I have backported this fix to apt-cacher 1.7.10 for jessie.
> 
> I would be grateful if you could review it and upload.
> 
> Sources of 1.7.10+deb8u1 are available from
> 
>  http://www.hindley.org.uk/~mark/debian

It's not planned to release a DSA for this issue; can you please
schedule a fix via a stable-proposed-update for the next jessie point
release?

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Thanks already.

Regards,
Salvatore



Bug 858739 cloned as bug 858833. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Mar 2017 12:39:02 GMT)


Marked as found in versions apt-cacher/1.7.6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Mar 2017 12:42:06 GMT)


Changed Bug title to 'apt-cacher: CVE-2017-7443: HTTP response splitting' from 'apt-cacher: HTTP response splitting'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 06 Apr 2017 04:33:03 GMT)


Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility. (Tue, 09 May 2017 19:51:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 09 May 2017 19:51:04 GMT)


Message #38 received at 858739-close@bugs.debian.org:

From: Mark Hindley <mark@hindley.org.uk>
To: 858739-close@bugs.debian.org
Subject: Bug#858739: fixed in apt-cacher 1.7.13+deb9u1
Date: Tue, 09 May 2017 19:48:26 +0000
Source: apt-cacher
Source-Version: 1.7.13+deb9u1

We believe that the bug you reported is fixed in the latest version of
apt-cacher, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Hindley <mark@hindley.org.uk> (supplier of updated apt-cacher package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 24 Apr 2017 19:38:26 +0100
Source: apt-cacher
Binary: apt-cacher
Architecture: source all
Version: 1.7.13+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Mark Hindley <mark@hindley.org.uk>
Changed-By: Mark Hindley <mark@hindley.org.uk>
Description:
 apt-cacher - Caching proxy server for Debian/Ubuntu software repositories
Closes: 858739
Changes:
 apt-cacher (1.7.13+deb9u1) stretch; urgency=medium
 .
   * Backport fix for CVE-2017-7443: Prevent HTTP response splitting with
     encoded newlines in request.  (closes: #858739)
Checksums-Sha1:
 56d91905a9d4eb5c20480efd4034ab00df5f8600 1496 apt-cacher_1.7.13+deb9u1.dsc
 5df0e54a3ec2e2f4d963b249d593ff14a0243194 99060 apt-cacher_1.7.13+deb9u1.tar.xz
 24a5815bf1945bc8895ccffab30e90693d73f939 102220 apt-cacher_1.7.13+deb9u1_all.deb
 87541da216a14d9bc3806f287d785b6407889d21 7068 apt-cacher_1.7.13+deb9u1_amd64.buildinfo
Checksums-Sha256:
 f56dc234c66699f3f1fb6df838982a885a3934fd9f561efa8e99b41512a8bced 1496 apt-cacher_1.7.13+deb9u1.dsc
 0581b7781b561d677c4de329402cd02ed1a28edb6d129149047dffce065f4f44 99060 apt-cacher_1.7.13+deb9u1.tar.xz
 a7503265e92c83a22752be66b1ffff3310694f5a17a08b6aff7b11488398bf31 102220 apt-cacher_1.7.13+deb9u1_all.deb
 04dbe5633e85f9ca74a4bdbf42064876a473dce401316a498a6e1bc2212f197e 7068 apt-cacher_1.7.13+deb9u1_amd64.buildinfo
Files:
 7667daf7e3baffb0f1500afd83840b25 1496 net optional apt-cacher_1.7.13+deb9u1.dsc
 b0edc677104ad26244ef7af91021c49d 99060 net optional apt-cacher_1.7.13+deb9u1.tar.xz
 d7e8ba1be631225a7ca0da45caf36fef 102220 net optional apt-cacher_1.7.13+deb9u1_all.deb
 ce30418fc2f64d289dea8bb5bbd1a2a9 7068 net optional apt-cacher_1.7.13+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Jun 2017 07:26:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:40:18 2019; Machine Name: beach
