SQL-ledger unsafe for use with untrusted users or public installations

Related Vulnerabilities: CVE-2007-0667   CVE-2006-5872  

Debian Bug report logs - #409703


Reported by: Alex de Oliveira Silva <enerv@host.sk>

Date: Sun, 4 Feb 2007 20:48:14 UTC

Severity: important

Tags: security, wontfix

Found in version sql-ledger/2.6.22-1

Fixed in version sql-ledger/2.6.22-2

Done: Nikolai Lusan <nikolai@lusan.id.au>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>:
New Bug report received and forwarded. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alex de Oliveira Silva <enerv@host.sk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-0667: sql-ledger: Arbitrary Code Execution
Date: Sun, 04 Feb 2007 17:35:28 -0300
Package: sql-ledger
Version: 2.6.22-1
Severity: important
Tags: security

Hi.
Maybe sql-ledger is affected by CVE-2007-0667.

Description:
Separate from CVE-2006-5872, there is a possibility of causing arbitrary
code execution during redirects. This requires a valid login to exploit
and was discovered and brought to the attention of both the SQL-Ledger
and LedgerSMB team in November. LedgerSMB 1.1.5 corrected the problem, but
it is still not corrected in SQL-Ledger.

Reference:
http://www.frsirt.com/english/advisories/2007/0407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0667

Note:
Please mention the CVE id in the changelog.


Thanks in advance.


regards,
--
   .''`.
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `-



Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #10 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Alex de Oliveira Silva <enerv@host.sk>, 409703@bugs.debian.org
Cc: chris@metatrontech.com
Subject: Re: Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution
Date: Mon, 5 Feb 2007 09:17:43 +0100
Hello,

On Sun, 04 Feb 2007, Alex de Oliveira Silva wrote:
> Package: sql-ledger
> Version: 2.6.22-1
> Severity: important
> Tags: security
> 
> Hi.
> Maybe sql-ledger is affected by CVE-2007-0667.
> 
> Description:
> Separate from CVE-2006-5872, there is a possibility of causing arbitrary
> code execution during redirects. This requires a valid login to exploit
> and was discovered and brought to the attention of both the SQL-Ledger
> and LedgerSMB team in November. LedgerSMB 1.1.5 corrected the problem, but
> it is still not corrected in SQL-Ledger.
> 
> Reference:
> http://www.frsirt.com/english/advisories/2007/0407
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0667

Indeed, none of the vulnerabilities which require an account have been
fixed in SQL-Ledger. Chris Travers promised to post an unofficial patch
for sql-ledger but I can't find it on the sql-ledger mailing list...

Chris ? Can you point us to the patch ?

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/



Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Chris Travers <chris@metatrontech.com>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #15 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Chris Travers <chris@metatrontech.com>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Alex de Oliveira Silva <enerv@host.sk>, 409703@bugs.debian.org
Subject: Re: Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution
Date: Mon, 05 Feb 2007 19:51:39 -0800
[Message part 1 (text/plain, inline)]
This patch was made against 2.6.18 but could be applicable to many other 
versions as well.  It alters the redirect() subroutine in the Form.pm to 
effectively whitelist scripts.

Raphael Hertzog wrote:
> Hello,
>
> On Sun, 04 Feb 2007, Alex de Oliveira Silva wrote:
>   
>> Package: sql-ledger
>> Version: 2.6.22-1
>> Severity: important
>> Tags: security
>>
>> Hi.
>> Maybe sql-ledger is affected by CVE-2007-0667.
>>
>> Description:
>> Separate from CVE-2006-5872, there is a possibility of causing arbitrary
>> code execution during redirects. This requires a valid login to exploit
>> and was discovered and brought to the attention of both the SQL-Ledger
>> and LedgerSMB team in November. LedgerSMB 1.1.5 corrected the problem, but
>> it is still not corrected in SQL-Ledger.
>>
>> Reference:
>> http://www.frsirt.com/english/advisories/2007/0407
>> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0667
>>     
>
> Indeed, none of the vulnerabilities which require an account have been
> fixed in SQL-Ledger. Chris Travers promised to post an unofficial patch
> for sql-ledger but I can't find it on the sql-ledger mailing list...
>
> Chris ? Can you point us to the patch ?
>
> Cheers,
>   

[sl-whitelist.patch (text/x-patch, inline)]
diff -C3 -r sql-ledger-orig/SL/Form.pm sql-ledger/SL/Form.pm
*** sql-ledger-orig/SL/Form.pm	2007-02-05 18:20:34.000000000 -0800
--- sql-ledger/SL/Form.pm	2007-02-05 18:23:06.000000000 -0800
***************
*** 311,318 ****
  
    if ($self->{callback}) {
  
!     my ($script, $argv) = split(/\?/, $self->{callback});
!     exec ("perl", $script, $argv);
     
    } else {
      
--- 311,327 ----
  
    if ($self->{callback}) {
  
! 	my ($script, $argv) = split(/\?/, $self->{callback});
! 	foreach (qw/admin.pl login.pl am.pl ap.pl ar.pl bp.pl ca.pl 
! 			cp.pl ct.pl menu.pl gl.pl hr.pl ic.pl ir.pl
! 			is.pl jc.pl oe.pl pe.pl ps.pl rc.pl rp.pl/) {
! 		if ($_ =~ /(?:custom_)?$script/) {
! 			exec ("perl", $script, $argv);
! 		}
! 	}
! 	# $script not in whitelist
! 	$self->error('Access Denied!')
! 
     
    } else {
      
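Review bot: the allowlist test in the new `foreach` loop does not enforce an exact match. `if ($_ =~ /(?:custom_)?$script/)` interpolates the user-controlled `$script` into the regex unescaped and unanchored, so it asks whether the allowlist entry contains `$script` as a pattern, not whether `$script` is one of the entries: an empty `$script`, a single `.`, or a substring such as `p.pl` all satisfy it, while the intended `custom_ap.pl` form never does, because no entry carries the `custom_` prefix. Suggest reversing the comparison and anchoring it with the entry quoted, `if ($script =~ /^(?:custom_)?\Q$_\E$/)`, or building a hash of allowed names and testing `exists $allowed{$script}` after stripping an optional `custom_` prefix. Minor: `$self->error('Access Denied!')` has no trailing `;`; Perl accepts it as the last statement in the block, but adding it avoids a surprise if a statement is appended later.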
[chris.vcf (text/x-vcard, attachment)]
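The script allowlisting that Chris describes for redirect(), modelled in Python as an added example (this is not code from the thread or from SQL-Ledger): `weak_allows` reproduces the semantics of the posted patch's regex test, `strict_allows` is the exact-match form a reviewer would ask for, and `dispatch_target` shows the resulting redirect decision. The function names and the sample callbacks are assumptions of this example; the script list is the one in the patch.

```python
import re

# Allowlist of dispatchable scripts, copied from the patch posted in this thread.
ALLOWED_SCRIPTS = frozenset("""
admin.pl login.pl am.pl ap.pl ar.pl bp.pl ca.pl cp.pl ct.pl menu.pl
gl.pl hr.pl ic.pl ir.pl is.pl jc.pl oe.pl pe.pl ps.pl rc.pl rp.pl
""".split())


def split_callback(callback):
    """Mirror the patch's split(/\\?/, $callback): script name before the
    first '?', query string after it (empty string if there is none)."""
    script, _, argv = callback.partition("?")
    return script, argv


def weak_allows(script):
    """Model of the posted patch's test: every allowlist entry is matched
    against /(?:custom_)?$script/ with $script interpolated unescaped and the
    pattern unanchored, i.e. 'does the entry CONTAIN the caller-supplied text'."""
    try:
        pattern = re.compile(r"(?:custom_)?" + script)
    except re.error:
        return False
    return any(pattern.search(entry) for entry in ALLOWED_SCRIPTS)


def strict_allows(script):
    """Exact-match allowlist: the script must equal an entry, optionally with
    a 'custom_' prefix (the intent behind the patch's (?:custom_)? group)."""
    prefix = "custom_"
    base = script[len(prefix):] if script.startswith(prefix) else script
    return base in ALLOWED_SCRIPTS


def dispatch_target(callback):
    """Return the (script, argv) pair a redirect may exec, or None when the
    callback names a script outside the allowlist (the patch's
    'Access Denied!' branch)."""
    script, argv = split_callback(callback)
    if not strict_allows(script):
        return None
    return script, argv


if __name__ == "__main__":
    # Constructed sample callbacks, not taken from any real SQL-Ledger session.
    for cb in ("ap.pl?action=add&id=3", "custom_ap.pl?id=1", "p.pl?x=1", "?x=1"):
        script, _ = split_callback(cb)
        print(f"{cb!r:28} weak={weak_allows(script)!s:5} strict={strict_allows(script)!s:5} "
              f"dispatch={dispatch_target(cb)}")
```

The two checks disagree exactly where it matters: the substring regex accepts a name that is not on the list (`p.pl`, or an empty name) and rejects the `custom_` variant the patch meant to allow, whereas the exact-match version accepts only list members and their `custom_` counterparts.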

Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #20 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Alex de Oliveira Silva <enerv@host.sk>, 409703@bugs.debian.org, chris@metatrontech.com, control@bugs.debian.org
Subject: Re: Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution
Date: Wed, 28 Feb 2007 21:58:29 +0100
severity 409703 grave
thanks

Raphael Hertzog wrote:

> Indeed, none of the vulnerabilities which require an account have been
> fixed in SQL-Ledger. Chris Travers promised to post an unofficial patch
> for sql-ledger but I can't find it on the sql-ledger mailing list...

We talked about this before in private mail. Please either

a) Document clearly in README.Debian that sql-ledger is not suitable
for public installations w/o completely trusted users (which could even
be in order for an accounting solution) and readjust to non-RC severity
afterwards
or
b) Apply fixes for the outstanding issues

Cheers,
        Moritz



Severity set to `grave' from `important' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Raphael Hertzog <hertzog@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Alex de Oliveira Silva <enerv@host.sk>:
Bug acknowledged by developer. (full text, mbox, link).


Message #27 received at 409703-close@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: 409703-close@bugs.debian.org
Subject: Bug#409703: fixed in sql-ledger 2.6.22-2
Date: Thu, 01 Mar 2007 15:02:26 +0000
Source: sql-ledger
Source-Version: 2.6.22-2

We believe that the bug you reported is fixed in the latest version of
sql-ledger, which is due to be installed in the Debian FTP archive:

sql-ledger_2.6.22-2.diff.gz
  to pool/main/s/sql-ledger/sql-ledger_2.6.22-2.diff.gz
sql-ledger_2.6.22-2.dsc
  to pool/main/s/sql-ledger/sql-ledger_2.6.22-2.dsc
sql-ledger_2.6.22-2_all.deb
  to pool/main/s/sql-ledger/sql-ledger_2.6.22-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 409703@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Hertzog <hertzog@debian.org> (supplier of updated sql-ledger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  1 Mar 2007 15:34:36 +0100
Source: sql-ledger
Binary: sql-ledger
Architecture: source all
Version: 2.6.22-2
Distribution: unstable
Urgency: high
Maintainer: Finn-Arne Johansen <faj@bzz.no>
Changed-By: Raphael Hertzog <hertzog@debian.org>
Description: 
 sql-ledger - A web based double-entry accounting program
Closes: 409703
Changes: 
 sql-ledger (2.6.22-2) unstable; urgency=high
 .
   * Document the security problem of SQL-Ledger in the README.Debian file
     (and in NEWS). Closes: #409703
Files: 
 087dec9c5e83d07b458a7e06855e12a5 706 web optional sql-ledger_2.6.22-2.dsc
 a3ba2cb155fe830efddd3ee28a0bbdc2 13703 web optional sql-ledger_2.6.22-2.diff.gz
 6522fb8820fb31996615537e550a7362 2798738 web optional sql-ledger_2.6.22-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF5ubtvPbGD26BadIRAgCDAJ9Q1TEbnptR/cvgYkWSHRtUorJ9eACeMxv6
zcSEzGxCZ4P/ODRV5o9fLLU=
=8Un5
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #32 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 409703@bugs.debian.org
Subject: Re: Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution
Date: Thu, 1 Mar 2007 15:57:51 +0100
On Wed, 28 Feb 2007, Moritz Muehlenhoff wrote:
> We talked about this before in private mail. Please either
> 
> a) Document clearly in README.Debian that sql-ledger is not suitable
> for public installations w/o completely trusted users (which could even
> be in order for an accounting solution) and readjust to non-RC severity
> afterwards

I've done that but I closed the bug, so that its progression in etch can be
properly tracked. We ought to reopen it once it's in etch.

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/



Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #37 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, 409703@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution
Date: Fri, 2 Mar 2007 17:25:16 -0800
reopen 409703
thanks

On Thu, Mar 01, 2007 at 03:57:51PM +0100, Raphael Hertzog wrote:
> On Wed, 28 Feb 2007, Moritz Muehlenhoff wrote:
> > We talked about this before in private mail. Please either

> > a) Document clearly in README.Debian that sql-ledger is not suitable
> > for public installations w/o completely trusted users (which could even
> > be in order for an accounting solution) and readjust to non-RC severity
> > afterwards

> I've done that but I closed the bug, so that its progression in etch can be
> properly tracked. We ought to reopen it once it's in etch.

Please don't do this, it subverts the intent of version-tracking.

Instead:

- If you consider this to be two separate bugs, one about the documentation
  issue and one about the actual security holes, where only the
  documentation one is to be considered RC, please split the bug, adjust the
  severities, and close only the documentation bug in this version.
- If you consider this to be a single bug, please leave it open.  In that
  case, I suppose the current severity is still the wrong one, and it should
  be lowered?

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Bug reopened, originator not changed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #44 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 409703@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution
Date: Sat, 3 Mar 2007 10:32:02 +0100
severity 409703 important
retitle 409703 SQL-ledger unsafe for use with untrusted users or public installations
tags 409703 + wontfix
thanks

On Fri, 02 Mar 2007, Steve Langasek wrote:
> > I've done that but I closed the bug, so that its progression in etch can be
> > properly tracked. We ought to reopen it once it's in etch.
> 
> Please don't do this, it subverts the intent of version-tracking.
> 
> Instead:
> 
> - If you consider this to be two separate bugs, one about the documentation
>   issue and one about the actual security holes, where only the
>   documentation one is to be considered RC, please split the bug, adjust the
>   severities, and close only the documentation bug in this version.

Right, I should have done that. Now it's a bit late. I'll simply leave that
bug open for documentation purposes.

The explanation for the tags and the subject are: the upstream developer
has written this software without having security implications in mind.
This means that there are numerous security vulnerabilities discovered
and undiscovered. Those which have been discovered have not been fixed
upstream. And we don't have the resources to take care of this by
ourselves.

However there are only a few alternatives for serious accounting that have
the level of features of SQL-ledger, so we prefer keeping the software
despite this.

In the longer term, we're considering switching to LedgerSMB, which is a
fork of SQL-Ledger, and it should be a goal for lenny to provide a nice
upgrade path between both pieces of software.

Volunteers are welcome!

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/



Severity set to `important' from `grave' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Changed Bug title. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: wontfix Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #55 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 409703@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: sql-ledger in testing
Date: Sun, 21 Oct 2007 18:26:15 +1000
[Message part 1 (text/plain, inline)]
Hi Raphael

I have read up on your discussion with the stable sec team. At the moment, 
sql-ledger is in testing and from what I have heard it would be possible to 
package and upload LedgerSMB, which fixes the security issues. Therefore, I 
would like to remove sql-ledger from testing. For lenny, ledgersmb could be 
used then. Any objections?

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #60 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 409703@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: sql-ledger in testing
Date: Sun, 21 Oct 2007 11:38:57 +0200
Hi Steffen,

On Sun, 21 Oct 2007, Steffen Joeris wrote:
> I have read up on your discussion with the stable sec team. At the moment, 
> sql-ledger is in testing and from what I have heard it would be possible to 
> package and upload LedgerSMB, which fixes the security issues. Therefore, I 
> would like to remove sql-ledger from testing. For lenny, ledgersmb could be 
> used then. Any objections?

Yes. Until someone has done the job of packaging LedgerSmb I would like to
keep sql-ledger. Please understand that we're speaking of a financial
application that companies are using... (mine included).

Also it won't be trivial to migrate from one to the other, so it's a fair
bit of work to create the package and offer a sane upgrade path.

We already documented the fact that sql-ledger is not safe to use in an
untrusted environment.

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/




Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #65 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 409703@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: sql-ledger in testing
Date: Sun, 21 Oct 2007 22:04:22 +1000
[Message part 1 (text/plain, inline)]
Hi Raphael

On Sun, 21 Oct 2007 07:38:57 pm Raphael Hertzog wrote:
> Hi Steffen,
>
> On Sun, 21 Oct 2007, Steffen Joeris wrote:
> > I have read up on your discussion with the stable sec team. At the
> > moment, sql-ledger is in testing and from what I have heard it would be
> > possible to package and upload LedgerSMB, which fixes the security
> > issues. Therefore, I would like to remove sql-ledger from testing. For
> > lenny, ledgersmb could be used then. Any objections?
>
> Yes. Until someone has done the job of packaging LedgerSmb I would like to
> keep sql-ledger. Please understand that we're speaking of a financial
> application that companies are using... (mine included).
I totally understand that and I would also want to have other software 
packaged for debian and to be kept there, but unfortunately ...


> Also it won't be trivial to migrate from one to the other, so it's a fair
> bit of work to create the package and offer a sane upgrade path.
>
> We already documented the fact that sql-ledger is not safe to use in an
> untrusted environment.
Well my point is that sql-ledger is in stable (and not security supported), 
which is the way it is. For lenny this should, IMHO, not happen again. I 
personally see it that way:
ledgersmb is the one after sql-ledger and should be the new version. For this, 
sql-ledger can be dropped in favour of ledgersmb. This somehow also makes it 
the responsibility of the sql-ledger maintainer to care for ledgersmb as a 
lenny version. If that is not the case, then the removal of sql-ledger 
(without any alternative) should be considered.

Cheers
Steffen

P.S. Raphael please note that this is no personal criticism, you know that I 
am not up for such things. Just my two cents to the sql-ledger security 
debate.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #70 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: secure-testing-team@lists.alioth.debian.org
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, Raphael Hertzog <hertzog@debian.org>, 409703@bugs.debian.org
Subject: Re: [Secure-testing-team] sql-ledger in testing
Date: Sun, 21 Oct 2007 15:17:58 +0200
[Message part 1 (text/plain, inline)]
On Sunday 21 October 2007 14:04, Steffen Joeris wrote:
> Well my point is that sql-ledger is in stable (and not security supported),
> which is the way it is. For lenny this should, IMHO, not happen again. I
> personally see it that way:

I respectfully disagree with this. In my opinion, when you cannot trust your 
authenticated users of sql-ledger, you've got a lot bigger problems than this 
security issue.

I'd like to see some real-world cases where this could be exploited before we 
start to remove things for which no adequate substitute is packaged yet.

Of course once there's a better package available, I'm all for deprecating 
this one. And also of course, it's still a bug which should be fixed when 
reasonably possible.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #75 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 409703@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: sql-ledger in testing
Date: Sun, 21 Oct 2007 18:00:14 +0200
Hi,

On Sun, 21 Oct 2007, Steffen Joeris wrote:
> > Also it won't be trivial to migrate from one to the other, so it's a fair
> > bit of work to create the package and offer a sane upgrade path.
> >
> > We already documented the fact that sql-ledger is not safe to use in an
> > untrusted environment.
> Well my point is that sql-ledger is in stable (and not security supported), 
> which is the way it is. For lenny this should, IMHO, not happen again. I 
> personally see it that way:

I don't see the problem of having that package if it doesn't impose any
work on the security team, as it's documented to be non-supported.

> ledgersmb is the one after sql-ledger and should be the new version. For this, 
> sql-ledger can be dropped in favour of ledgersmb. This somehow also makes it 
> the responsibility of the sql-ledger maintainer to care for ledgersmb as a 
> lenny version. If that is not the case, then the removal of sql-ledger 
> (without any alternative) should be considered.

I agree that ledgersmb should replace sql-ledger in the long term but they
are doing major changes to the infrastructure which makes it a quite
unstable fork at the time being.

As for the responsibility of the sql-ledger maintainer, well, in an ideal
world yes ... but the fact is that the sql-ledger maintainers are a bunch
of busy guys whose interest for accounting apps is purely required by the
necessity of accounting in companies and not really by passion...

So while I'd like to already have a working ledgersmb package with a
conversion script from sql-ledger to ledgersmb, this is not the case and I
thus disagree with a forced removal of the package.

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/




Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>:
Bug#409703; Package sql-ledger. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>. (full text, mbox, link).


Message #80 received at 409703@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: secure-testing-team@lists.alioth.debian.org, Raphael Hertzog <hertzog@debian.org>, 409703@bugs.debian.org
Subject: Re: [Secure-testing-team] sql-ledger in testing
Date: Sun, 21 Oct 2007 18:49:11 +0200
On Sun, Oct 21, 2007 at 03:17:58PM +0200, Thijs Kinkhorst wrote:
> On Sunday 21 October 2007 14:04, Steffen Joeris wrote:
> > Well my point is that sql-ledger is in stable (and not security supported),
> > which is the way it is. For lenny this should, IMHO, not happen again. I
> > personally see it that way:
> 
> I respectfully disagree with this. In my opinion, when you cannot trust your 
> authenticated users of sql-ledger, you've got a lot bigger problems than this 
> security issue.

I agree.

Cheers,
        Moritz




Reply sent to Nikolai Lusan <nikolai@lusan.id.au>:
You have taken responsibility. (Sun, 01 Jul 2012 18:09:06 GMT) (full text, mbox, link).


Notification sent to Alex de Oliveira Silva <enerv@host.sk>:
Bug acknowledged by developer. (Sun, 01 Jul 2012 18:09:06 GMT) (full text, mbox, link).


Message #85 received at 409703-done@bugs.debian.org (full text, mbox, reply):

From: Nikolai Lusan <nikolai@lusan.id.au>
To: 409703-done@bugs.debian.org
Subject: Version: 2.6.22-2
Date: Mon, 02 Jul 2012 04:06:06 +1000
[Message part 1 (text/plain, inline)]
Package: sql-ledger
Version: 2.6.22-2


-- 
Nikolai Lusan <nikolai@lusan.id.au>
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 30 Jul 2012 07:25:36 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:25:35 2019; Machine Name: beach
