CVE-2016-5397


Debian Bug report logs - #894577
CVE-2016-5397


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 1 Apr 2018 20:39:03 UTC

Severity: grave

Tags: fixed-upstream, security

Fixed in version thrift/0.11.0-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/THRIFT-3893



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#894577; Package thrift-compiler. (Sun, 01 Apr 2018 20:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 01 Apr 2018 20:39:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-5397
Date: Sun, 01 Apr 2018 22:38:03 +0200
Package: thrift-compiler
Severity: grave
Tags: security

This was assigned CVE-2016-5397: https://issues.apache.org/jira/browse/THRIFT-3893

Fix: https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#894577; Package thrift-compiler. (Sun, 01 Apr 2018 20:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 01 Apr 2018 20:57:05 GMT) (full text, mbox, link).


Message #10 received at 894577@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 894577@bugs.debian.org
Subject: Re: Bug#894577: CVE-2016-5397
Date: Sun, 1 Apr 2018 22:52:59 +0200
Hi Moritz,

On Sun, Apr 1, 2018 at 10:38 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Package: thrift-compiler
> Severity: grave
> Tags: security
>
> This was assigned CVE-2016-5397: https://issues.apache.org/jira/browse/THRIFT-3893
 This affects the Go compiler component only if I see it right. That's
packaged only with 0.9.3-2 and later versions. As such, it affects
only thrift which is still in experimental only. I need to check every
usage scenario of course - but I'm going to do that in daytime and not
at the moment. :-/

> Fix: https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e
 I don't really consider this as a fix, it disables the
format_go_output function instead of input sanitizing. :-(

Thanks anyway,
Laszlo/GCS
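The distinction Laszlo draws above (disabling the function versus sanitising its input) is the whole point of this bug class. The following is an added illustration, not Thrift's code and not the upstream commit: it assumes the reported shape, an output path concatenated into a "gofmt -w" command line and handed to a shell, and shows the shell-free argv form beside a metacharacter check; the function names are hypothetical.

```cpp
// Added illustration of the CVE-2016-5397 bug class (command injection via a
// generated-file path spliced into a gofmt invocation). Not Thrift's code.
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Vulnerable shape (assumed): the path becomes part of a shell command string.
// Any shell metacharacter in file_path (';', '|', '$(', backtick, ...) is
// interpreted by /bin/sh once this string reaches system() or popen().
std::string gofmt_command_unsafe(const std::string& file_path) {
  return "gofmt -w " + file_path;
}

// Hardened shape: build an argv vector instead. The path is exactly one
// argument and is never parsed by a shell, whatever characters it contains.
std::vector<std::string> gofmt_argv(const std::string& file_path) {
  return {"gofmt", "-w", file_path};
}

// Defensive check a code generator can apply before spawning anything: reject
// paths holding characters that only mean something to a shell. Assumption:
// legitimate generated .go paths never contain these.
bool has_shell_metachar(const std::string& s) {
  return s.find_first_of(";|&`$<>(){}\n\"'\\") != std::string::npos;
}

// Spawn gofmt without a shell. Returns the child's exit status, or -1 if the
// path fails validation or the process could not be started/waited for.
int run_gofmt(const std::string& file_path) {
  if (has_shell_metachar(file_path)) return -1;  // belt and braces
  std::vector<std::string> args = gofmt_argv(file_path);
  std::vector<char*> cargv;
  for (std::string& a : args) cargv.push_back(&a[0]);  // C++11: NUL-terminated
  cargv.push_back(nullptr);
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    execvp(cargv[0], cargv.data());  // only returns if exec itself failed
    _exit(127);
  }
  int status = 0;
  if (waitpid(pid, &status, 0) < 0) return -1;
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```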



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#894577; Package thrift-compiler. (Sun, 01 Apr 2018 21:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 01 Apr 2018 21:03:03 GMT) (full text, mbox, link).


Message #15 received at 894577@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 894577@bugs.debian.org
Subject: Re: Bug#894577: CVE-2016-5397
Date: Sun, 1 Apr 2018 22:58:46 +0200
On Sun, Apr 01, 2018 at 10:52:59PM +0200, László Böszörményi (GCS) wrote:
> Hi Moritz,
> 
> On Sun, Apr 1, 2018 at 10:38 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
> > Package: thrift-compiler
> > Severity: grave
> > Tags: security
> >
> > This was assigned CVE-2016-5397: https://issues.apache.org/jira/browse/THRIFT-3893
>  This affects the Go compiler component only if I see it right. That's
> packaged only with 0.9.3-2 and later versions. As such, it affects
> only thrift which is still in experimental only. I need to check every
> usage scenario of course - but I'm going to do that in daytime and not
> at the moment. :-/

Thanks, I wasn't aware of that. If you can confirm that, please update the
security tracker to mark it as not-affected.

Cheers,
        Moritz



Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/THRIFT-3893'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2018 08:09:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 09 Jul 2018 17:31:37 GMT) (full text, mbox, link).


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Thu, 11 Oct 2018 11:03:29 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 11 Oct 2018 11:03:30 GMT) (full text, mbox, link).


Message #24 received at 894577-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 894577-close@bugs.debian.org
Subject: Bug#894577: fixed in thrift 0.11.0-1
Date: Thu, 11 Oct 2018 11:00:38 +0000
Source: thrift
Source-Version: 0.11.0-1

We believe that the bug you reported is fixed in the latest version of
thrift, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894577@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated thrift package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 20 Sep 2018 18:16:39 +0000
Source: thrift
Binary: libthrift-0.11.0 libthrift-dev libthrift-c-glib0 libthrift-c-glib-dev thrift-compiler python-thrift python-thrift-dbg php7.2-thrift libthrift-perl golang-thrift-dev
Architecture: source amd64 all
Version: 0.11.0-1
Distribution: experimental
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 golang-thrift-dev - Go language support for Thrift
 libthrift-0.11.0 - Thrift C++ library
 libthrift-c-glib-dev - Thrift glib library (development headers)
 libthrift-c-glib0 - Thrift glib library
 libthrift-dev - Thrift C++ library (development headers)
 libthrift-perl - Perl language support for Thrift
 php7.2-thrift - PHP language support for Thrift
 python-thrift - Python library for Thrift
 python-thrift-dbg - Python library for Thrift (debug symbols)
 thrift-compiler - code generator/compiler for Thrift definitions
Closes: 877126 894577 909067
Changes:
 thrift (0.11.0-1) experimental; urgency=medium
 .
   * New major upstream release.
   * Fixes CVE-2016-5397: command injection in format_go_output
     (closes: #894577).
   * Fix FTBFS problems (closes: #909067).
   * Rename related packages to -0.11.0 suffix.
   * Build with PHP 7.2 version.
   * Remove libmaven-ant-tasks-java build dependency (closes: #877126).
   * Update patches.
   * Use auto-generated debug packages.
   * Change package priority to optional.
   * Update Standards-Version to 4.2.1 .
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 09 Nov 2018 07:29:48 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:28:23 2019; Machine Name: buxtehude
