Debian Bug report logs - #386519 sql-ledger: Security vulnerability CVE-2006-4244
Reported by: Chris Morris <c.i.morris@durham.ac.uk>
Date: Fri, 8 Sep 2006 08:33:01 UTC
Severity: grave
Tags: security
Fixed in versions sql-ledger/2.6.18-1, sql-ledger/2.4.7-2sarge1
Done: Raphael Hertzog <hertzog@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Finn-Arne Johansen <faj@bzz.no>: Bug#386519; Package sql-ledger.
Acknowledgement sent to Chris Morris <c.i.morris@durham.ac.uk>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Finn-Arne Johansen <faj@bzz.no>.
Message #5 received at submit@bugs.debian.org:
Package: sql-ledger
Severity: grave
Tags: security
Justification: user security hole
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244
Recently fully disclosed at
http://www.securityfocus.com/archive/1/445512/30/0/threaded
Looking at the source of menu.pl it appears to work exactly as Chris
Travers describes it.
Apparently all versions from 2.4.4 onwards are affected, which includes
the version in sarge.
Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>: Bug#386519; Package sql-ledger.
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>.
Message #10 received at 386519@bugs.debian.org:
On Fri, 08 Sep 2006, Chris Morris wrote:
> Package: sql-ledger
> Severity: grave
> Tags: security
> Justification: user security hole
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244
> Recently fully disclosed at
> http://www.securityfocus.com/archive/1/445512/30/0/threaded
>
> Looking at the source of menu.pl it appears to work exactly as Chris
> Travers describes it.
>
> Apparently all versions from 2.4.4 onwards are affected, which includes
> the version in sarge.
I uploaded the new upstream version 2.6.18-1 to sid; it fixes this issue.
For sarge, I created 2.4.7-2sarge1 and I uploaded it here:
http://people.debian.org/~hertzog/sql-ledger/
It's a full (signed) upload which can simply be uploaded to the security
archive (dist="stable-security" as per devel ref 5.8.5.3).
The patch used is here:
http://people.debian.org/~hertzog/sql-ledger/sql-ledger.patch
I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old
2.4.7-2 and it applied immediately. However I haven't had the time to test
if the package upgrades fine and if it still works well.
I'd like other people from pkg-sql-ledger-discussion@l.a.d.o to help out
with the testing. Can people confirm that the updated package works fine?
Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
Reply sent to Raphael Hertzog <hertzog@debian.org>: You have taken responsibility.
Notification sent to Chris Morris <c.i.morris@durham.ac.uk>: Bug acknowledged by developer.
Message #15 received at 386519-close@bugs.debian.org:
Source: sql-ledger
Source-Version: 2.6.18-1
We believe that the bug you reported is fixed in the latest version of
sql-ledger, which is due to be installed in the Debian FTP archive:
sql-ledger_2.6.18-1.diff.gz
to pool/main/s/sql-ledger/sql-ledger_2.6.18-1.diff.gz
sql-ledger_2.6.18-1.dsc
to pool/main/s/sql-ledger/sql-ledger_2.6.18-1.dsc
sql-ledger_2.6.18-1_all.deb
to pool/main/s/sql-ledger/sql-ledger_2.6.18-1_all.deb
sql-ledger_2.6.18.orig.tar.gz
to pool/main/s/sql-ledger/sql-ledger_2.6.18.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 386519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphael Hertzog <hertzog@debian.org> (supplier of updated sql-ledger package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sun, 10 Sep 2006 21:08:15 +0200
Source: sql-ledger
Binary: sql-ledger
Architecture: source all
Version: 2.6.18-1
Distribution: unstable
Urgency: low
Maintainer: Finn-Arne Johansen <faj@bzz.no>
Changed-By: Raphael Hertzog <hertzog@debian.org>
Description:
sql-ledger - A web based double-entry accounting program
Closes: 386519
Changes:
sql-ledger (2.6.18-1) unstable; urgency=low
.
* New upstream release.
- fix security issue with sessions cookies: CVE-2006-4244
Closes: #386519
* Updated watch file, sourceforge is not really up-to-date.
Files:
73f18dcefd10cb9ee41c8f56b6b192c4 706 web optional sql-ledger_2.6.18-1.dsc
adc51b3e1d1659877e450cb385b5b8ca 3003762 web optional sql-ledger_2.6.18.orig.tar.gz
6735b39789f9c03189c4223ce68a686c 12731 web optional sql-ledger_2.6.18-1.diff.gz
34552d8c82e1aace0c576f9c9e293bb2 2748706 web optional sql-ledger_2.6.18-1_all.deb
Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>: Bug#386519; Package sql-ledger.
Acknowledgement sent to faj@bzz.no: Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>.
Message #20 received at 386519@bugs.debian.org:
Raphael Hertzog wrote:
> On Fri, 08 Sep 2006, Chris Morris wrote:
>> Package: sql-ledger
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244
>> Recently fully disclosed at
>> http://www.securityfocus.com/archive/1/445512/30/0/threaded
>>
>> Looking at the source of menu.pl it appears to work exactly as Chris
>> Travers describes it.
>>
>> Apparently all versions from 2.4.4 onwards are affected, which includes
>> the version in sarge.
>
> I uploaded the new upstream version 2.6.18-1 to sid, it fixes this issue.
> For sarge, I created 2.4.7-2sarge1 and I uploaded it here:
> http://people.debian.org/~hertzog/sql-ledger/
>
> It's a full (signed) upload which can simply be uploaded to the security
> archive (dist="stable-security" as per devel ref 5.8.5.3).
>
> The patch used is here:
> http://people.debian.org/~hertzog/sql-ledger/sql-ledger.patch
>
> I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old
> 2.4.7-2 and it applied immediately. However I haven't had the time to test
> if the package upgrades fine and if it still works well.
The upgrade did work ok, but I failed to see how it should fix the bug.
But I haven't had time to look closely at it.
I still have the same cookie, that tells when I logged in, the user-name
I used to log in with.
> I'd like other people from pkg-sql-ledger-discussion@l.a.d.o to help out
> with the testing. Can people confirm that the updated package works fine?
It works, but I fail to see how it fixes the bug.
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>: Bug#386519; Package sql-ledger.
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>.
Message #25 received at 386519@bugs.debian.org:
Hi,
On Mon, 11 Sep 2006, Finn-Arne Johansen wrote:
> > I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old
> > 2.4.7-2 and it applied immediately. However I haven't had the time to test
> > if the package upgrades fine and if it still works well.
>
> The upgrade did work ok, but I failed to see how it should fix the bug.
> But I haven't had time to look closely at it.
>
> I still have the same cookie, that tells when I logged in, the user-name
> I used to log in with.
>
> > I'd like other people from pkg-sql-ledger-discussion@l.a.d.o to help out
> > with the testing. Can people confirm that the updated package works fine?
>
> It works, but I fail to see how it fixes the bug.
The upstream author said:
| This upgrade fixes a bug discovered with the sessionid.
|
| The new procedure is now without a visible sessionid but the login and
| password is compared. The cookie for the browser contains a scrambled
| string of the login, password and a time value. This scrambled string
| which is only visible to the browser is then assembled with the key stored
| in the user's config file. In order for someone to crack the code you need
| to have the cookie from the browser, which you can only get if someone
| eavesdrops, and you also need the key from the user.
|
| The session will also time out regardless if there is activity or not. So,
| if you have the timeout value set to 3600 you will have to enter your
| password every hour. I'll take another look at this if I can extend the
| session if there is activity. The way it is right now a new key is
| generated when a user enters a password.
I haven't checked the logic of Dieter's patch but I haven't seen any
complaint on the mailing list either.
<digress>
I'm quite unhappy with how this security incident has been handled by
Dieter as he was aware of the problem for several months!
Thus, we should seriously consider packaging ledger-smb (the new fork
of sql-ledger) for the future (and maybe drop sql-ledger if the fork
stays alive).
</digress>
Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
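The session-cookie scheme Dieter describes in the message above, as an added model written for this bug log and not sql-ledger's own code: a per-user key kept server-side, a cookie carrying a keyed scramble of login, stored password verifier and issue time, an absolute timeout that ignores activity, and a fresh key at every password login, which invalidates cookies issued under the previous key. HMAC-SHA256 as the scrambling function, the cookie layout and the names (UserConfig, make_user, login, check_cookie) are this example's assumptions, not upstream's.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserConfig:
    """Server-side per-user state: the 'key stored in the user's config file'."""
    login: str
    verifier: str          # stored password verifier (sha256 hex here for brevity)
    key: bytes = b""       # regenerated every time the user enters a password
    timeout: int = 3600    # absolute session lifetime in seconds


def make_user(login: str, password: str) -> UserConfig:
    # Constructed for this example; a real deployment uses a slow password hash.
    return UserConfig(login, hashlib.sha256(password.encode()).hexdigest())


def _scramble(key: bytes, login: str, verifier: str, issued: int) -> str:
    # The "scrambled string" of login, password and time value, keyed with the
    # per-user key. HMAC-SHA256 is this example's choice of scrambling function.
    msg = f"{login}\0{verifier}\0{issued}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def login(cfg: UserConfig, password: str, now: int) -> Optional[str]:
    """Check the password, rotate the user's key and issue a fresh cookie."""
    offered = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(offered, cfg.verifier):
        return None
    cfg.key = secrets.token_bytes(32)   # new key on every password entry
    # Login and issue time travel in the clear so the server can recompute the
    # MAC; the verifier never leaves the server, only its keyed digest does.
    return f"{cfg.login}:{now}:{_scramble(cfg.key, cfg.login, cfg.verifier, now)}"


def check_cookie(cfg: UserConfig, cookie: str, now: int) -> bool:
    """Accept the cookie only under the current key and inside the timeout."""
    try:
        name, issued_s, mac = cookie.split(":")
        issued = int(issued_s)
    except ValueError:
        return False                      # malformed cookie
    if name != cfg.login or not cfg.key:
        return False                      # wrong user, or nobody logged in yet
    if issued > now or now - issued >= cfg.timeout:
        return False                      # times out regardless of activity
    expected = _scramble(cfg.key, cfg.login, cfg.verifier, issued)
    return hmac.compare_digest(expected, mac)
```

Time values are passed in as integer seconds rather than read from the clock so the timeout and key-rotation behaviour can be reproduced deterministically.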
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#386519; Package sql-ledger.
Acknowledgement sent to Finn-Arne Johansen <faj@bzz.no>: Extra info received and forwarded to list.
Message #30 received at 386519@bugs.debian.org:
Dieter Simader wrote:
> The sessionid is still there but not used anymore.
>
> If you need more info let me know.
OK, as said - I've tested that the new package installs ok, but I have
not found the time to check how the bug is fixed.
Since I'm under a rather heavy workload now, I doubt that I can make the
time to verify anything else than that the upgrade went ok.
If Raphael understands the patch, I suggest it's uploaded to the
security mirror, and that a DSA is released.
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>: Bug#386519; Package sql-ledger.
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>.
Message #35 received at 386519@bugs.debian.org:
On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
> Dieter Simader wrote:
> > The sessionid is still there but not used anymore.
> >
> > If you need more info let me know.
>
> OK, as said - I've tested that the new package installs ok, but I have
> not found the time to check how the bug is fixed.
>
> Since I'm under a rather heavy workload now, I doubt that I can make the
> time to verify anything else than that the upgrade went ok.
Same for me. I'm rather busy lately and I prepared this patch because it's
a security issue but I do not have time to test the old security-patched
package.
I have no reason to believe that it would cause major pains however.
Petter, maybe you have some time to test the sarge update?
> If Raphael understands the patch, I suggest it's uploaded to the
> security mirror, and that a DSA is released.
Indeed, but I just generated a new version of that update since a second
security issue has been fixed in 2.6.19 (a directory traversal bug). I
also applied the fix for the "new window" function which broke due
to the change in the session id handling.
Please check out the updated package (and patch) at:
http://people.debian.org/~hertzog/sql-ledger/
As soon as Petter (or anyone else) confirms that the package is OK, we
should upload to the security mirror and release a DSA.
Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#386519; Package sql-ledger.
Acknowledgement sent to Finn-Arne Johansen <faj@bzz.no>: Extra info received and forwarded to list.
Message #40 received at 386519@bugs.debian.org:
Raphael Hertzog wrote:
> On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
>> Dieter Simader wrote:
>>> The sessionid is still there but not used anymore.
>>>
>>> If you need more info let me know.
>> OK, as said - I've tested that the new package installs ok, but I have
>> not found the time to check how the bug is fixed.
>>
>> Since I'm under a rather heavy workload now, I doubt that I can make the
>> time to verify anything else than that the upgrade went ok.
>
> Same for me. I'm rather busy lately and I prepared this patch because it's
> a security issue but I do not have time to test the old security-patched
> package.
>
> I have no reason to believe that it would cause major pains however.
> Petter, maybe you have some time to test the sarge update?
>
>> If Raphael understands the patch, I suggest it's uploaded to the
>> security mirror, and that a DSA is released.
>
> Indeed, but I just generated a new version of that update since a second
> security issue has been fixed in 2.6.19 (a directory traversal bug). I
> also applied the fix for the "new window" function which broke due
> to the change in the session id handling.
How did that break?
I'm using 2.4.7-2sarge1, and the "new window" function works as far as I
can see.
So if "new window" should fail to work because of the patch, the patch
is not working, since "new window" works for me. I seldom use that
function; I'd rather right-click and select "open in new TAB".
> Please check out the updated package (and patch) at:
> http://people.debian.org/~hertzog/sql-ledger/
Well, I do run the same version, but I guess you built a new version
with the same version number.
Here is the entry from the changelog on the version I'm using:
sql-ledger (2.4.7-2sarge1) stable-security; urgency=high
* Security upload.
* Fix bad handling of sessionid: CVE-2006-4244
Closes: #386519
-- Raphael Hertzog <hertzog@debian.org> Sun, 10 Sep 2006 21:56:34 +0200
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Information forwarded to debian-bugs-dist@lists.debian.org, Finn-Arne Johansen <faj@bzz.no>: Bug#386519; Package sql-ledger.
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Finn-Arne Johansen <faj@bzz.no>.
Message #45 received at 386519@bugs.debian.org:
On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
> > Indeed, but I just generated a new version of that update since a second
> > security issue has been fixed in 2.6.19 (a directory traversal bug). I
> > also applied the fix for the "new window" function which broke due
> > to the change in the session id handling.
>
> How did that break?
I don't have time to investigate the details, I expected it to be related
to a second login generating a new cookie and thus invalidating the one
used by the first window.
> I'm using 2.4.7-2sarge1, and the "new window" function works as far as I
> can see.
>
> So if "new window" should fail to work because of the patch, the patch
> is not working, since "new window" works for me. I seldom use that
> function; I'd rather right-click and select "open in new TAB".
I don't know really. Dieter, any comment?
> > Please check out the updated package (and patch) at:
> > http://people.debian.org/~hertzog/sql-ledger/
>
> well, I do run the same version, but I guess you built a new version
> with the same version number.
Yes, I rebuilt it with the same version number.
> * Security upload.
> * Fix bad handling of sessionid: CVE-2006-4244
> Closes: #386519
I've added this:
* Fix directory traversal security issues (backported from 2.6.19)
Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
Reply sent to Raphael Hertzog <hertzog@debian.org>: You have taken responsibility.
Notification sent to Chris Morris <c.i.morris@durham.ac.uk>: Bug acknowledged by developer.
Message #50 received at 386519-close@bugs.debian.org:
Source: sql-ledger
Source-Version: 2.4.7-2sarge1
We believe that the bug you reported is fixed in the latest version of
sql-ledger, which is due to be installed in the Debian FTP archive:
sql-ledger_2.4.7-2sarge1.diff.gz
to pool/main/s/sql-ledger/sql-ledger_2.4.7-2sarge1.diff.gz
sql-ledger_2.4.7-2sarge1.dsc
to pool/main/s/sql-ledger/sql-ledger_2.4.7-2sarge1.dsc
sql-ledger_2.4.7-2sarge1_all.deb
to pool/main/s/sql-ledger/sql-ledger_2.4.7-2sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 386519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphael Hertzog <hertzog@debian.org> (supplier of updated sql-ledger package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sun, 26 Nov 2006 11:00:57 +0000
Source: sql-ledger
Binary: sql-ledger
Architecture: source all
Version: 2.4.7-2sarge1
Distribution: stable-security
Urgency: high
Maintainer: Finn-Arne Johansen <faj@bzz.no>
Changed-By: Raphael Hertzog <hertzog@debian.org>
Description:
sql-ledger - A web based double-entry accounting program
Closes: 386519
Changes:
sql-ledger (2.4.7-2sarge1) stable-security; urgency=high
.
* Security upload.
* Fix bad handling of sessionid: CVE-2006-4244
Closes: #386519 (backported from 2.6.18)
* Fix directory traversal security issues (backported from 2.6.19)
* Fix a remote execution vulnerability too (backported from 2.6.21).
Files:
0392c058e58df7deca105cddb2b40ca5 655 web optional sql-ledger_2.4.7-2sarge1.dsc
04c9ffe49045cad569c5a368d7ebaa76 1695610 web optional sql-ledger_2.4.7.orig.tar.gz
45d1d70cfa3c385bf74b38bcccbe584c 18423 web optional sql-ledger_2.4.7-2sarge1.diff.gz
9cd9a4cf9057efc57384fe952bf4751f 1796848 web optional sql-ledger_2.4.7-2sarge1_all.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 19:29:46 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:41:15 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.