
Debian Bug report logs - #659899
CVE-2012-0790: XSS


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 14 Feb 2012 17:06:01 UTC

Severity: grave

Tags: security

Found in version smokeping/2.3.6-5

Fixed in versions 2.3.6-5+squeeze1, 2.6.9-1~exp0, smokeping/2.6.8-2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to tobi@oetiker.ch



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#659899; Package smokeping. (Tue, 14 Feb 2012 17:06:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antoine Beaupré <anarcat@debian.org>. (Tue, 14 Feb 2012 17:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-0790: XSS
Date: Tue, 14 Feb 2012 18:03:03 +0100
Package: smokeping
Severity: grave
Tags: security

This has been assigned CVE-2011-0790:
http://holisticinfosec.org/content/view/188/45/

Patch:
https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Tue, 14 Feb 2012 18:39:07 GMT)


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Tue, 14 Feb 2012 18:39:07 GMT)


Message #10 received at 659899@bugs.debian.org:

From: Antoine Beaupré <anarcat@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Tue, 14 Feb 2012 13:36:52 -0500
I'll work on uploading 2.6.7 to unstable, since it's trivial changes
from 2.6.5, including the security fix.

Then I'll prepare a package for stable. I am not sure it is actually
vulnerable but will try the supplied patch.

I am not sure how to coordinate with the security team here, can you
help me out on that?

Thanks for the report,

A.

-- 
We have no friends but the mountains.
            			- Kurdish saying

Reply sent to Antoine Beaupré <anarcat@debian.org>:
You have taken responsibility. (Tue, 14 Feb 2012 19:06:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 14 Feb 2012 19:06:06 GMT)


Message #15 received at 659899-close@bugs.debian.org:

From: Antoine Beaupré <anarcat@debian.org>
To: 659899-close@bugs.debian.org
Subject: Bug#659899: fixed in smokeping 2.6.7-1
Date: Tue, 14 Feb 2012 19:03:45 +0000
Source: smokeping
Source-Version: 2.6.7-1

We believe that the bug you reported is fixed in the latest version of
smokeping, which is due to be installed in the Debian FTP archive:

smokeping_2.6.7-1.debian.tar.gz
  to main/s/smokeping/smokeping_2.6.7-1.debian.tar.gz
smokeping_2.6.7-1.dsc
  to main/s/smokeping/smokeping_2.6.7-1.dsc
smokeping_2.6.7-1_all.deb
  to main/s/smokeping/smokeping_2.6.7-1_all.deb
smokeping_2.6.7.orig.tar.gz
  to main/s/smokeping/smokeping_2.6.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated smokeping package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 14 Feb 2012 13:30:29 -0500
Source: smokeping
Binary: smokeping
Architecture: source all
Version: 2.6.7-1
Distribution: unstable
Urgency: high
Maintainer: Antoine Beaupré <anarcat@debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description: 
 smokeping  - latency logging and graphing system
Closes: 659899
Changes: 
 smokeping (2.6.7-1) unstable; urgency=high
 .
   * New upstream release to fix CVE-2012-0790 (Closes: #659899)





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659899; Package smokeping. (Tue, 14 Feb 2012 19:42:05 GMT)


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. (Tue, 14 Feb 2012 19:42:05 GMT)


Message #20 received at 659899@bugs.debian.org:

From: Antoine Beaupré <anarcat@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 659899@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#659899: CVE-2011-0790: XSS
Date: Tue, 14 Feb 2012 14:39:05 -0500
Here's a debdiff to fix this issue. I can upload this to stable-security
if it is okay for you guys.

I had to fiddle a bit with the patch to make it fit with 2.3, but I
think it will work. Not sure it is *complete* however, the way 2.3
treats some arguments is different than 2.6, so it may have more
vulnerabilities that could be discovered with a more thorough audit.

Also note that I cannot actually test this patch as I do not run the 2.3
release in production - too old! Besides, the wheezy package runs fine
in squeeze, I don't even need to backport...

A.

[smokeping_2.3.6-5+squeeze.debdiff (text/x-diff, inline)]
diff -u smokeping-2.3.6/debian/changelog smokeping-2.3.6/debian/changelog
--- smokeping-2.3.6/debian/changelog
+++ smokeping-2.3.6/debian/changelog
@@ -1,3 +1,9 @@
+smokeping (2.3.6-5+squeeze1) stable-security; urgency=high
+
+  * Security upgrade to fix CVE-2012-0790 (Closes: #659899)
+
+ -- Antoine Beaupré <anarcat@debian.org>  Tue, 14 Feb 2012 14:02:49 -0500
+
 smokeping (2.3.6-5) unstable; urgency=medium
 
   * debian/patches/20_html-parser.dpatch: fix an incompatibility with
diff -u smokeping-2.3.6/debian/patches/00list smokeping-2.3.6/debian/patches/00list
--- smokeping-2.3.6/debian/patches/00list
+++ smokeping-2.3.6/debian/patches/00list
@@ -3,0 +4 @@
+30_cve-2012-0790.dpatch
only in patch4:
unchanged:
--- smokeping-2.3.6.orig/debian/patches/30_cve-2012-0790.dpatch
+++ smokeping-2.3.6/debian/patches/30_cve-2012-0790.dpatch
@@ -0,0 +1,73 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2012-0790.dpatch by Vincent Danen, ported to 2.3 by Antoine Beaupré
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix for CVE-2012-0790
+
+@DPATCH@
+diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
+index d29a547..b74c3fc 100644
+--- a/lib/Smokeping.pm
++++ b/lib/Smokeping.pm
+@@ -134,8 +134,10 @@ sub cgiurl {
+ sub hierarchy ($){
+     my $q = shift;
+     my $hierarchy = '';
++    my $h = $q->param('hierarchy');
+     if ($q->param('hierarchy')){
+-       $hierarchy = 'hierarchy='.$q->param('hierarchy').';';
++       $h =~ s/[<>&%]/./g;
++       $hierarchy = 'hierarchy='.$h.';';
+     }; 
+     return $hierarchy;
+ }        
+@@ -176,6 +178,7 @@ sub update_dynaddr ($$){
+     my $address = $ENV{REMOTE_ADDR};
+     my $targetptr = $cfg->{Targets};
+     foreach my $step (@target){
++        $step =~ s/[<>&%]/./g; 
+         return "Error: Unknown target $step" 
+           unless defined $targetptr->{$step};
+         $targetptr =  $targetptr->{$step};
+@@ -979,6 +982,7 @@ sub get_detail ($$$
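Review bot: the fix in both `hierarchy` and `update_dynaddr` is a character blacklist applied to the input (`$h =~ s/[<>&%]/./g;` and `$step =~ s/[<>&%]/./g;`) rather than escaping at the point of output; the values still end up in the `hierarchy=` URL fragment and in the `"Error: Unknown target $step"` message, and the more robust change is to HTML-escape them where they are emitted (assuming `$q` is a CGI.pm object, its `escapeHTML` method does this) and URL-encode the `hierarchy` value when it is placed in the URL. Rewriting `%` to `.` also silently corrupts legitimately percent-encoded parameter values, and `update_dynaddr` mutates `$step` before the `defined $targetptr->{$step}` lookup, so a target name containing any of those four characters can no longer be found. Two smaller points: `hierarchy` now stores `$q->param('hierarchy')` in `$h` but the `if` still re-reads `$q->param('hierarchy')`, so the test could simply be `if ($h)`; and the attached debdiff ends mid-header at `@@ -979,6 +982,7 @@ sub get_detail ($$$`, so the third change in the dpatch (the `get_detail` hunk) cannot be reviewed from this message and should be resent in full.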