CVE-2007-5615: CRLF injection vulnerability

Debian Bug report logs - #454529
CVE-2007-5615: CRLF injection vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2007-5615: CRLF injection vulnerability

Date: Wed, 05 Dec 2007 23:37:42 +0100

Package: jetty
Severity: normal
Tags: security

Hi

The following CVE[0] has been issued against jetty:

CVE-2007-5615:

CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via unspecified vectors. 

Please mention the CVE id in the changelog, when you fix this bug.
Thanks for your efforts.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615

Message #10 received at 454529@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: 454529@bugs.debian.org

Subject: two more CVEs

Date: Wed, 5 Dec 2007 23:45:41 +0100

[Message part 1 (text/plain, inline)]

Hi

There have been two more CVEs[0][1] for jetty:

CVE-2007-5613:

Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty 
before 6.1.6rc1 allows remote attackers to inject arbitrary web script or 
HTML via unspecified parameters and cookies.


CVE-2007-5614:

Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote 
sequences" in HTML cookie parameters, which allows remote attackers to hijack 
browser sessions via unspecified vectors.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 454529@bugs.debian.org (full text, mbox, reply):

From: Michael Koch <konqueror@gmx.de>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 454529@bugs.debian.org

Subject: Re: Bug#454529: two more CVEs

Date: Wed, 19 Dec 2007 14:34:15 +0100

On Wed, Dec 05, 2007 at 11:45:41PM +0100, Steffen Joeris wrote:
> Hi
> 
> There have been two more CVEs[0][1] for jetty:
> 
> CVE-2007-5613:
> 
> Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty 
> before 6.1.6rc1 allows remote attackers to inject arbitrary web script or 
> HTML via unspecified parameters and cookies.
> 
> 
> CVE-2007-5614:
> 
> Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote 
> sequences" in HTML cookie parameters, which allows remote attackers to hijack 
> browser sessions via unspecified vectors.

I have spoken with upstream about these three issues and they are
working on a solution for Jetty 5.1 for this. For Jetty 6 (which is not
yet in Debian) the issue was easy to fix due to its design. Jetty 5.1
needs some major work.


Cheers,
Michael

Message #22 received at 454529@bugs.debian.org (full text, mbox, reply):

From: Greg Wilkins <gregw@mortbay.com>

To: 454529@bugs.debian.org

Subject: fixes for jetty

Date: Fri, 04 Jul 2008 09:28:51 +1000

[Message part 1 (text/plain, inline)]

Hi,

I see that debian is still shipping Jetty 5 rather than jetty 6 (which has these issues
fixed).

Long overdue, I've created a patch for jetty 5 to fix these minor security issues.

see: http://docs.codehaus.org/display/JETTY/Jetty+Security

patch attached.

regards

[CERT438616-CERT237888-CERT21284.patch (text/x-diff, inline)]

? .classpath
? .project
? .settings
? CERT438616-CERT237888-CERT21284.patch
? t404.jsp
? t404.jsp.1
? demo/webapps/jetty/LICENSE.TXT
? demo/webapps/jetty/readme.txt
? demo/webapps/jetty/t404.jsp
? demo/webapps/jetty/versions.txt
? demo/webapps/root/XMLSchema.dtd
? demo/webapps/root/configure_1_3.dtd
? demo/webapps/root/datatypes.dtd
? etc/test.xml
? etc/webdefault.xml
? lib/org.mortbay.jmx.jar
? webapps/template/WEB-INF/classes
Index: src/org/mortbay/http/HttpFields.java
===================================================================
RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/http/HttpFields.java,v
retrieving revision 1.77
diff -r1.77 HttpFields.java
1461a1462
>                 value=StringUtil.noCRLF(value);
Index: src/org/mortbay/http/HttpResponse.java
===================================================================
RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/http/HttpResponse.java,v
retrieving revision 1.62
diff -r1.62 HttpResponse.java
21a22
> import java.util.Date;
22a24
> import java.util.List;
462a465,519
>     public void addDateField(String name, Date date)
>     {
>         super.addDateField(sanitize(name),date);
>     }
> 
>     public void addDateField(String name, long date)
>     {
>         super.addDateField(sanitize(name),date);
>     }
> 
>     public void addField(String name, String value) throws IllegalStateException
>     {
>         super.addField(sanitize(name),sanitize(value));
>     }
> 
>     public void addIntField(String name, int value)
>     {
>         super.addIntField(sanitize(name),value);
>     }
> 
>     public void setContentType(String contentType)
>     {
>         super.setContentType(sanitize(contentType));
>     }
> 
>     public void setDateField(String name, Date date)
>     {
>         super.setDateField(sanitize(name),date);
>     }
> 
>     public void setDateField(String name, long date)
>     {
>         super.setDateField(sanitize(name),date);
>     }
> 
>     public void setField(String name, List value)
>     {
>         super.setField(sanitize(name),value);
>     }
> 
>     public String setField(String name, String value)
>     {
>         return super.setField(sanitize(name),sanitize(value));
>     }
> 
>     public void setIntField(String name, int value)
>     {
>         super.setIntField(sanitize(name),value);
>     }
> 
>     private String sanitize(String s)
>     {
>         return StringUtil.noCRLF(s);
>     }
>     
Index: src/org/mortbay/servlet/Dump.java
===================================================================
RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/servlet/Dump.java,v
retrieving revision 1.42
diff -r1.42 Dump.java
46a47
> import org.mortbay.util.StringUtil;
169a171,173
>         response.setHeader("Ok","value");
>         response.setHeader("ztu\r\n\r\npid","val\r\n\r\nue");
>         response.addCookie(new Cookie("Stu'pid","val\r\n\r\nue"));
177c181,198
<             Table table= new Table(0).cellPadding(0).cellSpacing(0);
---
>             Table table= new Table(0)
>             {
>                 public Table addCell(Object o)
>                 {
>                     if (o!=null && o instanceof String)
>                     {
>                         String s = (String)o;
>                         s=StringUtil.replace(s,"\r\n","<br/>");
>                         s=StringUtil.replace(s,"\n","<br/>");
>                         s=StringUtil.replace(s,"<","&lt;");
>                         s=StringUtil.replace(s,">","&gt;");
>                         o=s;
>                     }
>                     return super.addCell(o);
>                 }
>             };
>             
>             table.cellPadding(0).cellSpacing(0);
360c381
<                 table.addCell("<pre>" + toString(request.getAttribute(name)) + "</pre>");
---
>                 table.addCell(toString(request.getAttribute(name)));
378c399
<                 table.addCell("<pre>" + toString(getInitParameter(name)) + "</pre>");
---
>                 table.addCell(toString(getInitParameter(name)));
395c416
<                 table.addCell("<pre>" + toString(getServletContext().getInitParameter(name)) + "</pre>");
---
>                 table.addCell(toString(getServletContext().getInitParameter(name)));
412c433
<                 table.addCell("<pre>" + toString(getServletContext().getAttribute(name)) + "</pre>");
---
>                 table.addCell(toString(getServletContext().getAttribute(name)));
435c456
<                     table.addCell("<pre>" + multi.getString(parts[p]) + "</pre>");
---
>                     table.addCell(multi.getString(parts[p]));
Index: src/org/mortbay/util/StringUtil.java
===================================================================
RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/util/StringUtil.java,v
retrieving revision 1.16
diff -r1.16 StringUtil.java
286a287,292
> 
>     /* ------------------------------------------------------------ */
>     public static String noCRLF(String s)
>     {
>         if (s==null || s.length()==0)
>             return s;
287a294,334
>         StringBuffer buf = null;
>         int i=0;
>         loop:
>         for (;i<s.length();i++)
>         {
>             char c = s.charAt(i);
>             switch(c)
>             {
>                 case 0:
>                 case '\n':
>                 case '\r':
>                 {
>                     buf=new StringBuffer(s.length());
>                     buf.append(s,0,i);
>                     buf.append('.');
>                     break loop;
>                 }
>                 default:
>             }
>         }
>         
>         if (buf==null)
>             return s;
> 
>         for (;i<s.length();i++)
>         {
>             char c = s.charAt(i);
>             switch(c)
>             {
>                 case 0:
>                 case '\n':
>                 case '\r':
>                     buf.append('.');
>                     break;
>                 default:
>                     buf.append(c);
>             }
>         }
>        
>         return buf.toString();
>     }

Message #31 received at 454529-done@bugs.debian.org (full text, mbox, reply):

From: Niels Thykier <niels@thykier.net>

To: 454529-done@bugs.debian.org

Subject: Fixed - just not closed.

Date: Tue, 25 Aug 2009 09:43:59 +0200

[Message part 1 (text/plain, inline)]

Hi
	
This was fixed in 6.1.19-1, but never closed. The CVE was not in the
changelog, however I have filed a new bug asking the jetty uploaders to
fix this (#543462).
	
~Niels

[signature.asc (application/pgp-signature, attachment)]

Message #36 received at 454529-close@bugs.debian.org (full text, mbox, reply):

From: Torsten Werner <twerner@debian.org>

To: 454529-close@bugs.debian.org

Subject: Bug#454529: fixed in jetty 6.1.20-1

Date: Sun, 06 Sep 2009 21:34:39 +0000

Source: jetty
Source-Version: 6.1.20-1

We believe that the bug you reported is fixed in the latest version of
jetty, which is due to be installed in the Debian FTP archive:

jetty_6.1.20-1.diff.gz
  to pool/main/j/jetty/jetty_6.1.20-1.diff.gz
jetty_6.1.20-1.dsc
  to pool/main/j/jetty/jetty_6.1.20-1.dsc
jetty_6.1.20-1_all.deb
  to pool/main/j/jetty/jetty_6.1.20-1_all.deb
jetty_6.1.20.orig.tar.gz
  to pool/main/j/jetty/jetty_6.1.20.orig.tar.gz
libjetty-extra-java_6.1.20-1_all.deb
  to pool/main/j/jetty/libjetty-extra-java_6.1.20-1_all.deb
libjetty-java-doc_6.1.20-1_all.deb
  to pool/main/j/jetty/libjetty-java-doc_6.1.20-1_all.deb
libjetty-java_6.1.20-1_all.deb
  to pool/main/j/jetty/libjetty-java_6.1.20-1_all.deb
libjetty-setuid-java_6.1.20-1_amd64.deb
  to pool/main/j/jetty/libjetty-setuid-java_6.1.20-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 454529@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Torsten Werner <twerner@debian.org> (supplier of updated jetty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 06 Sep 2009 23:06:45 +0200
Source: jetty
Binary: libjetty-java libjetty-java-doc libjetty-extra-java libjetty-setuid-java jetty
Architecture: source all amd64
Version: 6.1.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Torsten Werner <twerner@debian.org>
Description: 
 jetty      - Java servlet engine and webserver
 libjetty-extra-java - Java servlet engine and webserver -- extra libraries
 libjetty-java - Java servlet engine and webserver -- core libraries
 libjetty-java-doc - Javadoc for the Jetty API
 libjetty-setuid-java - Java servlet engine and webserver -- extra libraries
Closes: 425152 452586 454529 454529 458399 498582 527571 527571 528389 528389 530720 540861 543462
Changes: 
 jetty (6.1.20-1) unstable; urgency=medium
 .
   [ Niels Thykier ]
   * New upstream release.
   * Stop using Build-Depends-Indep, since the policy and the build
     daemons disagree on when it should be used (Closes: #540861).
   * Corrected jetty.install to reflect the move of some license files
     in the source tree.
   * Bumped to Standard-Versions 3.8.3 - no changes required.
   * Updated jetty.post{install,rm} scripts to use "set -e" instead of
     passing it to sh.
   * Installed "VERSION.txt" as upstream changelog.
   * A previous version (6.1.18-1) fixed the following security problems, which
     were not mentioned in the changelog: CVE-2007-5613, CVE-2007-5614,
     CVE-2007-5615, CVE-2009-1523, and CVE-2009-1524 (see below for more
     information).
 .
   [ Torsten Werner ]
   * Set urgency to medium because this version fixes a FTBFS.
 .
 jetty (6.1.19-2) unstable; urgency=low
 .
   * Upload to unstable.
 .
 jetty (6.1.19-1) experimental; urgency=low
 .
   [ Ludovic Claude ]
   * New upstream release fixing a security vulnerability
     (cookies are not secure if you are running behind a netscaler).
   * Remove the bootstrap patch as it has been added upstream and update
     the build to use the new start-daemon component.
   * Remove the Build-Depend on quilt as the patch is not needed anymore.
   * Add the Maven POM to the package.
   * Add a Build-Depends dependency on maven-repo-helper.
   * Use mh_installpom and mh_installjar to install the POM and the jar to the
     Maven repository.
   * Add optional support for web applications located in /usr/share/webapps.
   * Add a cron job that cleans up the old log files in /var/log/jetty.
   * Register the Javadoc into Debian documentation and put it in a
     separate package (libjetty-java-doc).
   * Use openjdk-6-jdk for the build; add a Build-Depends on this
     package. Required to build the javadoc.
   * Update debian/copyright (patch provided by Jan Pascal Vanbest
     <janpascal@vanbest.org>).
 .
   [ Torsten Werner ]
   * Add myself to Uploaders.
   * Update Standards-Version: 3.8.2.
   * Move package libjetty-java-doc to Section: doc.
   * Fix init script: check for /etc/default/rcS before reading it.
 .
 jetty (6.1.18-1) unstable; urgency=low
 .
   [Ludovic Claude]
   * Add myself to Uploaders.
   * Change the build dependency on java-gcj to default-jdk.
   * Add init.d startup script.
   * Add dependencies on ant, libslf4j-java, libxerces2-java, libtomcat6-java
     for libjetty-extra-java, add links for the lib folder.
   * Add dependency on jsvc to run jetty as a daemon.
   * Add the package libjetty-setuid-java for the Setuid module (with native
     code).
   * Add an index page used when Jetty starts.
   * Use latest jasper from Tomcat to provide jsp 2.1 instead of
     Glassfish JSP implementation as in the standard distribution.
   * Add tools.jar to the classpath to be able to run JSP (Closes: #452586).
   * Fix Lintian warnings: add ${misc:Depends} to all Depends.
   * Move jetty to main as all its dependencies are in main,
     and jetty contains only code that complies with Debian guidelines,
     use java section like tomcat6
     (Closes: #498582).
   * Do not depend on tomcat 5.5 (Closes: #530720, #458399).
   * Remove empty prerm and preinst scripts.
   * Remove old patches that don't apply anymore.
   * Update copyright and remove full text of Apache license.
   * Bump up compat to 6 and Standards-Version to 3.8.1.
 .
   [David Yu]
   * New upstream release for jetty
     (Closes: #528389, #527571, #454529, #425152).
   * Fixed jetty.links. Now delegates install of start.jar to libjetty-java.
 .
   [ Torsten Werner ]
   * fixes several security issues:
     - CVE-2007-5613: Cross-site scripting (XSS) vulnerability in Dump Servlet.
     - CVE-2007-5614: Quote Sequence vulnerability.
     - CVE-2007-5615: CRLF injection vulnerability.
     - CVE-2009-1523: Directory traversal vulnerability in the HTTP server in
     Mort Bay Jetty.
     - CVE-2009-1524: Cross-site scripting (XSS) vulnerability in Mort
     Bay Jetty.
     (Closes: #454529, #528389, #527571, #543462).
Checksums-Sha1: 
 cc9fa191dd73d66aedcef05acee5e2d9b1d8016c 1605 jetty_6.1.20-1.dsc
 cc2c8784dd9d25be5a89fe3315ef1ab481d0cdba 2051081 jetty_6.1.20.orig.tar.gz
 fd0b083a6b199d0aebf6b15f5796f006f4333460 18125 jetty_6.1.20-1.diff.gz
 e31651813c90383cb7ddc1cc8069fdfbe082ef5e 769390 libjetty-java_6.1.20-1_all.deb
 29182c16ef3ae40947429305ebc251f7d2b34985 745354 libjetty-java-doc_6.1.20-1_all.deb
 cf455696221952ccee11e5fb04399792a28fe582 254872 libjetty-extra-java_6.1.20-1_all.deb
 4f55ca9d4a04773025e26ab7ba410934f4a6e7d1 848986 jetty_6.1.20-1_all.deb
 7642167b67aed0614c2c6eb3f9d92abff97ab4eb 68278 libjetty-setuid-java_6.1.20-1_amd64.deb
Checksums-Sha256: 
 270ee8453b154f2c9c41e99c14328da7e68eabdfeb1a8bc403e0e8ac4cfbc80a 1605 jetty_6.1.20-1.dsc
 213a436999ce5614869a359335c834a7dbb61c4aa94e018e9a801fbc59ffcb49 2051081 jetty_6.1.20.orig.tar.gz
 dce11b30abcfda11e9b943d3d5cdf560018c020b411e33b42fd1851fa9dbb1fa 18125 jetty_6.1.20-1.diff.gz
 70a60804575b8fd95d730a29d5990140d09a7c046a3fccd13064d1590344bdc4 769390 libjetty-java_6.1.20-1_all.deb
 00ac7ffc3c7df0a0ad539c36e65dc8043d62a199c29c200bcff999c5b17b3922 745354 libjetty-java-doc_6.1.20-1_all.deb
 2139cb11284b339c8c88f94c3dba37fd30696896edad54caddd534437935342e 254872 libjetty-extra-java_6.1.20-1_all.deb
 fae4889da4f0e8769557943164325ead0e2ba0fc5b01d1845171dc4e4764ec8a 848986 jetty_6.1.20-1_all.deb
 5b7e3056d86908840d213320485c73d2fce10fc4b383f3ea8338853e70e94636 68278 libjetty-setuid-java_6.1.20-1_amd64.deb
Files: 
 6951ff5cd4d591e4ecdc3fde42ce1d8b 1605 java optional jetty_6.1.20-1.dsc
 891a807131b74b67e2ebaf3c631614e1 2051081 java optional jetty_6.1.20.orig.tar.gz
 c1f0540c34722f8c70001a47525f6c1a 18125 java optional jetty_6.1.20-1.diff.gz
 4252291b405972d97b2434e22d99a7ab 769390 java optional libjetty-java_6.1.20-1_all.deb
 8aa6ee5712c6ad84057cd0aec4223740 745354 doc optional libjetty-java-doc_6.1.20-1_all.deb
 20fe0fb192e5a6b7b98abc0e692f5a8d 254872 java optional libjetty-extra-java_6.1.20-1_all.deb
 508bf888d8d5f68e6320c5dafdc39541 848986 java optional jetty_6.1.20-1_all.deb
 4084484c2e3bd42fd01199f6d1c9986e 68278 java optional libjetty-setuid-java_6.1.20-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqkJ2MACgkQfY3dicTPjsOt4ACgjKmi/dkLbrgo+WbHmryTATFG
/VkAn2OKy6HFaZe6ChA28efD7B+fa26S
=vKvG
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.