Hi.

I've prepared an update for oldstable-security based on the upstream commits.


abhijith.
diff -Nru sympa-6.1.23~dfsg/debian/changelog sympa-6.1.23~dfsg/debian/changelog
--- sympa-6.1.23~dfsg/debian/changelog  2018-07-24 21:14:39.000000000 +0200
+++ sympa-6.1.23~dfsg/debian/changelog  2018-09-19 19:15:20.000000000 +0200
@@ -1,3 +1,10 @@
+sympa (6.1.23~dfsg-2+deb8u3) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Security Team.
+  * Fix CVE-2018-1000671: Open redirection vulnerability (Closes: #908165)
+
+ -- Abhijith PA <abhij...@disroot.org>  Wed, 19 Sep 2018 22:45:20 +0530
+
 sympa (6.1.23~dfsg-2+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru sympa-6.1.23~dfsg/debian/patches/CVE-2018-1000671.patch 
sympa-6.1.23~dfsg/debian/patches/CVE-2018-1000671.patch
--- sympa-6.1.23~dfsg/debian/patches/CVE-2018-1000671.patch     1970-01-01 
01:00:00.000000000 +0100
+++ sympa-6.1.23~dfsg/debian/patches/CVE-2018-1000671.patch     2018-09-19 
19:15:20.000000000 +0200
@@ -0,0 +1,95 @@
+Description: CVE-2018-1000671
+ URL Redirection to Untrusted Site ('Open Redirect') vulnerability in The
+ "referer" parameter of the wwsympa.fcgi login action. that can result in Open
+ redirection and reflected XSS via data URIs.
+
+Author: Abhijith PA <abhij...@disroot.org>
+Origin: 
https://github.com/sympa-community/sympa/commit/c6ce32a6c203070702eac45a4442a17d2bf7b0c1
+        
https://github.com/sympa-community/sympa/commit/03314a9baf7f7903283253829877afd0ae50e325
+Bug: https://github.com/sympa-community/sympa/issues/268
+Bug-Debian: https://bugs.debian.org/908165
+Last-Update: 2018-09-19
+
+--- sympa-6.1.23~dfsg.orig/wwsympa/wwsympa.fcgi.in
++++ sympa-6.1.23~dfsg/wwsympa/wwsympa.fcgi.in
+@@ -3029,8 +3029,9 @@ sub do_ticket {
+      my $user;
+      my $next_action;     
+ 
+-     if ($in{'referer'}) {
+-       $param->{'redirect_to'} = &tools::unescape_chars($in{'referer'});
++     my $url_redirect;
++     if ($url_redirect = _clean_referer($in{'referer'})) {
++       $param->{'redirect_to'} = $url_redirect;
+      }elsif ($in{'previous_action'} && 
+            $in{'previous_action'} !~ /^(login|logout|loginrequest)$/) {
+        $next_action = $in{'previous_action'};
+@@ -3076,8 +3077,8 @@ sub do_ticket {
+        if($url_redirect = &is_ldap_user($in{'email'})){
+            $param->{'redirect_to'} = $url_redirect
+                if ($url_redirect && ($url_redirect != 1));
+-       }elsif ($in{'failure_referer'}) {
+-           $param->{'redirect_to'} = $in{'failure_referer'};      
++       } elsif ($url_redirect = _clean_referer($in{'failure_referer'})) {
++           $param->{'redirect_to'} = $url_redirect;       
+        }else{
+            $in{'init_email'} = $in{'email'};
+            $param->{'init_email'} = $in{'email'};
+@@ -3118,12 +3119,14 @@ sub do_ticket {
+        }else{
+            $param->{'login_error'} = 'wrong_password';
+        }
++      
++       my $url_redirect;
+        if ($in{'previous_action'}) {
+            delete $in{'passwd'};
+            $in{'list'} = $in{'previous_list'};
+            return  $in{'previous_action'};
+-       }elsif ($in{'failure_referer'}) {
+-           $param->{'redirect_to'} = $in{'failure_referer'};      
++       } elsif ($url_redirect = _clean_referer($in{'failure_referer'})) {
++           $param->{'redirect_to'} = $url_redirect;       
+        }else {
+            return  'renewpasswd';
+        }
+@@ -3204,6 +3207,29 @@ sub do_ticket {
+ 
+  }
+ 
++sub _clean_referer {
++    my $referer = shift;
++
++    return undef
++        unless $referer and $referer =~ m{\Ahttps?://}i;
++
++    # Allow referer within scope of cookie domain.
++    my $host  = lc(URI->new($referer)->host);
++    my $mydom = lc($param->{'cookie_domain'} || 'localhost');
++    if ($mydom eq 'localhost') {
++        my $myhost = Sympa::WWW::Tools::get_http_host() || '';
++        $myhost =~ s/:\d+\z//;
++        return undef
++            unless $host eq $myhost;
++    } else {
++        $mydom =~ s/\A(?![.])/./;
++        return undef
++            unless substr($host, -length $mydom) eq $mydom
++            or ".$host" eq $mydom;
++    }
++    return $referer;
++}
++
+ ## Login WWSympa
+ ## The sso_login action is made of 4 subactions that make a complete workflow.
+ ## Note that this comlexe workflow is only used if the SSO server does not 
provide
+@@ -17002,7 +17028,9 @@ sub new_d_read {
+      ### File or directory ?
+      if ($document->{'type'} eq 'url') { 
+        $param->{'file_extension'} = $document->{'file_extension'};
+-       $param->{'redirect_to'} = $document->{'url'};
++       $param->{'redirect_to'} = $document->{'url'}
++           if $document->{'url'}
++           and $document->{'url'} =~ m{\Ahttps?://}i;
+        return 1;
+ 
+      }elsif ($document->{'type'} eq 'file') {
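Review bot: `_clean_referer` calls `Sympa::WWW::Tools::get_http_host()` and `URI->new`, but this diff shows neither a `use URI;` nor that module, and the surrounding 6.1.23 code still uses the old `tools::` namespace (see the `&tools::unescape_chars` call removed in the first hunk); the name appears to be carried over from the 6.2 upstream commit, so please confirm both resolve in the jessie tree, otherwise the `localhost` branch would die with an undefined-subroutine error on the first login on an install with no `cookie_domain` set. That same branch also compares hosts without requiring either side to be non-empty, so when `get_http_host()` falls back to `''` the `$host eq $myhost` test passes for a referer whose host part is empty or undefined; adding `return undef unless defined $host and length $host;` right after `$host` is computed makes the check fail closed. The `return undef` statements could be bare `return;` per perlcritic, though every caller here uses scalar context so behaviour is unchanged. The enclosing `do_ticket` body is only partially visible in these hunks.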
diff -Nru sympa-6.1.23~dfsg/debian/patches/series 
sympa-6.1.23~dfsg/debian/patches/series
--- sympa-6.1.23~dfsg/debian/patches/series     2018-07-24 21:14:39.000000000 
+0200
+++ sympa-6.1.23~dfsg/debian/patches/series     2018-09-19 19:15:20.000000000 
+0200
@@ -9,3 +9,4 @@
 2001_ca_bundle_check_as_warning.patch
 2006_disable_cssupdated_email_on_update.patch
 CVE-2018-1000550.patch
+CVE-2018-1000671.patch
