Your message dated Sun, 13 Oct 2024 13:49:05 +0000
with message-id <[email protected]>
and subject line Bug#1031542: fixed in dbeacon 0.4.0-3
has caused the Debian Bug report #1031542,
regarding dbeacon: XSS Vulnerability in matrix.pl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1031542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031542
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dbeacon
Version: 0.4.0-2+b2
Severity: important
Tags: patch upstream

Dear Maintainer,

the included CGI script /usr/share/dbeacon/matrix.pl is vulnerable to
XSS attacks as it does not do proper input validation.

A patch that mitigates the problem is included.

Cheers,

 Raoul

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-5-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dbeacon depends on:
ii  adduser                    3.131
ii  libc6                      2.36-8
ii  libgcc-s1                  12.2.0-14
ii  libstdc++6                 12.2.0-14
ii  lsb-base                   11.6
ii  sysvinit-utils [lsb-base]  3.06-2

Versions of packages dbeacon recommends:
ii  libxml-parser-perl  2.46-4
ii  perl                5.36.0-7

Versions of packages dbeacon suggests:
pn  librrds-perl  <none>

-- no debconf information
--- /usr/share/dbeacon/matrix.pl        2016-06-20 13:46:15.000000000 +0200
+++ matrix.pl   2023-02-18 09:20:28.861711524 +0100
@@ -10,7 +10,7 @@
 #
 #   Perl code improvement suggestions by Marco d'Itri
 
-use CGI;
+use CGI; use HTML::Entities;
 use XML::Parser;
 use POSIX qw(strftime);
 use Time::HiRes qw(gettimeofday tv_interval);
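Review bot: style point on the `+use CGI; use HTML::Entities;` line: keep one `use` per line, as the neighbouring `use XML::Parser;` and `use POSIX qw(strftime);` lines do, and import the function explicitly (`use HTML::Entities qw(encode_entities);`) so the later calls can read `encode_entities($x)` instead of the fully qualified `HTML::Entities::encode(...)` repeated on every line.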
@@ -97,13 +97,13 @@
 my $page = new CGI;
 my $url = $page->script_name().'?';
 
-my $dst = $page->param('dst');
-my $src = $page->param('src');
-my $type = $page->param('type');
-my $age = $page->param('age');
-my $at = $page->param('at');
+my $dst = $page->param('dst');         $dst = HTML::Entities::encode($dst);
+my $src = $page->param('src');         $src = HTML::Entities::encode($src);
+my $type = $page->param('type');       $type = HTML::Entities::encode($type);
+my $age = $page->param('age');         $age = HTML::Entities::encode($age);
+my $at = $page->param('at');           $at = HTML::Entities::encode($at);
 
-my $beacon_id = $page->param('id');
+my $beacon_id = $page->param('id');    $beacon_id = 
HTML::Entities::encode($beacon_id);
 if ($beacon_id) {
     -d $beacon_config_base && -f "$beacon_config_base/$beacon_id/matrix.conf" 
        && do "$beacon_config_base/$beacon_id/matrix.conf";
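Review bot: `$beacon_id` is entity-encoded and then interpolated into `"$beacon_config_base/$beacon_id/matrix.conf"`, which is handed to `do`; HTML encoding is the wrong check for a filesystem sink, since it leaves `.` and `/` untouched. Validate `id` against a strict allowlist such as `/\A[A-Za-z0-9_-]+\z/` before it becomes a path component, and keep the entity encoding for the places where the value is printed into HTML. Separately, the line `+my $beacon_id = $page->param('id');    $beacon_id = ` continues on a following line (`HTML::Entities::encode($beacon_id);`) that carries no `+` prefix, so the patch as mailed has been line-wrapped and will not apply with `patch`; please resend it as an attachment so the hunks survive intact.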
@@ -171,11 +171,11 @@
 sub build_vertex_one {
        my ($dstaddr, $srcaddr, $index, $path) = @_;
 
-       my ($start, $step, $names, $data);
+       my ($start, $step, $names, $data); my $at = $page->param('at'); $at = 
HTML::Entities::encode($at);
 
        ($start, $step, $names, $data) =
                $RRDs::{fetch}($path, 'AVERAGE', '-s',
-               $page->param('at'), '-e', $page->param('at'));
+               $at, '-e', $at);
 
        return [-1, -1] if $RRDs::{error};
 
@@ -497,7 +497,7 @@
 
                printx '<select name="offset" style="margin-left: 0.5em; 
margin-right: 0.5em">'."\n";
 
-               my $ammount = $page->param('ammount');
+               my $ammount = $page->param('ammount'); $ammount = 
HTML::Entities::encode($ammount);
                $ammount ||= 60;
 
                my @ammounts = ([60, '60 s'], [600, '10m'], [3600, '1h'], 
[14400, '4h'], [43200, '12h'], [86400, '24h'], [604800, '7d'], [2592000, 
'30d']);
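Review bot: `$ammount` is a numeric offset, as `$ammount ||= 60` and the `@ammounts` table of seconds show, so entity-encoding it does not constrain it: a value like `60<b>` becomes a non-numeric string that `||=` leaves untouched. Check for a positive integer and otherwise fall back to 60, e.g. `$ammount = 60 unless defined $ammount && $ammount =~ /\A[0-9]+\z/;`, which makes the later encode call unnecessary for this parameter.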
@@ -718,11 +718,11 @@
 sub render_matrix {
        my ($start, $step) = @_;
 
-       my $attname = $page->param('att');
-       my $atthideinfo = $page->param('hideinfo');
-       my $attwhat = $page->param('what');
-       my $full_matrix = $page->param('full');
-       my $show_lastupdate = $page->param('showlastupdate');
+       my $attname = $page->param('att');                      $attname = 
HTML::Entities::encode($attname);
+       my $atthideinfo = $page->param('hideinfo');             $atthideinfo = 
HTML::Entities::encode($atthideinfo);
+       my $attwhat = $page->param('what');                     $attwhat = 
HTML::Entities::encode($attwhat);
+       my $full_matrix = $page->param('full');                 $full_matrix = 
HTML::Entities::encode($full_matrix);
+       my $show_lastupdate = $page->param('showlastupdate');   
$show_lastupdate = HTML::Entities::encode($show_lastupdate);
 
        $attname ||= 'ttl';
        $atthideinfo ||= $default_hideinfo;
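Review bot: encoding every `render_matrix` parameter at read time means all later uses see the entity-encoded string, not only the HTML output: flag-like values such as `$atthideinfo` and `$full_matrix` are compared rather than printed, and any output path that already encodes will double-encode. The more robust shape is a per-parameter allowlist at read time (`$attname`, defaulting to `'ttl'`, and the boolean flags are natural candidates for a `qr/\A(?:...)\z/` of permitted values) with `encode_entities` applied at the `printx` call sites where a value is actually emitted into HTML.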
@@ -733,7 +733,7 @@
 
        $what_td = 'colspan="2"' if $attwhat eq 'both';
 
-       my $attat = $page->param('at');
+       my $attat = $page->param('at'); $attat = HTML::Entities::encode($attat);
        $attat = 0 if not defined $attat or $attat eq '';
 
        my $addinfo = '';

--- End Message ---
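The hardening the report asks for, written out as an added example in Perl; this is not code from dbeacon, from matrix.pl or from the patch above. It stands in for `$page->param(...)` with a constructed hash, assumes a hypothetical config base directory and hypothetical enum values for the `what` parameter, and shows the two halves that entity encoding alone does not give: a per-context allowlist when a parameter is read (path component, integer, enum) and `encode_entities` applied only where a value is written into HTML.

```perl
#!/usr/bin/perl
# Added example, not code from dbeacon or from the patch above: validate each
# CGI parameter for the context it is used in, and HTML-encode only at output.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Allowlist per parameter, chosen from how matrix.pl uses the value.
# 'id' becomes a directory name, so dots and slashes are excluded outright;
# 'at', 'ammount' and 'age' reach RRDs::fetch or arithmetic, so integers only;
# 'what' is a small enum (values assumed for this example).
my %rule = (
    id      => qr/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/,
    at      => qr/\A-?[0-9]{1,12}\z/,
    ammount => qr/\A[0-9]{1,9}\z/,
    age     => qr/\A[0-9]{1,9}\z/,
    what    => qr/\A(?:ttl|both)\z/,
);

# Return the parameter when present and matching its allowlist, else $default.
sub clean_param {
    my ($params, $name, $default) = @_;
    my $v = $params->{$name};
    return $default unless defined $v && $v =~ $rule{$name};
    return $v;
}

# Build the per-beacon config path only from a validated id; undef otherwise.
sub config_path {
    my ($base, $id) = @_;
    return undef unless defined $id && $id =~ $rule{id};
    return "$base/$id/matrix.conf";
}

# Render the offset <select>; every string is encoded at this output boundary,
# so the validated raw values stay usable for numeric and file work elsewhere.
sub render_offset_select {
    my ($selected, @choices) = @_;
    my $html = qq{<select name="offset">\n};
    for my $choice (@choices) {
        my ($secs, $label) = @$choice;
        my $sel = ($secs == $selected) ? ' selected' : '';
        $html .= sprintf(qq{<option value="%s"%s>%s</option>\n},
                         encode_entities($secs), $sel, encode_entities($label));
    }
    return $html . "</select>\n";
}

# Constructed request, standing in for the $page->param(...) calls.
my %query = (
    id      => 'x/../y',   # rejected: '/' and '.' are outside the allowlist
    at      => '1700000000',
    ammount => '60<b>',    # rejected: not an integer, so the default applies
    what    => 'both',
);

my $id   = clean_param(\%query, 'id');
my $at   = clean_param(\%query, 'at', 0);
my $amm  = clean_param(\%query, 'ammount', 60);
my $what = clean_param(\%query, 'what', 'ttl');

# Hypothetical base directory; dbeacon's real $beacon_config_base is not shown.
my $conf = config_path('/srv/example-beacon-config', $id);
print defined $conf ? "config: $conf\n" : "config: none (id rejected)\n";
print "at=$at ammount=$amm what=$what\n";
print render_offset_select($amm, [60, '60 s'], [600, '10m'], [3600, '1h']);
```

Run it with `perl matrix_params_example.pl`; the rejected `id` yields no config path, the malformed `ammount` falls back to 60, and the rendered `<select>` is the only place where encoding happens, so the integer and path checks never see entity-encoded input.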
--- Begin Message ---
Source: dbeacon
Source-Version: 0.4.0-3
Done: Andreas Tille <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dbeacon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <[email protected]> (supplier of updated dbeacon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 13 Oct 2024 15:28:52 +0200
Source: dbeacon
Architecture: source
Version: 0.4.0-3
Distribution: unstable
Urgency: medium
Maintainer: Package Salvaging Team <[email protected]>
Changed-By: Andreas Tille <[email protected]>
Closes: 986958 1031542
Changes:
 dbeacon (0.4.0-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Andreas Tille ]
   * Remove retired Uploader, make Package Salvage team Maintainer since
     pkg-netmeasure team does not yet exist any more
     Closes: #986958
   * Add debian/README.Debian
   * Add watch file
   * Standards-Version: 4.7.0 (routine-update)
   * debhelper-compat 13 (routine-update)
   * Remove trailing whitespace in debian/control (routine-update)
   * Remove trailing whitespace in debian/copyright (routine-update)
   * Rules-Requires-Root: no (routine-update)
   * Trim trailing whitespace.
   * Drop unnecessary dh arguments: --with=systemd
   * Fix day-of-week for changelog entry 0.1-1.
   * Drop lsb-base from Depends
   * DEP5
 .
   [ Raoul Gunnar Borenius ]
   * Fix XSS Vulnerability in matrix.pl
     Closes: #1031542
Checksums-Sha1:
 b147337f3767406367784e6536510eecf9d5a2b4 1869 dbeacon_0.4.0-3.dsc
 891a9a4d3471c606f5e90daf2e6d23f1addad3dd 5000 dbeacon_0.4.0-3.debian.tar.xz
 4a03db98a8ce038ea2e8b2734aa89e21177f2540 6163 dbeacon_0.4.0-3_amd64.buildinfo
Checksums-Sha256:
 334baac58a2904a8a819f2415983bd6dd87893de02ef8afbeb28aaf35f86aaf1 1869 dbeacon_0.4.0-3.dsc
 ee5499a8c09aaf331e66ecdeb47970afbdbd3558dbfc09b90be78629f76e4ef4 5000 dbeacon_0.4.0-3.debian.tar.xz
 d219c4dceb3f6a46512cec41108f8866bd84abab6121c4fa037edc41d2b206e6 6163 dbeacon_0.4.0-3_amd64.buildinfo
Files:
 b9ab112dce7db2b841f6927e7ca5b3c8 1869 net optional dbeacon_0.4.0-3.dsc
 7c3f56498b1993b0f06592019db6c235 5000 net optional dbeacon_0.4.0-3.debian.tar.xz
 df9823713e1b44a553fadc8d1e59774c 6163 net optional dbeacon_0.4.0-3_amd64.buildinfo


--- End Message ---
