Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I would like to submit to your consideration an update to ntopng in
stretch.

The main bug that triggered this upload is #856048, which causes the
user management and preferences section of the web interface to
be unusable.

The fix is already in version 2.4+dfsg1-4 in unstable.

There are three additional important issues from 2.4+dfsg1-4 that I
think it would make sense to include:
- #859653 which causes ntopng to crash if the mysql backend is selected.
  This change only affects mysql users. On the other hand, these are
  obvious use-after-free and out-of-bounds memory access issues.
- #866721 and #866719, which are security-related issues. Do you want
  me to reach out to the security team about these first? Do we need to
  treat the whole update as a security one instead, or split it?

debdiff attached.

Thank you,
Ludovico


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (470, 'unstable'), (460, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ntopng-2.4+dfsg1/debian/changelog ntopng-2.4+dfsg1/debian/changelog
--- ntopng-2.4+dfsg1/debian/changelog   2017-02-04 04:43:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/changelog   2017-12-24 21:18:54.000000000 +0100
@@ -1,8 +1,22 @@
-ntopng (2.4+dfsg1-3) unstable; urgency=high
+ntopng (2.4+dfsg1-3+deb9u1) stretch; urgency=medium
+
+  * Update Check-for-presence-of-crsf-in-admin-scripts.patch to avoid the
+    'Missing CSRF parameter' error (Closes: #856048).
+  * Add CVE-2017-7458.patch to prevent an empty host to crash ntopng
+    (Closes: #866721, CVE-2017-7458).
+  * Add CVE-2017-7459.patch to prevent \r\n from being injected into HTTP URIs
+    (Closes: #866719, CVE-2017-7459).
+  * Add Avoid-access-after-free.patch and
+    Avoid-access-to-unintialized-memory.patch to fix crash with mysql (thanks
+    to Bernhard Übelacker, Closes: #859653).
+
+ -- Ludovico Cavedon <cave...@debian.org>  Sun, 24 Dec 2017 21:18:54 +0100
+
+ntopng (2.4+dfsg1-3) unstable; urgency=medium
 
   * Import upstream patches fixing CVE-2017-5473. (Closes: #852109)
 
- -- Ludovico Cavedon <cave...@debian.org>  Fri, 03 Feb 2017 19:43:00 -0800
+ -- Ludovico Cavedon <cave...@debian.org>  Sun, 24 Dec 2017 21:14:54 +0100
 
 ntopng (2.4+dfsg1-2) unstable; urgency=high
 
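Review bot: the already-released 2.4+dfsg1-3 entry is altered in this hunk: its "urgency=high" becomes "urgency=medium" and its trailer moves from "Fri, 03 Feb 2017 19:43:00 -0800" to "Sun, 24 Dec 2017 21:14:54 +0100". An entry for an upload that is already in the archive should stay byte-identical (this looks like a stray dch -r), so restore those two lines and keep only the new +deb9u1 stanza. Minor wording in the new stanza: "prevent an empty host to crash ntopng" should read "prevent an empty host from crashing ntopng".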
diff -Nru ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch 
ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch
--- ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch       
1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch       
2017-12-24 21:17:07.000000000 +0100
@@ -0,0 +1,48 @@
+Description: Avoid access after free
+Author: Bernhard Übelacker <bernha...@mailbox.org>
+Bug-Debian: https://bugs.debian.org/859653
+Applied-Upstream: yes
+
+Found while investigating for https://bugs.debian.org/859653
+
+==10143== Invalid read of size 8
+==10143==    at 0x616E301: mysql_num_rows (client.c:4561)
+==10143==    by 0x11C1AD: MySQLDB::exec_sql_query(st_mysql*, char*, bool, 
bool, bool) (MySQLDB.cpp:593)
+==10143==    by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==    by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) 
(NetworkInterface.cpp:133)
+==10143==    by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==    by 0x1187D3: main (main.cpp:117)
+==10143==  Address 0x144527a8 is 8 bytes inside a block of size 208 free'd
+==10143==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
+==10143==    by 0x11C1A5: MySQLDB::exec_sql_query(st_mysql*, char*, bool, 
bool, bool) (MySQLDB.cpp:592)
+==10143==    by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==    by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) 
(NetworkInterface.cpp:133)
+==10143==    by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==    by 0x1187D3: main (main.cpp:117)
+==10143==  Block was alloc'd at
+==10143==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
+==10143==    by 0x61A7D95: my_malloc (my_malloc.c:101)
+==10143==    by 0x616C1D5: mysql_store_result (client.c:4094)
+==10143==    by 0x11C190: MySQLDB::exec_sql_query(st_mysql*, char*, bool, 
bool, bool) (MySQLDB.cpp:589)
+==10143==    by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==    by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) 
(NetworkInterface.cpp:133)
+==10143==    by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==    by 0x1187D3: main (main.cpp:117)
+---
+ src/MySQLDB.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ntopng/src/MySQLDB.cpp
+===================================================================
+--- ntopng.orig/src/MySQLDB.cpp
++++ ntopng/src/MySQLDB.cpp
+@@ -589,8 +589,8 @@ int MySQLDB::exec_sql_query(MYSQL *conn,
+     if((result = mysql_store_result(&mysql)) == NULL)
+       rc = 0;  // unable to retrieve the result but still the query succeded
+     else{
+-      mysql_free_result(result);
+       rc = mysql_num_rows(result);
++      mysql_free_result(result);
+     }
+   }
+ 
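Review bot: the reorder is correct; the valgrind trace in the header shows the free at MySQLDB.cpp:592 and the read inside mysql_num_rows at :593, and moving mysql_free_result(result) after mysql_num_rows(result) closes that window. What is missing is an Origin: line with the upstream commit URL, since the header claims "Applied-Upstream: yes" but gives nothing to trace the backport against (DEP-3). Also worth a note in the description: mysql_num_rows returns my_ulonglong and is stored in int rc, so a very large result set would wrap to a negative value; not introduced here, but callers that test rc > 0 for success should know.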
diff -Nru 
ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch 
ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch
--- ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch   
1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch   
2017-12-24 21:17:07.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Avoid access to unintialized memory
+Author: Bernhard Übelacker <bernha...@mailbox.org>
+Bug-Debian: https://bugs.debian.org/859653
+Applied-Upstream: yes
+
+Found while investigating for https://bugs.debian.org/859653
+
+==14371== Use of uninitialised value of size 8
+==14371==    at 0x7B0A16B: _itoa_word (_itoa.c:179)
+==14371==    by 0x7B0E869: vfprintf (vfprintf.c:1636)
+==14371==    by 0x7BBC8F5: __vsnprintf_chk (vsnprintf_chk.c:63)
+==14371==    by 0x7BBC857: __snprintf_chk (snprintf_chk.c:34)
+==14371==    by 0x11D2EA: snprintf (stdio2.h:65)
+==14371==    by 0x11D2EA: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:294)
+==14371==    by 0x1496CF: NetworkInterface::NetworkInterface(char const*) 
(NetworkInterface.cpp:133)
+==14371==    by 0x122791: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==14371==    by 0x1188F3: main (main.cpp:117)
+
+==19200== Use of uninitialised value of size 8
+==19200==    at 0x7B0A16B: _itoa_word (_itoa.c:179)
+==19200==    by 0x7B0E869: vfprintf (vfprintf.c:1636)
+==19200==    by 0x7BBC8F5: __vsnprintf_chk (vsnprintf_chk.c:63)
+==19200==    by 0x7BBC857: __snprintf_chk (snprintf_chk.c:34)
+==19200==    by 0x11D474: snprintf (stdio2.h:65)
+==19200==    by 0x11D474: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:321)
+==19200==    by 0x14980F: NetworkInterface::NetworkInterface(char const*) 
(NetworkInterface.cpp:133)
+==19200==    by 0x1228D1: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==19200==    by 0x1188F3: main (main.cpp:117)
+---
+ src/MySQLDB.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: ntopng/src/MySQLDB.cpp
+===================================================================
+--- ntopng.orig/src/MySQLDB.cpp
++++ ntopng/src/MySQLDB.cpp
+@@ -289,7 +289,7 @@ MySQLDB::MySQLDB(NetworkInterface *_ifac
+   // Move column BYTES to BYTES_IN and add BYTES_OUT
+   // note that this operation will arbitrarily move the old BYTES contents to 
BYTES_IN
+   const u_int16_t ipvers[2] = {4, 6};
+-  for (u_int16_t i = 0; i < sizeof(ipvers); i++){
++  for (u_int16_t i = 0; i < sizeof(ipvers)/sizeof(*ipvers); i++){
+     snprintf(sql, sizeof(sql), "SHOW COLUMNS FROM `%sv%hu` LIKE 'BYTES'",
+            ntop->getPrefs()->get_mysql_tablename(), ipvers[i]);
+     if(exec_sql_query(&mysql, sql, true, true) > 0){
+@@ -309,7 +309,7 @@ MySQLDB::MySQLDB(NetworkInterface *_ifac
+   }
+ 
+   // Modify database engine to MyISAM (that is much faster in 
non-transactional environments)
+-  for (u_int16_t i = 0; i < sizeof(ipvers); i++){
++  for (u_int16_t i = 0; i < sizeof(ipvers)/sizeof(*ipvers); i++){
+     snprintf(sql, sizeof(sql),
+            "SELECT 1 "
+            "FROM information_schema.TABLES "
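Review bot: the root cause is that sizeof(ipvers) is 4 bytes for two u_int16_t, so both original loops ran i = 0..3 and read ipvers[2] and ipvers[3] past the end of the array; valgrind reports that as an uninitialised value at MySQLDB.cpp:294 and :321 because the bytes beyond the array are stack slack, but the defect is an out-of-bounds read, and the changelog should say so. sizeof(ipvers)/sizeof(*ipvers) gives the element count and is the right fix. Two small things for the header: the Description and the file name spell "unintialized", and there is no Origin: URL despite "Applied-Upstream: yes".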
diff -Nru 
ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch
 
ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch
--- 
ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch
   2017-02-04 04:38:07.000000000 +0100
+++ 
ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch
   2017-12-24 21:16:57.000000000 +0100
@@ -44,17 +44,25 @@
              }
  
              lua_push_str_table_entry(L, tok, decoded_buf);
-@@ -5034,6 +5037,13 @@ int Lua::handle_script_request(struct mg
+@@ -5034,6 +5037,9 @@ int Lua::handle_script_request(struct mg
      } else
        ntop->getTrace()->traceEvent(TRACE_WARNING, "Not enough memory");
    }
 +
-+  if(strstr(request_info->uri, "/admin/") && (!csrf_found)) {
-+    const char *msg = "Missing CSRF parameter";
-+    
-+    return(send_error(conn, 500 /* Internal server error */, msg, PAGE_ERROR, 
request_info->uri, msg));
-+  }
++  lua_push_bool_table_entry(L, "valid_csrf", csrf_found);
 +  
    lua_setglobal(L, "_GET"); /* Like in php */
  
    /* _SERVER */
+Index: ntopng/scripts/lua/modules/lua_utils.lua
+===================================================================
+--- ntopng.orig/scripts/lua/modules/lua_utils.lua
++++ ntopng/scripts/lua/modules/lua_utils.lua
+@@ -1649,6 +1649,7 @@ end
+ 
+ 
+ function getInterfaceNameAlias(interface_name)
++   if(interface_name == nil) then return("") end
+    -- io.write(debug.traceback().."\n")
+    label = ntop.getCache('ntopng.prefs.'..interface_name..'.name')
+    if((label == nil) or (label == "")) then
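Review bot: the server-side rejection is removed here (the send_error(conn, 500, "Missing CSRF parameter", ...) for any URI containing "/admin/") and replaced by exporting csrf_found to Lua as _GET["valid_csrf"], but nothing else in this debdiff reads valid_csrf. Unless the stretch Lua admin scripts already check it, this trades the "Missing CSRF parameter" breakage of #856048 for a silent reopening of CVE-2017-5473 on every /admin/ page; please name the script(s) that enforce the check or add it in this patch. The getInterfaceNameAlias nil guard in scripts/lua/modules/lua_utils.lua is unrelated to CSRF and would be clearer in its own patch with its own DEP-3 header.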
diff -Nru ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch 
ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch
--- ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch 1970-01-01 
01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch 2017-12-24 
21:16:36.000000000 +0100
@@ -0,0 +1,32 @@
+Description: Prevent empty host from causing a crash (CVE-2017-7458).
+Origin: backport, 
https://github.com/ntop/ntopng/commit/01f47e04fd7c8d54399c9e465f823f0017069f8f, 
https://github.com/ntop/ntopng/commit/971e0e46afdf242ac2a1c990edfe9036bf7efccd
+Bug-Debian: https://bugs.debian.org/866721
+Applied-Upstream: yes
+
+Index: ntopng/src/NetworkInterface.cpp
+===================================================================
+--- ntopng.orig/src/NetworkInterface.cpp
++++ ntopng/src/NetworkInterface.cpp
+@@ -1762,6 +1762,8 @@ Host* NetworkInterface::getHost(char *ho
+   struct in6_addr a6;
+   Host *h = NULL;
+ 
++  if(!host_ip) return(NULL);
++
+   /* Check if address is invalid */
+   if((inet_pton(AF_INET, (const char*)host_ip, &a4) == 0)
+      && (inet_pton(AF_INET6, (const char*)host_ip, &a6) == 0)) {
+Index: ntopng/src/Lua.cpp
+===================================================================
+--- ntopng.orig/src/Lua.cpp
++++ ntopng/src/Lua.cpp
+@@ -1133,6 +1133,9 @@ static void get_host_vlan_info(char* lua
+   if(((*host_ip) = strtok_r(buf, "@", &where)) != NULL)
+     vlan = strtok_r(NULL, "@", &where);
+ 
++  if(host_ip == NULL)
++    *host_ip = lua_ip;
++
+   if(vlan)
+     (*vlan_id) = (u_int16_t)atoi(vlan);
+ }
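Review bot: the Lua.cpp hunk tests the wrong level of indirection. The line above it assigns through the pointer, "(*host_ip) = strtok_r(buf, "@", &where)", so host_ip is a char** that is never NULL at this point, while *host_ip is what strtok_r leaves NULL for an empty string. As written the fallback "*host_ip = lua_ip" never runs, and would dereference NULL if host_ip ever were NULL; it should be "if(*host_ip == NULL)". The crash is still averted because the NetworkInterface::getHost guard returns NULL for a NULL host_ip, but the Lua side keeps passing NULL instead of the original string, so please re-check this line against the two upstream commits given in Origin.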
diff -Nru ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch 
ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch
--- ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch 1970-01-01 
01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch 2017-12-24 
21:16:45.000000000 +0100
@@ -0,0 +1,48 @@
+Description: Prevent \r\n from being injected into HTTP URIs (CVE-2017-7459).
+Origin: backport, 
https://github.com/ntop/ntopng/commit/9469e58f07e043da712e6d6c41244852a11bcaeb
+Bug-Debian: https://bugs.debian.org/866719
+Applied-Upstream: yes
+
+Index: ntopng/src/HTTPserver.cpp
+===================================================================
+--- ntopng.orig/src/HTTPserver.cpp
++++ ntopng/src/HTTPserver.cpp
+@@ -325,9 +325,15 @@ static void uri_encode(const char *src,
+ 
+ static int handle_lua_request(struct mg_connection *conn) {
+   struct mg_request_info *request_info = mg_get_request_info(conn);
+-  u_int len = (u_int)strlen(request_info->uri);
++  char *crlf;
++  u_int len;
+   char username[33] = { 0 };
+ 
++  if((crlf = strstr(request_info->uri, "\r\n")))
++    *crlf = '\0'; /* Prevents HTTP splitting attacks */
++
++  len = (u_int)strlen(request_info->uri);
++
+   if((ntop->getGlobals()->isShutdown())
+      //|| (strcmp(request_info->request_method, "GET"))
+      || (ntop->getRedis() == NULL /* Starting up... */)
+@@ -373,7 +379,7 @@ static int handle_lua_request(struct mg_
+     bool found;
+ 
+     snprintf(path, sizeof(path), "%s%s", httpserver->get_scripts_dir(),
+-           Utils::getURL((strlen(request_info->uri) == 1) ? 
(char*)"/lua/index.lua" : request_info->uri,
++           Utils::getURL(len == 1 ? (char*)"/lua/index.lua" : 
request_info->uri,
+                          uri, sizeof(uri)));
+ 
+     ntop->fixPath(path);
+Index: ntopng/src/Lua.cpp
+===================================================================
+--- ntopng.orig/src/Lua.cpp
++++ ntopng/src/Lua.cpp
+@@ -4870,7 +4870,7 @@ void Lua::purifyHTTPParameter(char *para
+ 
+       default:
+       if(!Utils::isPrintableChar(c)) {
+-        ntop->getTrace()->traceEvent(TRACE_WARNING, "Discarded char '%c' in 
URI [%s]", c, param);
++        ntop->getTrace()->traceEvent(TRACE_WARNING, "Discarded char '0x%02x' 
in URI [%s]", c, param);
+         ampercent[0] = '\0';
+         return;
+       }
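Review bot: handle_lua_request truncates request_info->uri at the first "\r\n" and then serves the truncated request rather than rejecting it, and the test matches only the CR LF pair, so a lone "\r" or "\n" in the URI is not caught here. Returning a 400 when either byte is present is the safer shape; if the intent is to keep upstream commit 9469e58f verbatim, say so in the header so the choice is documented. In the Lua.cpp hunk, if c is a plain char, "0x%02x" will print bytes above 0x7f as 0xffffffxx after sign extension; cast it to (unsigned char) for readable log lines.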
diff -Nru ntopng-2.4+dfsg1/debian/patches/series 
ntopng-2.4+dfsg1/debian/patches/series
--- ntopng-2.4+dfsg1/debian/patches/series      2017-02-04 04:35:00.000000000 
+0100
+++ ntopng-2.4+dfsg1/debian/patches/series      2017-12-24 21:17:32.000000000 
+0100
@@ -6,3 +6,7 @@
 no-pwd.patch
 kfreebsd-tap.patch
 reproducible-build.patch
+CVE-2017-7458.patch
+CVE-2017-7459.patch
+Avoid-access-after-free.patch
+Avoid-access-to-unintialized-memory.patch
