Hi Moritz,

On 16/12/2022 10:02, Moritz Mühlenhoff wrote:

If we're doing a stable update anyway, could we also piggyback the
fix https://security-tracker.debian.org/tracker/CVE-2022-46146 ?

Good point. I have just uploaded a 0.5.1-2+deb11u2 release containing a backport of the fix; the debdiff against 0.5.1-2 is attached below. Do I need to create a new bug for the release team?


--
Martina Ferrari (Tina)
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog    
2021-01-25 14:10:41.000000000 +0000
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog    
2022-12-19 23:02:39.000000000 +0000
@@ -1,3 +1,16 @@
+golang-github-prometheus-exporter-toolkit (0.5.1-2+deb11u2) bullseye; 
urgency=medium
+
+  * Backport fix for CVE-2022-46146. Closes: #1025127.
+
+ -- Martina Ferrari <t...@debian.org>  Mon, 19 Dec 2022 23:02:39 +0000
+
+golang-github-prometheus-exporter-toolkit (0.5.1-2+deb11u1) bullseye; 
urgency=medium
+
+  * Patch tests to avoid race condition. Closes: #1013578.
+    Thanks to Santiago Vila for the adjusted patch.
+
+ -- Martina Ferrari <t...@debian.org>  Thu, 15 Dec 2022 22:33:17 +0000
+
 golang-github-prometheus-exporter-toolkit (0.5.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/control 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/control
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/control      
2021-01-19 14:44:59.000000000 +0000
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/control      
2022-12-19 23:02:39.000000000 +0000
@@ -1,6 +1,7 @@
 Source: golang-github-prometheus-exporter-toolkit
 Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
-Uploaders: Daniel Swarbrick <daniel.swarbr...@cloud.ionos.com>
+Uploaders: Daniel Swarbrick <dswarbr...@debian.org>,
+           Martina Ferrari <t...@debian.org>,
 Section: devel
 Testsuite: autopkgtest-pkg-go
 Priority: optional
diff -Nru 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
--- 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
  1970-01-01 00:00:00.000000000 +0000
+++ 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
  2022-12-19 23:02:39.000000000 +0000
@@ -0,0 +1,31 @@
+Author: Martina Ferrari <t...@debian.org>
+Description: Fix test failures due to race conditions
+Forwarded: https://github.com/prometheus/exporter-toolkit/issues/108
+Last-Updated: Mon, 29 Aug 2022 17:39:56 +0000
+
+--- a/web/users_test.go
++++ b/web/users_test.go
+@@ -18,6 +18,7 @@
+       "net/http"
+       "sync"
+       "testing"
++      "time"
+ )
+ 
+ // TestBasicAuthCache validates that the cache is working by calling a 
password
+@@ -42,6 +43,7 @@
+               ListenAndServe(server, 
"testdata/tls_config_users_noTLS.good.yml", testlogger)
+               close(done)
+       }()
++      time.Sleep(250 * time.Millisecond)
+ 
+       login := func(username, password string, code int) {
+               client := &http.Client{}
+@@ -106,6 +108,7 @@
+               ListenAndServe(server, 
"testdata/tls_config_users_noTLS.good.yml", testlogger)
+               close(done)
+       }()
++      time.Sleep(250 * time.Millisecond)
+ 
+       login := func() {
+               client := &http.Client{}
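Review bot: A fixed `time.Sleep(250 * time.Millisecond)` after each `}()` only makes the race less likely, not impossible; on a loaded buildd the listener can still come up later than 250 ms and the test fails again, while on fast machines it burns a quarter second per test for nothing. A deterministic alternative is to poll the address until a TCP connect succeeds, with a bounded deadline, which needs `net` added to the import list alongside the `time` this patch adds. Both patched test functions start and end outside this hunk, and the definition of `port` is not visible here; the loop below assumes it has the ":NNNN" form that `"http://localhost"+port` in the CVE test of this same debdiff implies.
```go
	}()
	// Wait until the listener accepts connections instead of sleeping a fixed time.
	deadline := time.Now().Add(5 * time.Second)
	for {
		c, err := net.Dial("tcp", "localhost"+port)
		if err == nil {
			c.Close()
			break
		}
		if time.Now().After(deadline) {
			t.Fatalf("server did not start listening: %v", err)
		}
		time.Sleep(10 * time.Millisecond)
	}
	// … unchanged: login helper and assertions …
```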
diff -Nru 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
--- 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
      1970-01-01 00:00:00.000000000 +0000
+++ 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
      2022-12-19 23:02:39.000000000 +0000
@@ -0,0 +1,112 @@
+Author: Julien Pivotto <roidelapl...@o11y.eu>
+Date:   Tue Nov 29 10:22:49 2022 +0100
+Forwarded: not-needed
+Last-Updated: Mon, 19 Dec 2022 20:11:12 +0000
+Description:
+ Backport of upstream commits 2528877 and 0af5c3f:
+
+    Merge pull request from GHSA-7rg2-cxvp-9p7p
+    
+    * Fix authentication bypass if stored password hash is known
+    
+    Signed-off-by: Julien Pivotto <roidelapl...@o11y.eu>
+    
+    * Add test for CVE-2022-46146
+    
+    Signed-off-by: Julien Pivotto <roidelapl...@o11y.eu>
+
+    * Fix tests
+    
+    Signed-off-by: Julien Pivotto <roidelapl...@o11y.eu>
+
+--- a/web/users.go
++++ b/web/users.go
+@@ -18,6 +18,7 @@
+ import (
+       "encoding/hex"
+       "net/http"
++      "strings"
+       "sync"
+ 
+       "github.com/go-kit/kit/log"
+@@ -74,7 +75,12 @@
+                       hashedPassword = 
"$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi"
+               }
+ 
+-              cacheKey := hex.EncodeToString(append(append([]byte(user), 
[]byte(hashedPassword)...), []byte(pass)...))
++              cacheKey := strings.Join(
++                      []string{
++                              hex.EncodeToString([]byte(user)),
++                              hex.EncodeToString([]byte(hashedPassword)),
++                              hex.EncodeToString([]byte(pass)),
++                      }, ":")
+               authOk, ok := u.cache.get(cacheKey)
+ 
+               if !ok {
+@@ -83,7 +89,7 @@
+                       err := 
bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
+                       u.bcryptMtx.Unlock()
+ 
+-                      authOk = err == nil
++                      authOk = validUser && err == nil
+                       u.cache.set(cacheKey, authOk)
+               }
+ 
+--- a/web/users_test.go
++++ b/web/users_test.go
+@@ -131,3 +131,47 @@
+       // Login with the response cached.
+       login()
+ }
++
++// TestByPassBasicAuthVuln tests for CVE-2022-46146.
++func TestByPassBasicAuthVuln(t *testing.T) {
++      server := &http.Server{
++              Addr: port,
++              Handler: http.HandlerFunc(func(w http.ResponseWriter, r 
*http.Request) {
++                      w.Write([]byte("Hello World!"))
++              }),
++      }
++
++      done := make(chan struct{})
++      t.Cleanup(func() {
++              if err := server.Shutdown(context.Background()); err != nil {
++                      t.Fatal(err)
++              }
++              <-done
++      })
++
++      go func() {
++              ListenAndServe(server, 
"testdata/web_config_users_noTLS.good.yml", testlogger)
++              close(done)
++      }()
++
++      login := func(username, password string) {
++              client := &http.Client{}
++              req, err := http.NewRequest("GET", "http://localhost"+port, nil)
++              if err != nil {
++                      t.Fatal(err)
++              }
++              req.SetBasicAuth(username, password)
++              r, err := client.Do(req)
++              if err != nil {
++                      t.Fatal(err)
++              }
++              if r.StatusCode != 401 {
++                      t.Fatalf("bad return code, expected %d, got %d", 401, 
r.StatusCode)
++              }
++      }
++
++      // Poison the cache.
++      
login("alice$2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby", 
"fakepassword")
++      // Login with a wrong password.
++      login("alice", 
"$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSifakepassword")
++}
+--- /dev/null
++++ b/web/testdata/web_config_users_noTLS.good.yml
+@@ -0,0 +1,5 @@
++basic_auth_users:
++  alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
++  bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
++  carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
++  dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq
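Review bot: TestByPassBasicAuthVuln starts the server in a goroutine and immediately issues requests without the `time.Sleep(250 * time.Millisecond)` that 02-Avoid_race_in_test.patch inserts after the same `}()` in the two sibling tests, so this upload reintroduces for the new test the startup race that #1013578 fixed for the others; add the same line after the `}()` that follows `close(done)`. The `login` helper also never closes `r.Body`; add `defer r.Body.Close()` right after the `client.Do` error check so the two requests do not leak connections. The test calls `context.Background()` while the patch adds no import for it, which is fine only if web/users_test.go at 0.5.1 already imports `context` — worth confirming, since the build fails otherwise. The users.go change itself looks sound: hex output never contains ':', so the three fields can no longer be shifted into one another, and gating `authOk` on `validUser` stops a successful compare against the placeholder hash from being cached as a valid login.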
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/series 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/series
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/series       
1970-01-01 00:00:00.000000000 +0000
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/series       
2022-12-19 23:02:39.000000000 +0000
@@ -0,0 +1,2 @@
+02-Avoid_race_in_test.patch
+03-CVE-2022-46146.patch
