Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Dear Release Team, I would like to make an upload to stable in order to fix bug #941895 in the monit package: the HTTP interface's CSRF double-submit check only recognised the `securitytoken` cookie when it was the first cookie in the `Cookie` header (it used a `Str_startsWith` test), so POST requests were rejected with "Invalid CSRF Token" whenever the browser sent any other cookie first. Package on mentors.d.n: https://mentors.debian.net/package/monit The full patch between this new package version and the version 1:5.20.0-6 currently in Stretch is attached.
diff -Nru monit-5.20.0/debian/changelog monit-5.20.0/debian/changelog --- monit-5.20.0/debian/changelog 2017-01-11 16:48:27.000000000 +0300 +++ monit-5.20.0/debian/changelog 2019-10-09 15:47:31.000000000 +0300 @@ -1,3 +1,9 @@ +monit (1:5.20.0-6+deb9u1) stretch; urgency=medium + + * Implement position independent CSRF cookie value (Closes: #941895). + + -- Sergey B Kirpichev <skirpic...@gmail.com> Wed, 09 Oct 2019 15:47:31 +0300 + monit (1:5.20.0-6) unstable; urgency=medium * Fix regression from #849886, test monit.log existence (Closes: #850829) diff -Nru monit-5.20.0/debian/patches/12_PID_CSRF.patch monit-5.20.0/debian/patches/12_PID_CSRF.patch --- monit-5.20.0/debian/patches/12_PID_CSRF.patch 1970-01-01 03:00:00.000000000 +0300 +++ monit-5.20.0/debian/patches/12_PID_CSRF.patch 2019-10-09 15:47:31.000000000 +0300 
@@ -0,0 +1,109 @@ +Origin: https://bitbucket.org/tildeslash/monit/commits/f9a9a7a92 +Description: Position independent CSRF cookie value +Bug-Debian: https://bugs.debian.org/941895 + +--- + src/http/processor.c | 61 +++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 45 insertions(+), 16 deletions(-) + +--- a/src/http/processor.c ++++ b/src/http/processor.c +@@ -258,7 +258,7 @@ void set_header(HttpResponse res, const + for (n = p = res->headers; p; n = p, p = p->next) { + if (IS(p->name, name)) { + FREE(p->value); +- p->value = Str_dup(value); ++ p->value = Str_dup(h->value); + destroy_entry(h); + return; + } +@@ -288,6 +288,7 @@ void set_status(HttpResponse res, int co + * @param mime Mime content type, e.g. text/html + */ + void set_content_type(HttpResponse res, const char *mime) { ++ ASSERT(mime); + set_header(res, "Content-Type", "%s", mime); + } + +@@ -720,9 +721,11 @@ static void destroy_entry(void *p) { + /* ----------------------------------------------------- Checkers/Validators */ + + +-/** +- * Do Basic Authentication if this auth. style is allowed. +- */ ++static boolean_t _isCookieSeparator(int c) { ++ return (c == ' ' || c == '\n' || c == ';' || c == ','); ++} ++ ++ + static boolean_t is_authenticated(HttpRequest req, HttpResponse res) { + if (Run.httpd.credentials) { + if (! basic_authenticate(req)) { +@@ -734,28 +737,54 @@ static boolean_t is_authenticated(HttpRe + } + if (IS(req->method, METHOD_POST)) { + // Check CSRF double-submit cookie (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie) +- const char *cookie = get_header(req, "Cookie"); + const char *token = get_parameter(req, "securitytoken"); +- if (! cookie) { +- LogError("HttpRequest: access denied -- client [%s]: missing CSRF token cookie\n", NVLSTR(Socket_getRemoteHost(req->S))); +- send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token"); +- return false; +- } + if (! 
token) { + LogError("HttpRequest: access denied -- client [%s]: missing CSRF token in HTTP parameter\n", NVLSTR(Socket_getRemoteHost(req->S))); + send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token"); + return false; + } +- if (! Str_startsWith(cookie, "securitytoken=")) { +- LogError("HttpRequest: access denied -- client [%s]: no CSRF token in cookie\n", NVLSTR(Socket_getRemoteHost(req->S))); ++ const char *cookie = get_header(req, "Cookie"); ++ if (! cookie) { ++ LogError("HttpRequest: access denied -- client [%s]: missing CSRF token cookie\n", NVLSTR(Socket_getRemoteHost(req->S))); + send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token"); + return false; + } +- if (Str_compareConstantTime(cookie + 14, token)) { +- LogError("HttpRequest: access denied -- client [%s]: CSRF token mismatch\n", NVLSTR(Socket_getRemoteHost(req->S))); +- send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token"); +- return false; ++ const char *cookieName = "securitytoken="; ++ for (int i = 0, j = 0; cookie[i]; i++) { ++ if (_isCookieSeparator(cookie[i])) { ++ // Cookie separator ++ j = 0; ++ continue; ++ } ++ if (j < 14) { ++ // Cookie name ++ if (cookie[i] == cookieName[j]) { ++ j++; ++ continue; ++ } else { ++ j = 0; ++ } ++ } else if (j == 14) { ++ // Cookie value ++ char cookieValue[STRLEN] = {}; ++ strncpy(cookieValue, cookie + i, sizeof(cookieValue) - 1); ++ for (int k = 0; cookieValue[k]; k++) { ++ if (_isCookieSeparator(cookieValue[k])) { ++ cookieValue[k] = 0; ++ break; ++ } ++ } ++ if (Str_compareConstantTime(cookieValue, token)) { ++ LogError("HttpRequest: access denied -- client [%s]: CSRF token mismatch\n", NVLSTR(Socket_getRemoteHost(req->S))); ++ send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token"); ++ return false; ++ } ++ return true; ++ } + } ++ LogError("HttpRequest: access denied -- client [%s]: no CSRF token in cookie\n", NVLSTR(Socket_getRemoteHost(req->S))); ++ send_error(req, res, SC_FORBIDDEN, "Invalid CSRF Token"); ++ return false; + } + return true; + 
}
diff -Nru monit-5.20.0/debian/patches/series monit-5.20.0/debian/patches/series
--- monit-5.20.0/debian/patches/series 2017-01-11 16:48:27.000000000 +0300
+++ monit-5.20.0/debian/patches/series 2019-10-09 15:47:31.000000000 +0300
@@ -3,3 +3,4 @@
 06_ssl.patch
 07_cross.patch
 11_enable_hurd.patch
+12_PID_CSRF.patch
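Review bot: The new cookie scan in is_authenticated (the `for (int i = 0, j = 0; cookie[i]; i++)` loop in the second inner hunk of 12_PID_CSRF.patch) matches `securitytoken=` anywhere in the Cookie header rather than only at the start of a cookie-pair, so a cookie named e.g. `xsecuritytoken` or an unrelated cookie whose value contains `securitytoken=` is taken as the CSRF cookie, and because the `j == 14` branch returns on its first match a genuine `securitytoken` cookie later in the header is never consulted. In the double-submit model the browser normally controls its own cookies, so I would not call this a direct bypass, but the check now depends on unrelated cookies and can reject legitimate requests. Anchoring the comparison at pair boundaries with `strncmp` (string.h is already in scope given the `strncpy` call) fixes this and removes the hard-coded `14`; is_authenticated begins in the preceding inner hunk and the lines between the two inner hunks are not shown here.

```c
const char *cookieName = "securitytoken=";
size_t cookieNameLength = strlen(cookieName);
for (int i = 0; cookie[i]; i++) {
        // Only look for the name at the start of a cookie-pair (offset 0 or right after a separator)
        if (_isCookieSeparator(cookie[i]) || (i > 0 && ! _isCookieSeparator(cookie[i - 1])))
                continue;
        if (strncmp(cookie + i, cookieName, cookieNameLength) != 0)
                continue;
        // Cookie value
        char cookieValue[STRLEN] = {};
        strncpy(cookieValue, cookie + i + cookieNameLength, sizeof(cookieValue) - 1);
        /* … unchanged: cut cookieValue at the next separator, Str_compareConstantTime against token, return … */
}
/* … unchanged: "no CSRF token in cookie" error path … */
```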