Re: Analysis of issue for phpmyadmin and request for comment on XSS issues

2016-06-26 Thread Ben Hutchings
On Sun, 2016-06-26 at 23:47 +0200, Ola Lundqvist wrote:
> Hi LTS team
> 
> I have done some analysis of the issues for phpmyadmin.
> 
> It would be good to know what your opinion about XSS issues for admin
> software like phpmyadmin is. I do not see how that can be very important. I
> mean you know the URL and do not really use external links for accessing it.
> Or do anyone have another opinion?
[...]

So long as Javascript is enabled, there are many ways for a rogue site
to generate HTTP requests to another site, and to obscure where a link
really leads.  Not many DBAs are going to turn Javascript off *and*
check every link target before following it.

However, I think XSS issues are generally treated as not meriting a
DSA/DLA by themselves.

Ben.

-- 

Ben Hutchings
Humour is the best antidote to reality.




Accepted java-common 0.47+deb7u2 (source all amd64) into oldstable

2016-06-26 Thread dak
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Jun 2016 20:40:32 +0200
Source: java-common
Binary: java-common default-jre default-jre-headless default-jdk default-jdk-doc gcj-native-helper
Architecture: source all amd64
Version: 0.47+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Mailing List 
Changed-By: Markus Koschany 
Description: 
 default-jdk - Standard Java or Java compatible Development Kit
 default-jdk-doc - Standard Java or Java compatible Development Kit (documentation)
 default-jre - Standard Java or Java compatible Runtime
 default-jre-headless - Standard Java or Java compatible Runtime (headless)
 gcj-native-helper - Standard helper tools for creating gcj native packages
 java-common - Base of all Java packages
Changes: 
 java-common (0.47+deb7u2) wheezy-security; urgency=high
 .
   * Team upload.
   * Switch default Java environment from OpenJDK 6 to OpenJDK 7 in Wheezy LTS.
Checksums-Sha1: 
 7faa4e956da6ed96236c31f60ef9dc2edae629ca 2176 java-common_0.47+deb7u2.dsc
 2d6a3595206c8ff296b552e6cd5f5e593035e77c 53746 java-common_0.47+deb7u2.tar.gz
 c51eb82c03323aa2896cd5fb7a300c82269c1479 138622 java-common_0.47+deb7u2_all.deb
 0206eda901c1162cadd5ce219f2684ad491c025b 8522 default-jdk-doc_0.47+deb7u2_all.deb
 9f96e94c700ca0aac3c7175bfd938d9d3485fc1d 842 default-jre_1.7-47+deb7u2_amd64.deb
 35fd653665e3b3698c7dfe89e0867e753b2cae04 8794 default-jre-headless_1.7-47+deb7u2_amd64.deb
 78faceb5812c0734cfd3042698006eca9822d138 844 default-jdk_1.7-47+deb7u2_amd64.deb
 09a7880655db73b9decb6a6e0a2ca6ba81956b2b 988 gcj-native-helper_1.7-47+deb7u2_amd64.deb
Checksums-Sha256: 
 44d2499989edba7b747c7eb1a56db962f7b99ed750490ce5f631e503edfc399d 2176 java-common_0.47+deb7u2.dsc
 95bf99e22e505b877c053b9c9b024282c29fae9a6b3dfda4cc9a54bb195402fb 53746 java-common_0.47+deb7u2.tar.gz
 86294d904db138c76412e3056b1e2755ec0452ce4b3f462170718a9f32f25cfa 138622 java-common_0.47+deb7u2_all.deb
 4fbe9c0b6a46ca94ffc074dc6833549b55d66b7505719f22cb83b39552b90168 8522 default-jdk-doc_0.47+deb7u2_all.deb
 4a8bd3322429ebf121c31524382baf17ba8639cafd321728158d842bb79de3a7 842 default-jre_1.7-47+deb7u2_amd64.deb
 31ba1fe88ac41b069e35931c643b3cb9ee87306e3141263fe1514820debe398e 8794 default-jre-headless_1.7-47+deb7u2_amd64.deb
 dc81fb0ca9362e21445a37969a9cc94d8dfee89cdd1d4abdb506b50523510a3d 844 default-jdk_1.7-47+deb7u2_amd64.deb
 ae890f551439e93e910be8328a54890f924ba9a0646358e507c9b11fb003e7a1 988 gcj-native-helper_1.7-47+deb7u2_amd64.deb
Files: 
 aeae57d59502d621ee72550647b873f6 2176 java optional java-common_0.47+deb7u2.dsc
 e2393afb22443c585eee5cf545a5401e 53746 java optional java-common_0.47+deb7u2.tar.gz
 fa7a74e896021480a6ee5089fb9dc1fd 138622 java optional java-common_0.47+deb7u2_all.deb
 3de1829f3904b8c7fb87387cdb1aa3a0 8522 doc optional default-jdk-doc_0.47+deb7u2_all.deb
 578f2e35322b6d5e46e6122fb8ff810c 842 java optional default-jre_1.7-47+deb7u2_amd64.deb
 b0b77b5b370e94dba03c6f666ca4978d 8794 java optional default-jre-headless_1.7-47+deb7u2_amd64.deb
 ef36aee7b01ae0f16a1314de156ba6cc 844 java optional default-jdk_1.7-47+deb7u2_amd64.deb
 98718dbbdcf9ce20bfdd03899c844342 988 java optional gcj-native-helper_1.7-47+deb7u2_amd64.deb




Accepted tomcat7 7.0.28-4+deb7u5 (source all) into oldstable

2016-06-26 Thread dak
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Jun 2016 19:23:57 +0200
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers 
Changed-By: Markus Koschany 
Description: 
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7 - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes: 
 tomcat7 (7.0.28-4+deb7u5) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2016-3092.
 A denial of service vulnerability was identified in Commons FileUpload that
 occurred when the length of the multipart boundary was just below the size
 of the buffer (4096 bytes) used to read the uploaded file. This caused the
 file upload process to take several orders of magnitude longer than if the
 boundary was the typical tens of bytes long. Tomcat's internal fork of
 Commons File Upload is also affected.
Checksums-Sha1: 
 399521e131ff936e482d5857a5fa28c52b8b802c 2777 tomcat7_7.0.28-4+deb7u5.dsc
 ecf3d5a35582e8a0f397f24f275ae3e8ce9babd8 128925 tomcat7_7.0.28-4+deb7u5.debian.tar.gz
 f6dcd7495a87c95f0f1e99d3f2f5a5c492e8e7a7 64812 tomcat7-common_7.0.28-4+deb7u5_all.deb
 a8b3f5d435d2da51ef430179b9a12354ee0fccce 52048 tomcat7_7.0.28-4+deb7u5_all.deb
 ec9ba33a777d1c5b7d0861b2c661f7072b84a933 40076 tomcat7-user_7.0.28-4+deb7u5_all.deb
 bb459ff658786840c85432df7f136efd89dbf252 3511556 libtomcat7-java_7.0.28-4+deb7u5_all.deb
 ab0fa46960c468d868d3db1bd8f4f9d73d4eb27a 306170 libservlet3.0-java_7.0.28-4+deb7u5_all.deb
 696a6ac58890d10dedd39d86a11b897ffb16d749 304382 libservlet3.0-java-doc_7.0.28-4+deb7u5_all.deb
 e7668367ceee49a83f86d327b286455d156cdde7 52754 tomcat7-admin_7.0.28-4+deb7u5_all.deb
 9c70f6173c314d6f2b51f017f11a233246ad9fea 206400 tomcat7-examples_7.0.28-4+deb7u5_all.deb
 773c92d13f375d7fc0bdff3dde729c6dc2256e25 647984 tomcat7-docs_7.0.28-4+deb7u5_all.deb
Checksums-Sha256: 
 6be47e4442b1e2177dbce7511dc64e05e7409efa4534f22132e023c4c3f8f0ba 2777 tomcat7_7.0.28-4+deb7u5.dsc
 89d4e1f487c1235cb2a6da0bfdcf3bef54af1445db543b1f13096a703c143467 128925 tomcat7_7.0.28-4+deb7u5.debian.tar.gz
 645b738e05a117ffbf747c38aa1ec31110d7757f1d376569691996e8c3252f22 64812 tomcat7-common_7.0.28-4+deb7u5_all.deb
 97437780ca5933cf3efab41756ff9e0bbf93077cb5f20fd30c5268c9ce0021dd 52048 tomcat7_7.0.28-4+deb7u5_all.deb
 3725fa64b1019d03efcadbfdfed0236f9e5254e6c483c474d55e0e2e2d23cd9b 40076 tomcat7-user_7.0.28-4+deb7u5_all.deb
 ba2c5f356f6cbe630364efb1f7a421f94c5779d3d63ba414ee3062c179e3504b 3511556 libtomcat7-java_7.0.28-4+deb7u5_all.deb
 fb1c46322366c3967e3074bebf24bec430267df83a2b541c879fba4219275f0b 306170 libservlet3.0-java_7.0.28-4+deb7u5_all.deb
 5155f0eb5359a1ca9f6e1e71bbf5467d5339025e9edc3d12a7c16674c2fe999e 304382 libservlet3.0-java-doc_7.0.28-4+deb7u5_all.deb
 86880df6746bcfee9f96895c7c438612c0930247943c04b4b8bc071475068d9e 52754 tomcat7-admin_7.0.28-4+deb7u5_all.deb
 c78a7daef4981cee880c83bd135158dabfbc0652a09686fef5c848ba6993a18c 206400 tomcat7-examples_7.0.28-4+deb7u5_all.deb
 06a2720b85309d0572acc5d4a15b21edb96dc05fa930c2e45b4e325e2387c8d0 647984 tomcat7-docs_7.0.28-4+deb7u5_all.deb
Files: 
 5ecf326656bf71b8ed5c33534521411b 2777 java optional tomcat7_7.0.28-4+deb7u5.dsc
 49acdc682f147ceb1474d63d0c5847ce 128925 java optional tomcat7_7.0.28-4+deb7u5.debian.tar.gz
 94020e198090736770001b11ef8c1e41 64812 java optional tomcat7-common_7.0.28-4+deb7u5_all.deb
 544f797131117994455f4a8e4a7518b0 52048 java optional tomcat7_7.0.28-4+deb7u5_all.deb
 71eea9197d1dd3c7506b4b6b80340ad9 40076 java optional tomcat7-user_7.0.28-4+deb7u5_all.deb
 0a32c3178aa54b281bb9c4fac83f2fab 3511556 java optional libtomcat7-java_7.0.28-4+deb7u5_all.deb
 13bcff283b433f83fcd31c7857afa0a4 306170 java optional libservlet3.0-java_7.0.28-4+deb7u5_all.deb
 44f16fd3ed40eb39029329b1938bdef8 304382 doc optional libservlet3.0-java-doc_7.0.28-4+deb7u5_all.deb
 616c05e230e71752da06304608c4f659 52754 java optional tomcat7-admin_7.0.28-4+deb7u5_all.deb
 d51934c1860fd9448b4d2b0671f05595 206400 java optional tomcat7-examples_7.0.28-4+deb7u5_all.deb
 c8f0ce318b988ca23578e512c6512a0b 647984 doc optional tomcat7-docs_7.0.28-4+deb7u5_all.deb



Accepted libcommons-fileupload-java 1.2.2-1+deb7u3 (source all) into oldstable

2016-06-26 Thread dak
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 26 Jun 2016 17:41:55 +0200
Source: libcommons-fileupload-java
Binary: libcommons-fileupload-java libcommons-fileupload-java-doc
Architecture: source all
Version: 1.2.2-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers 
Changed-By: Markus Koschany 
Description: 
 libcommons-fileupload-java - File upload capability to your servlets and web applications
 libcommons-fileupload-java-doc - Javadoc API documentation for Commons FileUploads
Changes: 
 libcommons-fileupload-java (1.2.2-1+deb7u3) wheezy-security; urgency=high
 .
   * Team upload
   * Fix CVE-2016-3092:
 A denial of service vulnerability was identified in Commons FileUpload that
 occurred when the length of the multipart boundary was just below the size
 of the buffer (4096 bytes) used to read the uploaded file. This caused the
 file upload process to take several orders of magnitude longer than if the
 boundary was the typical tens of bytes long.
Checksums-Sha1: 
 577de36d18286be237c67bf85f7ffb1252140627 2552 libcommons-fileupload-java_1.2.2-1+deb7u3.dsc
 e37cba3cbe6f236c07316513de2f7c7e451dd95a 9883 libcommons-fileupload-java_1.2.2-1+deb7u3.debian.tar.gz
 030e2d918fa8debf331db8f3734e583bbdb0f7b6 54574 libcommons-fileupload-java_1.2.2-1+deb7u3_all.deb
 612d991b998a77caeadb634053493b309dd9beea 372994 libcommons-fileupload-java-doc_1.2.2-1+deb7u3_all.deb
Checksums-Sha256: 
 13e1f0223d92977112c4bb6adb6219029b45dec9edea22bb274b4cff4c4e4fe2 2552 libcommons-fileupload-java_1.2.2-1+deb7u3.dsc
 2193b4eade1f1f2903e34eed5cf4727ec65620ad55d73988e6ed2397872e0456 9883 libcommons-fileupload-java_1.2.2-1+deb7u3.debian.tar.gz
 5dcab617af7a39e58a19282153f9944d96ea0e8feb89633d64e04dfb64dce09f 54574 libcommons-fileupload-java_1.2.2-1+deb7u3_all.deb
 4cfb10390ec76bed64d4260923ed379fa24f743c1442dcb8b5a6b9969f7c6314 372994 libcommons-fileupload-java-doc_1.2.2-1+deb7u3_all.deb
Files: 
 f7a6fe975ddc0b54ed04dafc5aaae814 2552 java optional libcommons-fileupload-java_1.2.2-1+deb7u3.dsc
 18dbfdeeaa791084e6d348e76b5f083d 9883 java optional libcommons-fileupload-java_1.2.2-1+deb7u3.debian.tar.gz
 ac951b51b59c37684e4bf39707b8d5f3 54574 java optional libcommons-fileupload-java_1.2.2-1+deb7u3_all.deb
 9ceee4eaa7dbb3a6f34650de53eb70ff 372994 doc optional libcommons-fileupload-java-doc_1.2.2-1+deb7u3_all.deb

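The tomcat7 and libcommons-fileupload-java uploads above fix the same Commons FileUpload bug, CVE-2016-3092: a multipart boundary just shorter than the 4096-byte read buffer makes the upload parser crawl. The Python below is an added illustration written for this digest, not code from Apache Commons FileUpload, Tomcat or the Debian packaging. It shows two things. First, a toy buffered boundary scanner that mirrors the shape of the problem: a delimiter can straddle two reads, so the scanner must hold back almost a full delimiter's worth of bytes between refills, and when the boundary is nearly the buffer size each refill brings in only a handful of new bytes. It counts refills for a normal browser-style boundary against a 4090-byte one. Second, a front-door check an application or reverse proxy can apply to the Content-Type header before reading a body byte: RFC 2046 section 5.1.1 limits a boundary to 1..70 characters from a fixed alphabet, far shorter than any sane read buffer, so rejecting anything else closes this whole class. The buffer size, the 64 KiB filler body and the boundaries are constructed for the demo; the scanner is a model of the mechanism, not the upstream algorithm, and its refill counts reflect its own bookkeeping.

```python
import io
import re
from typing import Optional, Tuple

BUF_SIZE = 4096              # read buffer size named in the advisory
RFC2046_MAX_BOUNDARY = 70    # RFC 2046 s5.1.1: a boundary is 1 to 70 bchars

# RFC 2046 bchars: DIGIT / ALPHA / ' ( ) + _ , - . / : = ? and space
_BCHARS = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]+")
_BOUNDARY_PARAM = re.compile(r';\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Extract the boundary parameter from a multipart Content-Type value."""
    if not content_type.strip().lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_PARAM.search(content_type)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_multipart_boundary(content_type: str) -> Tuple[bool, str]:
    """Front-door check: accept only boundaries RFC 2046 allows.

    Anything longer than 70 characters is refused before a body byte is read,
    which rules out the near-buffer-size boundaries behind CVE-2016-3092.
    """
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return False, "not multipart or boundary parameter missing"
    if not 1 <= len(boundary) <= RFC2046_MAX_BOUNDARY:
        return False, f"boundary length {len(boundary)} outside RFC 2046 range 1..{RFC2046_MAX_BOUNDARY}"
    if not _BCHARS.fullmatch(boundary) or boundary.endswith(" "):
        return False, "boundary contains characters RFC 2046 does not allow"
    return True, "ok"


def scan_to_closing_boundary(stream: io.BufferedIOBase, boundary: bytes,
                             buf_size: int = BUF_SIZE) -> Tuple[int, int]:
    """Toy model (assumption, not the upstream code) of a buffered body scanner.

    Reads `stream` looking for CRLF "--" boundary and returns (body bytes before
    it, number of refills). Because the delimiter may straddle two reads, the
    last len(delimiter)-1 bytes are held back between refills; with a boundary
    close to buf_size almost the whole buffer is held back and each refill
    yields only a few new bytes, which is the slowdown the advisory describes.
    """
    delimiter = b"\r\n--" + boundary
    keep = len(delimiter) - 1
    if keep >= buf_size:
        raise ValueError("boundary does not fit in the read buffer")
    buf = b""
    body_len = 0    # bytes already confirmed as body data
    refills = 0
    while True:
        chunk = stream.read(buf_size - len(buf))
        refills += 1
        if not chunk:
            raise ValueError("closing boundary not found")
        buf += chunk
        idx = buf.find(delimiter)
        if idx >= 0:
            return body_len + idx, refills
        emit = len(buf) - keep          # everything outside the hold-back region is body data
        body_len += emit
        buf = buf[emit:]


def refills_for_boundary(boundary: bytes, body_len: int = 64 * 1024) -> Tuple[int, int]:
    """Build a constructed body of `body_len` filler bytes plus the closing
    delimiter, scan it, and return (body bytes found, refills needed)."""
    body = b"A" * body_len + b"\r\n--" + boundary + b"--\r\n"
    return scan_to_closing_boundary(io.BytesIO(body), boundary)


if __name__ == "__main__":
    normal = b"----WebKitFormBoundary7MA4YWxkTrZu0gW"   # 37 chars, typical browser boundary
    hostile = b"X" * (BUF_SIZE - 6)                     # just below the buffer size
    for name, b in (("normal", normal), ("hostile", hostile)):
        found, refills = refills_for_boundary(b)
        print(f"{name:8s} boundary={len(b):5d} bytes  body={found}  refills={refills}")
    for ct in ("multipart/form-data; boundary=" + normal.decode(),
               "multipart/form-data; boundary=" + hostile.decode()):
        print(ct[:60] + "...", check_multipart_boundary(ct))
```

Run stand-alone it prints a refill count in the tens for the normal boundary and in the tens of thousands for the hostile one on the same 64 KiB body, and the header check accepts the first Content-Type and rejects the second. The header check is cheap enough to put in front of any servlet container you cannot patch immediately; it does not replace the package update, since a boundary of 70 characters is still accepted and the parser is what actually needs the fix.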



Re: claiming tiff

2016-06-26 Thread Emilio Pozuelo Monfort
On 26/06/16 16:10, Bálint Réczey wrote:
> Added that information in dla-needed.txt.

Thanks. I added links to each cve in data/CVE/list but forgot to add a note to
dla-needed.

> In that case I don't claim them yet. Let's see how upstream responds.

OK.

Cheers,
Emilio



Re: claiming tiff

2016-06-26 Thread Bálint Réczey
Hi Emilio,

2016-06-26 9:58 GMT+02:00 Emilio Pozuelo Monfort :
> On 26/06/16 02:19, Bálint Réczey wrote:
>> Hi,
>>
>> There are newly discovered vulnerabilities in tiff [1].
>>
>> If no one objects I plan looking into them and working with the
>> maintainer(s) to get them fixed in Wheezy LTS and in newer
>> releases.
>
> I looked at this yesterday. These CVEs aren't fixed upstream yet. I forwarded
> all the new CVEs (and some old ones) to upstream yesterday, so hopefully that
> will change.

Added that information in dla-needed.txt.
In that case I don't claim them yet. Let's see how upstream responds.

Thanks!

Cheers,
Balint



Re: cacti LTS

2016-06-26 Thread Paul Gevers
Hi Emilio

[By the way, I read debian-lts, so no need to mail me directly, dropped
your To: as well].

On 26-06-16 10:40, Emilio Pozuelo Monfort wrote:
>> I believe CVE-2016-2313 should be included in this fix.
> 
> Certainly! I have backported the fix and included in this new debdiff.

Looks good to me (but I haven't tested).

> Unfortunately I'm not sure how to trigger the bug.

For one thing, you have to change the authentication scheme (maybe
remove the template, not sure if one is included by default), and log
into cacti with a valid http user (but non-existing cacti user).

> Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
> be useful to do some basic testing after an update.

It was for the last point that I mentioned it. As cacti before the
current stretch package didn't run out-of-the-box, it would require
additional logic to even work on a CI framework (such as making sure
that the admin password is the same as the cacti/www-data password and
actually configuring the cacti pages). But if cacti works on your VM, it
should be simple to run the test (usually takes several minutes though).
My intention is to add tests for all the CVEs that I fix as well, but
as you can see in the test, I wasn't successful with CVE-2016-3659,
however, a check for CVE-2016-3172 is in.

Paul





Re: testing php5 for Wheezy LTS

2016-06-26 Thread Stefan
Hi,

I installed some packages [1] and smoke tested with owncloud, no problems so
far.

I used the webclient, davdroid on android and a windows owncloud client to test.

HTH

Stefan

[1] libapache2-mod-php5_5.4.45-0+deb7u4_i386.deb
php-pear_5.4.45-0+deb7u4_all.deb
php5_5.4.45-0+deb7u4_all.deb
php5-cgi_5.4.45-0+deb7u4_i386.deb
php5-cli_5.4.45-0+deb7u4_i386.deb
php5-common_5.4.45-0+deb7u4_i386.deb
php5-curl_5.4.45-0+deb7u4_i386.deb
php5-gd_5.4.45-0+deb7u4_i386.deb
php5-intl_5.4.45-0+deb7u4_i386.deb
php5-ldap_5.4.45-0+deb7u4_i386.deb
php5-mcrypt_5.4.45-0+deb7u4_i386.deb
php5-mysql_5.4.45-0+deb7u4_i386.deb
php5-pgsql_5.4.45-0+deb7u4_i386.deb
php5-sqlite_5.4.45-0+deb7u4_i386.deb

On Sat, Jun 25, 2016 at 03:49:13PM +0200, Thorsten Alteholz wrote:
> Hi,
> 
> it is this time of the month again, so I uploaded version
> 5.4.45-0+deb7u4 of php5 to:
>  https://people.debian.org/~alteholz/packages/wheezy-lts/php5/amd64/
>  https://people.debian.org/~alteholz/packages/wheezy-lts/php5/i386/
> 
> Please give it a try and tell me about any problems you met.
> 
> Thanks!
>  Thorsten
> 
> 
> 
>* CVE-2016-5093.patch
>  Absence of null character causes unexpected zend_string length and
>  leaks heap memory. The test script uses locale_get_primary_language
>  to reach get_icu_value_internal but there are some other functions
>  that also trigger this issue:
>locale_canonicalize, locale_filter_matches,
>locale_lookup, locale_parse
>* CVE-2016-5094.patch
>  don't create strings with lengths outside int range
>* CVE-2016-5095.patch
>  similar to CVE-2016-5094
>  don't create strings with lengths outside int range
>* CVE-2016-5096.patch
>  int/size_t confusion in fread
>* CVE-TEMP-bug-70661.patch
>  bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
>* CVE-TEMP-bug-70728.patch
>  bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
>* CVE-TEMP-bug-70741.patch
>  bug70741: Session WDDX Packet Deserialization Type Confusion
>Vulnerability
>* CVE-TEMP-bug-70480-raw.patch
>  bug70480: php_url_parse_ex() buffer overflow read
> 
> 

-- 
BOFH excuse #382:

Someone was smoking in the computer room and set off the halon systems.



Re: cacti LTS

2016-06-26 Thread Emilio Pozuelo Monfort
On 26/06/16 09:23, Paul Gevers wrote:
> Hi Emilio
> 
> On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>>> Just in case somebody starts working on it, I'd like to review proposed
>>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>>> in Debian and a check if the fix by a contributor in the upstream bug
>>> report is causing other damage. The third CVE has a trivial patch.
>>
>> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
>> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
>> know if we are vulnerable or not, maybe we are and the attack needs some
>> changes. In any case, I think the fix is very safe, sanitizing parenthesis, so I
>> think we can just ship it. What do you think? Please see the attached debdiff.
> 
> The patch for CVE-2016-3659 is accepted by upstream, so should be OK to
> apply.
> 
> The issue with CVE-2016-2313 has been resolved upstream, the
> sledgehammer has been replaced by an appropriate hammer for the size of
> the nail:
> https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52
> 
> I believe CVE-2016-2313 should be included in this fix.

Certainly! I have backported the fix and included in this new debdiff.
Unfortunately I'm not sure how to trigger the bug.

> Please be advised that since my previous e-mail, I actually created a
> brute force regression test for cacti, see
> http://anonscm.debian.org/cgit/pkg-cacti/cacti.git/tree/debian/tests/check-all-pages

Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
be useful to do some basic testing after an update.

Cheers,
Emilio
diff -Nru cacti-0.8.8a+dfsg/debian/changelog cacti-0.8.8a+dfsg/debian/changelog
--- cacti-0.8.8a+dfsg/debian/changelog  2016-02-24 21:00:15.0 +0100
+++ cacti-0.8.8a+dfsg/debian/changelog  2016-06-26 10:18:07.0 +0200
@@ -1,3 +1,15 @@
+cacti (0.8.8a+dfsg-5+deb7u9) wheezy-security; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/CVE-2016-3172-sql-injection.patch:
++ CVE-2016-3172: Fix sql injection in tree.php.
+  * debian/patches/CVE-2016-3659-sql-injection.patch:
++ CVE-2016-3659: Fix sql injection in graph_view.php.
+  * debian/patches/CVE-2016-2313-authentication-bypass.patch:
++ CVE-2016-2313: Fix authentication bypass.
+
+ -- Emilio Pozuelo Monfort   Sun, 26 Jun 2016 10:18:04 +0200
+
 cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency=high
 
   * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php
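Review bot: urgency=medium on the new deb7u9 entry sits directly above the deb7u8 entry marked urgency=high, yet this upload closes an authentication bypass (CVE-2016-2313) plus two SQL injections, so raise it to urgency=high to match. The entry also claims debian/patches/CVE-2016-3659-sql-injection.patch, but no hunk for that file appears in the part of the debdiff reproduced here (it is cut off after the CVE-2016-3172 patch), so confirm that file is in the upload and that debian/patches/series lists all three.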
diff -Nru 
cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch 
cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch
--- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch  
1970-01-01 01:00:00.0 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch  
2016-06-26 10:16:50.0 +0200
@@ -0,0 +1,23 @@
+Backport fix for CVE-2016-2313.
+
+This is http://svn.cacti.net/viewvc?view=rev=7770
+and 
https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52
+
+Bug: http://bugs.cacti.net/view.php?id=2656
+
+--- a/auth_login.php
 b/auth_login.php
+@@ -86,6 +86,13 @@
+   /* Locate user in database */
+   $user = db_fetch_row("SELECT * FROM user_auth WHERE username = 
" . $cnn_id->qstr($username) . " AND realm = 2");
+ 
++  if (!$user && read_config_option('user_template') == '0') {
++  cacti_log("ERROR: User '" . $username . "' 
authenticated by Web Server, but a Template User is not defined in Cacti.  
Exiting.", false, 'AUTH');
++  $username = htmlspecialchars($username);
++  auth_display_custom_error_message("$username 
authenticated by Web Server, but a Template User is not defined in Cacti.");
++  exit;   
++  }
++
+   break;
+   case "3":
+   /* LDAP Auth */
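Review bot: the added guard fires only when read_config_option('user_template') returns exactly the string '0'; if a wheezy 0.8.8a install stores "no template user" as an empty or absent value the comparison is false, control reaches `break;` with `$user` still empty, and the bypass this patch closes stays reachable, so verify the stored value before relying on this check. Two smaller points: the `exit;` line carries trailing whitespace, and the header gives provenance as a free-form `This is http://svn.cacti.net/...` line where a DEP-3 `Origin:` field beside the existing `Bug:` would make it machine-readable; that viewvc URL (`viewvc?view=rev=7770`) also looks mangled, as if an `&` and parameter name were lost before the revision number.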
diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch 
cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch
--- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch  
1970-01-01 01:00:00.0 +0100
+++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch  
2016-06-25 21:57:13.0 +0200
@@ -0,0 +1,10 @@
+--- a/tree.php 2016/05/08 15:10:45 7804
 a/tree.php 2016/05/08 15:35:30 7805
+@@ -153,6 +153,7 @@
+   /* = input validation = */
+   input_validate_input_number(get_request_var("id"));
+   input_validate_input_number(get_request_var("tree_id"));
++  input_validate_input_number(get_request_var("parent_id"));
+   /*  */
+ 
+   if (!empty($_GET["id"])) {
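Review bot: this patch file has no DEP-3 header at all, unlike the CVE-2016-2313 patch above, so the only provenance is the SVN revisions 7804 and 7805 on the `---`/`+++` lines; add a `Description: CVE-2016-3172: validate parent_id in tree.php` and `Origin: upstream, svn r7805` (or the matching GitHub commit) so the CVE mapping does not depend on the changelog alone. The one-line addition itself is consistent with the neighbouring input_validate_input_number() checks for id and tree_id; note that the `+++` line names `a/tree.php` rather than `b/tree.php`, harmless under -p1 but worth normalising.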
diff -Nru 

Re: claiming tiff

2016-06-26 Thread Emilio Pozuelo Monfort
On 26/06/16 02:19, Bálint Réczey wrote:
> Hi,
> 
> There are newly discovered vulnerabilities in tiff [1].
> 
> If no one objects I plan looking into them and working with the
> maintainer(s) to get them fixed in Wheezy LTS and in newer
> releases.

I looked at this yesterday. These CVEs aren't fixed upstream yet. I forwarded
all the new CVEs (and some old ones) to upstream yesterday, so hopefully that
will change.

Cheers,
Emilio



Re: cacti LTS

2016-06-26 Thread Paul Gevers
Hi Emilio

On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>> Just in case somebody starts working on it, I'd like to review proposed
>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>> in Debian and a check if the fix by a contributor in the upstream bug
>> report is causing other damage. The third CVE has a trivial patch.
> 
> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
> know if we are vulnerable or not, maybe we are and the attack needs some
> changes. In any case, I think the fix is very safe, sanitizing parenthesis, so I
> think we can just ship it. What do you think? Please see the attached debdiff.

The patch for CVE-2016-3659 is accepted by upstream, so should be OK to
apply.

The issue with CVE-2016-2313 has been resolved upstream, the
sledgehammer has been replaced by an appropriate hammer for the size of
the nail:
https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52

I believe CVE-2016-2313 should be included in this fix.

Please be advised that since my previous e-mail, I actually created a
brute force regression test for cacti, see
http://anonscm.debian.org/cgit/pkg-cacti/cacti.git/tree/debian/tests/check-all-pages


Paul


