Re: Wheezy update of twisted?

2016-08-10 Thread Brian May
Guido Günther  writes:

> Thanks for having a look! I've added twisted-web to dla-needed.txt as
> well (Salvatore already updated data/CVE/list).

My conclusions (for wheezy-security) are that:

* Neither twisted nor twisted-web actually has a vulnerability.

* It is possible that applications that depend on twisted or twisted-web
  do have this vulnerability; however, I do not consider it a worthwhile
  use of my time to check or test each dependency to find out.

* Upstream chose to mitigate this by removing the twcgi file, required
  for CGI support.

* The CGI support is required for non-python languages, such as
  PHP/Perl/CGI.

* If nothing is using this CGI interface, we are not vulnerable and there
  is no need to make any changes.

* If something does use this CGI interface, and we haven't removed this
  code, we are vulnerable. Vulnerable to a "minor" security threat.

* If something does use this CGI interface, and we have removed this
  code, we are not vulnerable, because the application is now (most
  likely) completely broken.

Note: this code that uses CGI may not be in the Debian archive. It could
be installed locally or created locally.

As such, I tend to feel the risks of removing this code exceed the risks
of not removing it. I am going to do the same thing as the security team
and mark this as no-dsa.
-- 
Brian May 
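The conclusion above leaves one practical question open for anyone running wheezy: is there local code on this host that actually uses twisted.web.twcgi? The following is an added example (my own, not code from the thread or from Twisted) that answers it by scanning Python sources for references to the twcgi module while skipping Twisted's own twisted/web tree. The sample tree it builds in `demo()` is constructed for illustration; the file names and contents are hypothetical, and the default search roots in the `__main__` block are assumptions for a Debian host.

```python
import os
import re
import shutil
import tempfile
from typing import List

# Any reference to the twcgi module: "from twisted.web.twcgi import ...",
# "from twisted.web import twcgi", "import twisted.web.twcgi", or
# attribute use such as twcgi.CGIScript.
TWCGI_RE = re.compile(r"\btwcgi\b")


def is_twisted_internal(path: str) -> bool:
    """Twisted's own twisted/web/ tree (the module itself and its tests)
    is not a consumer; skip it so only third-party code is reported."""
    return "/twisted/web/" in path.replace(os.sep, "/")


def find_twcgi_users(root: str) -> List[str]:
    """Walk root and return the .py files that reference twcgi."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            if is_twisted_internal(path):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if TWCGI_RE.search(fh.read()):
                        hits.append(path)
            except OSError:
                continue  # unreadable file; keep scanning
    return sorted(hits)


# Constructed sample tree (hypothetical files, not from any real package):
# two local apps that use the CGI support, one that does not, and a copy
# of Twisted itself that must not be reported.
SAMPLE_TREE = {
    "app/serve.py": "from twisted.web.twcgi import CGIScript\n",
    "app/legacy.py": "from twisted.web import twcgi\n"
                     "root = twcgi.CGIDirectory('/srv/cgi-bin')\n",
    "app/clean.py": "from twisted.web.resource import Resource\n",
    "twisted/web/twcgi.py": '"""twcgi: CGI support"""\n',
    "twisted/web/test/test_cgi.py": "import twisted.web.twcgi\n",
}


def demo() -> List[str]:
    """Build the sample tree in a temp dir, scan it, return relative hits."""
    root = tempfile.mkdtemp()
    try:
        for rel, body in SAMPLE_TREE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [os.path.relpath(p, root) for p in find_twcgi_users(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    # Assumed search roots for a Debian host; pass your own as arguments.
    roots = sys.argv[1:] or ["/usr/lib/python2.7/dist-packages", "/srv", "/opt"]
    if sys.argv[1:]:
        for root in roots:
            for hit in find_twcgi_users(root):
                print(hit)
    else:
        print("sample scan:", demo())
```

A textual scan like this misses dynamic imports and will also skip a user project that happens to live under a directory named twisted/web, so an empty result supports the "nothing uses CGI here" reading but does not prove it; a hit, on the other hand, is exactly the code that would break if twcgi were removed.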



Re: Wheezy update of twisted?

2016-08-09 Thread Guido Günther
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> Salvatore Bonaccorso  writes:
> 
> > Hi,
> >
> > Just a quick comment on:
> >
> > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> >> I am inclined to say that no version of twisted, by itself, has this
> >> vulnerability. However like I said earlier it is possible that
> >> applications that use twisted have this vulnerability.
> >
> > Looking at the upstream ticket
> > https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> > 16.3.1 will have something to help mitigating the issue in application
> > that use twisted.
> 
> I believe this is the upstream patch:
> 
> https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165
> 
> Looks like it removes CGI support.
> 
> Hmmm. My test was flawed, I don't think I tested CGI. I imagine the
> results would be the same however.
> 
> > For Jessie, we do not plan to release any DSA related to this for
> > src:twisted. Don't know if you want to follow that on LTS side.
> 
> Yes, I tend to agree. Don't much like the idea of removing a feature in
> what is supposed to be a stable distribution.
> 
> Then again, scratch that, looks like none of the files patched exist in
> the wheezy version anyway...
> 
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
> 
> Oh, I see, it looks like the source was split up for the Debian
> packaging. So the twisted-web source contains the file in question, not
> the twisted package.

Thanks for having a look! I've added twisted-web to dla-needed.txt as
well (Salvatore already updated data/CVE/list).

Cheers,
 -- Guido



Re: Wheezy update of twisted?

2016-08-09 Thread Salvatore Bonaccorso
Hi,

On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
> 
> Oh, I see, it looks like the source was split up for the Debian
> packaging. So the twisted-web source contains the file in question, not
> the twisted package.

Yes, this might be true for wheezy. But for jessie and above the file
looks to be in src:twisted again. I have now added the twisted-web source
package as well for the entry.

Regards,
Salvatore



Re: Wheezy update of twisted?

2016-08-09 Thread Brian May
Salvatore Bonaccorso  writes:

> Hi,
>
> Just a quick comment on:
>
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible that
>> applications that use twisted have this vulnerability.
>
> Looking at the upstream ticket
> https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> 16.3.1 will have something to help mitigate the issue in applications
> that use twisted.

I believe this is the upstream patch:

https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165

Looks like it removes CGI support.

Hmmm. My test was flawed, I don't think I tested CGI. I imagine the
results would be the same however.

> For Jessie, we do not plan to release any DSA related to this for
> src:twisted. Don't know if you want to follow that on LTS side.

Yes, I tend to agree. Don't much like the idea of removing a feature in
what is supposed to be a stable distribution.

Then again, scratch that, looks like none of the files patched exist in
the wheezy version anyway...

But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
and twisted/web/twcgi.py is in the upstream git repository for the
twisted-12.0.0 tag.

Oh, I see, it looks like the source was split up for the Debian
packaging. So the twisted-web source contains the file in question, not
the twisted package.
-- 
Brian May 



Re: Wheezy update of twisted?

2016-08-08 Thread Salvatore Bonaccorso
Hi,

Just a quick comment on:

On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> I am inclined to say that no version of twisted, by itself, has this
> vulnerability. However like I said earlier it is possible that
> applications that use twisted have this vulnerability.

Looking at the upstream ticket
https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
16.3.1 will have something to help mitigate the issue in applications
that use twisted.

For Jessie, we do not plan to release any DSA related to this for
src:twisted. Don't know if you want to follow that on LTS side.

Regards,
Salvatore



Re: Wheezy update of twisted?

2016-08-08 Thread Brian May
Free Ekanayaka  writes:

> I had a quick look at the code too (both in wheezy and jessie), but I
> couldn't find the offending bits. Perhaps it'd be good to put together a
> small web server and see what happens when you pass the 'Proxy'
> header.

So I created the following code:

=== cut ===
from twisted.internet import reactor
from twisted.web.server import Site
from twisted.web.resource import Resource
import time
import os


class ClockPage(Resource):
    # Leaf resource: every path under the site is served by this object.
    isLeaf = True

    def render_GET(self, request):
        # Dump the server's environment so we can see whether the
        # incoming Proxy header turned into an HTTP_PROXY variable.
        print(os.environ)
        return "%s" % (time.ctime(),)

resource = ClockPage()
factory = Site(resource)
reactor.listenTCP(8880, factory)
reactor.run()
=== cut ===

Then I attempted to run from wheezy. In particular, I used the following
command:

curl -H "Proxy: http://meow/" http://localhost:8880/

I inspected the console output, but could not find any references to
meow or HTTP_PROXY:

{'TERM': 'xterm-256color', 'SHELL': '/bin/bash', 'SCHROOT_UID': '1000', 
'SCHROOT_COMMAND': '-bash', 'SHLVL': '1', 'OLDPWD': '/root', 
'SCHROOT_CHROOT_NAME': 'wheezy-amd64-default', 'PWD': 
'/home/brian/tree/debian/debian-lts/wheezy/twisted/test', 'SCHROOT_SESSION_ID': 
'wheezy-amd64-default-76337752-1661-47c2-b322-f2a73ff7314b', 'SCHROOT_USER': 
'brian', 'USER': 'root', 'HOME': '/root', 'SCHROOT_GID': '1000', 'PATH': 
'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'LOGNAME': 
'root', 'SCHROOT_GROUP': 'brian', 'SCHROOT_ALIAS_NAME': 'wheezy-amd64-default', 
'_': '/usr/bin/python'}

I get similar results when testing on stretch. It looks like sid is the
same version 16.3.0-1.

I am inclined to say that no version of twisted, by itself, has this
vulnerability. However like I said earlier it is possible that
applications that use twisted have this vulnerability.
-- 
Brian May 



Re: Wheezy update of twisted?

2016-08-05 Thread Free Ekanayaka
Hi,

I had a quick look at the code too (both in wheezy and jessie), but I
couldn't find the offending bits. Perhaps it'd be good to put together a
small web server and see what happens when you pass the 'Proxy' header.

Free

On 5 August 2016 at 10:26, Brian May  wrote:

> This security vulnerability is described here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1357345
>
> as:
>
> "sets environmental variable based on user supplied Proxy request
> header"
>
> In particular it is talking about HTTP_PROXY, and it is only a problem if
> the server makes an outgoing HTTP request using this value.
>
> Looking at this, I am inclined to say this isn't a security issue in
> twisted itself, rather some unspecified applications that use twisted.
>
> Just trying to double check this. I can't find any references
> (case-insensitive) of "HTTP_PROXY" in the twisted source however.
>
> This appears to be confirmed by the first sentence in the redhat bug
> report:
>
> "Many software projects and vendors have implemented support for the
> “Proxy” request header in their respective CGI implementations and
> languages by creating the “HTTP_PROXY” environmental variable based on
> the header value."
>
> There are a number of projects in Debian that use twisted, should we
> check each one?
>
> Sure would be good if I had an example application that was confirmed
> vulnerable.
> --
> Brian May 
>


Re: Wheezy update of twisted?

2016-08-05 Thread Brian May
This security vulnerability is described here:

https://bugzilla.redhat.com/show_bug.cgi?id=1357345

as:

"sets environmental variable based on user supplied Proxy request
header"

In particular it is talking about HTTP_PROXY, and it is only a problem if
the server makes an outgoing HTTP request using this value.

Looking at this, I am inclined to say this isn't a security issue in
twisted itself, rather some unspecified applications that use twisted.

Just trying to double check this. I can't find any references
(case-insensitive) of "HTTP_PROXY" in the twisted source however.

This appears to be confirmed by the first sentence in the redhat bug
report:

"Many software projects and vendors have implemented support for the
“Proxy” request header in their respective CGI implementations and
languages by creating the “HTTP_PROXY” environmental variable based on
the header value."

There are a number of projects in Debian that use twisted, should we
check each one?

Sure would be good if I had an example application that was confirmed
vulnerable.
-- 
Brian May 
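The header-to-environment step quoted from the Red Hat report is the whole mechanism, and it also explains why the ClockPage test further up in the thread never saw HTTP_PROXY: a plain twisted.web Resource does not build a CGI environment, only the CGI gateway (twcgi in Twisted's case) does. The following is an added example, my own code rather than Twisted's or anything from the thread, that implements the RFC 3875 header mapping a CGI gateway performs, shows the client-supplied "Proxy" header landing in HTTP_PROXY, and places both mitigations beside it: dropping the header at the gateway, and a client that refuses HTTP_PROXY when it detects it is running under CGI (the approach several HTTP client libraries adopted after httpoxy). The sample headers are constructed to match the curl command in the thread; the function names are mine and no network access is involved.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample request (not captured from a real server), matching
# the curl invocation used in the thread: a client sending a "Proxy" header.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "localhost:8880"),
    ("User-Agent", "curl/7.26.0"),
    ("Proxy", "http://meow/"),
]


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18: a request header becomes the CGI
    meta-variable HTTP_<NAME>, upper-cased, with '-' replaced by '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_environ(headers: Iterable[Tuple[str, str]],
                method: str = "GET",
                base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """The vulnerable gateway behaviour: copy every request header into the
    child process environment.  A client-supplied "Proxy" header therefore
    reaches the CGI script as HTTP_PROXY, which many HTTP client libraries
    honour as the proxy for outgoing requests (httpoxy)."""
    env = dict(base or {})
    env["REQUEST_METHOD"] = method
    for name, value in headers:
        env[header_to_meta_variable(name)] = value
    return env


# "Proxy" is not a standard request header, so a gateway loses nothing by
# refusing to forward it.  Any other header whose meta-variable form
# collides with an environment variable a child might trust belongs here.
BLOCKED_HEADERS = frozenset({"proxy"})


def hardened_cgi_environ(headers: Iterable[Tuple[str, str]],
                         method: str = "GET",
                         base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Gateway-side mitigation: drop blocked headers before mapping."""
    safe = [(n, v) for n, v in headers if n.lower() not in BLOCKED_HEADERS]
    return cgi_environ(safe, method, base)


def proxy_from_environment(env: Dict[str, str],
                           cgi_aware: bool = False) -> Optional[str]:
    """What an HTTP client library typically does when picking a proxy:
    consult HTTP_PROXY / http_proxy in its environment.

    With cgi_aware=True it applies the client-side mitigation: when
    REQUEST_METHOD is set the process is running under a CGI gateway and
    the upper-case HTTP_PROXY may have come from a request header, so only
    the lower-case form (which the CGI mapping never produces) is trusted."""
    if cgi_aware and "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    naive = cgi_environ(SAMPLE_HEADERS)
    hardened = hardened_cgi_environ(SAMPLE_HEADERS)
    print("naive gateway, naive client   ->", proxy_from_environment(naive))
    print("header dropped at gateway     ->", proxy_from_environment(hardened))
    print("naive gateway, cgi-aware client ->",
          proxy_from_environment(naive, cgi_aware=True))
```

Note the asymmetry the two mitigations leave behind: dropping the header at the gateway protects every language the gateway runs (PHP, Perl, shell), while the client-side check only protects programs whose HTTP library was fixed. That is why upstream chose to act in twcgi, and why a server that never runs CGI scripts is unaffected regardless of which client libraries are installed.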



Re: Wheezy update of twisted?

2016-07-30 Thread Free Ekanayaka
Hello,

I'm going on vacation shortly, and likely won't have time to address the
bug timely enough. So unless Matthias has cycles to work on it, I'd say yes
go ahead please. Thanks

Free

On 28 July 2016 at 22:37, Thorsten Alteholz  wrote:

> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of twisted:
> https://security-tracker.debian.org/tracker/CVE-2016-1000111
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Thorsten Alteholz,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
>
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
>
>


Wheezy update of twisted?

2016-07-28 Thread Thorsten Alteholz

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of twisted:
https://security-tracker.debian.org/tracker/CVE-2016-1000111

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Thorsten Alteholz,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup