Issue 3446

Title
File extension not sanitized
Priority
bug
Status
resolved
Nosy list
ajacoutot, bch, ced, daniel, mmcallis, nicoe, sharkcz, yangoon
Assigned to
ced
Keywords
patch

Created on 2013-10-27.15:28:57 by ced, last changed 100 months ago by ced.

Files

File name        Uploaded by, date             Type
news.patch.diff  yangoon, 2013-11-01.20:03:48  text/plain
news.patch       ced, 2013-10-31.22:58:23      text/plain
patch            ced, 2013-10-27.15:28:56      text/plain

Messages

Author: [hidden] (mmcallis)
Date: 2013-11-05.01:34:00
Morning,

This issue was assigned CVE-2013-4510 on the oss-security list:

http://www.openwall.com/lists/oss-security/2013/11/04/21

(Sorry if I am adding this comment the wrong way!)
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2013-11-03.18:55:11
Fixed with rev 357d0a4d9cb8
Author: [hidden] (yangoon) Tryton translator
Date: 2013-11-03.13:19:04
JFTR: Debian packages for stable and oldstable were uploaded to security-master
Author: [hidden] (yangoon) Tryton translator
Date: 2013-11-01.20:03:48
> Here is the news that will be published, thanks to review it.

Diff of review attached.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2013-10-31.22:58:23
Here is the news that will be published, thanks to review it.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2013-10-31.16:19:33
On 31/10/13 16:12 +0100, Mathias Behrle wrote:
> > Cédric Krier <cedric.krier@b2ck.com> added the comment:
> > 
> > So I propose this scheduling:
> > 
> > - security release the 3rd November (applying the patch and release tryton)
> > - publish a news the 4th November (to let packager update their repositories)
> 
> I would recommend to not schedule any important dates on weekend days. People
> working for distributions don't necessarily work on those days.

The opposite also applies: people working for distributions don't
necessarily work during the week.
In many projects I follow, I see people more active on the weekend.
Author: [hidden] (yangoon) Tryton translator
Date: 2013-10-31.16:12:40
> Cédric Krier <cedric.krier@b2ck.com> added the comment:
> 
> So I propose this scheduling:
> 
> - security release the 3rd November (applying the patch and release tryton)
> - publish a news the 4th November (to let packager update their repositories)

I would recommend to not schedule any important dates on weekend days. People
working for distributions don't necessarily work on those days.
 
@ajacoutot, @ced: Could you please share the information published on OpenBSD
ports? Was a CVE assigned via OpenBSD?
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2013-10-31.10:57:14
So I propose this scheduling:

- security release the 3rd November (applying the patch and release tryton)
- publish a news the 4th November (to let packager update their repositories)

The security release will contain this fix and the other fixes already
backported on today (they are all older than 1 week).
Author: [hidden] (yangoon) Tryton translator
Date: 2013-10-30.23:03:19
> Do we do a quick security release or we just let the fix join the next
> maintenance release?

Maintenance releases just were done and the next seem too far away for me. I
would prefer a security release.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2013-10-30.20:07:28
On 30/10/13 19:57 +0100, Mathias Behrle wrote:
> AFAIS a malicious server could play with ssh keys, authorized_keys of the user
> etc..

I'm not sure to follow you.

> Being not sure I tend to evaluate this as a security fix deserving a CVE.

I tend to think like you.
Do we do a quick security release or we just let the fix join the next
maintenance release?
Author: [hidden] (yangoon) Tryton translator
Date: 2013-10-30.19:56:59
AFAIS a malicious server could play with ssh keys, authorized_keys of the user
etc.. Being not sure I tend to evaluate this as a security fix deserving a CVE.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2013-10-30.19:22:25
@ajacoutot, I see that you already pushed (and make public) this security issue
on OpenBSD ports. The idea behind this issue is to synchronize the publication
of security fixes.

@all, what do we do? Are we doing a security release with this fix this week?
does it deserve a CVE?
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2013-10-27.15:28:56
I have discovered that the file extension received from the server, used to
store the report temporarily and open it, is not correctly sanitized.
It means that a malicious server could send, as the result of a report, an
extension that contains a filesystem path separator. So it can force the
client to write any file on the client host with the rights of the user.
Here is a patch that fixes the issue.

I don't know if it deserves the label of security fix or if it should follow
the normal path, as it requires connecting to a malicious server.
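The pattern described in the report above, shown as an added example that is not Tryton's client code and not the committed fix: a temporary file name is built from a base name plus a server-supplied extension. The `unsafe_report_path` function keeps the "before" behaviour (the extension is trusted as-is), and `safe_report_path` applies a strict alphanumeric whitelist plus a containment check on the resulting path. The base directory, file name, and the malicious extension are constructed values; path normalisation is done textually with `posixpath` so the effect of embedded `..` components is visible without writing to disk (whether a real client could be made to write through a non-existent `report./..` component depends on how it opens the file, which this example does not model).

```python
import posixpath
import re

# Strict whitelist for a report's file extension: short and alphanumeric,
# so no dots, no '/' or '\\', no NUL, no newline.  Anything else is refused.
_SAFE_EXT = re.compile(r'[A-Za-z0-9]{1,10}')


def is_safe_extension(ext):
    """True when ext matches the whitelist exactly (fullmatch, so a trailing
    newline or NUL cannot slip past an end-of-string anchor)."""
    return _SAFE_EXT.fullmatch(ext) is not None


def unsafe_report_path(basedir, name, ext):
    """'Before' behaviour from the issue: whatever extension the server sends
    is appended to the temporary file name unchanged.  The path is normalised
    textually so the effect of '..' components is visible."""
    return posixpath.normpath(posixpath.join(basedir, name + '.' + ext))


def safe_report_path(basedir, name, ext):
    """Hardened variant: validate the extension against the whitelist, then
    independently confirm the final path still lives directly in basedir."""
    if not is_safe_extension(ext):
        raise ValueError('refusing extension from server: %r' % (ext,))
    path = posixpath.normpath(posixpath.join(basedir, name + '.' + ext))
    # Defence in depth: even if the whitelist were loosened later, a path
    # whose parent directory is not basedir must never be written.
    if posixpath.dirname(path) != posixpath.normpath(basedir):
        raise ValueError('temporary path escapes %s: %s' % (basedir, path))
    return path


if __name__ == '__main__':
    # Constructed values: a client temp directory and two server responses.
    basedir = '/home/alice/.tmp'
    benign_ext = 'odt'
    malicious_ext = '/../../.ssh/authorized_keys'

    print('benign   :', unsafe_report_path(basedir, 'report', benign_ext))
    # With the unchecked extension the "temporary report" resolves to the
    # user's authorized_keys, the scenario raised later in the thread.
    print('malicious:', unsafe_report_path(basedir, 'report', malicious_ext))

    print('hardened :', safe_report_path(basedir, 'report', benign_ext))
    try:
        safe_report_path(basedir, 'report', malicious_ext)
    except ValueError as exc:
        print('rejected :', exc)
```

The whitelist is deliberately narrower than "no separators": rejecting anything outside `[A-Za-z0-9]` also removes dots, which is what lets `..` be smuggled in, and the second check guards the case where a later change relaxes the whitelist.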
History
Date                 User      Action  Args
2013-11-05 09:45:10  ced       set     status: chatting -> resolved
2013-11-05 01:34:01  mmcallis  set     status: resolved -> chatting; nosy: + mmcallis; messages: + msg14547
2013-11-03 18:55:11  ced       set     status: in-progress -> resolved; messages: + msg14523
2013-11-03 13:19:05  yangoon   set     messages: + msg14520
2013-11-01 20:03:49  yangoon   set     files: + news.patch.diff; messages: + msg14517
2013-10-31 22:58:24  ced       set     status: chatting -> in-progress; assignedto: ced; messages: + msg14513; files: + news.patch; keyword: + patch
2013-10-31 16:19:34  ced       set     messages: + msg14509
2013-10-31 16:12:41  yangoon   set     status: in-progress -> chatting; assignedto: ced -> (no value); messages: + msg14507
2013-10-31 10:57:14  ced       set     status: chatting -> in-progress; assignedto: ced; messages: + msg14498
2013-10-30 23:03:19  yangoon   set     messages: + msg14496
