Tryton - Issues


Issue3446

Title: File extension not sanitized
Priority: bug
Status: resolved
Superseder:
Nosy List: ajacoutot, bch, ced, daniel, mmcallis, nicoe, sharkcz, yangoon
Type: security
Components: tryton
Assigned To: ced
Keywords: patch
Reviews:

Created on 2013-10-27.15:28:57 by ced, last changed by ced.

Files
File name        Uploaded                       Type
news.patch       ced, 2013-10-31.22:58:23       text/plain
news.patch.diff  yangoon, 2013-11-01.20:03:48   text/plain
patch            ced, 2013-10-27.15:28:56       text/plain
Messages
msg14547 (view) Author: [hidden] (mmcallis) Date: 2013-11-05.01:34:00
Morning,

This issue was assigned CVE-2013-4510 on the oss-security list:

http://www.openwall.com/lists/oss-security/2013/11/04/21

(Sorry if I am adding this comment the wrong way!)
msg14523 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2013-11-03.18:55:11
Fixed with rev 357d0a4d9cb8
msg14520 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2013-11-03.13:19:04
JFTR: Debian packages for stable and oldstable were uploaded to security-master
msg14517 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2013-11-01.20:03:48
> Here is the news that will be published, thanks to review it.

Diff of review attached.
msg14513 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2013-10-31.22:58:23
Here is the news that will be published, thanks to review it.
msg14509 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2013-10-31.16:19:33
On 31/10/13 16:12 +0100, Mathias Behrle wrote:
> > Cédric Krier <cedric.krier@b2ck.com> added the comment:
> > 
> > So I propose this scheduling:
> > 
> > - security release the 3rd November (applying the patch and release tryton)
> > - publish a news the 4th November (to let packager update their repositories)
> 
> I would recommend to not schedule any important dates on weekend days. People
> working for distributions don't necessarily work on those days.

The opposite also applies: people working for distributions don't
necessarily work during the week.
In many projects I follow I see people more active on the weekend.
msg14507 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2013-10-31.16:12:40
> Cédric Krier <cedric.krier@b2ck.com> added the comment:
> 
> So I propose this scheduling:
> 
> - security release the 3rd November (applying the patch and release tryton)
> - publish a news the 4th November (to let packager update their repositories)

I would recommend not scheduling any important dates on weekend days. People
working for distributions don't necessarily work on those days.

@ajacoutot, @ced: Could you please share the information published on OpenBSD
ports? Was a CVE assigned via OpenBSD?
msg14498 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2013-10-31.10:57:14
So I propose this scheduling:

- security release the 3rd November (applying the patch and release tryton)
- publish a news the 4th November (to let packager update their repositories)

The security release will contain this fix and the other fixes already
backported as of today (they are all older than 1 week).
msg14496 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2013-10-30.23:03:19
> Do we do a quick security release or we just let the fix join the next
> maintenance release?

Maintenance releases were just done and the next seems too far away for me. I
would prefer a security release.
msg14495 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2013-10-30.20:07:28
On 30/10/13 19:57 +0100, Mathias Behrle wrote:
> AFAIS a malicious server could play with ssh keys, authorized_keys of the user
> etc.

I'm not sure I follow you.

> Being not sure I tend to evaluate this as a security fix deserving a CVE.

I tend to think like you.
Do we do a quick security release or do we just let the fix join the next
maintenance release?
msg14494 (view) Author: [hidden] (yangoon) (Tryton translator) Date: 2013-10-30.19:56:59
AFAIS a malicious server could play with ssh keys, authorized_keys of the user
etc. Being not sure I tend to evaluate this as a security fix deserving a CVE.
msg14493 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2013-10-30.19:22:25
@ajacoutot, I see that you already pushed (and made public) this security issue
on OpenBSD ports. The idea behind this issue is to synchronize the publication
of security fixes.

@all, what do we do? Are we doing a security release with this fix this week?
Does it deserve a CVE?
msg14444 (view) Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2013-10-27.15:28:56
I have discovered that the file extension received from the server to store
the report temporarily and open it is not correctly sanitized.
It means that a malicious server could send, as the result of a report, an
extension that could contain a filesystem path separator. So it can force the
client to write any file on the client host with the rights of the user.
Here is a patch that fixes the issue.

I don't know if it deserves the label of security fix or if it should follow
the normal path as it requires connecting to a malicious server.
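The defect described in the report above (a server-chosen extension used verbatim in the name of a client-side temporary file) can be contrasted with a hardened version in the following added Python example. This is illustrative code written for this page, not the Tryton client's code and not the fix landed in rev 357d0a4d9cb8; the function names, the whitelist policy and the fixed `report.` base name are assumptions.

```python
import os
import re
import tempfile

# Whitelist for a server-supplied file extension: alphanumeric segments joined
# by single dots ("odt", "tar.gz"). Anything else, including path separators,
# leading dots or empty segments, is rejected. (Constructed policy, not Tryton's.)
_EXTENSION_RE = re.compile(r'^[A-Za-z0-9]+(\.[A-Za-z0-9]+)*$')
_MAX_EXTENSION_LEN = 32


def is_safe_extension(extension):
    """True when the extension cannot alter the directory part of a path."""
    if not extension or len(extension) > _MAX_EXTENSION_LEN:
        return False
    return _EXTENSION_RE.match(extension) is not None


def path_escapes(tmpdir, path):
    """True when the normalized path is not a direct child of tmpdir."""
    base = os.path.normpath(os.path.abspath(tmpdir))
    target = os.path.normpath(os.path.abspath(path))
    return os.path.dirname(target) != base


def unsafe_report_path(tmpdir, extension):
    """The vulnerable pattern: the extension is trusted verbatim, so a value
    containing a separator (and '..' after it) moves the file elsewhere."""
    return os.path.join(tmpdir, 'report.' + extension)


def safe_report_path(tmpdir, extension):
    """Hardened version: validate the extension, then re-check the final path."""
    if not is_safe_extension(extension):
        raise ValueError('refusing server-supplied extension %r' % (extension,))
    path = os.path.join(tmpdir, 'report.' + extension)
    # Defence in depth: even a whitelisted name must resolve inside tmpdir.
    if path_escapes(tmpdir, path):
        raise ValueError('temporary file path escapes %r' % (tmpdir,))
    return path


def rejects_extension(tmpdir, extension):
    """Helper for checks: does the hardened builder refuse this extension?"""
    try:
        safe_report_path(tmpdir, extension)
    except ValueError:
        return True
    return False


def write_report(tmpdir, extension, data):
    """Write report bytes to a validated temporary path and return that path."""
    path = safe_report_path(tmpdir, extension)
    with open(path, 'wb') as fh:
        fh.write(data)
    return path


if __name__ == '__main__':
    # Constructed demonstration: a benign extension is written, while
    # extensions carrying separators are refused before any file is touched.
    tmpdir = tempfile.mkdtemp()
    print(write_report(tmpdir, 'odt', b'constructed report payload'))
    for ext in ('/../../escaped', 'odt/', '.hidden', 'sub/x'):
        print(ext, '->', 'rejected' if rejects_extension(tmpdir, ext) else 'accepted')
```

The two checks are deliberately independent: the whitelist is what actually closes the issue (a separator can never reach `os.path.join`), and `path_escapes` is a second, cheap assertion that the assembled path still lives directly under the temporary directory, so a later change to the naming scheme cannot silently reopen the problem.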
History
Date                 User      Action  Args
2013-11-05 09:45:10  ced       set     status: chatting -> resolved
2013-11-05 01:34:01  mmcallis  set     status: resolved -> chatting
                                       nosy: + mmcallis
                                       messages: + msg14547
2013-11-03 18:55:11  ced       set     status: in-progress -> resolved
                                       messages: + msg14523
2013-11-03 13:19:05  yangoon   set     messages: + msg14520
2013-11-01 20:03:49  yangoon   set     files: + news.patch.diff
                                       messages: + msg14517
2013-10-31 22:58:24  ced       set     status: chatting -> in-progress
                                       assignedto: ced
                                       messages: + msg14513
                                       keyword: + patch
                                       files: + news.patch
2013-10-31 16:19:34  ced       set     messages: + msg14509
2013-10-31 16:12:41  yangoon   set     status: in-progress -> chatting
                                       assignedto: ced -> (no value)
                                       messages: + msg14507
2013-10-31 10:57:14  ced       set     status: chatting -> in-progress
                                       assignedto: ced
                                       messages: + msg14498
2013-10-30 23:03:19  yangoon   set     messages: + msg14496