[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#929228: marked as done (security-tracker: MITRE descriptions containing non-ascii characters might cause issues on accessing CVE page)

Your message dated Fri, 1 May 2020 16:46:21 +0200
with message-id <[🔎] 20200501144621.GA19818@eldamar.local>
and subject line Re: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
has caused the Debian Bug report #929228,
regarding security-tracker: MITRE descriptions containing non-ascii characters might cause issues on accessing CVE page
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929228
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: security-tracker
Severity: normal

Found this while checking for other issues, but not time to further
properly investigate, but did now want to loose that initial tracking.

When a CVE description from MITRE contains non-ascii/non-valid
characters like

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2019-0976

> A tampering vulnerability exists in the NuGet Package Manager for Linux and Mac
> that could allow an authenticated attacker to modify contents of the
> intermediate build folder (by default ââ&#8218;¬Å&#8220;objââ&#8218;¬Â),
> aka 'NuGet Package Manager Tampering Vulnerability'.

this causes issue accessing the respective CVE page once the
description has been merged:

https://security-tracker.debian.org/tracker/CVE-2019-0976

Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "../lib/python/web_support.py", line 805, in do_GET
    result = r.flatten_later()
  File "../lib/python/web_support.py", line 662, in flatten_later
    self.contents.flatten(buf.write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 286, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 334, in flatten
    x.flatten(write)
  File "../lib/python/web_support.py", line 332, in flatten
    write(escapeHTML(x))
  File "../lib/python/web_support.py", line 242, in escapeHTML
    append(charToHTML[ord(ch)])
IndexError: list index out of range

Regards,
Salvatore

--- End Message ---
--- Begin Message --- 
Hi Florian,

On Fri, May 01, 2020 at 04:01:39PM +0200, Florian Weimer wrote:
> * Salvatore Bonaccorso:
> 
> > Hi Florian,
> >
> > On Fri, May 01, 2020 at 02:33:21PM +0200, Florian Weimer wrote:
> >> * Salvatore Bonaccorso:
> >> 
> >> > Hi Florian,
> >> >
> >> > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote:
> >> >> * Florian Weimer:
> >> >> 
> >> >> > * Francesco Poli:
> >> >> >
> >> >> >> Please note that the CVE is mentioned in [DSA-4667-1].
> >> >> >>
> >> >> >> [DSA-4667-1]: <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
> >> >> >>
> >> >> >> What's wrong with that tracker page?
> >> >> >
> >> >> > It's something in the NVD data that breaks the HTML escaping.
> >> >> 
> >> >> This patch adds basic Unicode support to the web framework.  I'm not
> >> >> sure if it is the right direction to move in, but it fixes the issue.
> >> >> 
> >> >> An alternative fix would be to change the NVD importer not to put
> >> >> Unicode strings into the database, by encoding them as byte strings
> >> >> first.
> >> >
> >> > Do you want to deploy that or rather investigate an alternative?
> >> 
> >> I'd appreciate if you could spot-check the changes (e.g., do we still
> >> do HTML escaping properly?) and deploy it.  It looks like I have
> >> forgotten how to do it.
> >
> > Looks good to me, and yes can deploy it if you want me to. Please have
> > a look at at attache git format-patch'ed version if you agree with the
> > slight rewrite, since I do not want to commit something in your name
> > you would not agree with).
> 
> Still looks fine.
> 
> Signed-off-by: Florian Weimer <fw@deneb.enyo.de>

Thanks, applied and deployed.

Regards,
Salvatore

--- End Message ---
Reply to: