
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]



Control: tags -1 -moreinfo -unreproducible

Could you please follow up on the security issue in the actual bug report
(#890604)? This is the RFS, and I doubt you meant to mark the
sponsorship request as "unreproducible". :)

That said, I'm just a messenger: I wanted to make sure you were aware of
the security issues and considered them seriously. You might want to send
the same message to the bug report, and CC security@debian.org to make
sure the security issue is filed properly.

Thanks!

A.

On 2018-02-17 11:59:51, Janusz Dobrowolski wrote:
> control: tags -1 +moreinfo +unreproducible
>
> Hi,
>
> As far as I know, all the old vulnerabilities reported on the Debian
> bug tracker have been fixed in the package made available on the
> mentors.debian.org page. Anyway, to be sure, I have tried to reproduce
> the bug mentioned on a new installation of this version, to no avail. The CSRF
> countermeasures, implemented a long time ago also in response to the CVE cited,
> seem to work as expected, so the exploit code available (e.g. here:
> https://securitywarrior9.blogspot.fr/2018/02/cross-site-request-forgery-front.html)
> does not work, returning 'Request from outside of this page is
> forbidden.' in the JSON payload returned, with no changes in application
> data.
>
> Saying that, maybe there are still some additional conditions, which
> allow an attacker to omit the CSRF token checks, not stated in the
> vulnerability reports, so the moreinfo tag has been added.
>
> Janusz
>
>
>
> On 16.02.2018 17:22, Antoine Beaupre wrote:
>> Hi,
>>
>> I haven't reviewed the package in detail, but before this is accepted
>> into Debian, care should be taken to review the existing security
>> vulnerabilities that affect this package.
>>
>> For example, CVE-2018-7176 (bug #890604) currently affects the package
>> you are proposing to upload (2.4.3). If the package is uploaded as such,
>> you should clarify what the way forward is to fix that package. Either
>> it will be fixed in a subsequent release, or the package will have to be
>> marked as unsupported in Debian.
>>
>> https://security-tracker.debian.org/tracker/CVE-2018-7176
>>
>> Thank you for your attention.
>>
>> A.

-- 
Drowning people
Sometimes die
Fighting their rescuers.
                        - Octavia Butler