
Bug#748669: wheezy-pu: package sks/1.1.3-2



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

I have prepared a patch for "Bug#746626: sks: CVE-2014-3207:
non-persistent XSS". It also fixes Bugs 709322 and 741912 to make
an upgrade work better.

I have attached a debdiff. Please consider including it in wheezy
proposed updates.

Christoph

-- 
============================================================================
Christoph Martin, Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Telefon: +49(6131)3926337
 Instant-Messaging: Jabber: martin@uni-mainz.de
  (Siehe http://www.zdv.uni-mainz.de/4010.php)
diff -Nru sks-1.1.3/debian/changelog sks-1.1.3/debian/changelog
--- sks-1.1.3/debian/changelog	2013-03-11 16:48:17.000000000 +0100
+++ sks-1.1.3/debian/changelog	2014-05-19 13:36:05.000000000 +0200
@@ -1,3 +1,14 @@
+sks (1.1.3-2+deb7u1) stable; urgency=high
+
+  [ Daniel Kahn Gillmor ]
+  * avoid trying to upgrade DB_CONFIG (Closes: #709322)
+
+  [ Christoph Martin ]
+  * fix crosssite scripting bug (CVE-2014-3207) (closes: 746626)
+  * note active Berkely DB on new install (closes: 741912)
+
+ -- Martin <christoph.martin@uni-mainz.de>  Mon, 19 May 2014 13:36:04 +0200
+
 sks (1.1.3-2) unstable; urgency=high
 
   * add Vcs tags to control file
diff -Nru sks-1.1.3/debian/control sks-1.1.3/debian/control
--- sks-1.1.3/debian/control	2012-10-15 11:45:50.000000000 +0200
+++ sks-1.1.3/debian/control	2014-05-19 12:01:00.000000000 +0200
@@ -3,10 +3,11 @@
 Priority: optional
 Standards-Version: 3.9.1
 Maintainer: Christoph Martin <christoph.martin@uni-mainz.de>
-Uploaders: Fabio M. Di Nitto <fabbione@fabbione.net>
+Uploaders: Fabio M. Di Nitto <fabbione@fabbione.net>,
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 Build-Depends: ocaml (>= 3.08), camlp4, libdb-dev, debhelper (>= 7.0.50~), zlib1g-dev, libcryptokit-ocaml-dev (>= 1.2-4), ocaml-nox (>= 1.3-4), perl, perl-doc, dh-ocaml (>= 0.9~)
-Vcs-Browser: http://svn.debian.org/wsvn/pkg-sks
-Vcs-Svn: svn://svn.debian.org/pkg-sks/
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-sks/pkg-sks.git
+Vcs-Git: git://anonscm.debian.org/pkg-sks/pkg-sks.git
 
 Package: sks
 Architecture: any
diff -Nru sks-1.1.3/debian/patches/530_cve-2014-3207_xss.patch sks-1.1.3/debian/patches/530_cve-2014-3207_xss.patch
--- sks-1.1.3/debian/patches/530_cve-2014-3207_xss.patch	1970-01-01 01:00:00.000000000 +0100
+++ sks-1.1.3/debian/patches/530_cve-2014-3207_xss.patch	2014-05-19 12:01:00.000000000 +0200
@@ -0,0 +1,67 @@
+# https://bitbucket.org/skskeyserver/sks-keyserver/commits/88d453cdc858d1352c61a4d4a6cd5b1ac17f2724/raw/
+diff --git a/CHANGELOG b/CHANGELOG
+index 9ccd738..4b9e9aa 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,7 @@
++1.1.5 backport to 1.1.3
++  - Fix a non-persistent cross-site scripting possibility resulting from 
++    improper input sanitation before writing to client. (BB Issue #26 | [CVE-2014-3207])
++  
+ 1.1.3
+   - Makefile fix for 'make dep' if .depend does not exist. Issue #4
+   - Makefile fix: sks and sks_add_mail fail to link w/o '-ccopt -pg'
+diff --git a/htmlTemplates.ml b/htmlTemplates.ml
+index ece9276..f488fad 100644
+--- a/htmlTemplates.ml
++++ b/htmlTemplates.ml
+@@ -33,6 +33,8 @@ let html_quote string =
+ 	| '>' -> sout#write_string "&gt;"
+ 	| '&' -> sout#write_string "&amp;"
+ 	| '"' -> sout#write_string "&quot;"
++        | '\''-> sout#write_string "&#x27;"
++        | '/'-> sout#write_string "&#x2F;"
+ 	| c -> sout#write_char c  
+     done;
+     ""
+diff --git a/wserver.ml b/wserver.ml
+index 2c22dd2..b3d51bd 100644
+--- a/wserver.ml
++++ b/wserver.ml
+@@ -279,7 +279,7 @@ let accept_connection f ~recover_timeout addr cin cout =
+ 	    let output = 
+ 	      HtmlTemplates.page ~title:"Not implemented"
+ 		~body:(sprintf "Error handling request %s: %s not implemented." 
+-			 (request_to_string request) s)
++			 (request_to_string request) (HtmlTemplates.html_quote s))
+ 	    in
+ 	    send_result cout ~error_code:501 output
+ 	      
+@@ -287,7 +287,7 @@ let accept_connection f ~recover_timeout addr cin cout =
+ 	    ignore (Unix.alarm recover_timeout);
+ 	    plerror 2 "Page not found: %s" s;
+ 	    let output = HtmlTemplates.page ~title:"Page not found"
+-		 ~body:(sprintf "Page not found: %s" s)
++		 ~body:(sprintf "Page not found: %s" (HtmlTemplates.html_quote s))
+ 	    in
+ 	    send_result cout ~error_code:404 output
+ 
+@@ -296,7 +296,7 @@ let accept_connection f ~recover_timeout addr cin cout =
+ 	    plerror 2 "Error handling request %s: %s" 
+ 	      (request_to_string request) s;
+ 	    let output = HtmlTemplates.page ~title:"Error handling request"
+-		 ~body:(sprintf "Error handling request: %s" s)
++		 ~body:(sprintf "Error handling request: %s" (HtmlTemplates.html_quote s))
+ 	    in
+ 	    send_result cout ~error_code:500 output
+ 
+@@ -306,8 +306,7 @@ let accept_connection f ~recover_timeout addr cin cout =
+ 	      (request_to_string request) (Common.err_to_string e);
+ 	    let output = 
+ 	      (HtmlTemplates.page ~title:"Error handling request"
+-		 ~body:(sprintf "Error handling request.  Exception raised: %s"
+-			  (Common.err_to_string e)))
++		 ~body:(sprintf "Error handling request.  Exception raised."))
+ 	    in
+ 	    send_result cout ~error_code:500 output
+     with
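Review bot: In the 501 "Not implemented" branch of wserver.ml the page body still interpolates `(request_to_string request)` unquoted; only `s` goes through `html_quote`. The definition of request_to_string is outside this patch, but if it renders the client-supplied request line or headers, that text still reaches the HTML page unescaped and the fix is incomplete for this branch. I would quote both arguments: `(HtmlTemplates.html_quote (request_to_string request)) (HtmlTemplates.html_quote s))`. accept_connection starts and ends outside the hunks shown.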
diff -Nru sks-1.1.3/debian/patches/series sks-1.1.3/debian/patches/series
--- sks-1.1.3/debian/patches/series	2012-06-14 19:05:39.000000000 +0200
+++ sks-1.1.3/debian/patches/series	2014-05-19 12:42:15.000000000 +0200
@@ -6,6 +6,7 @@
 #508_build_fastbuild.patch 
 #509-content-types.patch 
 #510-allowed-chars.patch 
-511_gcc44.patch 
+#511_gcc44.patch 
 #512_no_XA_berkeleydb.patch
 #520_fix_non-compliant_POST.patch
+530_cve-2014-3207_xss.patch
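Review bot: The change from `511_gcc44.patch` to `#511_gcc44.patch` stops applying a patch that the previous series file had enabled, and neither the changelog entry nor the request text mentions it. A stable update should account for every functional change; whether the patch is still needed for the build is not visible here. Either keep the line enabled or add a changelog bullet such as `  * stop applying 511_gcc44.patch (<reason>)`.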
diff -Nru sks-1.1.3/debian/sks.postinst sks-1.1.3/debian/sks.postinst
--- sks-1.1.3/debian/sks.postinst	2012-06-20 10:41:30.000000000 +0200
+++ sks-1.1.3/debian/sks.postinst	2014-05-19 13:34:30.000000000 +0200
@@ -51,6 +51,9 @@
     chgrp -R adm /var/log/sks
     chmod -R g+rX /var/log/sks
     chmod    g+s  /var/log/sks
+
+    # Note the active Berkeley DB version
+    cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
 else
     if [ "$1" = "configure" ]; then
 	# fix permissions of logs after 1.0.9-0.1
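Review bot: The added `cp -f` writes to a fixed name under /var/lib/sks from the maintainer script, which appears to run as root given the `su debian-sks` used elsewhere in it. If that directory is writable by the debian-sks account, which is not visible here, cp would follow a symlink left at berkeley_db.active and overwrite its target. The same applies to the `cp -f` added under the `elif` in the third hunk of this file, where the directory has already been in use by the daemon. `cp --remove-destination /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active` replaces the entry instead of writing through it. The enclosing if/else starts before this hunk.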
@@ -120,8 +123,12 @@
 		cp -a ${SKS_DIR}/${DBHOME}/$log_file ${BACKUP_DIR}/${DBHOME}/
 	    done
 
+            if [ -e "${SKS_DIR}/${DBHOME}/DB_CONFIG" ]; then
+                cp -a ${SKS_DIR}/${DBHOME}/DB_CONFIG ${BACKUP_DIR}/${DBHOME}/
+            fi
+
 	    # Backup & upgrade database files
-	    for db in $(cd ${SKS_DIR}/${DBHOME}; ls -1 | grep -Ev "^(__|log\.)"); do
+	    for db in $(cd ${SKS_DIR}/${DBHOME}; ls -1 | grep -Ev "^(__|log\.|DB_CONFIG$)"); do
 		# Backup database file
 		su debian-sks -c "cp ${SKS_DIR}/${DBHOME}/${db} ${BACKUP_DIR}/${DBHOME}/"
 		# Upgrade database file
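Review bot: The new DB_CONFIG backup quotes the path in the `-e` test but leaves the `cp -a` arguments unquoted, and it runs as root while the per-database backup just below goes through `su debian-sks`. Quoting keeps the copy correct if either directory variable ever contains whitespace: `cp -a "${SKS_DIR}/${DBHOME}/DB_CONFIG" "${BACKUP_DIR}/${DBHOME}/"`. A short comment such as `# DB_CONFIG is not a database file: back it up, but keep it out of the upgrade loop` would explain the extra alternative in the grep. The surrounding block starts outside the hunk.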
@@ -136,6 +143,8 @@
 	# Note the active Berkeley DB version
 	cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
 
+	elif [ ! -e /var/lib/sks/berkeley_db.active ]; then
+	    cp -f /usr/lib/sks/berkeley_db.txt /var/lib/sks/berkeley_db.active
 	fi
     fi
 fi
begin:vcard
fn:Christoph Martin
n:Martin;Christoph
org;quoted-printable;quoted-printable:Johannes Gutenberg-Universit=C3=A4t;Zentrum f=C3=BCr Datenverarbeitung
adr:;;Anselm Franz von Bentzel-Weg 12;Mainz;;55128;Germany
email;internet:martin@uni-mainz.de
tel;work:+49-6131-3926337
tel;fax:+49-6131-3926407
tel;cell:+49-179-7952652
x-mozilla-html:FALSE
version:2.1
end:vcard

Attachment: signature.asc
Description: OpenPGP digital signature

