
Bug#885183: marked as done (stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1)



Your message dated Sun, 31 Mar 2019 15:06:29 +0100
with message-id <1554041189.2650.38.camel@adam-barratt.org.uk>
and subject line Re: Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
has caused the Debian Bug report #885183,
regarding stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
885183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885183
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to submit to your consideration an update to ntopng in
stretch.

The main bug that triggered this upload is #856048, which causes the
user management and preferences section of the web interface to
be unusable.

The fix is already in version 2.4+dfsg1-4 in unstable.

There are three additional important issues from 2.4+dfsg1-4 that I
think it would make sense to include:
- #859653 which causes ntopng to crash if the mysql backend is selected.
  This change only affects mysql users. On the other hand, these are
  obvious use-after-free and out-of-bounds memory access issues.
- #866721 and #866719, which are security-related issues. Do you want
  me to reach out to the security team about these first? Do we need to
  treat the whole update as a security one instead, or split it?

debdiff attached.

Thank you,
Ludovico


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (470, 'unstable'), (460, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ntopng-2.4+dfsg1/debian/changelog ntopng-2.4+dfsg1/debian/changelog
--- ntopng-2.4+dfsg1/debian/changelog	2017-02-04 04:43:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/changelog	2017-12-24 21:18:54.000000000 +0100
@@ -1,8 +1,22 @@
-ntopng (2.4+dfsg1-3) unstable; urgency=high
+ntopng (2.4+dfsg1-3+deb9u1) stretch; urgency=medium
+
+  * Update Check-for-presence-of-crsf-in-admin-scripts.patch to avoid the
+    'Missing CSRF parameter' error (Closes: #856048).
+  * Add CVE-2017-7458.patch to prevent an empty host to crash ntopng
+    (Closes: #866721, CVE-2017-7458).
+  * Add CVE-2017-7459.patch to prevent \r\n from being injected into HTTP URIs
+    (Closes: #866719, CVE-2017-7459).
+  * Add Avoid-access-after-free.patch and
+    Avoid-access-to-unintialized-memory.patch to fix crash with mysql (thanks
+    to Bernhard Übelacker, Closes: #859653).
+
+ -- Ludovico Cavedon <cavedon@debian.org>  Sun, 24 Dec 2017 21:18:54 +0100
+
+ntopng (2.4+dfsg1-3) unstable; urgency=medium
 
   * Import upstream patches fixing CVE-2017-5473. (Closes: #852109)
 
- -- Ludovico Cavedon <cavedon@debian.org>  Fri, 03 Feb 2017 19:43:00 -0800
+ -- Ludovico Cavedon <cavedon@debian.org>  Sun, 24 Dec 2017 21:14:54 +0100
 
 ntopng (2.4+dfsg1-2) unstable; urgency=high
 
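Review bot: the already-released 2.4+dfsg1-3 changelog entry is rewritten in this hunk, not just left in place: its urgency changes from high to medium (`-ntopng (2.4+dfsg1-3) unstable; urgency=high` / `+ntopng (2.4+dfsg1-3) unstable; urgency=medium`) and its timestamp moves from `Fri, 03 Feb 2017 19:43:00 -0800` to `Sun, 24 Dec 2017 21:14:54 +0100`. A historical entry should stay exactly as shipped; the stretch-pu diff should only add the new 2.4+dfsg1-3+deb9u1 entry on top of the stretch changelog. Separately, the new patch name `Avoid-access-to-unintialized-memory.patch` carries a typo; if it is renamed, the changelog, `debian/patches/series` and the patch header must all change together.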
diff -Nru ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch
--- ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch	1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch	2017-12-24 21:17:07.000000000 +0100
@@ -0,0 +1,48 @@
+Description: Avoid access after free
+Author: Bernhard Übelacker <bernhardu@mailbox.org>
+Bug-Debian: https://bugs.debian.org/859653
+Applied-Upstream: yes
+
+Found while investigating for https://bugs.debian.org/859653
+
+==10143== Invalid read of size 8
+==10143==    at 0x616E301: mysql_num_rows (client.c:4561)
+==10143==    by 0x11C1AD: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:593)
+==10143==    by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==    by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==10143==    by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==    by 0x1187D3: main (main.cpp:117)
+==10143==  Address 0x144527a8 is 8 bytes inside a block of size 208 free'd
+==10143==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
+==10143==    by 0x11C1A5: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:592)
+==10143==    by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==    by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==10143==    by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==    by 0x1187D3: main (main.cpp:117)
+==10143==  Block was alloc'd at
+==10143==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
+==10143==    by 0x61A7D95: my_malloc (my_malloc.c:101)
+==10143==    by 0x616C1D5: mysql_store_result (client.c:4094)
+==10143==    by 0x11C190: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:589)
+==10143==    by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==    by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==10143==    by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==    by 0x1187D3: main (main.cpp:117)
+---
+ src/MySQLDB.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ntopng/src/MySQLDB.cpp
+===================================================================
+--- ntopng.orig/src/MySQLDB.cpp
++++ ntopng/src/MySQLDB.cpp
+@@ -589,8 +589,8 @@ int MySQLDB::exec_sql_query(MYSQL *conn,
+     if((result = mysql_store_result(&mysql)) == NULL)
+       rc = 0;  // unable to retrieve the result but still the query succeded
+     else{
+-      mysql_free_result(result);
+       rc = mysql_num_rows(result);
++      mysql_free_result(result);
+     }
+   }
+ 
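Review bot: the reorder is the right fix for the valgrind trace quoted in the header (`mysql_num_rows` was reading the result set that `mysql_free_result` had released one line earlier), but the header says `Applied-Upstream: yes` without an `Origin:` line naming the upstream commit, unlike the two CVE patches in this debdiff; add it so the backport can be traced. Minor: the comment on the `rc = 0` line still reads `succeded`.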
diff -Nru ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch
--- ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch	1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch	2017-12-24 21:17:07.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Avoid access to unintialized memory
+Author: Bernhard Übelacker <bernhardu@mailbox.org>
+Bug-Debian: https://bugs.debian.org/859653
+Applied-Upstream: yes
+
+Found while investigating for https://bugs.debian.org/859653
+
+==14371== Use of uninitialised value of size 8
+==14371==    at 0x7B0A16B: _itoa_word (_itoa.c:179)
+==14371==    by 0x7B0E869: vfprintf (vfprintf.c:1636)
+==14371==    by 0x7BBC8F5: __vsnprintf_chk (vsnprintf_chk.c:63)
+==14371==    by 0x7BBC857: __snprintf_chk (snprintf_chk.c:34)
+==14371==    by 0x11D2EA: snprintf (stdio2.h:65)
+==14371==    by 0x11D2EA: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:294)
+==14371==    by 0x1496CF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==14371==    by 0x122791: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==14371==    by 0x1188F3: main (main.cpp:117)
+
+==19200== Use of uninitialised value of size 8
+==19200==    at 0x7B0A16B: _itoa_word (_itoa.c:179)
+==19200==    by 0x7B0E869: vfprintf (vfprintf.c:1636)
+==19200==    by 0x7BBC8F5: __vsnprintf_chk (vsnprintf_chk.c:63)
+==19200==    by 0x7BBC857: __snprintf_chk (snprintf_chk.c:34)
+==19200==    by 0x11D474: snprintf (stdio2.h:65)
+==19200==    by 0x11D474: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:321)
+==19200==    by 0x14980F: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==19200==    by 0x1228D1: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==19200==    by 0x1188F3: main (main.cpp:117)
+---
+ src/MySQLDB.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: ntopng/src/MySQLDB.cpp
+===================================================================
+--- ntopng.orig/src/MySQLDB.cpp
++++ ntopng/src/MySQLDB.cpp
+@@ -289,7 +289,7 @@ MySQLDB::MySQLDB(NetworkInterface *_ifac
+   // Move column BYTES to BYTES_IN and add BYTES_OUT
+   // note that this operation will arbitrarily move the old BYTES contents to BYTES_IN
+   const u_int16_t ipvers[2] = {4, 6};
+-  for (u_int16_t i = 0; i < sizeof(ipvers); i++){
++  for (u_int16_t i = 0; i < sizeof(ipvers)/sizeof(*ipvers); i++){
+     snprintf(sql, sizeof(sql), "SHOW COLUMNS FROM `%sv%hu` LIKE 'BYTES'",
+ 	     ntop->getPrefs()->get_mysql_tablename(), ipvers[i]);
+     if(exec_sql_query(&mysql, sql, true, true) > 0){
+@@ -309,7 +309,7 @@ MySQLDB::MySQLDB(NetworkInterface *_ifac
+   }
+ 
+   // Modify database engine to MyISAM (that is much faster in non-transactional environments)
+-  for (u_int16_t i = 0; i < sizeof(ipvers); i++){
++  for (u_int16_t i = 0; i < sizeof(ipvers)/sizeof(*ipvers); i++){
+     snprintf(sql, sizeof(sql),
+ 	     "SELECT 1 "
+ 	     "FROM information_schema.TABLES "
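Review bot: `sizeof(ipvers)` is the array size in bytes (4 for two `u_int16_t`), so the old loops ran i = 0..3 and read `ipvers[2]` and `ipvers[3]` past the end of the array, which is the uninitialised value valgrind reports inside the `snprintf` calls at MySQLDB.cpp:294 and :321; dividing by `sizeof(*ipvers)` fixes both loops. Since the same bound is now spelled out twice, a named element-count constant would keep the two loops from drifting apart. The `Description:` line and the file name both misspell `unintialized`.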
diff -Nru ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch
--- ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch	2017-02-04 04:38:07.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch	2017-12-24 21:16:57.000000000 +0100
@@ -44,17 +44,25 @@
  	      }
  
  	      lua_push_str_table_entry(L, tok, decoded_buf);
-@@ -5034,6 +5037,13 @@ int Lua::handle_script_request(struct mg
+@@ -5034,6 +5037,9 @@ int Lua::handle_script_request(struct mg
      } else
        ntop->getTrace()->traceEvent(TRACE_WARNING, "Not enough memory");
    }
 +
-+  if(strstr(request_info->uri, "/admin/") && (!csrf_found)) {
-+    const char *msg = "Missing CSRF parameter";
-+    
-+    return(send_error(conn, 500 /* Internal server error */, msg, PAGE_ERROR, request_info->uri, msg));
-+  }
++  lua_push_bool_table_entry(L, "valid_csrf", csrf_found);
 +  
    lua_setglobal(L, "_GET"); /* Like in php */
  
    /* _SERVER */
+Index: ntopng/scripts/lua/modules/lua_utils.lua
+===================================================================
+--- ntopng.orig/scripts/lua/modules/lua_utils.lua
++++ ntopng/scripts/lua/modules/lua_utils.lua
+@@ -1649,6 +1649,7 @@ end
+ 
+ 
+ function getInterfaceNameAlias(interface_name)
++   if(interface_name == nil) then return("") end
+    -- io.write(debug.traceback().."\n")
+    label = ntop.getCache('ntopng.prefs.'..interface_name..'.name')
+    if((label == nil) or (label == "")) then
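Review bot: CSRF enforcement moves out of the C++ server in this hunk: the hard `return(send_error(conn, 500 /* Internal server error */, msg, PAGE_ERROR, request_info->uri, msg));` for `/admin/` URIs without a token is removed and replaced by `lua_push_bool_table_entry(L, "valid_csrf", csrf_found);`, so a missing token is now only reported to the Lua side as `_GET.valid_csrf`. Nothing in this debdiff shows an admin script consuming that flag, so please confirm that the stretch Lua scripts actually check `valid_csrf` and refuse to act when it is false; otherwise this trades the "Missing CSRF parameter" breakage of #856048 for admin pages with no CSRF enforcement at all. The nil guard in `getInterfaceNameAlias` is fine, though returning `""` silently hides a caller passing a nil interface name, which may be worth a trace message.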
diff -Nru ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch
--- ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch	1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch	2017-12-24 21:16:36.000000000 +0100
@@ -0,0 +1,32 @@
+Description: Prevent empty host from causing a crash (CVE-2017-7458).
+Origin: backport, https://github.com/ntop/ntopng/commit/01f47e04fd7c8d54399c9e465f823f0017069f8f, https://github.com/ntop/ntopng/commit/971e0e46afdf242ac2a1c990edfe9036bf7efccd
+Bug-Debian: https://bugs.debian.org/866721
+Applied-Upstream: yes
+
+Index: ntopng/src/NetworkInterface.cpp
+===================================================================
+--- ntopng.orig/src/NetworkInterface.cpp
++++ ntopng/src/NetworkInterface.cpp
+@@ -1762,6 +1762,8 @@ Host* NetworkInterface::getHost(char *ho
+   struct in6_addr a6;
+   Host *h = NULL;
+ 
++  if(!host_ip) return(NULL);
++
+   /* Check if address is invalid */
+   if((inet_pton(AF_INET, (const char*)host_ip, &a4) == 0)
+      && (inet_pton(AF_INET6, (const char*)host_ip, &a6) == 0)) {
+Index: ntopng/src/Lua.cpp
+===================================================================
+--- ntopng.orig/src/Lua.cpp
++++ ntopng/src/Lua.cpp
+@@ -1133,6 +1133,9 @@ static void get_host_vlan_info(char* lua
+   if(((*host_ip) = strtok_r(buf, "@", &where)) != NULL)
+     vlan = strtok_r(NULL, "@", &where);
+ 
++  if(host_ip == NULL)
++    *host_ip = lua_ip;
++
+   if(vlan)
+     (*vlan_id) = (u_int16_t)atoi(vlan);
+ }
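Review bot: in `get_host_vlan_info`, the new `if(host_ip == NULL)` tests the `char **` out-parameter, not the string it points to; the line just above already dereferences it (`(*host_ip) = strtok_r(buf, "@", &where)`), so the condition can never be true at that point and the fallback `*host_ip = lua_ip;` is dead code. If the intent is to fall back to the original string when `strtok_r` returns no token, the test should be `*host_ip == NULL`. The `if(!host_ip) return(NULL);` guard added to `NetworkInterface::getHost` is what actually stops the crash and is fine on its own.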
diff -Nru ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch
--- ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch	1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch	2017-12-24 21:16:45.000000000 +0100
@@ -0,0 +1,48 @@
+Description: Prevent \r\n from being injected into HTTP URIs (CVE-2017-7459).
+Origin: backport, https://github.com/ntop/ntopng/commit/9469e58f07e043da712e6d6c41244852a11bcaeb
+Bug-Debian: https://bugs.debian.org/866719
+Applied-Upstream: yes
+
+Index: ntopng/src/HTTPserver.cpp
+===================================================================
+--- ntopng.orig/src/HTTPserver.cpp
++++ ntopng/src/HTTPserver.cpp
+@@ -325,9 +325,15 @@ static void uri_encode(const char *src,
+ 
+ static int handle_lua_request(struct mg_connection *conn) {
+   struct mg_request_info *request_info = mg_get_request_info(conn);
+-  u_int len = (u_int)strlen(request_info->uri);
++  char *crlf;
++  u_int len;
+   char username[33] = { 0 };
+ 
++  if((crlf = strstr(request_info->uri, "\r\n")))
++    *crlf = '\0'; /* Prevents HTTP splitting attacks */
++
++  len = (u_int)strlen(request_info->uri);
++
+   if((ntop->getGlobals()->isShutdown())
+      //|| (strcmp(request_info->request_method, "GET"))
+      || (ntop->getRedis() == NULL /* Starting up... */)
+@@ -373,7 +379,7 @@ static int handle_lua_request(struct mg_
+     bool found;
+ 
+     snprintf(path, sizeof(path), "%s%s", httpserver->get_scripts_dir(),
+-	     Utils::getURL((strlen(request_info->uri) == 1) ? (char*)"/lua/index.lua" : request_info->uri,
++	     Utils::getURL(len == 1 ? (char*)"/lua/index.lua" : request_info->uri,
+ 			   uri, sizeof(uri)));
+ 
+     ntop->fixPath(path);
+Index: ntopng/src/Lua.cpp
+===================================================================
+--- ntopng.orig/src/Lua.cpp
++++ ntopng/src/Lua.cpp
+@@ -4870,7 +4870,7 @@ void Lua::purifyHTTPParameter(char *para
+ 
+       default:
+ 	if(!Utils::isPrintableChar(c)) {
+-	  ntop->getTrace()->traceEvent(TRACE_WARNING, "Discarded char '%c' in URI [%s]", c, param);
++	  ntop->getTrace()->traceEvent(TRACE_WARNING, "Discarded char '0x%02x' in URI [%s]", c, param);
+ 	  ampercent[0] = '\0';
+ 	  return;
+ 	}
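Review bot: the CRLF handling in `handle_lua_request` truncates silently: `*crlf = '\0';` cuts the URI at the first literal `\r\n` and then serves the shortened path as if the request had been well-formed, so an operator never learns that a malformed URI arrived. Only the exact two-byte sequence is handled; a lone `\r` or `\n` passes this check and is left for `purifyHTTPParameter` to discard later. Rejecting the request with an error response, as the function already does a few lines below for the shutdown and startup cases, and logging it through `traceEvent` would be the more defensible behaviour. On the logging change: if `c` is a plain `char`, bytes above 0x7f are sign-extended and `%02x` prints them as `0xffffffxx`; pass `(unsigned char)c`.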
diff -Nru ntopng-2.4+dfsg1/debian/patches/series ntopng-2.4+dfsg1/debian/patches/series
--- ntopng-2.4+dfsg1/debian/patches/series	2017-02-04 04:35:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/series	2017-12-24 21:17:32.000000000 +0100
@@ -6,3 +6,7 @@
 no-pwd.patch
 kfreebsd-tap.patch
 reproducible-build.patch
+CVE-2017-7458.patch
+CVE-2017-7459.patch
+Avoid-access-after-free.patch
+Avoid-access-to-unintialized-memory.patch

--- End Message ---
--- Begin Message ---
On Sat, 2019-03-09 at 16:22 +0000, Adam D. Barratt wrote:
> On Fri, 2018-11-09 at 06:55 +0100, Salvatore Bonaccorso wrote:
> > Hi Ludovico,
> > 
> > On Sat, Feb 10, 2018 at 10:25:47AM +0100, Julien Cristau wrote:
[...]
> > > Assuming this has been properly tested in a stretch environment,
> > > please
> > > go ahead and upload.
> > 
> > Friendly ping ;-)
> 
> Re-ping.
> 
> If nothing happens within a couple of weeks then I plan on closing
> this
> bug.

Doing so with this mail.

Regards,

Adam

--- End Message ---
