--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1
- From: Ludovico Cavedon <cavedon@debian.org>
- Date: Mon, 25 Dec 2017 21:26:58 +0100
- Message-id: <20171225202658.GA22055@palladio.local>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I would like to submit to your consideration an update to ntopng in
stretch.
The main bug that triggered this upload is #856048, which causes the
user management and preferences section of the web interface to
be unusable.
The fix is already in version 2.4+dfsg1-4 in unstable.
There are three additional important issues from 2.4+dfsg1-4 that I
think it would make sense to include:
- #859653 which causes ntopng to crash if the mysql backend is selected.
This change only affects mysql users. On the other hand, these are
obvious use-after-free and out-of-bounds memory access issues.
- #866721 and #866719, which are security-related issues. Do you want
me to reach out to the security team about these first? Do we need to
treat the whole update as a security one instead, or split it?
debdiff attached.
Thank you,
Ludovico
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (470, 'unstable'), (460, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ntopng-2.4+dfsg1/debian/changelog ntopng-2.4+dfsg1/debian/changelog
--- ntopng-2.4+dfsg1/debian/changelog 2017-02-04 04:43:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/changelog 2017-12-24 21:18:54.000000000 +0100
@@ -1,8 +1,22 @@
-ntopng (2.4+dfsg1-3) unstable; urgency=high
+ntopng (2.4+dfsg1-3+deb9u1) stretch; urgency=medium
+
+ * Update Check-for-presence-of-crsf-in-admin-scripts.patch to avoid the
+ 'Missing CSRF parameter' error (Closes: #856048).
+ * Add CVE-2017-7458.patch to prevent an empty host to crash ntopng
+ (Closes: #866721, CVE-2017-7458).
+ * Add CVE-2017-7459.patch to prevent \r\n from being injected into HTTP URIs
+ (Closes: #866719, CVE-2017-7459).
+ * Add Avoid-access-after-free.patch and
+ Avoid-access-to-unintialized-memory.patch to fix crash with mysql (thanks
+ to Bernhard Übelacker, Closes: #859653).
+
+ -- Ludovico Cavedon <cavedon@debian.org> Sun, 24 Dec 2017 21:18:54 +0100
+
+ntopng (2.4+dfsg1-3) unstable; urgency=medium
* Import upstream patches fixing CVE-2017-5473. (Closes: #852109)
- -- Ludovico Cavedon <cavedon@debian.org> Fri, 03 Feb 2017 19:43:00 -0800
+ -- Ludovico Cavedon <cavedon@debian.org> Sun, 24 Dec 2017 21:14:54 +0100
ntopng (2.4+dfsg1-2) unstable; urgency=high
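Review bot: the already-released 2.4+dfsg1-3 entry is rewritten in this hunk: its urgency drops from high to medium and its timestamp moves from Fri, 03 Feb 2017 to Sun, 24 Dec 2017 (the `-ntopng (2.4+dfsg1-3) unstable; urgency=high` and `- -- Ludovico Cavedon <cavedon@debian.org> Fri, 03 Feb 2017 19:43:00 -0800` lines). A published changelog stanza should stay byte-identical to what was uploaded; only the new +deb9u1 stanza belongs in this diff, so restore those two lines before uploading.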
diff -Nru ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch
--- ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch 2017-12-24 21:17:07.000000000 +0100
@@ -0,0 +1,48 @@
+Description: Avoid access after free
+Author: Bernhard Übelacker <bernhardu@mailbox.org>
+Bug-Debian: https://bugs.debian.org/859653
+Applied-Upstream: yes
+
+Found while investigating for https://bugs.debian.org/859653
+
+==10143== Invalid read of size 8
+==10143== at 0x616E301: mysql_num_rows (client.c:4561)
+==10143== by 0x11C1AD: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:593)
+==10143== by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143== by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==10143== by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143== by 0x1187D3: main (main.cpp:117)
+==10143== Address 0x144527a8 is 8 bytes inside a block of size 208 free'd
+==10143== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
+==10143== by 0x11C1A5: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:592)
+==10143== by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143== by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==10143== by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143== by 0x1187D3: main (main.cpp:117)
+==10143== Block was alloc'd at
+==10143== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
+==10143== by 0x61A7D95: my_malloc (my_malloc.c:101)
+==10143== by 0x616C1D5: mysql_store_result (client.c:4094)
+==10143== by 0x11C190: MySQLDB::exec_sql_query(st_mysql*, char*, bool, bool, bool) (MySQLDB.cpp:589)
+==10143== by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143== by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==10143== by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143== by 0x1187D3: main (main.cpp:117)
+---
+ src/MySQLDB.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ntopng/src/MySQLDB.cpp
+===================================================================
+--- ntopng.orig/src/MySQLDB.cpp
++++ ntopng/src/MySQLDB.cpp
+@@ -589,8 +589,8 @@ int MySQLDB::exec_sql_query(MYSQL *conn,
+ if((result = mysql_store_result(&mysql)) == NULL)
+ rc = 0; // unable to retrieve the result but still the query succeded
+ else{
+- mysql_free_result(result);
+ rc = mysql_num_rows(result);
++ mysql_free_result(result);
+ }
+ }
+
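Review bot: the DEP-3 header says `Applied-Upstream: yes` but, unlike the two CVE patches, carries no `Origin:` line naming the upstream commit, so a reviewer cannot check that this backport matches what upstream merged; add the commit URL. Minor, in the code hunk: `rc = mysql_num_rows(result);` stores a my_ulonglong row count into the function's int return value, so a very large result set would wrap; that is pre-existing, but a cast or clamp is cheap while these lines are being touched. The reordering itself (count rows first, then `mysql_free_result(result);`) is exactly what the valgrind trace calls for.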
diff -Nru ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch
--- ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Avoid-access-to-unintialized-memory.patch 2017-12-24 21:17:07.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Avoid access to unintialized memory
+Author: Bernhard Übelacker <bernhardu@mailbox.org>
+Bug-Debian: https://bugs.debian.org/859653
+Applied-Upstream: yes
+
+Found while investigating for https://bugs.debian.org/859653
+
+==14371== Use of uninitialised value of size 8
+==14371== at 0x7B0A16B: _itoa_word (_itoa.c:179)
+==14371== by 0x7B0E869: vfprintf (vfprintf.c:1636)
+==14371== by 0x7BBC8F5: __vsnprintf_chk (vsnprintf_chk.c:63)
+==14371== by 0x7BBC857: __snprintf_chk (snprintf_chk.c:34)
+==14371== by 0x11D2EA: snprintf (stdio2.h:65)
+==14371== by 0x11D2EA: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:294)
+==14371== by 0x1496CF: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==14371== by 0x122791: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==14371== by 0x1188F3: main (main.cpp:117)
+
+==19200== Use of uninitialised value of size 8
+==19200== at 0x7B0A16B: _itoa_word (_itoa.c:179)
+==19200== by 0x7B0E869: vfprintf (vfprintf.c:1636)
+==19200== by 0x7BBC8F5: __vsnprintf_chk (vsnprintf_chk.c:63)
+==19200== by 0x7BBC857: __snprintf_chk (snprintf_chk.c:34)
+==19200== by 0x11D474: snprintf (stdio2.h:65)
+==19200== by 0x11D474: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:321)
+==19200== by 0x14980F: NetworkInterface::NetworkInterface(char const*) (NetworkInterface.cpp:133)
+==19200== by 0x1228D1: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==19200== by 0x1188F3: main (main.cpp:117)
+---
+ src/MySQLDB.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: ntopng/src/MySQLDB.cpp
+===================================================================
+--- ntopng.orig/src/MySQLDB.cpp
++++ ntopng/src/MySQLDB.cpp
+@@ -289,7 +289,7 @@ MySQLDB::MySQLDB(NetworkInterface *_ifac
+ // Move column BYTES to BYTES_IN and add BYTES_OUT
+ // note that this operation will arbitrarily move the old BYTES contents to BYTES_IN
+ const u_int16_t ipvers[2] = {4, 6};
+- for (u_int16_t i = 0; i < sizeof(ipvers); i++){
++ for (u_int16_t i = 0; i < sizeof(ipvers)/sizeof(*ipvers); i++){
+ snprintf(sql, sizeof(sql), "SHOW COLUMNS FROM `%sv%hu` LIKE 'BYTES'",
+ ntop->getPrefs()->get_mysql_tablename(), ipvers[i]);
+ if(exec_sql_query(&mysql, sql, true, true) > 0){
+@@ -309,7 +309,7 @@ MySQLDB::MySQLDB(NetworkInterface *_ifac
+ }
+
+ // Modify database engine to MyISAM (that is much faster in non-transactional environments)
+- for (u_int16_t i = 0; i < sizeof(ipvers); i++){
++ for (u_int16_t i = 0; i < sizeof(ipvers)/sizeof(*ipvers); i++){
+ snprintf(sql, sizeof(sql),
+ "SELECT 1 "
+ "FROM information_schema.TABLES "
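Review bot: `unintialized` is misspelled in both the file name (`Avoid-access-to-unintialized-memory.patch`) and the `Description:` line, and the same spelling is repeated in debian/patches/series and in the changelog entry; rename to `uninitialized` in all three places now, since renaming a patch after release is more disruptive than before. The fix itself is correct: `sizeof(ipvers)` is 4 bytes for an array of two u_int16_t, so the old `i < sizeof(ipvers)` loop read `ipvers[2]` and `ipvers[3]` past the end of the array, which is what the two valgrind reports at MySQLDB.cpp:294 and :321 show; `sizeof(ipvers)/sizeof(*ipvers)` gives the element count.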
diff -Nru ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch
--- ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch 2017-02-04 04:38:07.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Check-for-presence-of-crsf-in-admin-scripts.patch 2017-12-24 21:16:57.000000000 +0100
@@ -44,17 +44,25 @@
}
lua_push_str_table_entry(L, tok, decoded_buf);
-@@ -5034,6 +5037,13 @@ int Lua::handle_script_request(struct mg
+@@ -5034,6 +5037,9 @@ int Lua::handle_script_request(struct mg
} else
ntop->getTrace()->traceEvent(TRACE_WARNING, "Not enough memory");
}
+
-+ if(strstr(request_info->uri, "/admin/") && (!csrf_found)) {
-+ const char *msg = "Missing CSRF parameter";
-+
-+ return(send_error(conn, 500 /* Internal server error */, msg, PAGE_ERROR, request_info->uri, msg));
-+ }
++ lua_push_bool_table_entry(L, "valid_csrf", csrf_found);
+
lua_setglobal(L, "_GET"); /* Like in php */
/* _SERVER */
+Index: ntopng/scripts/lua/modules/lua_utils.lua
+===================================================================
+--- ntopng.orig/scripts/lua/modules/lua_utils.lua
++++ ntopng/scripts/lua/modules/lua_utils.lua
+@@ -1649,6 +1649,7 @@ end
+
+
+ function getInterfaceNameAlias(interface_name)
++ if(interface_name == nil) then return("") end
+ -- io.write(debug.traceback().."\n")
+ label = ntop.getCache('ntopng.prefs.'..interface_name..'.name')
+ if((label == nil) or (label == "")) then
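Review bot: this change removes the server-side rejection (`return(send_error(conn, 500 /* Internal server error */, msg, PAGE_ERROR, request_info->uri, msg));` for `/admin/` requests without the token) and replaces it with `lua_push_bool_table_entry(L, "valid_csrf", csrf_found);`, so CSRF enforcement now depends on every admin Lua script consulting `_GET["valid_csrf"]`. Nothing in this debdiff shows a script doing that, so either cite the upstream commit that adds the Lua-side check in the patch header, or keep the C-side rejection for `/admin/` and only add the flag for other paths; otherwise fixing #856048 also quietly disables the protection the patch is named for. The `getInterfaceNameAlias` nil guard added to lua_utils.lua is unrelated to CSRF and would be clearer as its own patch with its own description.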
diff -Nru ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch
--- ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/CVE-2017-7458.patch 2017-12-24 21:16:36.000000000 +0100
@@ -0,0 +1,32 @@
+Description: Prevent empty host from causing a crash (CVE-2017-7458).
+Origin: backport, https://github.com/ntop/ntopng/commit/01f47e04fd7c8d54399c9e465f823f0017069f8f, https://github.com/ntop/ntopng/commit/971e0e46afdf242ac2a1c990edfe9036bf7efccd
+Bug-Debian: https://bugs.debian.org/866721
+Applied-Upstream: yes
+
+Index: ntopng/src/NetworkInterface.cpp
+===================================================================
+--- ntopng.orig/src/NetworkInterface.cpp
++++ ntopng/src/NetworkInterface.cpp
+@@ -1762,6 +1762,8 @@ Host* NetworkInterface::getHost(char *ho
+ struct in6_addr a6;
+ Host *h = NULL;
+
++ if(!host_ip) return(NULL);
++
+ /* Check if address is invalid */
+ if((inet_pton(AF_INET, (const char*)host_ip, &a4) == 0)
+ && (inet_pton(AF_INET6, (const char*)host_ip, &a6) == 0)) {
+Index: ntopng/src/Lua.cpp
+===================================================================
+--- ntopng.orig/src/Lua.cpp
++++ ntopng/src/Lua.cpp
+@@ -1133,6 +1133,9 @@ static void get_host_vlan_info(char* lua
+ if(((*host_ip) = strtok_r(buf, "@", &where)) != NULL)
+ vlan = strtok_r(NULL, "@", &where);
+
++ if(host_ip == NULL)
++ *host_ip = lua_ip;
++
+ if(vlan)
+ (*vlan_id) = (u_int16_t)atoi(vlan);
+ }
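Review bot: in the Lua.cpp hunk the new guard tests the wrong level of indirection: `host_ip` is the caller's output pointer (it is assigned through `(*host_ip) = strtok_r(buf, "@", &where)` on the line above), so `if(host_ip == NULL) *host_ip = lua_ip;` never takes its branch when the pointer is valid and would dereference NULL if it were not. The intended condition is presumably `if(*host_ip == NULL)`, i.e. strtok_r found no token because the host string was empty; as written, an empty host still reaches getHost() with a NULL pointer and is only saved by the new `if(!host_ip) return(NULL);` in NetworkInterface.cpp. Please compare against the two upstream commits listed in `Origin:` before uploading.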
diff -Nru ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch
--- ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/CVE-2017-7459.patch 2017-12-24 21:16:45.000000000 +0100
@@ -0,0 +1,48 @@
+Description: Prevent \r\n from being injected into HTTP URIs (CVE-2017-7459).
+Origin: backport, https://github.com/ntop/ntopng/commit/9469e58f07e043da712e6d6c41244852a11bcaeb
+Bug-Debian: https://bugs.debian.org/866719
+Applied-Upstream: yes
+
+Index: ntopng/src/HTTPserver.cpp
+===================================================================
+--- ntopng.orig/src/HTTPserver.cpp
++++ ntopng/src/HTTPserver.cpp
+@@ -325,9 +325,15 @@ static void uri_encode(const char *src,
+
+ static int handle_lua_request(struct mg_connection *conn) {
+ struct mg_request_info *request_info = mg_get_request_info(conn);
+- u_int len = (u_int)strlen(request_info->uri);
++ char *crlf;
++ u_int len;
+ char username[33] = { 0 };
+
++ if((crlf = strstr(request_info->uri, "\r\n")))
++ *crlf = '\0'; /* Prevents HTTP splitting attacks */
++
++ len = (u_int)strlen(request_info->uri);
++
+ if((ntop->getGlobals()->isShutdown())
+ //|| (strcmp(request_info->request_method, "GET"))
+ || (ntop->getRedis() == NULL /* Starting up... */)
+@@ -373,7 +379,7 @@ static int handle_lua_request(struct mg_
+ bool found;
+
+ snprintf(path, sizeof(path), "%s%s", httpserver->get_scripts_dir(),
+- Utils::getURL((strlen(request_info->uri) == 1) ? (char*)"/lua/index.lua" : request_info->uri,
++ Utils::getURL(len == 1 ? (char*)"/lua/index.lua" : request_info->uri,
+ uri, sizeof(uri)));
+
+ ntop->fixPath(path);
+Index: ntopng/src/Lua.cpp
+===================================================================
+--- ntopng.orig/src/Lua.cpp
++++ ntopng/src/Lua.cpp
+@@ -4870,7 +4870,7 @@ void Lua::purifyHTTPParameter(char *para
+
+ default:
+ if(!Utils::isPrintableChar(c)) {
+- ntop->getTrace()->traceEvent(TRACE_WARNING, "Discarded char '%c' in URI [%s]", c, param);
++ ntop->getTrace()->traceEvent(TRACE_WARNING, "Discarded char '0x%02x' in URI [%s]", c, param);
+ ampercent[0] = '\0';
+ return;
+ }
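Review bot: `if((crlf = strstr(request_info->uri, "\r\n"))) *crlf = '\0';` only cuts at the first CR LF pair; a lone `\r` or `\n` in the URI is not stripped by this check, and the request is silently truncated rather than refused, so anything logged or checked later sees a URI that no longer matches what was received. Consider scanning with `strpbrk(request_info->uri, "\r\n")` and returning an error to the client instead of rewriting the URI in place. In the Lua.cpp hunk, `"Discarded char '0x%02x' in URI [%s]", c, param` will print sign-extended values such as 0xffffff80 for bytes above 0x7f if `c` is a plain `char`; pass `(unsigned char)c` (or `c & 0xff`).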
diff -Nru ntopng-2.4+dfsg1/debian/patches/series ntopng-2.4+dfsg1/debian/patches/series
--- ntopng-2.4+dfsg1/debian/patches/series 2017-02-04 04:35:00.000000000 +0100
+++ ntopng-2.4+dfsg1/debian/patches/series 2017-12-24 21:17:32.000000000 +0100
@@ -6,3 +6,7 @@
no-pwd.patch
kfreebsd-tap.patch
reproducible-build.patch
+CVE-2017-7458.patch
+CVE-2017-7459.patch
+Avoid-access-after-free.patch
+Avoid-access-to-unintialized-memory.patch
--- End Message ---