Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
We would like to update graphite-web to fix 2 issues: the first one is
a message sent every hour if there's no whisper db, and is debian
specific. The 2nd one is a fix for CVE-2017-18638, where there is
an SSRF possible attack against graphite-web (the patch just removes
the send_email route and associated code.
The debdiff is attached to this message.
Sid has already been updated.
Please let us update graphite-web/1.1.4-3 in Buster,
Cheers,
Thomas Goirand (zigo)
diff -Nru graphite-web-1.1.4/debian/bin/graphite-build-search-index graphite-web-1.1.4/debian/bin/graphite-build-search-index
--- graphite-web-1.1.4/debian/bin/graphite-build-search-index 2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/bin/graphite-build-search-index 2019-10-17 02:17:35.000000000 +0200
@@ -9,12 +9,14 @@
WHISPER_DIR="/var/lib/graphite/whisper"
-cd ${WHISPER_DIR} && find -L . -name '*.wsp' | sed \
- -e 's@\.wsp$@@' \
- -e 's@^\./@@' \
- -e 's@/@.@g' > ${INDEX_FILE_TMP}
+if [ -d ${WHISPER_DIR} ]; then
+ cd ${WHISPER_DIR} && find -L . -name '*.wsp' | sed \
+ -e 's@\.wsp$@@' \
+ -e 's@^\./@@' \
+ -e 's@/@.@g' > ${INDEX_FILE_TMP}
-chmod 0640 ${INDEX_FILE_TMP}
-chown _graphite:_graphite ${INDEX_FILE_TMP}
+ chmod 0640 ${INDEX_FILE_TMP}
+ chown _graphite:_graphite ${INDEX_FILE_TMP}
-mv -f ${INDEX_FILE_TMP} ${INDEX_FILE}
+ mv -f ${INDEX_FILE_TMP} ${INDEX_FILE}
+fi
diff -Nru graphite-web-1.1.4/debian/changelog graphite-web-1.1.4/debian/changelog
--- graphite-web-1.1.4/debian/changelog 2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/changelog 2019-10-17 02:17:35.000000000 +0200
@@ -1,3 +1,16 @@
+graphite-web (1.1.4-3+deb10u1) buster; urgency=high
+
+ [ Utkarsh Gupta ]
+ * Add patch to remove the 'send_email' function to avoid SSRF attack.
+ This was insecure, not used in the code, and was undocumented as well.
+ (Fixes: CVE-2017-18638)
+
+ [ Thomas Goirand ]
+ * Avoid hourly error in cron with no whisper db (Closes: #940554). Thanks to
+ Alexandre Rossi <niol@zincube.net> for the patch.
+
+ -- Thomas Goirand <zigo@debian.org> Thu, 17 Oct 2019 05:47:35 +0530
+
graphite-web (1.1.4-3) unstable; urgency=medium
* Fix shebang of /usr/bin/graphite-manage. (Closes: #925240)
diff -Nru graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch
--- graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch 1970-01-01 01:00:00.000000000 +0100
+++ graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch 2019-10-17 02:17:35.000000000 +0200
@@ -0,0 +1,83 @@
+Description: This patch removes the 'send_email' function.
+ graphite.composer.views.send_email was vulnerable to SSRF.
+ This was insecure, not used in the code, and was undocumented as well.
+Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
+Origin: https://github.com/graphite-project/graphite-web/pull/2499
+Bug: https://github.com/graphite-project/graphite-web/issues/2008
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-18638
+Last-Update: 2019-10-16
+
+--- a/webapp/graphite/composer/urls.py
++++ b/webapp/graphite/composer/urls.py
+@@ -16,7 +16,6 @@
+ from . import views
+
+ urlpatterns = [
+- url(r'^/send_email', views.send_email, name='composer_send_email'),
+ url(r'^/mygraph', views.mygraph, name='composer_mygraph'),
+ url(r'^/?$', views.composer, name='composer'),
+ ]
+--- a/webapp/graphite/composer/views.py
++++ b/webapp/graphite/composer/views.py
+@@ -13,15 +13,6 @@
+ limitations under the License."""
+
+ import os
+-from smtplib import SMTP
+-from socket import gethostname
+-from email.mime.multipart import MIMEMultipart
+-from email.mime.text import MIMEText
+-from email.mime.image import MIMEImage
+-from six.moves.http_client import HTTPConnection
+-from six.moves.urllib.parse import urlsplit
+-from time import ctime, strftime
+-from traceback import format_exc
+ from graphite.user_util import getProfile
+ from graphite.logger import log
+ from graphite.account.models import MyGraph
+@@ -90,35 +81,3 @@
+
+ else:
+ return HttpResponse("Invalid operation '%s'" % action)
+-
+-
+-def send_email(request):
+- try:
+- recipients = request.GET['to'].split(',')
+- url = request.GET['url']
+- proto, server, path, query, frag = urlsplit(url)
+- if query: path += '?' + query
+- conn = HTTPConnection(server)
+- conn.request('GET',path)
+- try: # Python 2.7+, use buffering of HTTP responses
+- resp = conn.getresponse(buffering=True)
+- except TypeError: # Python 2.6 and older
+- resp = conn.getresponse()
+- assert resp.status == 200, "Failed HTTP response %s %s" % (resp.status, resp.reason)
+- rawData = resp.read()
+- conn.close()
+- message = MIMEMultipart()
+- message['Subject'] = "Graphite Image"
+- message['To'] = ', '.join(recipients)
+- message['From'] = 'composer@%s' % gethostname()
+- text = MIMEText( "Image generated by the following graphite URL at %s\r\n\r\n%s" % (ctime(),url) )
+- image = MIMEImage( rawData )
+- image.add_header('Content-Disposition', 'attachment', filename="composer_" + strftime("%b%d_%I%M%p.png"))
+- message.attach(text)
+- message.attach(image)
+- s = SMTP(settings.SMTP_SERVER)
+- s.sendmail('composer@%s' % gethostname(),recipients,message.as_string())
+- s.quit()
+- return HttpResponse( "OK" )
+- except Exception:
+- return HttpResponse(format_exc())
+--- a/webapp/graphite/settings.py
++++ b/webapp/graphite/settings.py
+@@ -126,7 +126,6 @@
+ REMOTE_RENDER_CONNECT_TIMEOUT = 1.0
+
+ #Miscellaneous settings
+-SMTP_SERVER = "localhost"
+ DOCUMENTATION_VERSION = 'latest' if 'dev' in WEBAPP_VERSION else WEBAPP_VERSION
+ DOCUMENTATION_URL = 'https://graphite.readthedocs.io/en/{}/'.format(DOCUMENTATION_VERSION)
+ ALLOW_ANONYMOUS_CLI = True
diff -Nru graphite-web-1.1.4/debian/patches/series graphite-web-1.1.4/debian/patches/series
--- graphite-web-1.1.4/debian/patches/series 2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/patches/series 2019-10-17 02:17:35.000000000 +0200
@@ -1,2 +1,3 @@
local_settings.patch
settings_debian.patch
+CVE-2017-18638.patch
Reply to: