
Bug#942524: buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

We would like to update graphite-web to fix 2 issues: the first one is
a message sent every hour if there's no whisper db, and is Debian
specific. The 2nd one is a fix for CVE-2017-18638, where there is
a possible SSRF attack against graphite-web (the patch just removes
the send_email route and associated code).

The debdiff is attached to this message.
Sid has already been updated.

Please let us update graphite-web/1.1.4-3 in Buster,
Cheers,

Thomas Goirand (zigo)
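Added example, not part of this report, the Debian patch or graphite-web: the guard that a fetch-and-mail view like the removed `send_email` would have needed had it been kept rather than deleted. It treats the `url` query parameter as hostile the way the removed view did not: the scheme and port are restricted, userinfo is refused, the host is optionally matched against an allow-list, and every address the host resolves to is checked against the private, loopback and link-local ranges, so `127.0.0.1`, `[::1]`, `169.254.169.254` and the decimal form `2130706433` are all refused. The allow-list name, the resolver table and the sample addresses are constructed for the demonstration; `socket.getaddrinfo` is used only when no resolver is passed in.

```python
"""Added example (not graphite-web code): validate a caller-supplied URL before
fetching it server-side, i.e. the check the removed composer send_email view
never performed. Host names, addresses and the resolver table below are
constructed for the demonstration."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")
ALLOWED_PORTS = (None, 80, 443)        # None: the scheme's default port


def _is_public(addr):
    """True for addresses outside the private, loopback, link-local, multicast,
    reserved and unspecified ranges (RFC 1918, 127/8, 169.254/16, ::1, ...)."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Every A/AAAA answer the libc resolver gives for host ([] if none)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def check_fetch_url(url, allowed_hosts=None, resolver=system_resolver):
    """Return (ok, reason, addrs). On success addrs holds the resolved
    addresses the caller should connect to, so the name is not looked up
    a second time between this check and the connect."""
    try:
        parts = urlsplit(url)
        port = parts.port                  # raises ValueError on "host:abc"
    except ValueError:
        return False, "unparseable url", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parts.hostname                  # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "no host", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", []
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allow-list", []
    try:                                   # literal address: no lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:                     # a name, or a libc-only form such as
        addrs = resolver(host)             # decimal 2130706433: resolve it
    if not addrs:
        return False, "unresolvable host", []
    if not all(_is_public(a) for a in addrs):
        return False, "resolves to non-public address", []
    return True, "ok", addrs


# Constructed resolver table so the example runs offline (assumed names/addresses).
DEMO_TABLE = {
    "graphite.example.org": ["93.184.216.34"],   # the legitimate render host
    "evil.example.org": ["10.0.0.5"],            # public name, internal answer
    "2130706433": ["127.0.0.1"],                 # what getaddrinfo returns for
}                                                # the decimal form of 127.0.0.1


def demo_resolver(host):
    return DEMO_TABLE.get(host, [])


if __name__ == "__main__":
    candidates = [
        "https://graphite.example.org/render?target=carbon.agents.*.cpuUsage",
        "http://127.0.0.1/", "http://[::1]/",
        "http://169.254.169.254/latest/meta-data/", "http://2130706433/",
        "http://127.0.0.1:2003/", "http://evil.example.org/",
        "ftp://graphite.example.org/", "http://user@graphite.example.org/render",
    ]
    for allowed in (None, {"graphite.example.org"}):
        print(f"--- allow-list: {allowed}")
        for candidate in candidates:
            ok, reason, addrs = check_fetch_url(candidate, allowed, demo_resolver)
            print(f"{'ALLOW' if ok else 'DENY '} {candidate}  ({reason} {addrs})")
```

Pin the outgoing connection to the addresses the check returned instead of letting the HTTP client resolve the name again, otherwise a DNS answer that changes between check and connect defeats the test; and keep the allow-list, because the public-address check alone still lets a caller aim the server at any internet host on ports 80 and 443.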
diff -Nru graphite-web-1.1.4/debian/bin/graphite-build-search-index graphite-web-1.1.4/debian/bin/graphite-build-search-index
--- graphite-web-1.1.4/debian/bin/graphite-build-search-index	2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/bin/graphite-build-search-index	2019-10-17 02:17:35.000000000 +0200
@@ -9,12 +9,14 @@
 WHISPER_DIR="/var/lib/graphite/whisper"
 
 
-cd ${WHISPER_DIR} && find -L . -name '*.wsp' | sed \
-	-e 's@\.wsp$@@' \
-	-e 's@^\./@@' \
-	-e 's@/@.@g' > ${INDEX_FILE_TMP}
+if [ -d ${WHISPER_DIR} ]; then
+    cd ${WHISPER_DIR} && find -L . -name '*.wsp' | sed \
+        -e 's@\.wsp$@@' \
+        -e 's@^\./@@' \
+        -e 's@/@.@g' > ${INDEX_FILE_TMP}
 
-chmod 0640 ${INDEX_FILE_TMP}
-chown _graphite:_graphite ${INDEX_FILE_TMP}
+    chmod 0640 ${INDEX_FILE_TMP}
+    chown _graphite:_graphite ${INDEX_FILE_TMP}
 
-mv -f ${INDEX_FILE_TMP} ${INDEX_FILE}
+    mv -f ${INDEX_FILE_TMP} ${INDEX_FILE}
+fi
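Review bot: the new `if [ -d ${WHISPER_DIR} ]` guard leaves `${WHISPER_DIR}` unquoted on both the test and the `cd`, and only the index-generation pipeline is chained with `&&`: if `cd` fails for a reason the `-d` test does not catch (directory present but unreadable by the cron user), `${INDEX_FILE_TMP}` is never written and the unguarded `chmod`, `chown` and `mv` then fail loudly, which is the hourly cron mail this change sets out to silence. Suggest `if [ -d "${WHISPER_DIR}" ]; then` and `cd "${WHISPER_DIR}" &&` with the remaining three commands chained by `&&` as well. Also note that when the directory is absent the script now exits 0 without touching `${INDEX_FILE}`, so any previously built index stays in place unrefreshed; that seems acceptable, but a one-line comment saying so would help the next reader.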
diff -Nru graphite-web-1.1.4/debian/changelog graphite-web-1.1.4/debian/changelog
--- graphite-web-1.1.4/debian/changelog	2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/changelog	2019-10-17 02:17:35.000000000 +0200
@@ -1,3 +1,16 @@
+graphite-web (1.1.4-3+deb10u1) buster; urgency=high
+
+  [ Utkarsh Gupta ]
+  * Add patch to remove the 'send_email' function to avoid SSRF attack.
+    This was insecure, not used in the code, and was undocumented as well.
+    (Fixes: CVE-2017-18638)
+
+  [ Thomas Goirand ]
+  * Avoid hourly error in cron with no whisper db (Closes: #940554). Thanks to
+    Alexandre Rossi <niol@zincube.net> for the patch.
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 17 Oct 2019 05:47:35 +0530
+
 graphite-web (1.1.4-3) unstable; urgency=medium
 
   * Fix shebang of /usr/bin/graphite-manage. (Closes: #925240)
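Review bot: the entry says the view was 'not used in the code', yet the patch's urls.py hunk removes a live route for it, so it was reachable by any HTTP client even if no other view or template referenced it; phrasing it as 'not referenced anywhere else in the webapp' avoids readers taking this for dead code. The entry also omits that `SMTP_SERVER` is dropped from settings.py in the same patch; mention it so an admin who set `SMTP_SERVER` in local_settings.py knows the setting is now inert.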
diff -Nru graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch
--- graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch	1970-01-01 01:00:00.000000000 +0100
+++ graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch	2019-10-17 02:17:35.000000000 +0200
@@ -0,0 +1,83 @@
+Description: This patch removes the 'send_email' function.
+ graphite.composer.views.send_email was vulnerable to SSRF.
+ This was insecure, not used in the code, and was undocumented as well.
+Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
+Origin: https://github.com/graphite-project/graphite-web/pull/2499
+Bug: https://github.com/graphite-project/graphite-web/issues/2008
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-18638
+Last-Update: 2019-10-16
+
+--- a/webapp/graphite/composer/urls.py
++++ b/webapp/graphite/composer/urls.py
+@@ -16,7 +16,6 @@
+ from . import views
+ 
+ urlpatterns = [
+-    url(r'^/send_email', views.send_email, name='composer_send_email'),
+     url(r'^/mygraph', views.mygraph, name='composer_mygraph'),
+     url(r'^/?$', views.composer, name='composer'),
+ ]
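Review bot: removing the `url()` entry is the right minimal fix, but it also removes the reverse name `composer_send_email`; before upload, grep the composer templates and static JavaScript for `send_email` and `composer_send_email`, since a leftover `{% url %}` tag would raise NoReverseMatch on page render and a hard-coded link would just 404. Nothing in the debdiff touches those files, so the check has to be done by hand.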
+--- a/webapp/graphite/composer/views.py
++++ b/webapp/graphite/composer/views.py
+@@ -13,15 +13,6 @@
+ limitations under the License."""
+ 
+ import os
+-from smtplib import SMTP
+-from socket import gethostname
+-from email.mime.multipart import MIMEMultipart
+-from email.mime.text import MIMEText
+-from email.mime.image import MIMEImage
+-from six.moves.http_client import HTTPConnection
+-from six.moves.urllib.parse import urlsplit
+-from time import ctime, strftime
+-from traceback import format_exc
+ from graphite.user_util import getProfile
+ from graphite.logger import log
+ from graphite.account.models import MyGraph
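Review bot: the import cleanup drops `ctime`, `strftime` and `format_exc` along with the HTTP, SMTP and MIME imports; the only caller visible in this patch is the removed `send_email`, but a remaining use elsewhere in views.py would surface as a NameError at request time rather than at import, so run pyflakes on the patched file (or at least grep for those three names) before upload. Removing `from six.moves.http_client import HTTPConnection` is the part that matters for the CVE: nothing left in this module opens outbound connections.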
+@@ -90,35 +81,3 @@
+ 
+   else:
+     return HttpResponse("Invalid operation '%s'" % action)
+-
+-
+-def send_email(request):
+-  try:
+-    recipients = request.GET['to'].split(',')
+-    url = request.GET['url']
+-    proto, server, path, query, frag = urlsplit(url)
+-    if query: path += '?' + query
+-    conn = HTTPConnection(server)
+-    conn.request('GET',path)
+-    try: # Python 2.7+, use buffering of HTTP responses
+-      resp = conn.getresponse(buffering=True)
+-    except TypeError:  # Python 2.6 and older
+-      resp = conn.getresponse()
+-    assert resp.status == 200, "Failed HTTP response %s %s" % (resp.status, resp.reason)
+-    rawData = resp.read()
+-    conn.close()
+-    message = MIMEMultipart()
+-    message['Subject'] = "Graphite Image"
+-    message['To'] = ', '.join(recipients)
+-    message['From'] = 'composer@%s' % gethostname()
+-    text = MIMEText( "Image generated by the following graphite URL at %s\r\n\r\n%s" % (ctime(),url) )
+-    image = MIMEImage( rawData )
+-    image.add_header('Content-Disposition', 'attachment', filename="composer_" + strftime("%b%d_%I%M%p.png"))
+-    message.attach(text)
+-    message.attach(image)
+-    s = SMTP(settings.SMTP_SERVER)
+-    s.sendmail('composer@%s' % gethostname(),recipients,message.as_string())
+-    s.quit()
+-    return HttpResponse( "OK" )
+-  except Exception:
+-    return HttpResponse(format_exc())
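Review bot: the removed body shows this was worse than a plain SSRF and the patch header could say so: `server` is the raw netloc from `request.GET['url']`, so the caller chooses host and port (`HTTPConnection(server)`) with no scheme, allow-list or private-address check, and the view performs no authentication check; the fetched bytes are then mailed to caller-chosen `recipients` through `settings.SMTP_SERVER`, which turns the instance into an exfiltration and spam relay; and `except Exception: return HttpResponse(format_exc())` returns a full traceback, so a connection error versus the `assert resp.status == 200` failure lets a caller tell closed ports from open ones. Removing the function rather than hardening it is the right call; one sentence in the Description saying the view was unauthenticated and mailed the response body would make the severity clear to stable users.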
+--- a/webapp/graphite/settings.py
++++ b/webapp/graphite/settings.py
+@@ -126,7 +126,6 @@
+ REMOTE_RENDER_CONNECT_TIMEOUT = 1.0
+ 
+ #Miscellaneous settings
+-SMTP_SERVER = "localhost"
+ DOCUMENTATION_VERSION = 'latest' if 'dev' in WEBAPP_VERSION else WEBAPP_VERSION
+ DOCUMENTATION_URL = 'https://graphite.readthedocs.io/en/{}/'.format(DOCUMENTATION_VERSION)
+ ALLOW_ANONYMOUS_CLI = True
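Review bot: dropping `SMTP_SERVER` is consistent with removing its only visible consumer, but this patch is appended last in `series`, after `local_settings.patch` and `settings_debian.patch`, so check that neither of those patches nor the shipped local_settings example still sets or documents `SMTP_SERVER`; Django ignores unknown settings, so nothing breaks, but a dead setting in a stable release invites the reader to assume mail still works. The patch Description should also list this removal alongside the view removal.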
diff -Nru graphite-web-1.1.4/debian/patches/series graphite-web-1.1.4/debian/patches/series
--- graphite-web-1.1.4/debian/patches/series	2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/patches/series	2019-10-17 02:17:35.000000000 +0200
@@ -1,2 +1,3 @@
 local_settings.patch
 settings_debian.patch
+CVE-2017-18638.patch
