
Bug#942524: marked as done (buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #942524,
regarding buster-pu: package graphite-web/1.1.4-3 CVE-2017-18638
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
942524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942524
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

We would like to update graphite-web to fix 2 issues: the first one is
a message sent every hour if there's no whisper db, and is Debian-specific.
The 2nd one is a fix for CVE-2017-18638, where there is a possible SSRF
attack against graphite-web (the patch just removes the send_email route
and associated code).

The debdiff is attached to this message.
Sid has already been updated.

Please let us update graphite-web/1.1.4-3 in Buster,
Cheers,

Thomas Goirand (zigo)
diff -Nru graphite-web-1.1.4/debian/bin/graphite-build-search-index graphite-web-1.1.4/debian/bin/graphite-build-search-index
--- graphite-web-1.1.4/debian/bin/graphite-build-search-index	2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/bin/graphite-build-search-index	2019-10-17 02:17:35.000000000 +0200
@@ -9,12 +9,14 @@
 WHISPER_DIR="/var/lib/graphite/whisper"
 
 
-cd ${WHISPER_DIR} && find -L . -name '*.wsp' | sed \
-	-e 's@\.wsp$@@' \
-	-e 's@^\./@@' \
-	-e 's@/@.@g' > ${INDEX_FILE_TMP}
+if [ -d ${WHISPER_DIR} ]; then
+    cd ${WHISPER_DIR} && find -L . -name '*.wsp' | sed \
+        -e 's@\.wsp$@@' \
+        -e 's@^\./@@' \
+        -e 's@/@.@g' > ${INDEX_FILE_TMP}
 
-chmod 0640 ${INDEX_FILE_TMP}
-chown _graphite:_graphite ${INDEX_FILE_TMP}
+    chmod 0640 ${INDEX_FILE_TMP}
+    chown _graphite:_graphite ${INDEX_FILE_TMP}
 
-mv -f ${INDEX_FILE_TMP} ${INDEX_FILE}
+    mv -f ${INDEX_FILE_TMP} ${INDEX_FILE}
+fi
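Review bot: the new `if [ -d ${WHISPER_DIR} ]` guard only covers the missing-directory case; if `cd ${WHISPER_DIR}` fails for any other reason (for example a permissions problem) the `&&` short-circuits the pipeline, nothing is written to `${INDEX_FILE_TMP}`, and the unconditional `chmod`, `chown` and `mv -f` that follow will each print an error, which is exactly the hourly cron mail this change is meant to stop. Suggest chaining the post-processing on the pipeline's success (`... > "${INDEX_FILE_TMP}" && chmod 0640 "${INDEX_FILE_TMP}" && ...`) and, while the lines are being touched, quoting every expansion (`cd "${WHISPER_DIR}"`, `[ -d "${WHISPER_DIR}" ]`); the paths are fixed in this script so the quoting is cheap insurance rather than a functional change.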
diff -Nru graphite-web-1.1.4/debian/changelog graphite-web-1.1.4/debian/changelog
--- graphite-web-1.1.4/debian/changelog	2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/changelog	2019-10-17 02:17:35.000000000 +0200
@@ -1,3 +1,16 @@
+graphite-web (1.1.4-3+deb10u1) buster; urgency=high
+
+  [ Utkarsh Gupta ]
+  * Add patch to remove the 'send_email' function to avoid SSRF attack.
+    This was insecure, not used in the code, and was undocumented as well.
+    (Fixes: CVE-2017-18638)
+
+  [ Thomas Goirand ]
+  * Avoid hourly error in cron with no whisper db (Closes: #940554). Thanks to
+    Alexandre Rossi <niol@zincube.net> for the patch.
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 17 Oct 2019 05:47:35 +0530
+
 graphite-web (1.1.4-3) unstable; urgency=medium
 
   * Fix shebang of /usr/bin/graphite-manage. (Closes: #925240)
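Review bot: the CVE entry should also mention that the patch drops the `SMTP_SERVER` default from `webapp/graphite/settings.py`, since that is the one configuration-visible change in this upload and an administrator who has set `SMTP_SERVER` in `local_settings.py` will otherwise not learn that it has become a no-op; a pointer to the upstream pull request already recorded in the patch header (`Origin:`) would also help whoever reviews the stable update.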
diff -Nru graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch
--- graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch	1970-01-01 01:00:00.000000000 +0100
+++ graphite-web-1.1.4/debian/patches/CVE-2017-18638.patch	2019-10-17 02:17:35.000000000 +0200
@@ -0,0 +1,83 @@
+Description: This patch removes the 'send_email' function.
+ graphite.composer.views.send_email was vulnerable to SSRF.
+ This was insecure, not used in the code, and was undocumented as well.
+Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
+Origin: https://github.com/graphite-project/graphite-web/pull/2499
+Bug: https://github.com/graphite-project/graphite-web/issues/2008
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-18638
+Last-Update: 2019-10-16
+
+--- a/webapp/graphite/composer/urls.py
++++ b/webapp/graphite/composer/urls.py
+@@ -16,7 +16,6 @@
+ from . import views
+ 
+ urlpatterns = [
+-    url(r'^/send_email', views.send_email, name='composer_send_email'),
+     url(r'^/mygraph', views.mygraph, name='composer_mygraph'),
+     url(r'^/?$', views.composer, name='composer'),
+ ]
+--- a/webapp/graphite/composer/views.py
++++ b/webapp/graphite/composer/views.py
+@@ -13,15 +13,6 @@
+ limitations under the License."""
+ 
+ import os
+-from smtplib import SMTP
+-from socket import gethostname
+-from email.mime.multipart import MIMEMultipart
+-from email.mime.text import MIMEText
+-from email.mime.image import MIMEImage
+-from six.moves.http_client import HTTPConnection
+-from six.moves.urllib.parse import urlsplit
+-from time import ctime, strftime
+-from traceback import format_exc
+ from graphite.user_util import getProfile
+ from graphite.logger import log
+ from graphite.account.models import MyGraph
+@@ -90,35 +81,3 @@
+ 
+   else:
+     return HttpResponse("Invalid operation '%s'" % action)
+-
+-
+-def send_email(request):
+-  try:
+-    recipients = request.GET['to'].split(',')
+-    url = request.GET['url']
+-    proto, server, path, query, frag = urlsplit(url)
+-    if query: path += '?' + query
+-    conn = HTTPConnection(server)
+-    conn.request('GET',path)
+-    try: # Python 2.7+, use buffering of HTTP responses
+-      resp = conn.getresponse(buffering=True)
+-    except TypeError:  # Python 2.6 and older
+-      resp = conn.getresponse()
+-    assert resp.status == 200, "Failed HTTP response %s %s" % (resp.status, resp.reason)
+-    rawData = resp.read()
+-    conn.close()
+-    message = MIMEMultipart()
+-    message['Subject'] = "Graphite Image"
+-    message['To'] = ', '.join(recipients)
+-    message['From'] = 'composer@%s' % gethostname()
+-    text = MIMEText( "Image generated by the following graphite URL at %s\r\n\r\n%s" % (ctime(),url) )
+-    image = MIMEImage( rawData )
+-    image.add_header('Content-Disposition', 'attachment', filename="composer_" + strftime("%b%d_%I%M%p.png"))
+-    message.attach(text)
+-    message.attach(image)
+-    s = SMTP(settings.SMTP_SERVER)
+-    s.sendmail('composer@%s' % gethostname(),recipients,message.as_string())
+-    s.quit()
+-    return HttpResponse( "OK" )
+-  except Exception:
+-    return HttpResponse(format_exc())
+--- a/webapp/graphite/settings.py
++++ b/webapp/graphite/settings.py
+@@ -126,7 +126,6 @@
+ REMOTE_RENDER_CONNECT_TIMEOUT = 1.0
+ 
+ #Miscellaneous settings
+-SMTP_SERVER = "localhost"
+ DOCUMENTATION_VERSION = 'latest' if 'dev' in WEBAPP_VERSION else WEBAPP_VERSION
+ DOCUMENTATION_URL = 'https://graphite.readthedocs.io/en/{}/'.format(DOCUMENTATION_VERSION)
+ ALLOW_ANONYMOUS_CLI = True
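Review bot: confirm that none of the nine imports dropped from `views.py` (`SMTP`, `gethostname`, the three `MIME*` classes, `HTTPConnection`, `urlsplit`, `ctime`/`strftime`, `format_exc`) are used anywhere else in that file, and that nothing else reads `settings.SMTP_SERVER`; the hunk context only shows `send_email` using them, and a leftover reference would surface as a `NameError` or `AttributeError` at request time rather than at import. The removal itself is the right fix rather than a patched-up validator: the view took an arbitrary `url` from the query string, opened an `HTTPConnection` to whatever host it named, mailed the fetched body to arbitrary `to` recipients, and on any exception returned `format_exc()` to the caller, so one unauthenticated handler combined SSRF, an open mail relay and traceback disclosure, and the changelog's "not used in the code, and was undocumented" means nothing legitimate depends on it. Two DEP-3 style points: `Origin:` conventionally carries the category prefix (`Origin: upstream, https://github.com/graphite-project/graphite-web/pull/2499`), and if that pull request has been merged an `Applied-Upstream:` field will let the patch be dropped cleanly on the next upstream import.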
diff -Nru graphite-web-1.1.4/debian/patches/series graphite-web-1.1.4/debian/patches/series
--- graphite-web-1.1.4/debian/patches/series	2019-06-07 09:39:24.000000000 +0200
+++ graphite-web-1.1.4/debian/patches/series	2019-10-17 02:17:35.000000000 +0200
@@ -1,2 +1,3 @@
 local_settings.patch
 settings_debian.patch
+CVE-2017-18638.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
