[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1089984: marked as done (bookworm-pu: package librabbitmq/0.11.0-1+deb12u1)

Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <E1ttO4S-005Kk7-Cr@coccia.debian.org>
and subject line Close 1089984
has caused the Debian Bug report #1089984,
regarding bookworm-pu: package librabbitmq/0.11.0-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1089984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089984
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: librabbitmq@packages.debian.org
Control: affects -1 + src:librabbitmq

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-35789
Until RabbitMQ 0.13.0 users had no other choice to provide credentials
to certain tools than exposing them on the command line, making them
visible to local attackers by listing a process and its arguments.

[ Impact ]
This update allows users to provide credentials via an authfile. Without
this update users will remain stuck in the previous situation, but with
it they have a *chance* to address the vulnerability with minimal
changes on their side.

[ Tests ]
There are no specific tests which cover the affected code. However, this
patch has been available upstream since June 2023 and released since
2024-03-18 and available in Debian ever since 0.14.0 had been uploaded
2024-07-29. The same patch has also already been released in RHEL9 in
RHSA-2023:6482 from 2023-11-07.


[ Risks ]
The added code is rather trivial and part of upstream (and other
distributions) for quite a while, see above.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037322#45 mentions
some considerations for alternative solutions. But the greater risk lies
with hiding the actual vulnerability by providing a package update for
it, as I will further elaborate on below under "Other info".

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream patch providing an option to read credentials from an
authfile is added, and I adjusted Maintainer/Uploaders to match the
current situation.

[ Other info ]
This update only addresses the vulnerability insofar as it gives users a
*chance* to fix it with minimal changes on their side. But if users just
apply the update without starting to make use of the authfile, they will
remain in fact vulnerable.
For that reason I have so far refrained from making this update
available in Bookworm, in order to point users to the real problem once
they in turn got pointed to it by the usual suspects of (more or less
dumb) vulnerability reporters, and to avoid having them apply an update
and feeling safe when the actual vulnerability has not been addressed at
all. But a recent enquiry in #1037322 made me rethink the situation, and
I now wish to give users the *chance* to fix the vulnerability in place
without having to resort to the more cumbersome alternatives. If they
are affected at all, that is, and I presume many / most users are not
even affected as they don't use the affected CLI tools, but they just
got scared by automatic vulnerability reports.

Cheers,
Flo

diff -Nru librabbitmq-0.11.0/debian/changelog librabbitmq-0.11.0/debian/changelog
--- librabbitmq-0.11.0/debian/changelog	2022-02-21 23:42:45.000000000 +0100
+++ librabbitmq-0.11.0/debian/changelog	2024-12-15 07:32:03.000000000 +0100
@@ -1,3 +1,12 @@
+librabbitmq (0.11.0-1+deb12u1) bookworm; urgency=medium
+
+  * [4e71ff7] d/patches/CVE-2023-35789.patch: added for addressing
+    CVE-2023-35789 (Closes: #1037322)
+  * [c4d0d0b] d/control: adjust Maintainer/Uploaders to match current
+    situation
+
+ -- Florian Ernst <florian@debian.org>  Sun, 15 Dec 2024 07:32:03 +0100
+
 librabbitmq (0.11.0-1) unstable; urgency=low
 
   * New upstream release (Closes: #1004590, #1006244).
diff -Nru librabbitmq-0.11.0/debian/control librabbitmq-0.11.0/debian/control
--- librabbitmq-0.11.0/debian/control	2022-02-21 23:42:45.000000000 +0100
+++ librabbitmq-0.11.0/debian/control	2024-12-15 07:29:31.000000000 +0100
@@ -1,9 +1,7 @@
 Source: librabbitmq
 Priority: optional
 Section: libs
-Maintainer: Michael Fladischer <fladi@debian.org>
-Uploaders:
- Brian May <bam@debian.org>,
+Maintainer: Florian Ernst <florian@debian.org>
 Build-Depends:
  cmake,
  debhelper-compat (= 13),
diff -Nru librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch
--- librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch	1970-01-01 01:00:00.000000000 +0100
+++ librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch	2024-12-15 07:29:25.000000000 +0100
@@ -0,0 +1,125 @@
+Applied-Upstream: 463054383fbeef889b409a7f843df5365288e2a0
+Author: Christian Kastner <ckk@kvr.at>
+Date: Tue Jun 13 14:21:52 2023 +0200
+Description: Add option to read username/password from file (#781), CVE-2023-35789
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037322
+Forwarded: https://github.com/alanxz/rabbitmq-c/issues/575
+Origin: https://github.com/alanxz/rabbitmq-c/pull/781
+
+Index: git/tools/common.c
+===================================================================
+--- git.orig/tools/common.c
++++ git/tools/common.c
+@@ -54,6 +54,11 @@
+ #include "compat.h"
+ #endif
+ 
++/* For when reading auth data from a file */
++#define MAXAUTHTOKENLEN 128
++#define USERNAMEPREFIX "username:"
++#define PASSWORDPREFIX "password:"
++
+ void die(const char *fmt, ...) {
+   va_list ap;
+   va_start(ap, fmt);
+@@ -161,6 +166,7 @@ static char *amqp_vhost;
+ static char *amqp_username;
+ static char *amqp_password;
+ static int amqp_heartbeat = 0;
++static char *amqp_authfile;
+ #ifdef WITH_SSL
+ static int amqp_ssl = 0;
+ static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+@@ -183,6 +189,8 @@ struct poptOption connect_options[] = {
+      "the password to login with", "password"},
+     {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0,
+      "heartbeat interval, set to 0 to disable", "heartbeat"},
++    {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0,
++     "path to file containing username/password for authentication", "file"},
+ #ifdef WITH_SSL
+     {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL},
+     {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+@@ -194,6 +202,50 @@ struct poptOption connect_options[] = {
+ #endif /* WITH_SSL */
+     {NULL, '\0', 0, NULL, 0, NULL, NULL}};
+ 
++void read_authfile(const char *path) {
++  size_t n;
++  FILE *fp = NULL;
++  char token[MAXAUTHTOKENLEN];
++
++  if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL ||
++      (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) {
++    die("Out of memory");
++  } else if ((fp = fopen(path, "r")) == NULL) {
++    die("Could not read auth data file %s", path);
++  }
++
++  if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++      strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) {
++    die("Malformed auth file (missing username)");
++  }
++  strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN);
++  /* Missing newline means token was cut off */
++  n = strlen(amqp_username);
++  if (amqp_username[n - 1] != '\n') {
++    die("Username too long");
++  } else {
++    amqp_username[n - 1] = '\0';
++  }
++
++  if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++      strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) {
++    die("Malformed auth file (missing password)");
++  }
++  strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN);
++  /* Missing newline means token was cut off */
++  n = strlen(amqp_password);
++  if (amqp_password[n - 1] != '\n') {
++    die("Password too long");
++  } else {
++    amqp_password[n - 1] = '\0';
++  }
++
++  (void)fgetc(fp);
++  if (!feof(fp)) {
++    die("Malformed auth file (trailing data)");
++  }
++}
++
+ static void init_connection_info(struct amqp_connection_info *ci) {
+   ci->user = NULL;
+   ci->password = NULL;
+@@ -269,6 +321,8 @@ static void init_connection_info(struct
+   if (amqp_username) {
+     if (amqp_url) {
+       die("--username and --url options cannot be used at the same time");
++    } else if (amqp_authfile) {
++      die("--username and --authfile options cannot be used at the same time");
+     }
+ 
+     ci->user = amqp_username;
+@@ -277,11 +331,23 @@ static void init_connection_info(struct
+   if (amqp_password) {
+     if (amqp_url) {
+       die("--password and --url options cannot be used at the same time");
++    } else if (amqp_authfile) {
++      die("--password and --authfile options cannot be used at the same time");
+     }
+ 
+     ci->password = amqp_password;
+   }
+ 
++  if (amqp_authfile) {
++    if (amqp_url) {
++      die("--authfile and --url options cannot be used at the same time");
++    }
++
++    read_authfile(amqp_authfile);
++    ci->user = amqp_username;
++    ci->password = amqp_password;
++  }
++
+   if (amqp_vhost) {
+     if (amqp_url) {
+       die("--vhost and --url options cannot be used at the same time");
diff -Nru librabbitmq-0.11.0/debian/patches/series librabbitmq-0.11.0/debian/patches/series
--- librabbitmq-0.11.0/debian/patches/series	2022-02-21 23:42:45.000000000 +0100
+++ librabbitmq-0.11.0/debian/patches/series	2024-12-15 07:29:25.000000000 +0100
@@ -2,3 +2,4 @@
 0002-use_cmake_package.patch
 0003-disable-test-basic.patch
 0004-Fix-typo-in-amqp-publish.1-manpage.patch
+CVE-2023-35789.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
Reply to: