Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <E1ttO4S-005Kk7-Cr@coccia.debian.org>
and subject line Close 1089984
has caused the Debian Bug report #1089984,
regarding bookworm-pu: package librabbitmq/0.11.0-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1089984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089984
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package librabbitmq/0.11.0-1+deb12u1
- From: Florian Ernst <florian_ernst@gmx.net>
- Date: Sun, 15 Dec 2024 08:08:45 +0100
- Message-id: <Z16AfUNOXCMYEmX4@fernst.no-ip.org>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: librabbitmq@packages.debian.org
Control: affects -1 + src:librabbitmq

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-35789

Until RabbitMQ 0.13.0 users had no way to provide credentials to certain tools other than exposing them on the command line, making them visible to local attackers who list a process and its arguments.

[ Impact ]
This update allows users to provide credentials via an authfile. Without this update users will remain stuck in the previous situation, but with it they have a *chance* to address the vulnerability with minimal changes on their side.

[ Tests ]
There are no specific tests which cover the affected code. However, this patch has been available upstream since June 2023, released since 2024-03-18, and available in Debian ever since 0.14.0 was uploaded on 2024-07-29. The same patch has also already been released in RHEL9 in RHSA-2023:6482 from 2023-11-07.

[ Risks ]
The added code is rather trivial and has been part of upstream (and other distributions) for quite a while, see above. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037322#45 mentions some considerations for alternative solutions. But the greater risk lies in hiding the actual vulnerability by providing a package update for it, as I elaborate below under "Other info".

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The upstream patch providing an option to read credentials from an authfile is added, and I adjusted Maintainer/Uploaders to match the current situation.

[ Other info ]
This update only addresses the vulnerability insofar as it gives users a *chance* to fix it with minimal changes on their side.
But if users just apply the update without starting to make use of the authfile, they will in fact remain vulnerable. For that reason I have so far refrained from making this update available in Bookworm, in order to point users to the real problem once they in turn got pointed to it by the usual suspects of (more or less dumb) vulnerability reporters, and to avoid having them apply an update and feel safe when the actual vulnerability has not been addressed at all.

But a recent enquiry in #1037322 made me rethink the situation, and I now wish to give users the *chance* to fix the vulnerability in place without having to resort to the more cumbersome alternatives. If they are affected at all, that is, and I presume many / most users are not even affected as they don't use the affected CLI tools, but they just got scared by automatic vulnerability reports.

Cheers,
Flo

diff -Nru librabbitmq-0.11.0/debian/changelog librabbitmq-0.11.0/debian/changelog --- librabbitmq-0.11.0/debian/changelog 2022-02-21 23:42:45.000000000 +0100 +++ librabbitmq-0.11.0/debian/changelog 2024-12-15 07:32:03.000000000 +0100 @@ -1,3 +1,12 @@ +librabbitmq (0.11.0-1+deb12u1) bookworm; urgency=medium + + * [4e71ff7] d/patches/CVE-2023-35789.patch: added for addressing + CVE-2023-35789 (Closes: #1037322) + * [c4d0d0b] d/control: adjust Maintainer/Uploaders to match current + situation + + -- Florian Ernst <florian@debian.org> Sun, 15 Dec 2024 07:32:03 +0100 + librabbitmq (0.11.0-1) unstable; urgency=low * New upstream release (Closes: #1004590, #1006244). diff -Nru librabbitmq-0.11.0/debian/control librabbitmq-0.11.0/debian/control --- librabbitmq-0.11.0/debian/control 2022-02-21 23:42:45.000000000 +0100 +++ librabbitmq-0.11.0/debian/control 2024-12-15 07:29:31.000000000 +0100 
@@ -1,9 +1,7 @@ Source: librabbitmq Priority: optional Section: libs -Maintainer: Michael Fladischer <fladi@debian.org> -Uploaders: - Brian May <bam@debian.org>, +Maintainer: Florian Ernst <florian@debian.org> Build-Depends: cmake, debhelper-compat (= 13), diff -Nru librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch --- librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch 1970-01-01 01:00:00.000000000 +0100 +++ librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch 2024-12-15 07:29:25.000000000 +0100 
@@ -0,0 +1,125 @@ +Applied-Upstream: 463054383fbeef889b409a7f843df5365288e2a0 +Author: Christian Kastner <ckk@kvr.at> +Date: Tue Jun 13 14:21:52 2023 +0200 +Description: Add option to read username/password from file (#781), CVE-2023-35789 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037322 +Forwarded: https://github.com/alanxz/rabbitmq-c/issues/575 +Origin: https://github.com/alanxz/rabbitmq-c/pull/781 + +Index: git/tools/common.c +=================================================================== +--- git.orig/tools/common.c ++++ git/tools/common.c +@@ -54,6 +54,11 @@ + #include "compat.h" + #endif + ++/* For when reading auth data from a file */ ++#define MAXAUTHTOKENLEN 128 ++#define USERNAMEPREFIX "username:" ++#define PASSWORDPREFIX "password:" ++ + void die(const char *fmt, ...) { + va_list ap; + va_start(ap, fmt); +@@ -161,6 +166,7 @@ static char *amqp_vhost; + static char *amqp_username; + static char *amqp_password; + static int amqp_heartbeat = 0; ++static char *amqp_authfile; + #ifdef WITH_SSL + static int amqp_ssl = 0; + static char *amqp_cacert = "/etc/ssl/certs/cacert.pem"; +@@ -183,6 +189,8 @@ struct poptOption connect_options[] = { + "the password to login with", "password"}, + {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0, + "heartbeat interval, set to 0 to disable", "heartbeat"}, ++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0, ++ "path to file containing username/password for authentication", "file"}, + #ifdef WITH_SSL + {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL}, + {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0, +@@ -194,6 +202,50 @@ struct poptOption connect_options[] = { + #endif /* WITH_SSL */ + {NULL, '\0', 0, NULL, 0, NULL, NULL}}; + ++void read_authfile(const char *path) { ++ size_t n; ++ FILE *fp = NULL; ++ char token[MAXAUTHTOKENLEN]; ++ ++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL || ++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) { ++ die("Out of memory"); ++ } 
else if ((fp = fopen(path, "r")) == NULL) { ++ die("Could not read auth data file %s", path); ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) { ++ die("Malformed auth file (missing username)"); ++ } ++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_username); ++ if (amqp_username[n - 1] != '\n') { ++ die("Username too long"); ++ } else { ++ amqp_username[n - 1] = '\0'; ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) { ++ die("Malformed auth file (missing password)"); ++ } ++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_password); ++ if (amqp_password[n - 1] != '\n') { ++ die("Password too long"); ++ } else { ++ amqp_password[n - 1] = '\0'; ++ } ++ ++ (void)fgetc(fp); ++ if (!feof(fp)) { ++ die("Malformed auth file (trailing data)"); ++ } ++} ++ + static void init_connection_info(struct amqp_connection_info *ci) { + ci->user = NULL; + ci->password = NULL; +@@ -269,6 +321,8 @@ static void init_connection_info(struct + if (amqp_username) { + if (amqp_url) { + die("--username and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--username and --authfile options cannot be used at the same time"); + } + + ci->user = amqp_username; +@@ -277,11 +331,23 @@ static void init_connection_info(struct + if (amqp_password) { + if (amqp_url) { + die("--password and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--password and --authfile options cannot be used at the same time"); + } + + ci->password = amqp_password; + } + ++ if (amqp_authfile) { ++ if (amqp_url) { ++ die("--authfile and --url options cannot be used at the same time"); ++ } ++ ++ read_authfile(amqp_authfile); ++ 
ci->user = amqp_username; ++ ci->password = amqp_password; ++ } ++ + if (amqp_vhost) { + if (amqp_url) { + die("--vhost and --url options cannot be used at the same time"); diff -Nru librabbitmq-0.11.0/debian/patches/series librabbitmq-0.11.0/debian/patches/series --- librabbitmq-0.11.0/debian/patches/series 2022-02-21 23:42:45.000000000 +0100 +++ librabbitmq-0.11.0/debian/patches/series 2024-12-15 07:29:25.000000000 +0100 @@ -2,3 +2,4 @@ 0002-use_cmake_package.patch 0003-disable-test-basic.patch 0004-Fix-typo-in-amqp-publish.1-manpage.patch +CVE-2023-35789.patch

Attachment: signature.asc
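Review bot: in the debian/changelog hunk, "added for addressing CVE-2023-35789" overstates what the upload does for an installation that is merely upgraded: as the submission's own [ Other info ] says, credentials passed with --username/--password stay readable by every local user until the invocation is changed to --authfile, so the package upgrade alone changes nothing. A debian/NEWS entry for 0.11.0-1+deb12u1 (shown on upgrade by apt-listchanges) stating that --authfile now exists and that --username/--password on the command line remain exposed would reach exactly the users this update is meant for; the changelog line could also read "add --authfile option as a mitigation for CVE-2023-35789" rather than "addressing".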
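Review bot: in the read_authfile() hunk, `amqp_username[n - 1]` (and the identical password check) indexes one byte before the heap buffer when n is 0, which happens for a file whose line is exactly "username:" or "password:" with no newline at end of file: fgets() then returns only the prefix, strncpy() copies an empty remainder, and strlen() yields 0. Guard it, e.g. `if (n == 0 || amqp_username[n - 1] != '\n')`. Smaller points in the same function: a file whose final line simply lacks a trailing newline is rejected with "Password too long", which is misleading (a feof(fp) check can distinguish a short last line from a truncated one, or the message can say "missing newline"); an empty name or password ("username:\n") is accepted silently; `fp` is never fclose()d; and nothing looks at the file's mode, so a group- or world-readable authfile puts the secret straight back within reach of the local attackers the option is meant to defeat. An fstat() on the open stream with a die() or at least a warning when S_IRGRP or S_IROTH is set would be cheap and would match the intent of the fix.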
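Review bot: in the connect_options[] hunk, the --authfile help string "path to file containing username/password for authentication" does not tell the user the format read_authfile() enforces: exactly two lines, "username:<name>" then "password:<secret>", each line at most MAXAUTHTOKENLEN (128) bytes including the prefix and the newline, with no trailing data, and nothing else in the debdiff documents it (the manpages are untouched). Putting the layout in the popt help text, or in the manpages together with a note that the file should be mode 0600, would save users from guessing and from the bare "Malformed auth file" die()s.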
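Review bot: in the init_connection_info() hunk, the `--authfile and --url options cannot be used at the same time` check leaves users who pass the broker as a --url with embedded credentials (the other way a password ends up in argv) without a mitigation: they cannot just strip the credentials from the URL and add --authfile, they have to move to the individual connection options (--vhost and friends) first. Either allow --authfile together with a credential-less --url, or state the restriction in the help text so that the error is not the first place people learn about it. The ordering itself is fine: the --username/--password blocks die before read_authfile() runs, so a mixed invocation can never reach the assignment of ci->user/ci->password.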
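Review bot: in the debian/patches/series hunk, the new entry `CVE-2023-35789.patch` breaks the numbered naming of the existing patches (0002-use_cmake_package.patch, 0003-disable-test-basic.patch, 0004-Fix-typo-in-amqp-publish.1-manpage.patch); a 0005- prefix would keep the application order visible from the file names. Cosmetic, but cheap to do before the upload.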
Description: PGP signature
--- End Message ---
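As an added example that is not part of the bug report or of the librabbitmq patch: a POSIX shell script that reproduces the exposure described under [ Reason ] (a secret passed as a command-line argument is readable by every local user through the process's argv) and checks the shape of the --authfile mitigation, including the file permission that the patch itself does not check. It assumes a Linux /proc (with ps as a fallback); `sh -c 'sleep 5; :'` stands in for the amqp CLI tool, the tool name amqp-tool, the secret value and the temporary file path are made up, and the authfile layout is the two-line "username:"/"password:" format the patch parses (the patch's 128-byte length limit is not reproduced).

```shell
#!/bin/sh
# Added example, not code from the librabbitmq patch or the Debian package.
# Shows the CVE-2023-35789 class of exposure and the --authfile mitigation.
# Assumptions: `sh -c 'sleep 5; :'` stands in for the amqp CLI tool
# (named amqp-tool here), /proc/<pid>/cmdline or ps is readable, and the
# authfile is the two-line "username:"/"password:" layout the patch reads.

# Print a process's argument vector the way any local user can see it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Exit 0 if the literal string $2 is visible in process $1's argv.
argv_leaks() {
    cmdline_of "$1" | grep -qF -- "$2"
}

# Write an authfile in the layout read_authfile() expects, created with
# mode 0600 so the secret is not simply readable from the file instead.
write_authfile() {
    ( umask 077 && printf 'username:%s\npassword:%s\n' "$2" "$3" > "$1" )
}

# Parse an authfile with the patch's line rules: line 1 must start with
# "username:", line 2 with "password:", and nothing may follow.
# Prints "<user> <pass>" on success; returns 1 on a malformed file.
parse_authfile() {
    af_user=$(sed -n '1p' "$1")
    af_pass=$(sed -n '2p' "$1")
    af_rest=$(sed -n '3,$p' "$1")
    case $af_user in username:*) ;; *) echo "malformed: missing username" >&2; return 1 ;; esac
    case $af_pass in password:*) ;; *) echo "malformed: missing password" >&2; return 1 ;; esac
    [ -z "$af_rest" ] || { echo "malformed: trailing data" >&2; return 1; }
    printf '%s %s\n' "${af_user#username:}" "${af_pass#password:}"
}

# Exit 0 if the authfile is readable by group or others (the patch does
# not check this; a 0644 authfile re-exposes the secret to local users).
authfile_too_open() {
    [ -n "$(find "$1" -perm -040)" ] || [ -n "$(find "$1" -perm -004)" ]
}

# "Before": the tool is invoked with --password on its command line.
# Returns 0 if the secret shows up in the process's argv.
password_on_argv_leaks() {
    sh -c 'sleep 5; :' amqp-tool --username guest --password "$1" >/dev/null 2>&1 &
    pid=$!
    sleep 1                      # let the child exec so the argv is its own
    if argv_leaks "$pid" "$1"; then leaked=0; else leaked=1; fi
    kill "$pid" 2>/dev/null
    return $leaked
}

# "After": the same secret lives only in a 0600 authfile passed by path.
# Returns 0 if the secret still shows up in the process's argv.
authfile_leaks() {
    write_authfile "$2" guest "$1"
    sh -c 'sleep 5; :' amqp-tool --authfile "$2" >/dev/null 2>&1 &
    pid=$!
    sleep 1
    if argv_leaks "$pid" "$1"; then leaked=0; else leaked=1; fi
    kill "$pid" 2>/dev/null
    return $leaked
}

# Run both cases and report (secret and path are made up for the demo).
demo() {
    af=$(mktemp)
    password_on_argv_leaks 's3cr3t-Pa55' && echo "before: secret visible in argv"
    if authfile_leaks 's3cr3t-Pa55' "$af"; then
        echo "after: secret still visible in argv"
    else
        echo "after: argv shows only --authfile $af (user/pass: $(parse_authfile "$af"))"
        authfile_too_open "$af" && echo "warning: $af is readable by other users"
    fi
    rm -f "$af"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh example.sh demo`. The "before" case is exactly what a vulnerability scanner flags for the unpatched tools; the "after" case is what the patch makes possible, but only once the invocation is changed, which is why a bare package upgrade leaves the finding in place.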
--- Begin Message ---
- To: 1089984-done@bugs.debian.org
- Subject: Close 1089984
- From: jmw@debian.org
- Date: Sat, 15 Mar 2025 09:44:44 +0000
- Message-id: <E1ttO4S-005Kk7-Cr@coccia.debian.org>
Version: 12.10

This update has been released as part of 12.10.
Thank you for your contribution.
--- End Message ---