
Bug#1111733: trixie-pu: package rabbitmq-server/4.0.5-6+deb13u1 (CVE-2025-50200)



Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: rabbitmq-server@packages.debian.org
Control: affects -1 + src:rabbitmq-server
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
This is a fix for CVE-2025-50200:
https://bugs.debian.org/1108075

I'm sorry, I completely missed it. The CVE is about RabbitMQ, in some
cases, logging a base64-encoded version of a login token (i.e. login:password). I
simply applied the upstream patch.

[ Impact ]
Login token appears in the log (encoded as base64).

[ Tests ]
I tested that rabbitmq-server continues working. It does, but I did not verify
the fix for the specific CVE.

[ Risks ]
I have to admit I don't understand a thing about Erlang, though the patch
seemed easy to backport (a small patch, and it was easy to see where to
apply it).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please allow me to upload rabbitmq-server 4.0.5-6+deb13u2 to Trixie pu.

Cheers,

Thomas Goirand (zigo)
diff -Nru rabbitmq-server-4.0.5/debian/changelog rabbitmq-server-4.0.5/debian/changelog
--- rabbitmq-server-4.0.5/debian/changelog	2025-08-11 14:31:10.000000000 +0200
+++ rabbitmq-server-4.0.5/debian/changelog	2025-08-21 16:06:08.000000000 +0200
@@ -1,3 +1,16 @@
+rabbitmq-server (4.0.5-6+deb13u2) trixie; urgency=medium
+
+  * CVE-2025-50200: In versions 3.13.7 and prior, RabbitMQ is logging
+    authorization headers in plaintext encoded in base64. When querying
+    RabbitMQ api with HTTP/s with basic authentication it creates logs with all
+    headers in request, including authorization headers which show base64
+    encoded username:password. This is easy to decode and afterwards could be
+    used to obtain control to the system depending on credentials.
+    Added upstream patch: Fix_Cowboy_crashes_caused_by_double_reply.patch.
+    (Closes: #1108075)
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 21 Aug 2025 16:06:08 +0200
+
 rabbitmq-server (4.0.5-6+deb13u1) trixie; urgency=medium
 
   * Fix rabbitmq-server broken plugin versions by applying patch from the BTS.
diff -Nru rabbitmq-server-4.0.5/debian/patches/CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch rabbitmq-server-4.0.5/debian/patches/CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch
--- rabbitmq-server-4.0.5/debian/patches/CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch	1970-01-01 01:00:00.000000000 +0100
+++ rabbitmq-server-4.0.5/debian/patches/CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch	2025-08-21 16:06:08.000000000 +0200
@@ -0,0 +1,166 @@
+Description: [PATCH] Fix Cowboy crashes caused by double reply
+ Issue introduced in 383ddb16341.
+Author: Loic Hoguin <loic.hoguin@broadcom.com>
+Date: Tue, 25 Mar 2025 12:33:00 +0100
+Origin: upstream, https://patch-diff.githubusercontent.com/raw/rabbitmq/rabbitmq-server/pull/13612.patch
+Last-Update: 2025-08-18
+
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+@@ -51,6 +51,8 @@
+ 
+ -export([disable_stats/1, enable_queue_totals/1]).
+ 
++-export([set_resp_not_found/2]).
++
+ -import(rabbit_misc, [pget/2]).
+ 
+ -include("rabbit_mgmt.hrl").
+@@ -1175,3 +1177,18 @@ catch_no_such_user_or_vhost(Fun, Replace
+ %% error is thrown when the request is out of range
+ sublist(List, S, L) when is_integer(L), L >= 0 ->
+     lists:sublist(lists:nthtail(S-1, List), L).
++
++-spec set_resp_not_found(binary(), cowboy_req:req()) -> cowboy_req:req().
++set_resp_not_found(NotFoundBin, ReqData) ->
++    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
++        not_found ->
++            <<"vhost_not_found">>;
++        _ ->
++            NotFoundBin
++    end,
++    ReqData1 = cowboy_req:set_resp_header(
++        <<"content-type">>, <<"application/json">>, ReqData),
++    cowboy_req:set_resp_body(rabbit_json:encode(#{
++        <<"error">> => <<"not_found">>,
++        <<"reason">> => ErrorMessage
++    }), ReqData1).
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
+@@ -29,11 +29,14 @@ allowed_methods(ReqData, Context) ->
+ content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_exchange:exchange(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_exchange:exchange(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"exchange_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -104,18 +107,6 @@ bad({{coordinator_unavailable, _}, _}, R
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_vhost(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "exchange_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+-
+ %%--------------------------------------------------------------------
+ 
+ decode(Payload, <<"string">>) -> Payload;
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
+@@ -25,11 +25,14 @@ variances(Req, Context) ->
+ allowed_methods(ReqData, Context) ->
+     {[<<"POST">>, <<"OPTIONS">>], ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_queue:queue(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_queue:queue(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"queue_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -54,17 +57,6 @@ do_it(ReqData0, Context) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_admin(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "queue_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+ %%--------------------------------------------------------------------
+ 
+ action(Else, _Q, ReqData, Context) ->
+Index: rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+===================================================================
+--- rabbitmq-server.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
++++ rabbitmq-server/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+@@ -29,11 +29,14 @@ allowed_methods(ReqData, Context) ->
+ content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_queue:queue(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_queue:queue(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"queue_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -152,17 +155,6 @@ basic_get(Ch, Q, AckMode, Enc, Trunc) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_vhost(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "queue_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+ %%--------------------------------------------------------------------
+ 
+ maybe_truncate(Payload, none)                         -> Payload;
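Review bot: The patch header at `Description:` never says how "Fix Cowboy crashes caused by double reply" relates to CVE-2025-50200, which is what this request and the changelog are about; a header line such as ` The crash report Cowboy emitted on the double reply included the request headers, which is the Authorization-header leak tracked as CVE-2025-50200.` would make the backport reviewable (that link is inferred from the changelog text, not shown in the hunk). The code itself replaces a reply issued inside `resource_exists/2` via `rabbit_mgmt_util:not_found/3` with `{false, ReqData1, Context}` and a prepared JSON 404 body from `set_resp_not_found/2`, so Cowboy sends the single response itself. Since the [Tests] section says the CVE was not checked, a short verification would be a POST to a non-existent exchange or queue name with basic authentication, confirming a JSON 404 with `"reason"` of `exchange_not_found`/`queue_not_found` (or `vhost_not_found`) and that the server log contains no crash report with the request headers. A minor style point: `set_resp_not_found/2` calls `rabbit_mgmt_util:vhost(ReqData)` from within rabbit_mgmt_util itself, where a local `vhost(ReqData)` is the usual form, but as this is upstream's code it is not worth diverging in a backport. The embedded patch is complete within the hunk; the rest of each modified module is outside the excerpt.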
diff -Nru rabbitmq-server-4.0.5/debian/patches/series rabbitmq-server-4.0.5/debian/patches/series
--- rabbitmq-server-4.0.5/debian/patches/series	2025-08-11 14:31:10.000000000 +0200
+++ rabbitmq-server-4.0.5/debian/patches/series	2025-08-21 16:06:08.000000000 +0200
@@ -1,3 +1,4 @@
 lets-use-python3-not-python-binary.patch
 rabbitmq-dist.mk.patch
 elixir-1.18-compat.patch
+CVE-2025-50200_Fix_Cowboy_crashes_caused_by_double_reply.patch
