Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: librabbi...@packages.debian.org
Control: affects -1 + src:librabbitmq

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-35789
Until RabbitMQ 0.13.0 users had no other choice for providing credentials to certain tools than exposing them on the command line, making them visible to local attackers by listing a process and its arguments.

[ Impact ]
This update allows users to provide credentials via an authfile. Without this update users will remain stuck in the previous situation, but with it they have a *chance* to address the vulnerability with minimal changes on their side.

[ Tests ]
There are no specific tests which cover the affected code. However, this patch has been available upstream since June 2023 and released since 2024-03-18, and available in Debian ever since 0.14.0 had been uploaded 2024-07-29. The same patch has also already been released in RHEL9 in RHSA-2023:6482 from 2023-11-07.

[ Risks ]
The added code is rather trivial and part of upstream (and other distributions) for quite a while, see above. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037322#45 mentions some considerations for alternative solutions. But the greater risk lies with hiding the actual vulnerability by providing a package update for it, as I will further elaborate on below under "Other info".

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The upstream patch providing an option to read credentials from an authfile is added, and I adjusted Maintainer/Uploaders to match the current situation.

[ Other info ]
This update only addresses the vulnerability insofar as it gives users a *chance* to fix it with minimal changes on their side. But if users just apply the update without starting to make use of the authfile, they will remain in fact vulnerable.
For that reason I have so far refrained from making this update available in Bookworm, in order to point users to the real problem once they in turn got pointed to it by the usual suspects of (more or less dumb) vulnerability reporters, and to avoid having them apply an update and feeling safe when the actual vulnerability has not been addressed at all. But a recent enquiry in #1037322 made me rethink the situation, and I now wish to give users the *chance* to fix the vulnerability in place without having to resort to the more cumbersome alternatives. If they are affected at all, that is, and I presume many / most users are not even affected as they don't use the affected CLI tools, but they just got scared by automatic vulnerability reports. Cheers, Flo
diff -Nru librabbitmq-0.11.0/debian/changelog librabbitmq-0.11.0/debian/changelog --- librabbitmq-0.11.0/debian/changelog 2022-02-21 23:42:45.000000000 +0100 +++ librabbitmq-0.11.0/debian/changelog 2024-12-15 07:32:03.000000000 +0100 @@ -1,3 +1,12 @@ +librabbitmq (0.11.0-1+deb12u1) bookworm; urgency=medium + + * [4e71ff7] d/patches/CVE-2023-35789.patch: added for addressing + CVE-2023-35789 (Closes: #1037322) + * [c4d0d0b] d/control: adjust Maintainer/Uploaders to match current + situation + + -- Florian Ernst <flor...@debian.org> Sun, 15 Dec 2024 07:32:03 +0100 + librabbitmq (0.11.0-1) unstable; urgency=low * New upstream release (Closes: #1004590, #1006244). diff -Nru librabbitmq-0.11.0/debian/control librabbitmq-0.11.0/debian/control --- librabbitmq-0.11.0/debian/control 2022-02-21 23:42:45.000000000 +0100 +++ librabbitmq-0.11.0/debian/control 2024-12-15 07:29:31.000000000 +0100 @@ -1,9 +1,7 @@ Source: librabbitmq Priority: optional Section: libs -Maintainer: Michael Fladischer <fl...@debian.org> -Uploaders: - Brian May <b...@debian.org>, +Maintainer: Florian Ernst <flor...@debian.org> Build-Depends: cmake, debhelper-compat (= 13), diff -Nru librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch --- librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch 1970-01-01 01:00:00.000000000 +0100 +++ librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch 2024-12-15 07:29:25.000000000 +0100 
@@ -0,0 +1,125 @@ +Applied-Upstream: 463054383fbeef889b409a7f843df5365288e2a0 +Author: Christian Kastner <c...@kvr.at> +Date: Tue Jun 13 14:21:52 2023 +0200 +Description: Add option to read username/password from file (#781), CVE-2023-35789 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037322 +Forwarded: https://github.com/alanxz/rabbitmq-c/issues/575 +Origin: https://github.com/alanxz/rabbitmq-c/pull/781 + +Index: git/tools/common.c +=================================================================== +--- git.orig/tools/common.c ++++ git/tools/common.c +@@ -54,6 +54,11 @@ + #include "compat.h" + #endif + ++/* For when reading auth data from a file */ ++#define MAXAUTHTOKENLEN 128 ++#define USERNAMEPREFIX "username:" ++#define PASSWORDPREFIX "password:" ++ + void die(const char *fmt, ...) { + va_list ap; + va_start(ap, fmt); +@@ -161,6 +166,7 @@ static char *amqp_vhost; + static char *amqp_username; + static char *amqp_password; + static int amqp_heartbeat = 0; ++static char *amqp_authfile; + #ifdef WITH_SSL + static int amqp_ssl = 0; + static char *amqp_cacert = "/etc/ssl/certs/cacert.pem"; +@@ -183,6 +189,8 @@ struct poptOption connect_options[] = { + "the password to login with", "password"}, + {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0, + "heartbeat interval, set to 0 to disable", "heartbeat"}, ++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0, ++ "path to file containing username/password for authentication", "file"}, + #ifdef WITH_SSL + {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL}, + {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0, +@@ -194,6 +202,50 @@ struct poptOption connect_options[] = { + #endif /* WITH_SSL */ + {NULL, '\0', 0, NULL, 0, NULL, NULL}}; + ++void read_authfile(const char *path) { ++ size_t n; ++ FILE *fp = NULL; ++ char token[MAXAUTHTOKENLEN]; ++ ++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL || ++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) { ++ die("Out of memory"); ++ 
} else if ((fp = fopen(path, "r")) == NULL) { ++ die("Could not read auth data file %s", path); ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) { ++ die("Malformed auth file (missing username)"); ++ } ++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_username); ++ if (amqp_username[n - 1] != '\n') { ++ die("Username too long"); ++ } else { ++ amqp_username[n - 1] = '\0'; ++ } ++ ++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL || ++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) { ++ die("Malformed auth file (missing password)"); ++ } ++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN); ++ /* Missing newline means token was cut off */ ++ n = strlen(amqp_password); ++ if (amqp_password[n - 1] != '\n') { ++ die("Password too long"); ++ } else { ++ amqp_password[n - 1] = '\0'; ++ } ++ ++ (void)fgetc(fp); ++ if (!feof(fp)) { ++ die("Malformed auth file (trailing data)"); ++ } ++} ++ + static void init_connection_info(struct amqp_connection_info *ci) { + ci->user = NULL; + ci->password = NULL; +@@ -269,6 +321,8 @@ static void init_connection_info(struct + if (amqp_username) { + if (amqp_url) { + die("--username and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--username and --authfile options cannot be used at the same time"); + } + + ci->user = amqp_username; +@@ -277,11 +331,23 @@ static void init_connection_info(struct + if (amqp_password) { + if (amqp_url) { + die("--password and --url options cannot be used at the same time"); ++ } else if (amqp_authfile) { ++ die("--password and --authfile options cannot be used at the same time"); + } + + ci->password = amqp_password; + } + ++ if (amqp_authfile) { ++ if (amqp_url) { ++ die("--authfile and --url options cannot be used at the same time"); ++ } ++ ++ read_authfile(amqp_authfile); 
++ ci->user = amqp_username; ++ ci->password = amqp_password; ++ } ++ + if (amqp_vhost) { + if (amqp_url) { + die("--vhost and --url options cannot be used at the same time"); diff -Nru librabbitmq-0.11.0/debian/patches/series librabbitmq-0.11.0/debian/patches/series --- librabbitmq-0.11.0/debian/patches/series 2022-02-21 23:42:45.000000000 +0100 +++ librabbitmq-0.11.0/debian/patches/series 2024-12-15 07:29:25.000000000 +0100 @@ -2,3 +2,4 @@ 0002-use_cmake_package.patch 0003-disable-test-basic.patch 0004-Fix-typo-in-amqp-publish.1-manpage.patch +CVE-2023-35789.patch
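Review bot: the changelog entry only says the patch is "added for addressing CVE-2023-35789", yet the cover letter itself states that users remain vulnerable until they move credentials into the new authfile. The entry should name the `--authfile` option and say that the update only takes effect once credentials are supplied through it, so that someone reading the changelog (apt-listchanges, tracker) learns the required follow-up step rather than assuming the upgrade alone closes the issue.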
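Review bot: in `read_authfile` (tools/common.c hunk `@@ -194,6 +202,50 @@`), `if (amqp_username[n - 1] != '\n')` and the matching password check index with `n - 1` before verifying that `n` is non-zero. When a line is exactly `username:` (or `password:`) at end of file with no newline, `strncpy` copies an empty string, `n` is 0, and `n - 1` wraps to `SIZE_MAX`, so the tool reads one byte out of bounds before it dies. Guard both checks as `if (n == 0 || amqp_username[n - 1] != '\n')` so an empty or truncated value takes the existing `die(...)` path. Two smaller points in the same function: `fp` is never `fclose`d after the trailing-data check, and nothing warns when the authfile is group- or world-readable, which would expose the credentials to the same local users the option is meant to hide them from; an `fstat` on the descriptor with a warning on `S_IRGRP | S_IROTH` would make the mitigation harder to misuse.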
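Review bot: the new `debian/patches/series` entry `CVE-2023-35789.patch` breaks the `000N-` prefix convention the existing entries follow (`0002-use_cmake_package.patch`, `0003-disable-test-basic.patch`, `0004-Fix-typo-in-amqp-publish.1-manpage.patch`); naming it `0005-CVE-2023-35789.patch` keeps the series ordered by that prefix.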
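Added example, not code from the bug report or from librabbitmq: a POSIX sh check that validates an authfile against the format the patched tools parse (line 1 `username:<name>`, line 2 `password:<secret>`, both newline-terminated, nothing after line 2, each line short enough for `fgets(token, 128)` to include the newline). It additionally rejects empty values and files readable by group or others; those two checks are assumptions of this example, not rules the patch enforces.

```shell
#!/bin/sh
# check_authfile FILE: exit 0 if FILE is a well-formed, owner-only authfile
# for the --authfile option added by the CVE-2023-35789 patch, else exit 1.
LC_ALL=C; export LC_ALL   # make ${#var} count bytes, as the C parser does

check_authfile() {
  f="$1"
  if [ ! -f "$f" ]; then
    echo "check_authfile: no such file: $f" >&2; return 1
  fi
  # Columns 5-10 of ls -l are the group/other bits; the patch does not
  # check these, but a readable authfile leaks what it is meant to hide.
  perms=$(ls -ld "$f" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "check_authfile: $f is readable by group/others (chmod 600 it)" >&2
    return 1
  fi
  l1=$(sed -n '1p' "$f")
  l2=$(sed -n '2p' "$f")
  # Prefixes USERNAMEPREFIX / PASSWORDPREFIX; '?*' also demands a non-empty value
  case "$l1" in
    username:?*) ;;
    *) echo "check_authfile: line 1 must be 'username:<name>'" >&2; return 1 ;;
  esac
  case "$l2" in
    password:?*) ;;
    *) echo "check_authfile: line 2 must be 'password:<secret>'" >&2; return 1 ;;
  esac
  # fgets(token, MAXAUTHTOKENLEN=128) reads at most 127 bytes; the newline
  # must be among them, so each line may hold at most 126 bytes before it.
  if [ "${#l1}" -gt 126 ] || [ "${#l2}" -gt 126 ]; then
    echo "check_authfile: line too long, tool would die with 'too long'" >&2
    return 1
  fi
  # Exactly two newlines and no trailing data: total bytes must match.
  bytes=$(wc -c < "$f" | tr -d ' ')
  expected=$(( ${#l1} + ${#l2} + 2 ))
  if [ "$bytes" -ne "$expected" ]; then
    echo "check_authfile: missing newline or trailing data after line 2" >&2
    return 1
  fi
  return 0
}
```

Run it as `check_authfile /path/to/authfile` before pointing a tool at that file; a non-zero exit means the patched parser would reject it or the file is exposed to other local users.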