Re: Analysis of issue for phpmyadmin and request for comment on XSS issues

2016-07-02 Thread Ola Lundqvist
Hi Markus and Ben

Thanks to both of you for good insight.

Markus you gave a good reminder that XSS is also for people who have "write
permission" to the site.

I'll use both your inputs in the further patch work. The XSS issues look
trivial so I should be able to fix all or most of them easily.

Best regards

// Ola

On Wed, Jun 29, 2016 at 12:20 AM, Markus Koschany  wrote:

> On 26.06.2016 23:47, Ola Lundqvist wrote:
> > Hi LTS team
>
> Hi!
>
> >
> > I have done some analysis of the issues for phpmyadmin.
> >
> > It would be good to know what your opinion about XSS issues for admin
> > software like phpmyadmin is. I do not see how that can be very
> > important. I mean you know the URL and do not really use external links
> > for accessing it.
> > Or does anyone have another opinion?
>
> XSS is not just about getting tricked into clicking the wrong site URL
> of the application. XSS is very common for web applications and in case
> of webapps like phpmyadmin, where usually multiple users have access to
> databases with various permissions, there are often multiple
> possibilities to inject Javascript or other code into HTML tags,
> 

LTS report for June 2016

2016-07-02 Thread Emilio Pozuelo Monfort
This month I was allocated 16 hours to work on Debian-LTS. I spent this time
doing the following:

- Prepared, tested and uploaded libxslt.
- Prepared and tested an update for clamav. However the maintainer asked me to
wait until a regression in the Jessie update can be addressed.
- Prepared, tested and uploaded nss.
- Triaged a lot of tiff security bugs, forwarding them upstream.
- Prepared and tested an update for cacti.

Thanks,
Emilio



sqlite3 package and debdiff [new-ish contributor, second attempt]

2016-07-02 Thread Roberto C . Sánchez
Hello all,

As the ICU package was perhaps a bit much to try as a first attempt (I
am still waiting for feedback from upstream on the patches as I am
unable to test them), I have decided to tackle a less challenging
package for my training run: sqlite3.

Based on the security tracker, this CVE was recently made public:

https://security-tracker.debian.org/tracker/CVE-2016-6153

Based on the notes there, I worked from these three upstream commits:

http://www.sqlite.org/cgi/src/info/67985761aa93fb61
http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3
http://www.sqlite.org/cgi/src/info/614bb709d34e1148

I read the exploit details and a proof of concept here:

https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt

The debdiff of the changes I made is attached to this mail and I have
uploaded the complete source package here:

https://people.debian.org/~roberto/

Following the steps in the proof of concept (at the bottom of the
korelogic.com page), I installed the vulnerable version of sqlite3 in a
wheezy Docker image.

After following the steps, I found that sqlite3 had ignored the
directory I specified in TMPDIR:

miami:~#  ls -l /proc/$(pidof sqlite3)/fd/ |egrep tmp
lrwx-- 1 nobody nogroup 64 Jul  2 23:32 3 -> 
/var/tmp/etilqs_gtsvCDCYTxqchTi (deleted)
lrwx-- 1 nobody nogroup 64 Jul  2 23:32 4 -> 
/var/tmp/etilqs_hECZPuVuLGwZJIV (deleted)

I installed the newly built sqlite3 (3.7.13-1+deb7u3) and followed the
same steps again, finding that this time sqlite correctly allowed
temporary file creation in a directory without read permissions for the
creating user:

miami:~#  ls -l /proc/$(pidof sqlite3)/fd/ |egrep tmp
lrwx-- 1 nobody nogroup 64 Jul  2 23:34 3 -> 
/tmp/safe/etilqs_qIv0PwmhyswdIUF (deleted)
lrwx-- 1 nobody nogroup 64 Jul  2 23:34 4 -> 
/tmp/safe/etilqs_Jtmaahr2v0UXa2I (deleted)

If I understand the workflow correctly, then at this point I still need
to run the gen-DLA script, mail the DLA announcement, and upload the
package.

This change seemed very straightforward and I am confident that it is
ready for upload.  I would appreciate it if someone could review my work
and confirm that I have the next steps correct.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
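The directory-permission rule that the changelog entry describes (write and execute suffice, read is not required), as an added example: this is my own reimplementation, not SQLite's os_unix.c or the patch in the debdiff. select_temp_dir, unreadable_dir_selected and the candidate list are assumptions; the constructed 0300 directory stands in for the unreadable TMPDIR used in the reproduction above.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return the first candidate that exists, is a directory and passes
 * access() with the requested mode, or NULL if none does.
 * Hypothetical reimplementation of a temp-directory search. */
static const char *select_temp_dir(const char *const *candidates, int mode) {
    struct stat st;
    for (size_t i = 0; candidates[i] != NULL; i++) {
        const char *dir = candidates[i];
        if (dir[0] == '\0') continue;
        if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) continue;
        if (access(dir, mode) != 0) continue;   /* policy decided by mode */
        return dir;
    }
    return NULL;
}

/* Create a constructed 0300 directory (write+execute, no read) under /tmp,
 * run the search with the given mode and report whether that directory
 * was chosen (1), skipped in favour of a world-writable fallback (0),
 * or could not be set up (-1). The directory is removed afterwards. */
static int unreadable_dir_selected(int mode) {
    char dir[] = "/tmp/noread.XXXXXX";          /* constructed template */
    if (mkdtemp(dir) == NULL) return -1;
    if (chmod(dir, S_IWUSR | S_IXUSR) != 0) { rmdir(dir); return -1; }
    const char *cands[] = { dir, "/var/tmp", "/tmp", NULL };
    const char *chosen = select_temp_dir(cands, mode);
    int selected = (chosen != NULL && strcmp(chosen, dir) == 0);
    rmdir(dir);
    return selected;
}

int main(void) {
    /* Old policy required read as well, so an unreadable TMPDIR was
     * silently skipped and temp files landed in /var/tmp; the corrected
     * policy accepts it. (As root, access() ignores mode bits, so both
     * report 1.) */
    printf("read+write+exec required: %d\n",
           unreadable_dir_selected(R_OK | W_OK | X_OK));
    printf("write+exec sufficient:    %d\n",
           unreadable_dir_selected(W_OK | X_OK));
    return 0;
}
```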
diff -Nru sqlite3-3.7.13/debian/changelog sqlite3-3.7.13/debian/changelog
--- sqlite3-3.7.13/debian/changelog	2015-06-14 05:23:43.0 -0400
+++ sqlite3-3.7.13/debian/changelog	2016-07-02 23:30:43.0 -0400
@@ -1,3 +1,11 @@
+sqlite3 (3.7.13-1+deb7u3) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2016-6153: Allow temporary directory without read permission as
+long as it has write and execute permissions.
+
+ -- Roberto C. Sanchez   Sat, 02 Jul 2016 23:00:45 -0400
+
 sqlite3 (3.7.13-1+deb7u2) wheezy-security; urgency=high
 
   * Properly handle precision and width values during floating-point
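Review bot: the first changelog line in the hunk attributes the upload to "the Security Team", but this is an LTS upload going through the DLA process (the mail lists gen-DLA and the DLA announcement as the next steps), so the usual wording is "Non-maintainer upload by the Debian LTS Team." Also, the trailer line as rendered here reads "Roberto C. Sanchez   Sat, 02 Jul 2016 23:00:45 -0400" with nothing between the name and the date; please check that the file in the source package has the full `Name <address>` form so the trailer parses.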
diff -Nru sqlite3-3.7.13/debian/patches/42-CVE-2016-6153.patch sqlite3-3.7.13/debian/patches/42-CVE-2016-6153.patch
--- sqlite3-3.7.13/debian/patches/42-CVE-2016-6153.patch	1969-12-31 19:00:00.0 -0500
+++ sqlite3-3.7.13/debian/patches/42-CVE-2016-6153.patch	2016-07-02 23:30:21.0 -0400
@@ -0,0 +1,62 @@
+Description: Allow temporary directory without read permission as long as it has write and execute permissions.
+Origin: upstream, http://www.sqlite.org/cgi/src/info/67985761aa93fb61 http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3 http://www.sqlite.org/cgi/src/info/614bb709d34e1148
+--- sqlite3-3.7.13.orig/src/os_unix.c
 sqlite3-3.7.13/src/os_unix.c
+@@ -4787,20 +4787,24 @@
+  "/tmp",
+  0/* List terminator */
+   };
+-  unsigned int i;
++  unsigned int i = 0;
+   struct stat buf;
+-  const char *zDir = 0;
++  const char *zDir = sqlite3_temp_directory;
+ 
+-  azDirs[0] = sqlite3_temp_directory;
++  if( !azDirs[0] ) azDirs[0] = getenv("SQLITE_TMPDIR");
+   if( !azDirs[1] ) azDirs[1] = getenv("TMPDIR");
+-  for(i=0; i=sizeof(azDirs)/sizeof(azDirs[0]) ) break;
++zDir = azDirs[i++];
+   }
+-  return zDir;
++  return 0;
+ }
+ 
+ /*
+@@ -4820,10 +4824,11 @@
+   ** using the io-error infrastructure to test that SQLite handles this
+   ** function failing. 
+   */
++  zBuf[0] = 0;
+   SimulateIOError( return SQLITE_IOERR );
+ 
+   zDir = unixTempFileDir();
+-  if( zDir==0 ) zDir = ".";
++  if( zDir==0 ) return SQLITE_IOERR_GETTEMPPATH;
+ 
+   /* Check that the output buffer is large enough for the temporary file 
+   ** name. If it is not, return SQLITE_ERROR.
+--- sqlite3-3.7.13.orig/src/sqlite.h.in
 sqlite3-3.7.13/src/sqlite.h.in
+@@ -450,6 +450,7 @@
+ #define SQLITE_IOERR_SHMLOCK   (SQLITE_IOERR | (20<<8))
+ #define SQLITE_IOERR_SHMMAP(SQLITE_IOERR | (21<<8))
+ #define SQLITE_IOERR_SEEK  (SQLITE_IOERR | (22<<8))
++#define SQLITE_IOERR_GETTEMPPATH   (SQLITE_IOERR | (25<<8))
+ #define SQLITE_LOCKED_SHAREDCACHE  (SQLITE_LOCKED |  (1<<8))
+ #
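Review bot: the part of the patch that actually fixes the CVE cannot be checked from this rendering: at `+-  for(i=0; i=sizeof(azDirs)/sizeof(azDirs[0]) ) break;` the removed loop and the replacement loop (including the access-mode test that decides whether a write+execute-only directory is accepted) have been collapsed into a single line, and the `+++ .../src/os_unix.c` and `.../src/sqlite.h.in` header lines have lost their leading markers, so please confirm that 42-CVE-2016-6153.patch in the uploaded source package applies cleanly and that its loop matches the three upstream commits named in the Origin line. Separately, replacing `if( zDir==0 ) zDir = ".";` with `return SQLITE_IOERR_GETTEMPPATH;` changes behaviour when no candidate directory is usable (the old code fell back to the current directory, the new code fails the temp-file open); that follows upstream, but it deserves a sentence in the changelog or the DLA text so users hitting the new error know why.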