Bug 109667

Summary: media-sound/gnump3d: XSS + Directory traversal (CAN-2005-312{2|3})
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ch.moellinger, dillavou, jscholefield, sound
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments (description, flags):
gnump3d-dot-dot.diff (flags: none)
gnump3d-xss.diff (flags: none)
gnump3d-CAN-2005-3122.patch (flags: none)
gnump3d-CAN-2005-3123.patch (flags: none)
gnump3d-2.9.4-r1.ebuild (flags: none)
gnump3d-2.9.5.ebuild (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-17 22:50:12 UTC
Reported to Vendor-Sec by Steve Kemp from Debian:

1. XSS Attacks [ CAN-2005-3122 ]
--------------------------------

  There are two XSS attack vectors in the handling of files.

  When files are not found the requested URI isn't stripped from
  the 404 page, allowing JavaScript execution via:

        http://host:port/not-present/<script>..</script>

  The second flaw comes from a similar refusal to serve any request ending
  in the string '.password'.  Internally this is an identical vulnerability
  as the request is converted into a 404 response regardless of whether the
  file exists or not:

        http://host:port/any/path/<script>...</script>/.password

  Patch attached 'gnump3d-xss.diff'.


2. Directory Traversal [CAN-2005-3123]
--------------------------------------

  This is a far more serious flaw, which allows the reading of
  arbitrary files which the user the server is running as has access to
  (gnump3d by default).

  The flaw comes from the attempt to sanitize input paths, ironically
  to prevent these very attacks.

  The process looks like this:

        Strip ".." from all inputted paths.
        Then strip "//" from all inputted paths.

  This allows the following conversion to happen:

        /.//./
        /../

  So with the root set to /home/mp3 the following allows the password
  file to be retrieved:

        GET /.//.///.//./etc/passwd HTTP/1.0

  The solution chosen is to:

        1.  Strip "/../" only from the input paths.  And for Windows: (\..\).

  Patch attached, gnump3d-dot-dot.diff
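To make the sanitizer-ordering defect in CAN-2005-3123 concrete, here is an added Python illustration (not gnump3d's Perl code and not either attached patch) that mimics the two strip steps the advisory describes and, beside it, a containment check that resolves the request under the document root instead of scrubbing substrings; the root /home/mp3 and the request path are the ones quoted in the advisory, everything else is constructed for the example.

```python
import posixpath
from typing import Optional

# Document root used in the advisory's example (see the bug description).
ROOT = "/home/mp3"


def flawed_sanitize(request_path: str) -> str:
    """Mimic the sanitizer the advisory describes for CAN-2005-3123:
    first strip every "..", then strip every "//".  Because removing "//"
    can bring two dots together, the second pass re-creates the very
    ".." sequence the first pass was meant to remove."""
    without_dotdot = request_path.replace("..", "")
    return without_dotdot.replace("//", "")


def flawed_resolve(root: str, request_path: str) -> str:
    """Append the 'sanitized' path to the root and normalise it the way the
    filesystem would when the file is opened."""
    return posixpath.normpath(root + flawed_sanitize(request_path))


def safe_resolve(root: str, request_path: str) -> Optional[str]:
    """Hardened approach (added here; not the fix shipped in gnump3d 2.9.7):
    do not try to scrub dangerous substrings at all.  Resolve the request
    relative to the root, normalise, and refuse anything whose canonical
    form is not the root itself or a descendant of it.  Returns None on
    rejection so the caller can answer with a 404/403 instead of opening it."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, request_path.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed demonstration using the request quoted in the advisory.
    advisory_request = "/.//.///.//./etc/passwd"
    print("flawed sanitizer yields:", flawed_sanitize(advisory_request))  # /../../etc/passwd
    print("flawed server would open:", flawed_resolve(ROOT, advisory_request))  # /etc/passwd
    print("containment check keeps it under root:", safe_resolve(ROOT, advisory_request))
    print("literal traversal is rejected:", safe_resolve(ROOT, "/../etc/passwd"))  # None
```

Note that the containment check does not reject the advisory's request; taken literally it names a file under the root, which is exactly why substring scrubbing was the wrong tool and canonical-path comparison is the right one.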
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-17 22:51:32 UTC
Created attachment 70901 [details, diff]
gnump3d-dot-dot.diff
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-17 22:52:00 UTC
Created attachment 70902 [details, diff]
gnump3d-xss.diff
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-10-19 01:28:21 UTC
luckyduck: please prepare a new ebuild with included patches and attach it to
this bug (do not commit it to Portage before 20051028).
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-23 03:18:27 UTC
Opening to other members of the sound herd, since luckyduck is quite MIA.

Could one of you please prepare a new ebuild with included patches and attach it
to this bug (do not commit it to Portage before 20051028).
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2005-10-23 19:56:24 UTC
I'm on it... please /msg me when it's ok to commit.
Comment 6 Jeremy Huddleston (RETIRED) gentoo-dev 2005-10-23 20:08:48 UTC
Created attachment 71315 [details, diff]
gnump3d-CAN-2005-3122.patch

for those interested in testing, the patch needed some cleanup.
Comment 7 Jeremy Huddleston (RETIRED) gentoo-dev 2005-10-23 20:09:39 UTC
Created attachment 71316 [details, diff]
gnump3d-CAN-2005-3123.patch

ditto...
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-10-24 08:06:41 UTC
Thx Jeremy. When ready, please attach everything needed to test (ebuild + files)
so that we can call out arch testers on the bug.
Comment 9 Jeremy Huddleston (RETIRED) gentoo-dev 2005-10-25 13:09:57 UTC
Created attachment 71443 [details]
gnump3d-2.9.4-r1.ebuild
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2005-10-25 13:10:51 UTC
Created attachment 71444 [details]
gnump3d-2.9.5.ebuild
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-10-25 22:36:59 UTC
Dear arch security-liaisons, plz test the ebuild and report back (remember it's
still confidential ;)
Btw, could somebody check if my CC'ed liaisons are the up-to-date ones?
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 00:35:32 UTC
Checking.... and adding rangerpb for ppc64
Comment 13 Simon Stelling (RETIRED) gentoo-dev 2005-10-26 10:01:49 UTC
The patch is unusable: with 2.9.4-r1, when I try to cd to a subdirectory called
'soul', the link points to http://soul/ instead of http://localhost:1234/soul.
2.9.4 works fine.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-10-27 00:38:47 UTC
Back to ebuild preparation as the attached one seems to fail.
If all else fails, there should be a new upstream release tomorrow.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 06:51:29 UTC
Now public with the release of upstream 2.9.6.

Jeremy/sound team: maybe simpler to bump to that version if we're unsure of
those patches.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 06:52:59 UTC
Cc cleanup to reduce pollution
Comment 17 Jeremy Huddleston (RETIRED) gentoo-dev 2005-10-28 08:50:14 UTC
2.9.6 in portage.  I've tested it to my satisfaction to put in portage, but I
don't have time at the moment to mark it stable for my archs.  I'll take care of
sparc, amd64, and x86 later tonight if someone else doesn't beat me to it.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 10:42:03 UTC
Archs, please test and mark stable
Target KEYWORDS="alpha amd64 ~ppc ppc64 ~ppc-macos sparc x86"
Comment 19 Fernando J. Pereda (RETIRED) gentoo-dev 2005-10-28 13:21:20 UTC
alpha done

Cheers,
Ferdy
Comment 20 Simon Stelling (RETIRED) gentoo-dev 2005-10-28 15:02:50 UTC
I'm still encountering the same problems as in comment 13.

I think it is related to this (gnump3d.conf):

directory_format = <tr><td width="10%">&nbsp;</td><td><a href="$LINK">$DIR_NAME</a></td><td>$SONG_COUNT</td><td>$DIR_COUNT</td><td>[$RECURSE]</td></tr>

I tried to comment it out, but then gnump3d would just crash right after firing up.

I also changed href="$LINK" to href="abc $LINK"; then the links look like
this:

http://localhost:1234/abc Soul/
Comment 21 Simon Stelling (RETIRED) gentoo-dev 2005-10-28 15:21:12 UTC
from upstream changelog:

  2.9.7 [ 28th October 2005 ]
    - BUGFIX:  The previous release was broken.

Indeed, after bumping the ebuild it worked fine. eradicator, could you commit it
with stable right away? kthxbye
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-10-29 02:25:42 UTC
Back to ebuild, we should definitely use 2.9.7 :)
Comment 23 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-30 08:09:50 UTC
*** Bug 110702 has been marked as a duplicate of this bug. ***
Comment 24 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-11-01 04:58:02 UTC
*** Bug 111122 has been marked as a duplicate of this bug. ***
Comment 25 Brent Baude (RETIRED) gentoo-dev 2005-11-01 17:30:28 UTC
Just catching up here a bit.  So are we waiting for a -2.9.7 ebuild to hit
portage so archs can test and mark stable?
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-01 22:16:08 UTC
Brent, yes that seems correct.
Comment 27 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-11-02 10:32:13 UTC
*** Bug 111259 has been marked as a duplicate of this bug. ***
Comment 28 Justin Krejci 2005-11-02 16:26:53 UTC
(In reply to comment #25)
> Just catching up here a bit.  So are we waiting for a -2.9.7 ebuild to hit
> portage so archs can test and mark stable?

on amd64 bumping the version number of the ebuild filename to 2.9.7 in my
portage overlay directory and updating to that version works perfectly.
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2005-11-03 01:13:25 UTC
eradicator/sound herd: please bump to 2.9.7, we're getting late on that one.
Comment 30 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-11-03 03:12:52 UTC
I've bumped it, but I haven't tried to compile it either (I don't have the
material time to start looking at configuring and testing it).
Just wanted to make sure that this wouldn't remain unaddressed (and I'm tired
of dupes :P)
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2005-11-03 04:32:39 UTC
Thx Flameeyes,
Arches please test and mark 2.9.7 stable :
Target KEYWORDS="alpha amd64 ~ppc ~ppc-macos ppc64 sparc x86"

Comment 32 Brent Baude (RETIRED) gentoo-dev 2005-11-03 06:43:03 UTC
Marked ppc64 stable.
Comment 33 Simon Stelling (RETIRED) gentoo-dev 2005-11-03 12:30:03 UTC
amd64 stable
Comment 34 Mark Loeser (RETIRED) gentoo-dev 2005-11-03 21:59:23 UTC
x86 stable
Comment 35 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-04 06:46:18 UTC
sparc stable.
Comment 36 Fernando J. Pereda (RETIRED) gentoo-dev 2005-11-04 13:55:26 UTC
alpha stable
Comment 37 Thierry Carrez (RETIRED) gentoo-dev 2005-11-04 14:06:37 UTC
Apparently the amd64 keyword was not committed...
Comment 38 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-11-04 15:22:07 UTC
re-keyworded amd64
Comment 39 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-06 08:30:55 UTC
GLSA 200511-05