Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 597740

Summary: <www-servers/tornado-4.4.2-r1: cookie parser vulnerability, bypass XSRF protection
Product: Gentoo Security Reporter: Brian Dolbec (RETIRED) <dolsen>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alunduil, dolsen, python
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.tornadoweb.org/en/stable/releases/v4.4.2.html
Whiteboard: B4 [noglsa]
Package list:
=dev-python/backports-ssl-match-hostname-3.5.0.1-r1 =www-servers/tornado-4.4.2-r1
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 530622    

Description Brian Dolbec (RETIRED) gentoo-dev 2016-10-22 00:13:49 UTC 
As I'm unfamiliar with these types of security issues, I can't tell the extent of the affected versions.  I've removed the 4.4.1 ebuild, but don't know if the vulnerability extends to the other older releases.

Here is the info from the 4.4.2 release notes:

What’s new in Tornado 4.4.2
Oct 1, 2016
Security fixes
A difference in cookie parsing between Tornado and web browsers (especially when combined with Google Analytics) could allow an attacker to set arbitrary cookies and bypass XSRF protection. The cookie parser has been rewritten to fix this attack.
Backwards-compatibility notes
Cookies containing certain special characters (in particular semicolon and square brackets) are now parsed differently.
If the cookie header contains a combination of valid and invalid cookies, the valid ones will be returned (older versions of Tornado would reject the entire header for a single invalid cookie).

Reproducible: Always
Comment 1 Brian Dolbec (RETIRED) gentoo-dev 2016-10-22 00:32:16 UTC 
More detailed info is available in commit:
https://github.com/tornadoweb/tornado/commit/cb247cb8db7903fda0ca26531c1526e895e10800

which links to: https://hackerone.com/reports/26647  with details of the original vulnerability.
Comment 2 Brian Dolbec (RETIRED) gentoo-dev 2016-10-23 17:16:31 UTC 
I've asked for clarification of the affected versions.

upstream bug: https://github.com/tornadoweb/tornado/issues/1865
Comment 3 Brian Dolbec (RETIRED) gentoo-dev 2016-11-04 18:51:42 UTC 
I've now heard back from upstream.  All previous versions are considered vulnerable. This vulnerability is not specific to the 4.4 or even the 4.x series.

So, I've opened a fast stabilization bug for the new version.
Comment 4 Brian Dolbec (RETIRED) gentoo-dev 2016-11-04 19:09:05 UTC 
I updated the 2 pkgs versions needed for stabilization, removed the vulnerable versions, and made a PR against the tree to shake out any tree breakage.

https://github.com/gentoo/gentoo/pull/2742

All tests passed, so no tree breakage reported.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-05 10:30:57 UTC 
*** Bug 598956 has been marked as a duplicate of this bug. ***
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-05 10:31:18 UTC 
*** Bug 598948 has been marked as a duplicate of this bug. ***
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-05 10:33:15 UTC 
(In reply to Brian Dolbec from comment #3)
> So, I've opened a fast stabilization bug for the new version.

Why? Really. We don't need more bug reports.
Comment 8 Brian Dolbec (RETIRED) gentoo-dev 2016-11-06 15:33:42 UTC 
(In reply to Jeroen Roovers from comment #7)
> (In reply to Brian Dolbec from comment #3)
> > So, I've opened a fast stabilization bug for the new version.
> 
> Why? Really. We don't need more bug reports.

So, we don't need to stabilize anything, just close the stabilize bugs and ignore the security vulnerability?  With nothing to indicate that this version needs to be stabilized?


...

I Give up
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-11-07 09:42:52 UTC 
(In reply to Brian Dolbec from comment #8)
> (In reply to Jeroen Roovers from comment #7)
> > (In reply to Brian Dolbec from comment #3)
> > > So, I've opened a fast stabilization bug for the new version.
> > 
> > Why? Really. We don't need more bug reports.
> 
> So, we don't need to stabilize anything, just close the stabilize bugs and
> ignore the security vulnerability?  With nothing to indicate that this
> version needs to be stabilized?
> 
> 
> ...
> 
> I Give up

Brian, the established process when dealing with security vulnerabilities is that all work is done within the security bug.  The report is made detailing the vulnerability as you did here, the package is dealt with accordingly, the maintainer determines whether to stabilize or hold for testing, then arches are CC'ed accordingly for stabilization.  This includes whiteboard updates along the way, which is not your responsibility but helps in the long run if you are willing.  Please see [1] for the complete overview of the security process.  

[1]: https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide

This guideline is of course for GLSA coordinators/security project members, but it will help you understand our process so we may better assist fellow developers and maintainers.  Additionally, the arch teams generally prioritize security related bugs in their workflows.  So ensuring it is assigned to security and the maintainers are CC'ed ensures that workflow is effective.

I hope this helps.  -Aaron
Comment 10 Agostino Sarubbo gentoo-dev 2016-11-07 15:38:00 UTC 
amd64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-12 11:11:16 UTC 
Stable for HPPA PPC64.
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-14 14:54:07 UTC 
Stable on alpha.
Comment 13 Agostino Sarubbo gentoo-dev 2016-11-20 13:46:54 UTC 
x86 stable
Comment 14 Markus Meier gentoo-dev 2016-12-01 20:52:19 UTC 
arm stable
Comment 15 Stabilization helper bot gentoo-dev 2017-01-04 14:06:49 UTC 
An automated check of this bug failed - repoman reported dependency errors (39 lines truncated): 

> dependency.bad www-servers/tornado/tornado-4.4.2-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['dev-python/backports-ssl-match-hostname[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-)]']
> dependency.bad www-servers/tornado/tornado-4.4.2-r1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['dev-python/backports-ssl-match-hostname[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-)]']
> dependency.bad www-servers/tornado/tornado-4.4.2-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['dev-python/backports-ssl-match-hostname[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-)]']
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-15 16:01:07 UTC 
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-01-17 14:37:20 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 Brian Dolbec (RETIRED) gentoo-dev 2017-01-17 16:27:21 UTC 
Done, vulnerable versions removed.
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2017-01-17 19:40:25 UTC 
GLSA Vote: No