Bug 718736 (CVE-2020-11728, CVE-2020-11729)

Summary: dev-php/awl: Multiple vulnerabilities (CVE-2020-{11728,11729})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: mjo, php-bugs, proxy-maint, till2.schaefer
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://gitlab.com/davical-project/awl/-/commit/6bdacad0b4fc51583c040d3bbefdd052ed863611
See Also: https://bugs.gentoo.org/show_bug.cgi?id=718750
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 12:09:13 UTC
1) CVE-2020-11728

Description:
"An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session."

Bug: https://gitlab.com/davical-project/awl/-/issues/19
Patch: https://gitlab.com/davical-project/awl/-/commit/c2e808cc2420f8d870ac0a4aa9cc1f2c90562428

2) CVE-2020-11729

Description:
"An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, used to provide long-term session continuity, are not generated securely, enabling a brute-force attack that may be successful."

Bug: https://gitlab.com/davical-project/awl/-/issues/18
Patch: https://gitlab.com/davical-project/awl/-/commit/535505c9acd0dda9cf664c38f5f8cb8dd61dc0cd

----
Fixed in 0.61: https://gitlab.com/davical-project/awl/-/commit/6bdacad0b4fc51583c040d3bbefdd052ed863611
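The following is an added example in Python, not AWL's own PHP code and not part of this bug report, illustrating both issues Sam describes. The weak generator is a hypothetical stand-in: the page says only that the session key could be derived from the microsecond time plus the incrementing session_id, not the exact formula. It shows how an attacker who knows the session_id and the issue time to within a small window recovers the key by enumeration, and contrasts it with a key drawn from the OS CSPRNG. The long-term token functions (selector/verifier split, hashed storage, constant-time comparison) are likewise the generic hardened pattern, not what AWL's removed LSIDLogin did. All sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Hypothetical weak scheme: key = MD5("<session_id>:<time in microseconds>").
# Its entire entropy is the timestamp, which the attacker can estimate.
def weak_session_key(session_id: int, time_us: int) -> str:
    return hashlib.md5(f"{session_id}:{time_us}".encode()).hexdigest()

def guess_weak_key(target_key: str, session_id: int,
                   approx_time_us: int, window_us: int):
    """Enumerate timestamps within +/- window_us of the attacker's estimate.
    Returns the recovered timestamp, or None if the key lies outside the window."""
    for delta in range(-window_us, window_us + 1):
        t = approx_time_us + delta
        if weak_session_key(session_id, t) == target_key:
            return t
    return None

def weak_search_space(window_us: int) -> int:
    # Candidates an attacker must try for a known session_id: one per microsecond.
    return 2 * window_us + 1

# Hardened scheme: 32 random bytes from the OS CSPRNG, independent of time and ids.
def strong_session_key() -> str:
    return secrets.token_hex(32)

# Long-term ("remember me") cookie: random selector + random verifier.
# Only the verifier's hash is stored, so a database leak yields no usable cookie.
def issue_long_term_token():
    selector = secrets.token_urlsafe(12)
    verifier = secrets.token_urlsafe(32)
    record = {"verifier_hash": hashlib.sha256(verifier.encode()).hexdigest()}
    cookie = f"{selector}:{verifier}"
    return cookie, selector, record

def validate_long_term_token(cookie: str, store: dict) -> bool:
    """Look up by selector, then compare the verifier hash in constant time."""
    try:
        selector, verifier = cookie.split(":", 1)
    except ValueError:
        return False
    record = store.get(selector)
    if record is None:
        return False
    candidate = hashlib.sha256(verifier.encode()).hexdigest()
    return hmac.compare_digest(candidate, record["verifier_hash"])

if __name__ == "__main__":
    # Constructed scenario: server issued session_id 1234 at this microsecond time.
    issued_us = 1587470953123456
    target = weak_session_key(1234, issued_us)
    # Attacker's clock estimate is 300 us off; a 1 ms window recovers the key.
    print("recovered:", guess_weak_key(target, 1234, issued_us + 300, 1000) == issued_us)
    print("candidates for a 1 s window:", weak_search_space(500_000))
    print("strong key:", strong_session_key())
```

A one-second uncertainty about the issue time costs the attacker about a million MD5 calls per session_id, which is trivial; a 256-bit random key gives nothing to enumerate. Dropping LSIDLogin, as AWL 0.61 did, removes the long-term cookie entirely; the selector/verifier pattern above is what a replacement would need if such a cookie were reintroduced.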
Comment 1 Michael Orlitzky gentoo-dev 2020-04-21 13:33:53 UTC
It looks like an easy fix. These are the only changes in v0.61:

2020-04-13 Florian Schlichting <fsfs@debian.org>
	* release awl 0.61
	* Update AUTHORS and ChangeLog

2020-04-04 Florian Schlichting <fsfs@debian.org>
	* Disallow current time as a session key (fix: #19, CVE-2020-11728)
	* Drop LSIDLogin function (fix: #18, CVE-2020-11729)

2019-02-27 Jamie McClymont <jamiemcclymont@catalyst.net.nz>
	* Make olson_from_tzstring faster by caching timezone_identifiers_list

2019-12-06 Florian Schlichting <fsfs@debian.org>
	* myComponentTest.php: drop empty setUp function, which causes make test to fail with PHPUnit 8
	* use foreach() instead of deprecated each() (see davical-project/davical#190)

2019-01-30 Florian Schlichting <fsfs@debian.org>
	* release awl 0.60
	* Update AUTHORS and ChangeLog
Comment 2 Larry the Git Cow gentoo-dev 2020-04-21 13:39:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9eab139bd32fb43fb2d42f02a942a1e2baccfebd

commit 9eab139bd32fb43fb2d42f02a942a1e2baccfebd
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-04-21 13:37:04 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-04-21 13:38:45 +0000

    dev-php/awl: remove old vulnerable versions.
    
    Bug: https://bugs.gentoo.org/718736
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/awl/Manifest        |  2 --
 dev-php/awl/awl-0.59.ebuild | 33 ---------------------------------
 dev-php/awl/awl-0.60.ebuild | 33 ---------------------------------
 3 files changed, 68 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53db769dc5145930f52953843761c4b81225060c

commit 53db769dc5145930f52953843761c4b81225060c
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-04-21 13:36:00 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-04-21 13:38:44 +0000

    dev-php/awl: new v0.61 to address CVE-2020-{11728,11729}.
    
    Bug: https://bugs.gentoo.org/718736
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/awl/Manifest        |  1 +
 dev-php/awl/awl-0.61.ebuild | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
Comment 3 Michael Orlitzky gentoo-dev 2020-04-21 13:39:56 UTC
All done.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 13:41:49 UTC
Thanks mjo, very quick. :)
Comment 5 Till Schäfer 2020-04-21 14:15:44 UTC
uh, davical needs to be updated to 1.1.9.3 at the same time, which is the only reason for awl to exist in the portage tree afaik .. 
why not wait a day for the proxy maintainer to comment on this?

see https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c
Comment 6 Till Schäfer 2020-04-21 14:16:32 UTC
(In reply to Till Schäfer from comment #5)
> uh, davical needs to be updated to 1.1.9.3 at the same time, which is the
> only reason for awl to exist in the portage tree afaik .. 
> why not wait a day for the proxy maintainer to comment on this?
> 
> see
> https://gitlab.com/davical-project/davical/-/commit/
> 55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50
> e70c

will create a pull request on github
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 14:19:35 UTC
(In reply to Till Schäfer from comment #5)
> uh, davical needs to be updated to 1.1.9.3 at the same time, which is the
> only reason for awl to exist in the portage tree afaik .. 
> why not wait a day for the proxy maintainer to comment on this?
> 
> see
> https://gitlab.com/davical-project/davical/-/commit/
> 55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50
> e70c

I saw a vulnerability in AWL and reported it. I hadn't seen DAViCal is also in tree.

Obviously this has already been cleaned up so this needs a new bug. I assume DAViCal isn't vulnerable, just currently left in a broken state? 

If it depends on a specific version, it should be specified in the ebuild (is it? have not checked) so removals would trigger a CI problem.
Comment 8 Till Schäfer 2020-04-21 14:33:36 UTC
Typically, davical is compatible with newer awl versions, thus there is a >= dependency. But this time LSID was removed.

Created Bug 718750 to track this.
Comment 9 Michael Orlitzky gentoo-dev 2020-04-21 14:51:04 UTC
(In reply to Till Schäfer from comment #5) 
> why not wait a day for the proxy maintainer to comment on this?
> 
> see
> https://gitlab.com/davical-project/davical/-/commit/
> 55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50
> e70c

I apologize, I tested the update on our davical-1.1.8 and it didn't hurt anything. That commit above looks only cosmetic? In any case, I didn't mean to step on your toes, just stuck at home overly-bored.
Comment 10 Till Schäfer 2020-04-21 15:01:56 UTC
(In reply to Michael Orlitzky from comment #9)
> (In reply to Till Schäfer from comment #5) 
> > why not wait a day for the proxy maintainer to comment on this?
> > 
> > see
> > https://gitlab.com/davical-project/davical/-/commit/
> > 55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50
> > e70c
> 
> I apologize, I tested the update on our davical-1.1.8 and it didn't hurt
> anything. That commit above looks only cosmetic? In any case, I didn't mean
> to step on your toes, just stuck at home overly-bored.

I guess it is not utterly broken, just some corner cases. Just created the pull request (see the referenced bug). All fine, stay healthy! There is no need for another virus stepping through an awl vulnerability here, too :).

BTW: is there a reason you are sticking with an outdated, not in tree version of davical with other security flaws (e.g. CVE-2019-18345)? If so, please file a bug report (maybe it is fixable from my side).
Comment 11 Michael Orlitzky gentoo-dev 2020-04-21 15:04:47 UTC
(In reply to Till Schäfer from comment #10)
> 
> BTW: is there a reason you are sticking with an outdated, not in tree
> version of davical with other security flaws (e.g. CVE-2019-18345)? If so,
> please report a bug report (maybe it is fixable from my side).

Personal laziness, I'll upgrade today, I promise.