Bug 511624 (CVE-2014-3924) - <app-admin/webmin-1.690: Multiple Cross-Site Scripting Vulnerabilities (CVE-2014-{3885,3886,3924})
Summary: <app-admin/webmin-1.690: Multiple Cross-Site Scripting Vulnerabilities (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2014-3924
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/58919/
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-27 15:29 UTC by Agostino Sarubbo
Modified: 2014-12-28 22:55 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
The new ebuild for webmin 1.690 (diff) (webmin-1.690.ebuild.diff, 4.70 KB, patch), 2014-06-01 09:05 UTC, PhobosK
The new systemd service file for webmin (webmin.service.diff, 665 bytes, patch), 2014-06-01 09:06 UTC, PhobosK
The new fixed init.d script for webmin (init.d.webmin.diff, 1.07 KB, patch), 2014-06-01 09:08 UTC, PhobosK
The new setup script for webmin (gentoo-setup.diff, 1.63 KB, patch), 2014-06-01 09:09 UTC, PhobosK
The new systemd service file for webmin (diff) (webmin.service.diff, 618 bytes, patch), 2014-06-01 15:21 UTC, PhobosK
The new ebuild for webmin 1.690 (diff) (webmin-1.690.ebuild.diff, 4.10 KB, patch), 2014-06-01 15:22 UTC, PhobosK

Description Agostino Sarubbo gentoo-dev 2014-05-27 15:29:36 UTC
From ${URL} :

Description

Some vulnerabilities have been reported in Webmin, which can be exploited by malicious people to conduct cross-site scripting.

1) Certain input passed to the search functionality is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in versions prior to 1.690.


Solution:
Update to version 1.690.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://freecode.com/projects/webmin/releases/363920


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 PhobosK 2014-06-01 09:03:21 UTC
The new upstream version of webmin 1.690 fixes this.

Since webmin doesn't include systemd support till now, instead of version bumping, I am proposing a new ebuild that adds systemd support. The changes in the ebuild are:

1. Moved to EAPI 4
2. Added systemd IUSE flag that controls the service file needed for systemd (file included in upload) - Requested in http://forums.gentoo.org/viewtopic-p-7479434.html
3. Altered the way the service stop/start/reload/restart commands are handled when using systemd
4. Fixed an eprefix issue with /etc/webmin/config in the init.d script

I am uploading the diffs for the files.
The webmin-1.680.ebuild should be removed.

Thanks
Comment 2 PhobosK 2014-06-01 09:05:23 UTC
Created attachment 377976 [details, diff]
The new ebuild for webmin 1.690 (diff)
Comment 3 PhobosK 2014-06-01 09:06:45 UTC
Created attachment 377982 [details, diff]
The new systemd service file for webmin
Comment 4 PhobosK 2014-06-01 09:08:23 UTC
Created attachment 377984 [details, diff]
The new fixed init.d script for webmin
Comment 5 PhobosK 2014-06-01 09:09:52 UTC
Created attachment 377986 [details, diff]
The new setup script for webmin

Fixes start/stop/reload/restart webmin's own command on a systemd
Comment 6 PhobosK 2014-06-01 09:12:51 UTC
@Markos,
can you please review and commit the changes.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2014-06-01 09:13:56 UTC
(In reply to PhobosK from comment #1)
> The new upstream version of webmin 1.690 fixes this.
> 
> Since webmin doesn't include systemd support till now, instead of version
> bumping, I am proposing a new ebuild that adds systemd support. The changes
> in the ebuild are:
I am not sure I understand that.

Your ebuild is indeed a version bump and adds a custom systemd file. So I am a bit confused. If 1.690 includes a systemd file from upstream maybe we can use that?
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2014-06-01 09:16:38 UTC
(In reply to PhobosK from comment #5)
> Created attachment 377986 [details, diff]
> The new setup script for webmin
> 
> Fixes start/stop/reload/restart webmin's own command on a systemd

to be honest, I am not sure if this is the best way to write cross-init scripts, so let me CC systemd@ for a comment here
Comment 9 PhobosK 2014-06-01 09:19:01 UTC
(In reply to Markos Chandras from comment #7)
> Your ebuild is indeed a version bump and adds a custom systemd file. So I am
> a bit confused. If 1.690 includes a systemd file from upstream maybe we can
> use that?

No, upstream doesn't include any systemd service file. There is no unified one, so I'm adding this one for Gentoo (and I will contact upstream).
And the ebuild fixes some other things too including the setup and reconfigure processes.

So isn't that a new ebuild with fixes, or is it named a bump?
Comment 10 PhobosK 2014-06-01 09:21:19 UTC
Generally speaking the user may have +systemd flag globally, but still he can use openrc instead of systemd...

Anyway you are totally right let the systemd@ see it :)
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2014-06-01 09:36:35 UTC
(In reply to PhobosK from comment #9)
> (In reply to Markos Chandras from comment #7)
> > Your ebuild is indeed a version bump and adds a custom systemd file. So I am
> > a bit confused. If 1.690 includes a systemd file from upstream maybe we can
> > use that?
> 
> No upstream doesn't include any systemd service file. There is no unified
> one, so I'm adding this one for Gentoo (and I will contact upstream).
> And the ebuild fixes some other things too including the setup and
> reconfigure processes.
> 
> So isn't that a new ebuild with fixes or its named a bump?

Well the version has changed (680->690) so it's a version bump :)
Comment 12 Pacho Ramos gentoo-dev 2014-06-01 12:03:55 UTC
- Why not bump to eapi5 directly?
- Install the unit file unconditionally (without systemd USE flag)
- Looks like webmin uses fork by default... what are the problems with running it in non-forking mode? (even not being the default)
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2014-06-01 13:11:29 UTC
(In reply to Pacho Ramos from comment #12)
> - Why not bump to eapi5 directly?
> - Install the unit file unconditionally (without systemd USE flag)
> - Looks like webmin uses fork by default... what are the problems with
> running it in non-forking mode? (even not being the default)

Thanks for the comments Pacho. Any suggestions regarding the latest attachment in creating a cross-init script? Is there an official way to detect what init system is running on the host, or do we simply assume that if systemd is present the user runs systemd?
Comment 14 Pacho Ramos gentoo-dev 2014-06-01 14:13:13 UTC
The init script is checking for /run/systemd/system; that is ok to detect it running.
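The detection comment 14 describes, as an added example rather than the init.d script or gentoo-setup attachment from this bug: a POSIX sh function that reports systemd as the running init only when /run/systemd/system exists (the directory systemd creates at boot, which a merely installed systemd package does not), and a dispatcher that maps start/stop/restart/reload to the matching systemctl or rc-service invocation. The ROOT prefix and the `webmin` service name are assumptions made so the logic can be exercised against a constructed directory tree; the dispatcher prints the command instead of executing it.

```shell
#!/bin/sh
# Added example (not the Gentoo init.d script from the attachments).
# Detects whether systemd is the running init by testing for the
# /run/systemd/system directory, then maps a service action to the
# command the host's init system expects. ROOT is a hypothetical prefix
# so the check can be run against a constructed tree instead of /.

# Return 0 when systemd is the active init under $ROOT (default: /).
# The directory is created by systemd itself at boot; having the systemd
# package installed (or USE=systemd set) does not create it, which is why
# this check answers "is it running" and not "is it installed".
systemd_running() {
    [ -d "${ROOT:-}/run/systemd/system" ]
}

# Print the command that the given action maps to under the detected init.
# $1 = start|stop|restart|reload, $2 = service name (default: webmin).
# Nothing is executed: the caller or a test inspects the printed string.
init_command() {
    action=$1
    svc=${2:-webmin}
    case "$action" in
        start|stop|restart|reload) ;;
        *)
            echo "usage: init_command {start|stop|restart|reload} [service]" >&2
            return 2
            ;;
    esac
    if systemd_running; then
        echo "systemctl $action $svc.service"
    else
        echo "rc-service $svc $action"
    fi
}

# Stand-alone usage: show what "restart" would run on this host.
if [ -n "${INIT_DEMO:-}" ]; then
    init_command restart
fi
```

Running the file with `INIT_DEMO=1 sh detect-init.sh` on a systemd-booted host prints `systemctl restart webmin.service`; on an OpenRC host it prints `rc-service webmin restart`. Keeping the action mapping in one function is what lets an init.d script or setup script stay correct when the same package is installed on both init systems.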
Comment 15 PhobosK 2014-06-01 15:19:44 UTC
(In reply to Pacho Ramos from comment #12)
> - Why not bump to eapi5 directly?

Right... Fixed..

> - Install the unit file unconditionally (without systemd USE flag)

Done...

> - Looks like webmin uses fork by default... what are the problems with
> running it in non-forking mode? (even not being the default)

Right. It's best for the service's type to be set to simple, because if webmin's nofork is enabled, the service will block till timeout.

Uploading changes...
Comment 16 PhobosK 2014-06-01 15:21:50 UTC
Created attachment 378010 [details, diff]
The new systemd service file for webmin (diff)

Service type set to default (simple), because when Webmin is configured with nofork option, the service will block till timeout
Comment 17 PhobosK 2014-06-01 15:22:48 UTC
Created attachment 378012 [details, diff]
The new ebuild for webmin 1.690 (diff)

Moved to EAPI 5 and removed IUSE systemd flag
Comment 18 Pacho Ramos gentoo-dev 2014-06-01 15:39:01 UTC
PIDFile is not needed if it's Type=simple. Apart from that, it looks ok to me.
Comment 19 PhobosK 2014-06-01 16:20:04 UTC
(In reply to Pacho Ramos from comment #18)
> PIDFile is not needed if it's Type=simple. Apart of that, it looks ok to me

I know PIDFile is recommended only in Type=forking, but because Webmin has some strange handling of the processes/children/etc (especially in nofork mode), I prefer it to stay if possible....

Is that ok with you @Pacho?
Comment 20 Pacho Ramos gentoo-dev 2014-06-01 17:01:17 UTC
I think nothing will use PIDFile, I remember we had a similar issue some weeks ago with other package and we concluded it wasn't needed at all. But maybe other team members can clarify :/
Comment 21 PhobosK 2014-06-04 17:12:06 UTC
@Pacho,
I have a problem here, that is a bit strange and I guess it is because of the forking mode webmin runs by default.

When the unit is set to Type=simple, during boot up webmin starts but at the end, ends up dead with exit status 0. But if started/restarted manually after the system is up and running, everything is ok and webmin doesn't end up dead.

So a solution would be to add the RemainAfterExit=yes for Type=simple, or to turn back to Type=forking and change the config of webmin to always use the default forking mode (always forcing the nofork=0 option in webmin's config)


So my questions are:
1. Which solution should we choose? (RemainAfterExit=yes seems to me best since it supports both forking and non-forking webmin mode, but I am not quite aware of the implications this option leads to.)

2. Is it normal in this situation (without the RemainAfterExit=yes for Type=simple) for the webmin service to behave like this during boot up (ending up dead), or is it some kind of bug in systemd... or maybe a different set of After= and Wants=/Requires= is needed (though Type=idle doesn't help)?

BTW in the Webmin debug, there is no error shown after it has ended during the boot up of the machine.

And something else: I've tried Type=idle (which is supposed to run the service at the end of all others?), but it doesn't help with the problem.


Thanks
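The Type=simple versus Type=forking question in comments 15 through 21 comes down to whether miniserv.pl's parent process stays alive. As an added illustration, not the webmin.service attachment from this bug, the two unit variants below show the setting that matches each webmin configuration. The install paths (/usr/libexec/webmin/miniserv.pl, /etc/webmin/miniserv.conf) and the pid file location are assumptions; check them against the ebuild before use.

```ini
# Added example, not the webmin.service attachment from this bug.
# Paths are assumptions for illustration only.

# --- Variant A: webmin left at its default nofork=0 ---
# miniserv.pl daemonises: the process systemd started exits with status 0
# and a child carries on. With Type=simple systemd would treat that exit as
# the service finishing, which is the "ends up dead with exit status 0"
# symptom from comment 21. Type=forking tells systemd to wait for the parent
# to exit and PIDFile tells it which surviving process is the main one, so
# status, stop and Restart= all track the real daemon.
[Unit]
Description=Webmin administration server
After=network.target

[Service]
Type=forking
PIDFile=/var/run/webmin.pid
ExecStart=/usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf

[Install]
WantedBy=multi-user.target

# --- Variant B: miniserv.conf forced to nofork=1 ---
# The process systemd started is the server itself and never exits on its
# own, so Type=simple is correct and PIDFile is unnecessary (comment 18).
# Using this variant with nofork=0 would reproduce the comment 21 symptom.
[Unit]
Description=Webmin administration server
After=network.target

[Service]
Type=simple
ExecStart=/usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf

[Install]
WantedBy=multi-user.target
```

RemainAfterExit=yes on variant B with nofork=0 would make the unit show as active, but only because systemd stops tracking a main process once the parent exits: a crash of the forked child is then invisible to `systemctl status` and to Restart=, so it papers over the mismatch rather than resolving it. Picking the Type= that matches the daemon's actual forking behaviour is the fix.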
Comment 22 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-05 09:15:33 UTC
While I do appreciate your efforts on fixing the ebuild, could I ask you to do so on a separate bug or in private? The large number of security@ subscribers are most likely not interested in the gory details.
It would be great if you could report back here when a finished updated ebuild is ready. Thanks!
Comment 23 Markos Chandras (RETIRED) gentoo-dev 2014-06-07 11:29:41 UTC
+*webmin-1.690 (07 Jun 2014)
+
+  07 Jun 2014; Markos Chandras <hwoarang@gentoo.org> +files/webmin.service,
+  +webmin-1.690.ebuild, -webmin-1.680.ebuild, files/gentoo-setup,
+  files/init.d.webmin:
+  Version bump. Fixes bug #511624 thanks to PhobosK <phobosk@fastmail.fm> and
+  Pacho Ramos <pacho@gentoo.org>
+
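Review bot: the entry records files/gentoo-setup and files/init.d.webmin as modified but says nothing about what changed in them; since comment 1 describes those as carrying the systemd/OpenRC dispatch for start/stop/reload/restart and the eprefix fix for /etc/webmin/config, a short clause naming those two changes, plus the CVE identifiers from the bug title (CVE-2014-3885, CVE-2014-3886, CVE-2014-3924), would let the ChangeLog stand on its own without this bug.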
Comment 24 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-07 16:44:46 UTC
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 22:54:42 UTC
CVE-2014-3886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3886):
  Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when
  referrer checking is disabled, allows remote attackers to inject arbitrary
  web script or HTML via unspecified vectors.  NOTE: this might overlap
  CVE-2014-3924.

CVE-2014-3885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3885):
  Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows
  remote authenticated users to inject arbitrary web script or HTML via
  unspecified vectors.  NOTE: this might overlap CVE-2014-3924.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 22:55:55 UTC
CVE-2014-3924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3924):
  Multiple cross-site scripting (XSS) vulnerabilities in Webmin before 1.690
  and Usermin before 1.600 allow remote attackers to inject arbitrary web
  script or HTML via vectors related to popup windows.