Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 718736 (CVE-2020-11728, CVE-2020-11729) - dev-php/awl: Multiple vulnerabilities (CVE-2020-{11728,11729})
Summary: dev-php/awl: Multiple vulnerabilities (CVE-2020-{11728,11729})
Status: RESOLVED FIXED
Alias: CVE-2020-11728, CVE-2020-11729
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://gitlab.com/davical-project/aw...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-21 12:09 UTC by Sam James
Modified: 2020-04-21 15:05 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-04-21 12:09:13 UTC
1) CVE-2020-11728

Description:
"An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session."

Bug: https://gitlab.com/davical-project/awl/-/issues/19
Patch: https://gitlab.com/davical-project/awl/-/commit/c2e808cc2420f8d870ac0a4aa9cc1f2c90562428

2) CVE-2020-11729

Description:
"An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, uses to provide long-term session continuity, are not generated securely, enabling a brute-force attack that may be successful."


Bug: https://gitlab.com/davical-project/awl/-/issues/18
Patch: https://gitlab.com/davical-project/awl/-/commit/535505c9acd0dda9cf664c38f5f8cb8dd61dc0cd

----
Fixed in 0.61: https://gitlab.com/davical-project/awl/-/commit/6bdacad0b4fc51583c040d3bbefdd052ed863611
Comment 1 Michael Orlitzky gentoo-dev 2020-04-21 13:33:53 UTC
It looks like an easy fix. These are the only changes in v0.61:

2020-04-13 Florian Schlichting <fsfs@debian.org>
	* release awl 0.61
	* Update AUTHORS and ChangeLog

2020-04-04 Florian Schlichting <fsfs@debian.org>
	* Disallow current time as a session key (fix: #19, CVE-2020-11728)
	* Drop LSIDLogin function (fix: #18, CVE-2020-11729)

2019-02-27 Jamie McClymont <jamiemcclymont@catalyst.net.nz>
	* Make olson_from_tzstring faster by caching timezone_identifiers_list

2019-12-06 Florian Schlichting <fsfs@debian.org>
	* myComponentTest.php: drop empty setUp function, which causes make test to fail with PHPUnit 8
	* use foreach() instead of deprecated each() (see davical-project/davical#190)

2019-01-30 Florian Schlichting <fsfs@debian.org>
	* release awl 0.60
	* Update AUTHORS and ChangeLog
Comment 2 Larry the Git Cow gentoo-dev 2020-04-21 13:39:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9eab139bd32fb43fb2d42f02a942a1e2baccfebd

commit 9eab139bd32fb43fb2d42f02a942a1e2baccfebd
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-04-21 13:37:04 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-04-21 13:38:45 +0000

    dev-php/awl: remove old vulnerable versions.
    
    Bug: https://bugs.gentoo.org/718736
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/awl/Manifest        |  2 --
 dev-php/awl/awl-0.59.ebuild | 33 ---------------------------------
 dev-php/awl/awl-0.60.ebuild | 33 ---------------------------------
 3 files changed, 68 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53db769dc5145930f52953843761c4b81225060c

commit 53db769dc5145930f52953843761c4b81225060c
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-04-21 13:36:00 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-04-21 13:38:44 +0000

    dev-php/awl: new v0.61 to address CVE-2020-{11728,11729}.
    
    Bug: https://bugs.gentoo.org/718736
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/awl/Manifest        |  1 +
 dev-php/awl/awl-0.61.ebuild | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
Comment 3 Michael Orlitzky gentoo-dev 2020-04-21 13:39:56 UTC
All done.
Comment 4 Sam James archtester gentoo-dev Security 2020-04-21 13:41:49 UTC
Thanks mjo, very quick. :)
Comment 5 Till Schäfer 2020-04-21 14:15:44 UTC
uh, davical needs to be updated to 1.1.9.3 at the same time, which is the only reason for awl to exist in the portage tree afaik .. 
why not wait a day for the proxy maintainer to comment on this?

see https://gitlab.com/davical-project/davical/-/commit/55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50e70c
Comment 6 Till Schäfer 2020-04-21 14:16:32 UTC
(In reply to Till Schäfer from comment #5)
> uh, davical needs to be updated to 1.1.9.3 at the same time, which is the
> only reason for awl to exist in the portage tree afaik .. 
> why not wait a day for the proxy maintainer to comment on this?
> 
> see
> https://gitlab.com/davical-project/davical/-/commit/
> 55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50
> e70c

will create a pull request on github
Comment 7 Sam James archtester gentoo-dev Security 2020-04-21 14:19:35 UTC
(In reply to Till Schäfer from comment #5)
> uh, davical needs to be updated to 1.1.9.3 at the same time, which is the
> only reason for awl to exist in the portage tree afaik .. 
> why not wait a day for the proxy maintainer to comment on this?
> 
> see
> https://gitlab.com/davical-project/davical/-/commit/
> 55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50
> e70c

I saw a vulnerability in AWL and reported it. I hadn't seen DAViCal is also in tree.

Obviously this has already been cleaned up so this needs a new bug. I assume DAViCal isn't vulnerable, just currently left in a broken state? 

If it depends on a specific version, it should be specified in the ebuild (is it? have not checked) so removals would trigger a CI problem.
Comment 8 Till Schäfer 2020-04-21 14:33:36 UTC
Typically, davical is compatible with newer awl version, thus there is a >= dependency. But this time LSID was removed.

create Bug 718750 to track this.
Comment 9 Michael Orlitzky gentoo-dev 2020-04-21 14:51:04 UTC
(In reply to Till Schäfer from comment #5) 
> why not wait a day for the proxy maintainer to comment on this?
> 
> see
> https://gitlab.com/davical-project/davical/-/commit/
> 55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50
> e70c

I apologize, I tested the update on our davical-1.1.8 and it didn't hurt anything. That commit above looks only cosmetic? In any case, I didn't mean to step on your toes, just stuck at home overly-bored.
Comment 10 Till Schäfer 2020-04-21 15:01:56 UTC
(In reply to Michael Orlitzky from comment #9)
> (In reply to Till Schäfer from comment #5) 
> > why not wait a day for the proxy maintainer to comment on this?
> > 
> > see
> > https://gitlab.com/davical-project/davical/-/commit/
> > 55d485045f43b52ccdbedbded2bfebb33b781d57#00fe7828d56d7a3ee4030d6cea057cf13f50
> > e70c
> 
> I apologize, I tested the update on our davical-1.1.8 and it didn't hurt
> anything. That commit above looks only cosmetic? In any case, I didn't mean
> to step on your toes, just stuck at home overly-bored.

I guess it is not utterly broken, just some corner cases. Just created the pull request (see the referenced bug). All fine, stay healthy! Thee is no need for another virus stepping through a awl vulnerability here, too :).

BTW: is there a reason you are sticking with an outdated, not in tree version of davical with other security flaws (e.g. CVE-2019-18345)? If so, please report a bug report (maybe it is fixable from my side).
Comment 11 Michael Orlitzky gentoo-dev 2020-04-21 15:04:47 UTC
(In reply to Till Schäfer from comment #10)
> 
> BTW: is there a reason you are sticking with an outdated, not in tree
> version of davical with other security flaws (e.g. CVE-2019-18345)? If so,
> please report a bug report (maybe it is fixable from my side).

Personal laziness, I'll upgrade today, I promise.