Bug 202940 - sysutils/ganglia-webfrontend: update to 3.7.1 (fix Ganglia-web auth bypass CVE-2015-6816)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Jason Unovitch
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2015-09-07 02:36 UTC by Jason Unovitch
Modified: 2015-10-02 22:19 UTC (History)
CC: 1 user

See Also:
bugzilla: maintainer-feedback? (jrm)


Attachments
svn diff to upgrade to 3.7.1 (54.75 KB, patch)
2015-10-02 18:27 UTC, Joseph Mingrone
poudriere testport output (29.37 KB, text/x-log)
2015-10-02 18:29 UTC, Joseph Mingrone

Description Jason Unovitch freebsd_committer 2015-09-07 02:36:16 UTC
Maintainer of sysutils/ganglia-webfrontend,

A security issue has been reported against this port.

References:
http://seclists.org/oss-sec/2015/q3/494

"It's easy to bypass auth by using boolean serialization like this:
$ php -r "echo urlencode(serialize(array('user'=>'admin',
'group'=>'admin', 'token'=>true)));"
// Found by d90.andrew
// Exploit: curl -H 'Cookie:
a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D'"

http://seclists.org/oss-sec/2015/q3/502

"Use CVE-2015-6816."

https://github.com/ganglia/ganglia-web/issues/267
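The bypass quoted above works because the forged cookie carries `'token' => true` and PHP's loose `==` treats a boolean `true` as equal to any non-empty string, so the comparison against the server-side token succeeds without knowing it. The following is an added illustration written for this bug report; it is not ganglia-web's code. It assumes the pre-3.7.1 check had the shape of a loose comparison between the cookie's `token` field and an HMAC over user and group (`SECRET`, `expected_token`, `check_loose` and `check_strict` are names made up here), and it deserializes the exact cookie value from the report (URL-decoded) to show the vulnerable check beside a hardened one.

```php
<?php
// Added example modelling the auth-bypass pattern behind CVE-2015-6816.
// Not ganglia-web's own code; the check shape and names are assumptions.

// Constructed server-side secret used to derive the expected token.
const SECRET = 'constructed-example-secret';

// Expected token for a user/group pair (assumed to be an HMAC; any
// non-empty string would behave the same way under a loose comparison).
function expected_token(string $user, string $group): string {
    return hash_hmac('sha256', $user . '|' . $group, SECRET);
}

// Vulnerable shape: loose '==' comparison. If the cookie's token is the
// boolean true, PHP converts the expected string to bool, and
// true == "<non-empty hex>" evaluates to true, so any user/group is accepted.
function check_loose(array $auth): bool {
    return $auth['token'] == expected_token($auth['user'], $auth['group']);
}

// Hardened shape: require every field to be a string, then compare with
// hash_equals(), which is both type-strict and constant-time.
function check_strict(array $auth): bool {
    if (!isset($auth['user'], $auth['group'], $auth['token'])) {
        return false;
    }
    if (!is_string($auth['user']) || !is_string($auth['group']) || !is_string($auth['token'])) {
        return false;
    }
    return hash_equals(expected_token($auth['user'], $auth['group']), $auth['token']);
}

// Decode a cookie the way a PHP application unserializing it would.
// allowed_classes=false stops unserialize() from instantiating objects;
// not unserializing attacker-controlled cookie data at all is better still.
function parse_cookie(string $raw): array {
    $data = unserialize(urldecode($raw), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// The forged cookie from the report: 'token' is serialized as b:1 (true).
$forged = parse_cookie('a%3A3%3A%7Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22group%22%3Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22token%22%3Bb%3A1%3B%7D');

// A constructed legitimate cookie carrying the real token string.
$legit = ['user' => 'admin', 'group' => 'admin', 'token' => expected_token('admin', 'admin')];

var_dump(check_loose($forged));
var_dump(check_strict($forged));
var_dump(check_strict($legit));
```

Run with `php example.php`: the loose check accepts the forged cookie, the strict check rejects it, and the strict check still accepts the legitimate cookie. The fix that matters is the type check plus `hash_equals()`; the `allowed_classes` option only limits what a malicious serialized payload can do and does not by itself close the boolean bypass.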
Comment 1 Jason Unovitch freebsd_committer 2015-09-07 02:37:03 UTC
Take for follow on after initial report to maintainer. Note that there isn't an upstream fix for this just yet.
Comment 2 Joseph Mingrone freebsd_committer 2015-09-07 12:24:37 UTC
I'll try pinging some of the authors to see if there is an ETA for a fix.
Comment 3 Jason Unovitch freebsd_committer 2015-10-01 02:44:34 UTC
It looks like the issue in the Github issue tracker has been quiet.  Have you heard any updates?
Comment 4 Joseph Mingrone freebsd_committer 2015-10-01 02:55:03 UTC
My queries went unanswered.  I'll post a comment on the issue tracker.  

Assuming we don't hear back, how should we proceed?  I'm not much of a webdev, but I can try making a patch using the description in the issue comments.  Maybe the consequences of breaking Ganglia's login aren't so severe, but I'm concerned about leaving this as is much longer.
Comment 5 Jason Unovitch freebsd_committer 2015-10-01 03:00:48 UTC
(In reply to Joseph Mingrone from comment #4)
Basically it's an "it depends".  It's always going to be best to have a consensus on a fix with upstream.  If needed we can backport/test a fix.  Alternately we can explore what other downstream users are doing and work out a solution that way (i.e. start with poking around Red Hat or Debian bug trackers).
Comment 6 Joseph Mingrone freebsd_committer 2015-10-02 18:27:20 UTC
Created attachment 161653 [details]
svn diff to upgrade to 3.7.1
Comment 7 Joseph Mingrone freebsd_committer 2015-10-02 18:29:32 UTC
Created attachment 161654 [details]
poudriere testport output
Comment 8 commit-hook freebsd_committer 2015-10-02 21:55:49 UTC
A commit references this bug:

Author: junovitch
Date: Fri Oct  2 21:54:56 UTC 2015
New revision: 398450
URL: https://svnweb.freebsd.org/changeset/ports/398450

Log:
  sysutils/ganglia-webfrontend: security update 3.7.0 -> 3.7.1

  PR:		202940
  Submitted by:	Joseph Mingrone <jrm@ftfl.ca> (maintainer)
  Security:	d68df01b-564e-11e5-9ad8-14dae9d210b8
  Security:	CVE-2015-6816
  MFH:		2015Q4

Changes:
  head/sysutils/ganglia-webfrontend/Makefile
  head/sysutils/ganglia-webfrontend/distinfo
  head/sysutils/ganglia-webfrontend/pkg-plist
Comment 9 commit-hook freebsd_committer 2015-10-02 22:16:52 UTC
A commit references this bug:

Author: junovitch
Date: Fri Oct  2 22:16:45 UTC 2015
New revision: 398451
URL: https://svnweb.freebsd.org/changeset/ports/398451

Log:
  MFH: r398450

  sysutils/ganglia-webfrontend: security update 3.7.0 -> 3.7.1

  PR:		202940
  Submitted by:	Joseph Mingrone <jrm@ftfl.ca> (maintainer)
  Approved by:	portmgr (erwin)
  Security:	d68df01b-564e-11e5-9ad8-14dae9d210b8
  Security:	CVE-2015-6816

Changes:
_U  branches/2015Q4/
  branches/2015Q4/sysutils/ganglia-webfrontend/Makefile
  branches/2015Q4/sysutils/ganglia-webfrontend/distinfo
  branches/2015Q4/sysutils/ganglia-webfrontend/pkg-plist
Comment 10 Jason Unovitch freebsd_committer 2015-10-02 22:19:37 UTC
(In reply to Joseph Mingrone from comment #6)
Joseph,
Thanks for working this!  Patch committed as is and MFH'd to quarterly.  VuXML was already committed when this was first announced so all work on this PR is done and I am closing it now.