On 06/29/2016 11:24 AM, Moritz Muehlenhoff wrote:
> Hi Thomas,
> https://bugs.launchpad.net/bugs/1567673 has been assigned CVE-2016-4428 and I
> think we should fix it in jessie-security. Can you please prepare an update?
> unstable also needs the patch.
>
> Cheers,
> Moritz
Hi Moritz,

I have uploaded fixes for both Sid and Experimental, and the fix for Stable is
committed to Git in here:
http://anonscm.debian.org/cgit/openstack/horizon.git/commit/?h=debian/icehouse&id=d74e751ce93f03240f3ad4206e93d6e7e05da55f

Since you may prefer a diff to read from your mail client, I have attached it
to this message. I also uploaded the built package here:
http://sid.gplhost.com/jessie-proposed-updates/horizon/

Please allow me to upload it.

Cheers,
Thomas Goirand (zigo)
From d74e751ce93f03240f3ad4206e93d6e7e05da55f Mon Sep 17 00:00:00 2001 From: Thomas Goirand <z...@debian.org> Date: Wed, 29 Jun 2016 15:28:37 +0200 Subject: * CVE-2016-4428: Possible client side template injection in horizon. Applied upstream patch: "Escape angularjs templating in unsafe HTML" after rebasing it for Icehouse (Closes: #828967). --- debian/changelog | 8 +++ ...Escape_angularjs_templating_in_unsafe_HTML.patc | 74 ++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 83 insertions(+) create mode 100644 debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patc diff --git a/debian/changelog b/debian/changelog index 9c30c37..276e48e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +horizon (2014.1.3-7+deb8u2) jessie-security; urgency=medium + + * CVE-2016-4428: Possible client side template injection in horizon. Applied + upstream patch: "Escape angularjs templating in unsafe HTML" after rebasing + it for Icehouse (Closes: #828967). + + -- Thomas Goirand <z...@debian.org> Wed, 29 Jun 2016 15:24:16 +0200 + horizon (2014.1.3-7+deb8u1) jessie-security; urgency=high * Fix CVE-2015-3219 with upstream patch (Closes: 788306). diff --git a/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patc b/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patc new file mode 100644 index 0000000..f626e46 --- /dev/null +++ b/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patc 
@@ -0,0 +1,74 @@ +Description: CVE-2016-4428: Escape angularjs templating in unsafe HTML + This code extends the unsafe (typically user-supplied) HTML escape + built into Django to also escape angularjs templating markers. Safe + HTML will be unaffected. +Bug-Ubuntu: https://launchpad.net/bugs/1567673 +Bug-Debian: https://bugs.debian.org/828967 +Origin: upstream, https://review.openstack.org/#/c/329997/ +Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7 +Author: Richard Jones <r1chardj0...@gmail.com> +Date: Tue, 3 May 2016 05:51:49 +0000 (+1000) +X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=d585e5eb9acf92d10d39b6c2038917a7e8ac71bb +Last-Update: 2016-06-29 + +--- /dev/null ++++ horizon-2014.1.3/horizon/utils/escape.py +@@ -0,0 +1,31 @@ ++# Copyright 2016, Rackspace, US, Inc. ++# ++# Licensed under the Apache License, Version 2.0 (the "License"); ++# you may not use this file except in compliance with the License. ++# You may obtain a copy of the License at ++# ++# http://www.apache.org/licenses/LICENSE-2.0 ++# ++# Unless required by applicable law or agreed to in writing, software ++# distributed under the License is distributed on an "AS IS" BASIS, ++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++# See the License for the specific language governing permissions and ++# limitations under the License. ++ ++import django.utils.html ++ ++ ++def escape(text, existing=django.utils.html.escape): ++ # Replace our angular markup string with a different string ++ # (which just happens to be the Django comment string) ++ # this prevents user-supplied data from being intepreted in ++ # our pages by angularjs, thus preventing it from being used ++ # for XSS attacks. 
Note that we use {$ $} instead of the ++ # standard {{ }} - this is configured in horizon.framework ++ # angularjs module through $interpolateProvider ++ return existing(text).replace('{$', '{%').replace('$}', '%}') ++ ++ ++# this will be invoked as early as possible in settings.py ++def monkeypatch_escape(): ++ django.utils.html.escape = escape +--- horizon-2014.1.3.orig/openstack_dashboard/settings.py ++++ horizon-2014.1.3/openstack_dashboard/settings.py +@@ -27,6 +27,10 @@ from django.utils.translation import uge + + from openstack_dashboard import exceptions + ++from horizon.utils.escape import monkeypatch_escape ++ ++monkeypatch_escape() ++ + warnings.formatwarning = lambda message, category, *args, **kwargs: \ + '%s: %s' % (category.__name__, message) + +--- horizon-2014.1.3.orig/openstack_dashboard/test/settings.py ++++ horizon-2014.1.3/openstack_dashboard/test/settings.py +@@ -17,6 +17,11 @@ from horizon.utils import secret_key + + from openstack_dashboard import exceptions + ++from horizon.utils.escape import monkeypatch_escape ++ ++# this is used to protect from client XSS attacks, but it's worth ++# enabling in our test setup to find any issues it might cause ++monkeypatch_escape() + + TEST_DIR = os.path.dirname(os.path.abspath(__file__)) + ROOT_PATH = os.path.abspath(os.path.join(TEST_DIR, "..")) diff --git a/debian/patches/series b/debian/patches/series index 7e7a328..3c10d66 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ Update_WSGI_app_creation_to_be_compatible_with_Django_1.7.patch CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch fix-moscow-tz-test.patch CVE-2015-3219_XSS_in_Horizon_Heat_stack_creation.patch +CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patc -- cgit v0.12
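Review bot: the new debian/changelog entry for 2014.1.3-7+deb8u2 uses `urgency=medium` for a CVE fix going to jessie-security, while the deb8u1 entry directly below it, also a CVE fix to jessie-security, used `urgency=high`; the two security uploads should use the same urgency, and `high` is what the previous one chose. The `(Closes: #828967)` form with the `#` is the right one and matches the Subject line.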
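Review bot: `return existing(text).replace('{$', '{%').replace('$}', '%}')` in the new horizon/utils/escape.py drops the safe marker: `str.replace` on the `SafeText` that Django's `escape` returns gives a plain `str`, so any caller that runs the result through `conditional_escape` again (handing `escape(value)` to an autoescaped template, for instance) will escape it twice. Confirm on an Icehouse page that does this and, if it double-escapes, return `mark_safe(existing(text).replace('{$', '{%').replace('$}', '%}'))` instead; the `existing=django.utils.html.escape` default argument is fine as it is, since it binds the original function at definition time and therefore cannot recurse once `monkeypatch_escape()` has rebound the module attribute. Two smaller points in the same hunk: the comment calls `{% %}` "the Django comment string", but that is the block-tag delimiter (`{# #}` is the comment); it makes no difference at render time because the substitution is applied to rendered output rather than template source, but the comment should be corrected. And the comment refers to the `horizon.framework` angularjs module configuring `{$ $}` through `$interpolateProvider`; since this is a rebase onto 2014.1.3, verify that the Icehouse JavaScript actually sets those interpolation symbols, otherwise the substitution protects nothing in this release. The patch Description could also state that user-supplied text containing `{$` or `$}` is displayed with `{%`/`%}`, which is the intended trade-off behind "Safe HTML will be unaffected".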
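Review bot: the `monkeypatch_escape()` call in openstack_dashboard/settings.py only rebinds the `django.utils.html.escape` module attribute; any module imported above it that did `from django.utils.html import escape` keeps a reference to the original function and stays unprotected. The hunk places the call after `from openstack_dashboard import exceptions`, although the inline comment in escape.py says it is to be invoked "as early as possible"; move the `from horizon.utils.escape import monkeypatch_escape` line and the call to the top of settings.py, ahead of the other project imports, or record in the patch header that the earlier imports were checked for a direct `escape` import.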
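Review bot: openstack_dashboard/test/settings.py enables the monkeypatch for the test run, but nothing in this Debian patch exercises `horizon.utils.escape.escape` itself, so a later rebase could drop the substitution without any test noticing. A short unit test asserting that `escape('{$ x $}')` returns `{% x %}` and that the wrapped Django escaping of `<`, `>`, `&` and quotes is preserved would pin the behaviour at package build time, where the test suite already runs.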
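Review bot: the new debian/patches/series entry ends in `.patc` rather than `.patch`, matching the truncated filename created under debian/patches/ (`create mode 100644 debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patc`). quilt will still apply it because the two agree, but every other entry in series ends in `.patch`, and anything that globs for `*.patch` or a person scanning the directory will miss it. Rename both the file and the series entry to `CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch` before upload.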