Hi Salvatore,

Thanks for your hints.

On 10.10.20 at 23:02 Salvatore Bonaccorso wrote:
> Hi Bastian,
>
> [Please do send such requests always to team@s.d.o, dev-ref gives as
> well some further hints at
> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs]
>
> On Thu, Oct 08, 2020 at 04:25:55PM +0200, Bastian Germann wrote:
>> On Tue, 01 Sep 2020 10:51:48 +0200 Salvatore Bonaccorso
>> <car...@debian.org> wrote:
>>> The following vulnerability was published for python-flask-cors.
>>>
>>> CVE-2020-25032[0]:
>>> | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask)
>>> | before 3.0.9. It allows ../ directory traversal to access private
>>> | resources because resource matching does not ensure that pathnames are
>>> | in a canonical format.
>>>
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>
>>> For further information see:
>>>
>>> [0] https://security-tracker.debian.org/tracker/CVE-2020-25032
>>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25032
>>> [1] https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895
>>
>> I have prepared a buster-security release at
>>
>> https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-2
>
> As for the update, please do send always as a debdiff from a built
> (and tested) package (this request is similar to what stable release
> managers would expect for point release updates, it helps us as well
> to archive discussion and debdiffs to review).

The debdiff is enclosed. Also available at:
https://salsa.debian.org/python-team/packages/python-flask-cors/-/tags/debian%2F3.0.7-1+deb10u1

> But I can give already a first feedback: debian/changelog uses 3.0.7-2
> as version. Even though 3.0.7-2 might never have been seen in the
> archive, please do use 3.0.7-1+deb10u1 instead following the usual
> convention. While at it use urgency=high (for consistency in security
> updates).
>
> For the bug closer I think you will need to use "Closes: #969362)".

I applied all suggestions.

> Furthermore: what kind of testing did the update receive, were you
> able to test the update in production environments, are there any
> problems spotted? I'm asking in particular as the modified tests seem
> to pass ok as well without the patch (but I only quickly gave it a
> test from the git repository, might be something else strange here).

I ran the built package on buster but did not try to confirm that the
security issue is closed as claimed by upstream. No problems spotted.

>> The new upstream release is waiting in the master branch to be published
>> in sid.
>
> Ok, although not required, if you have that already ok to be uploaded
> I would say to go ahead with the unstable upload and have the fixes
> exposed there already.

I cannot upload because I am not a DD. It would be nice if someone could
sponsor the new version. It also closes a FTBFS, which got me interested
in the package in the first place.

Regards,
Bastian
diff -Nru python-flask-cors-3.0.7/debian/changelog python-flask-cors-3.0.7/debian/changelog --- python-flask-cors-3.0.7/debian/changelog 2018-12-05 21:51:05.000000000 +0100 +++ python-flask-cors-3.0.7/debian/changelog 2020-10-08 21:40:11.000000000 +0200 @@ -1,3 +1,10 @@ +python-flask-cors (3.0.7-1+deb10u1) buster-security; urgency=high + + * Team upload. + * Fix CVE-2020-25032 (Closes: #969362) with upstream patch + + -- Bastian Germann <bastiangerm...@fishpost.de> Thu, 08 Oct 2020 21:40:11 +0200 + python-flask-cors (3.0.7-1) unstable; urgency=medium * Initial release (Closes: #915789) diff -Nru python-flask-cors-3.0.7/debian/patches/cve-2020-25032 python-flask-cors-3.0.7/debian/patches/cve-2020-25032 --- python-flask-cors-3.0.7/debian/patches/cve-2020-25032 1970-01-01 01:00:00.000000000 +0100 +++ python-flask-cors-3.0.7/debian/patches/cve-2020-25032 2020-10-08 21:40:11.000000000 +0200 
@@ -0,0 +1,34 @@ +Origin: https://github.com/corydolphin/flask-cors/commit/67c4b2cc98ae87cf1fa7df4f97fd81b40c79b895 +From: Cory Dolphin <corydolp...@users.noreply.github.com> +Date: Sun, 30 Aug 2020 15:32:54 -0600 +Subject: Fix request path normalization (#272) + +* Normalize path before evaluating resource rules +--- +diff --git a/flask_cors/extension.py b/flask_cors/extension.py +index 6a585aa..466869e 100644 +--- a/flask_cors/extension.py ++++ b/flask_cors/extension.py +@@ -10,6 +10,10 @@ + """ + from flask import request + from .core import * ++try: ++ from urllib.parse import unquote_plus ++except ImportError: ++ from urllib import unquote_plus + + LOG = logging.getLogger(__name__) + +@@ -173,9 +177,9 @@ def cors_after_request(resp): + if resp.headers is not None and resp.headers.get(ACL_ORIGIN): + LOG.debug('CORS have been already evaluated, skipping') + return resp +- ++ normalized_path = unquote_plus(request.path) + for res_regex, res_options in resources: +- if try_match(request.path, res_regex): ++ if try_match(normalized_path, res_regex): + LOG.debug("Request to '%s' matches CORS resource '%s'. Using options: %s", + request.path, get_regexp_pattern(res_regex), res_options) + set_cors_headers(resp, res_options) diff -Nru python-flask-cors-3.0.7/debian/patches/series python-flask-cors-3.0.7/debian/patches/series --- python-flask-cors-3.0.7/debian/patches/series 2018-12-05 21:51:05.000000000 +0100 +++ python-flask-cors-3.0.7/debian/patches/series 2020-10-08 21:40:11.000000000 +0200 @@ -1,3 +1,4 @@ +cve-2020-25032 remove_badges_from_doc redirect_api_links_locally spelling_error_in_manpage
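Review bot: the DEP-3 header of debian/patches/cve-2020-25032 has Origin, From, Date and Subject but no Bug-Debian field; adding `Bug-Debian: https://bugs.debian.org/969362` (and, if desired, a `Bug:` line pointing at the upstream commit or CVE entry) lets the tracker and future uploaders tie the patch to the bug closed in the changelog without reading the changelog entry.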
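Review bot: in the second extension.py hunk the debug log line still reports `request.path` while the match is now made on `normalized_path`; logging the normalized value (or both) is what lets an operator see from the logs which string actually matched the rule, which matters when the two differ. Separately, `unquote_plus()` also turns `+` into a space (form-encoding semantics, not path semantics), so a resource rule written for a literal `+` in a path no longer matches after this patch; since the backport follows upstream verbatim this is worth knowing rather than changing here, but it is a candidate for the regression test Salvatore asked about.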
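Salvatore asks above whether the modified tests actually exercise the fix. The following added example (my own, not code from the package or from upstream) models the behaviour change in the extension.py hunk with a constructed resource rule, so a regression check can tell patched from unpatched matching; the rule `API_RULE` and the sample paths are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed resource rule, hypothetical: CORS headers are intended only for
# paths under /api/. Flask-CORS compiles resource patterns to regexes and
# matches them against the request path; this stands in for that rule.
API_RULE = re.compile(r"^/api/.*")


def cors_applies_raw(path: str) -> bool:
    """Rule checked against the path exactly as received (pre-patch behaviour)."""
    return API_RULE.match(path) is not None


def cors_applies_normalized(path: str) -> bool:
    """Rule checked after percent-decoding, as the patched cors_after_request does."""
    return API_RULE.match(unquote_plus(path)) is not None


def regression_check(path: str) -> dict:
    """Return both outcomes so a test can assert that patched != unpatched
    on an encoded path, instead of passing with or without the fix."""
    return {
        "raw": cors_applies_raw(path),
        "normalized": cors_applies_normalized(path),
        "decoded_path": unquote_plus(path),
    }


if __name__ == "__main__":
    # Constructed sample paths: plain, percent-encoded slash, and a literal '+'
    # (which unquote_plus turns into a space, a caveat of this normalization).
    for p in ("/api/v1/items", "/api%2Fv1/items", "/api/a+b"):
        print(p, regression_check(p))
```

A test built on `regression_check` only proves the patch is in effect when it asserts on an input where `raw` and `normalized` disagree; a plain path passes both ways, which is the symptom Salvatore observed.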