Your message dated Sun, 26 Jul 2015 05:18:56 +0000
with message-id <e1zjeku-0000ol...@franck.debian.org>
and subject line Bug#791467: fixed in plowshare4 1.0.5-2
has caused the Debian Bug report #791467,
regarding plowshare: javascript usage puts user at risk of remote code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
791467: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: plowshare4
Version: 1.0.5-1
Severity: grave
Tags: security
(Rationale for severity grave: introduces a security hole
allowing access to the accounts of users who use the package.)
plowshare4 is a command-line tool for downloading files from
cyberlocker-type sites. For some sites, this requires evaluating
snippets of javascript code; to this end, the plowshare4 package
depends on rhino, a JVM-based javascript implementation.
According to the rhino documentation, the rhino command-line tool is
capable of loading arbitrary java classes, accessing the filesystem
and executing shell commands
(see https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Shell ).
This has obvious security implications: if the individual plowshare4
download modules are not carefully implemented, a malicious download
site could emit javascript code which causes arbitrary commands to be
run on the user's system. Where the javascript is downloaded via http
rather than https, a malicious 3rd party (man-in-the-middle) could do
the same.
In order to prevent this, the javascript interpreter should be invoked
in such a way that the code is evaluated in a sandbox, i.e. loading
arbitrary java classes, accessing the filesystem and executing shell
commands are not possible. There does seem to be some support for this
in rhino, judging by the documentation
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Overview#Security
Moreover, the javascript code snippets should be filtered to check for
malicious code before being passed to the javascript interpreter;
ideally, any code that doesn't match a specific, known-good pattern
should be rejected.
Until these things have been implemented, I suggest disabling
javascript support in plowshare4 completely to prevent putting users
at risk.
--- End Message ---
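The interpreter-level sandbox the report asks for, as an added example that is not plowshare's or Rhino's own code: a small Java wrapper that plowshare could invoke in place of the `rhino` shell, reading one snippet on stdin and printing the result on stdout. It embeds Rhino directly instead of going through the shell's Global object, so the shell built-ins the report points at (runCommand, readFile, load, spawn) simply do not exist in the scope, and a ClassShutter that refuses every class name keeps java.*, javax.* and Packages.* from loading anything into the JVM; an instruction-count observer aborts snippets that run past a time budget. The class name, the two-second budget and the jar path are assumptions; the Rhino API used (ContextFactory, ClassShutter, setInstructionObserverThreshold, initStandardObjects, evaluateString) is the documented 1.7-series embedding API.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.ScriptableObject;

/**
 * Stand-in for the rhino shell: reads one snippet from stdin, evaluates it
 * with LiveConnect disabled and a CPU budget, prints the result.
 * Build (jar path is an assumption): javac -cp /usr/share/java/rhino.jar SandboxedJs.java
 */
public final class SandboxedJs {

    /** Wall-clock budget per snippet (assumed value); a snippet that stalls is treated as hostile. */
    private static final long TIMEOUT_MILLIS = 2000;

    /** Thrown from the instruction observer to abort a runaway snippet. */
    static final class BudgetExceeded extends Error {
        BudgetExceeded() { super("snippet exceeded its CPU budget"); }
    }

    /** Every Context made here denies all Java classes and counts instructions. */
    static final class SandboxFactory extends ContextFactory {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            cx.setOptimizationLevel(-1);           // interpreted mode: needed for instruction counting
            cx.setInstructionObserverThreshold(10000);
            cx.setClassShutter(new ClassShutter() {
                @Override
                public boolean visibleToScripts(String className) {
                    return false;                  // java.*, javax.*, Packages.* all become inert
                }
            });
            return cx;
        }

        @Override
        protected void observeInstructionCount(Context cx, int instructionCount) {
            long started = (Long) cx.getThreadLocal("started");
            if (System.currentTimeMillis() - started > TIMEOUT_MILLIS) {
                throw new BudgetExceeded();
            }
        }
    }

    private static final SandboxFactory FACTORY = new SandboxFactory();

    /**
     * Evaluate one snippet in a fresh scope holding only the ECMAScript built-ins.
     * runCommand/readFile/load/spawn live in the shell's Global class and
     * importClass/importPackage in ImporterTopLevel; neither is installed here, so
     * those names are plain ReferenceErrors. java.lang.Runtime resolves to an inert
     * package object because of the ClassShutter, so calling into it is a TypeError.
     */
    public static String evaluate(String source) {
        Context cx = FACTORY.enterContext();
        try {
            cx.putThreadLocal("started", System.currentTimeMillis());
            ScriptableObject scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, source, "snippet", 1, null);
            return Context.toString(result);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) throws IOException {
        String source = new String(readAll(System.in), StandardCharsets.UTF_8);
        try {
            System.out.println(evaluate(source));
        } catch (RhinoException | BudgetExceeded e) {
            // Any failure is fatal for this download attempt; never fall back to the shell.
            System.err.println("javascript rejected: " + e.getMessage());
            System.exit(1);
        }
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) != -1; ) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }
}
```

From the bash side the snippet is piped in, for instance `printf '%s' "$js" | java -cp /usr/share/java/rhino.jar:. SandboxedJs`, and a non-zero exit aborts the download rather than falling back to the unsandboxed shell. Two caveats: instruction counting bounds CPU time but not memory, so the JVM should also run with a small -Xmx; and this complements rather than replaces the report's second recommendation, matching each module's snippet against a known-good pattern before evaluating it at all.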
--- Begin Message ---
Source: plowshare4
Source-Version: 1.0.5-2
We believe that the bug you reported is fixed in the latest version of
plowshare4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 791...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carl Suster <c...@contraflo.ws> (supplier of updated plowshare4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Jul 2015 18:45:22 +1000
Source: plowshare4
Binary: plowshare4
Architecture: source all
Version: 1.0.5-2
Distribution: unstable
Urgency: high
Maintainer: Carl Suster <c...@contraflo.ws>
Changed-By: Carl Suster <c...@contraflo.ws>
Description:
plowshare4 - Download and upload files from file sharing websites
Closes: 791467
Changes:
plowshare4 (1.0.5-2) unstable; urgency=high
.
* Disable javascript support (Closes: #791467)
Checksums-Sha1:
80660ebf81240bd423d7fbdb21fffc2fadb1adbc 1839 plowshare4_1.0.5-2.dsc
a272ca90cc66b2bcbb59d6caa5f56db90633ef4d 4476 plowshare4_1.0.5-2.debian.tar.xz
d46fc1aa4269fbf7abb085c209d9729962259fa7 181374 plowshare4_1.0.5-2_all.deb
Checksums-Sha256:
558fc8f1fcc27419b23560123c6bea3ce30c740bb3a253e0a8ebf07c6f10b2bc 1839 plowshare4_1.0.5-2.dsc
49756c92ea983ad17fc842f89d161756200d6db420d43a45380ece6301196192 4476 plowshare4_1.0.5-2.debian.tar.xz
02a67ee491cb3ae5befcda8440b3de56200edd1d19d0f0bf2d1cba169ebcfdf5 181374 plowshare4_1.0.5-2_all.deb
Files:
14cf192a954c29f8365173743b27a5d1 1839 web optional plowshare4_1.0.5-2.dsc
14bc1f74424b3604ce712031dabec5db 4476 web optional plowshare4_1.0.5-2.debian.tar.xz
a36451656aa16df04c47e859a6121703 181374 web optional plowshare4_1.0.5-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=9cV3
-----END PGP SIGNATURE-----
--- End Message ---