Your message dated Wed, 30 Sep 2015 21:17:06 +0000
with message-id <e1zhokm-0001ma...@franck.debian.org>
and subject line Bug#791467: fixed in plowshare4 1.0.5-1+deb8u1
has caused the Debian Bug report #791467,
regarding plowshare: javascript usage puts user at risk of remote code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
791467: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: plowshare4
Version: 1.0.5-1
Severity: grave
Tags: security
 
(Rationale for severity grave: introduces a security hole
allowing access to the accounts of users who use the package.)

plowshare4 is a command-line tool for downloading files from
cyberlocker-type sites. For some sites, this requires evaluating
snippets of javascript code; to this end the plowshare4 package
depends on rhino, a JVM-based javascript implementation.
 
According to the rhino documentation, the rhino command-line tool is
capable of loading arbitrary java classes, accessing the filesystem
and executing shell commands
(see https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Shell ).
 
This has obvious security implications: If the individual plowshare4
download modules are not carefully implemented, a malicious download
site could emit javascript code which causes arbitrary commands to be
run on the user's system. Where the javascript is downloaded via http
rather than https, a malicious 3rd party (man-in-the-middle) could do
the same.
 
In order to prevent this, the javascript interpreter should be invoked
in such a way that the code is evaluated in a sandbox, i.e. loading
arbitrary java classes, accessing the filesystem and executing shell
commands are not possible. There does seem to be some support for this
in rhino, judging by the documentation at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Overview#Security
 
Moreover, the javascript code snippets should be filtered to check for
malicious code before being passed to the javascript interpreter;
ideally, any code that doesn't match a specific, known-good pattern
should be rejected.
 
Until these things have been implemented, I suggest disabling
javascript support in plowshare4 completely to prevent putting users
at risk.

--- End Message ---
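The Rhino sandbox the report points at, as an added example that is not code from the bug report, plowshare4 or rhino: an embedding that installs a ClassShutter denying every Java class lookup (so `java.*` and `Packages.*` resolve to nothing a script can call) and aborts snippets that exceed an instruction budget. The budget of one million instructions, the observer threshold and the two constructed snippets are assumptions.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

/** Evaluates site-supplied JavaScript with Java class access and runaway loops blocked. */
public final class SandboxedEval {
    // Assumed budget: abort any snippet that runs more than one million interpreted instructions.
    private static final int INSTRUCTION_BUDGET = 1_000_000;

    private static final ContextFactory FACTORY = new ContextFactory() {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            // Deny every Java class lookup: java.lang.Runtime, java.io.File and Packages.* stay out of reach.
            cx.setClassShutter(fullClassName -> false);
            cx.setOptimizationLevel(-1);                 // interpreted mode, where the observer below fires
            cx.setInstructionObserverThreshold(10_000);  // assumed: observe every 10k instructions
            return cx;
        }

        @Override
        protected void observeInstructionCount(Context cx, int instructionCount) {
            if (instructionCount > INSTRUCTION_BUDGET) {
                throw new IllegalStateException("snippet exceeded instruction budget");
            }
        }
    };

    /** Runs one snippet in a fresh standard scope and returns its result as a string. */
    public static String eval(String snippet) {
        Context cx = FACTORY.enterContext();
        try {
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, snippet, "site-snippet", 1, null);
            return Context.toString(result);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of arithmetic a download module legitimately needs.
        System.out.println(eval("var a = 6, b = 7; a * b"));
        // Constructed sample: a snippet that tries to reach the JVM; the shutter leaves it nothing callable.
        try {
            eval("java.lang.System.getProperty('user.home')");
        } catch (RhinoException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The ClassShutter is the control that still holds if a pattern filter on the snippet is bypassed; the pattern filter the report asks for would sit in front of `eval` and reject anything outside the known-good shape before it reaches the interpreter.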
--- Begin Message ---
Source: plowshare4
Source-Version: 1.0.5-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
plowshare4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 791...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carl Suster <c...@contraflo.ws> (supplier of updated plowshare4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 26 Jul 2015 16:04:26 +1000
Source: plowshare4
Binary: plowshare4
Architecture: source all
Version: 1.0.5-1+deb8u1
Distribution: stable
Urgency: high
Maintainer: Carl Suster <c...@contraflo.ws>
Changed-By: Carl Suster <c...@contraflo.ws>
Description:
 plowshare4 - Download and upload files from file sharing websites
Closes: 791467
Changes:
 plowshare4 (1.0.5-1+deb8u1) stable; urgency=high
 .
   * Disable javascript support (Closes: #791467)


--- End Message ---