[Buildbot-devel] [SECURITY ALERT] Cross-site scripting vulnerability
Dustin J. Mitchell
dustin at zmanda.com
Wed Aug 12 19:32:06 UTC 2009
SUMMARY
Nicolas Sylvain reported a cross-site scripting vulnerability in the
waterfall web status view. This vulnerability allows an attacker to
craft a URL targeting a specific Buildbot instance, and run arbitrary
browser-side code in the context of that Buildbot instance. This
constitutes a security risk both for the Buildbot instance and for any
other services hosted on the same domain as that Buildbot instance,
and is a particular threat when browsers' same-origin policy is used
to protect sensitive information such as cookies.
Note that Buildbot itself does not use cookies (even in the IAuth
framework), so the risk for a standalone buildbot instance is somewhat
limited. Even so, all users are urged to upgrade or apply the patch
given in the MITIGATION section, below.
This vulnerability is limited to the waterfall view, and does not
affect Buildbot slaves.
AFFECTED VERSIONS
buildbot-0.7.6
buildbot-0.7.7
buildbot-0.7.8
buildbot-0.7.9
buildbot-0.7.10
buildbot-0.7.10p1
buildbot-0.7.11
buildbot-0.7.11p1
UNAFFECTED VERSIONS
buildbot-0.7.5 and earlier
buildbot-0.7.11p2
MITIGATION
The fix for this vulnerability is a simple, one-line patch:
http://github.com/djmitche/buildbot/commit/ad13a16bbdec535c8edebdbba4f77ae39b19c84c
Users of buildbot-0.7.11p1 are encouraged to upgrade to
buildbot-0.7.11p2, which contains this patch. For others, the simpler
solution may be to apply the patch directly. The patch applies
cleanly to all vulnerable versions of Buildbot, and will also apply to
an installed copy of Buildbot.
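The reflected-parameter pattern behind this class of bug, in miniature, as an added example (not Buildbot's waterfall code and not the linked patch): the parameter names, the page layout and the crafted request are assumptions, and the audit helper shows how to check that a reflected value no longer reaches the page unescaped.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a waterfall-style status page that reflects
# request parameters (branch/builder filters) back into its HTML.
# Example code added to this advisory; it is not Buildbot's waterfall
# implementation and not the one-line patch referenced above.

REFLECTED = ("branch", "builder")  # assumed parameter names


def _params(url):
    """Extract the reflected query parameters from a request URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: qs.get(name, [""])[0] for name in REFLECTED}


def render_vulnerable(url):
    """Vulnerable pattern: values are interpolated raw, so a crafted URL
    puts attacker-chosen markup into the page the victim's browser loads."""
    p = _params(url)
    return ("<h1>Waterfall</h1>"
            "<p>branch: %(branch)s</p><p>builder: %(builder)s</p>" % p)


def render_fixed(url):
    """Hardened pattern: every reflected value is HTML-escaped (quotes
    included) before it is placed in the document."""
    p = {k: html.escape(v, quote=True) for k, v in _params(url).items()}
    return ("<h1>Waterfall</h1>"
            "<p>branch: %(branch)s</p><p>builder: %(builder)s</p>" % p)


def reflected_raw(url, page):
    """Audit helper: names of parameters whose value contains markup
    characters and still appears verbatim in the rendered page."""
    hits = []
    for name, value in _params(url).items():
        if any(c in value for c in "<>\"'&") and value in page:
            hits.append(name)
    return hits


# Constructed request with a markup marker in one filter parameter.
CRAFTED = "http://buildbot.example/waterfall?branch=<script>alert(1)</script>&builder=linux"

if __name__ == "__main__":
    print(reflected_raw(CRAFTED, render_vulnerable(CRAFTED)))  # ['branch']
    print(reflected_raw(CRAFTED, render_fixed(CRAFTED)))       # []
```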
NEW RELEASE
Buildbot-0.7.11p2 is now released and available for download on pypi:
http://pypi.python.org/pypi/buildbot/0.7.11p2
This release is equivalent to release 0.7.11p1 with the sole addition
of the patch described above.
File checksums are as follows. This buildbot release is signed by my
GPG public key (7F0D15B1) (available from keyservers):
buildbot-0.7.11p2.tar.gz
md5: eda5b9649d4c079cf835d885965dbafd
buildbot-0.7.11p2.zip
md5: 317796bce69bc61eb225e6f088125981
Dustin
--
Open Source Storage Engineer
http://www.zmanda.com