[Buildbot-devel] Cross-site scripting vulnerability

Steve 'Ashcrow' Milner smilner at redhat.com
Thu Aug 13 15:18:20 UTC 2009


On 12/08/09 15:32 -0400, Dustin J. Mitchell wrote:
>SUMMARY
>
>Nicolas Sylvain reported a cross-site scripting vulnerability in the
>waterfall web status view.  This vulnerability allows an attacker to
>craft a URL targeting a specific Buildbot instance, and run arbitrary
>browser-side code in the context of that Buildbot instance.  This
>constitutes a security risk both for the Buildbot instance and for any
>other services hosted on the same domain as that Buildbot instance,
>and is a particular threat when browsers' same-origin policy is used
>to protect sensitive information such as cookies.
>
>Note that Buildbot itself does not use cookies (even in the IAuth
>framework), so the risk for a standalone buildbot instance is somewhat
>limited.  Even so, all users are urged to upgrade or apply the patch
>given in the MITIGATION section, below.
>
>This vulnerability is limited to the waterfall view, and does not
>affect Buildbot slaves.
>
>AFFECTED VERSIONS
>
>  buildbot-0.7.6
>  buildbot-0.7.7
>  buildbot-0.7.8
>  buildbot-0.7.9
>  buildbot-0.7.10
>  buildbot-0.7.10p1
>  buildbot-0.7.11
>  buildbot-0.7.11p1
>
>UNAFFECTED VERSIONS
>
>  buildbot-0.7.5 and earlier
>  buildbot-0.7.11p2
>
>MITIGATION
>
>The fix for this vulnerability is a simple, one-line patch:
>  http://github.com/djmitche/buildbot/commit/ad13a16bbdec535c8edebdbba4f77ae39b19c84c
>
>Users of buildbot-0.7.11p1 are encouraged to upgrade to
>buildbot-0.7.11p2, which contains this patch.  For others, the simpler
>solution may be to apply the patch directly.  The patch applies
>cleanly to all vulnerable versions of Buildbot, and will also apply to
>an installed copy of Buildbot.
>
>NEW RELEASE
>
>Buildbot-0.7.11p2 is now released and available for download on pypi:
>
> http://pypi.python.org/pypi/buildbot/0.7.11p2
>
>This release is equivalent to release 0.7.11p1 with the sole addition
>of the patch described above.
>
>File checksums are as follows.  This buildbot release is signed by my
>GPG public key (7F0D15B1) (available from keyservers):
>
> buildbot-0.7.11p2.tar.gz
> md5: eda5b9649d4c079cf835d885965dbafd
>
> buildbot-0.7.11p2.zip
> md5: 317796bce69bc61eb225e6f088125981
>
>Dustin
>
>-- 
>Open Source Storage Engineer
>http://www.zmanda.com

Rebuilt Fedora packages with new release. They are in request for
testing.
https://admin.fedoraproject.org/updates/buildbot-0.7.11p2-1.fc11
https://admin.fedoraproject.org/updates/buildbot-0.7.11p2-1.fc10

If anyone using Fedora wants to help test the updated packages, have at it :-).
-- 
kthxbye!
Steve 'Ashcrow' Milner
Agent of Infosec
IRC: ashcrow
GnuPG ID: 28DFD4BE

"In the heat of conversation I may have said certain things I believe 
to be untrue. The alleged lie that you might have heard me saying 
allegedly moments ago ... that's a parasite that lives in my neck." 
     -- Tad Ghostal
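The advisory quoted above describes a reflected XSS in the waterfall view and a one-line fix. The following is an added example for readers, not Buildbot's code and not the linked patch: it shows, for a hypothetical waterfall-style page built from a query-string parameter (the parameter name `branch`, the base URL and the markup are assumptions), the unescaped rendering beside the escaped one, plus a link builder that applies URL encoding and HTML escaping separately because the value lands in two different contexts.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed request: a crafted query-string value of the kind the advisory
# describes. Neither the URL nor the "branch" parameter name is Buildbot's.
SAMPLE_URL = "http://buildbot.example/waterfall?branch=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(url, name, default=""):
    """Return the first value of a query parameter, already percent-decoded."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [default])[0]


def render_vulnerable(url):
    """'Before' shape: the decoded parameter is spliced straight into HTML,
    so any '<', '>' or quote in it becomes markup in the viewer's browser."""
    branch = query_param(url, "branch")
    return "<p>Showing builds for branch: <b>%s</b></p>" % branch


def render_fixed(url):
    """'After' shape: escape the untrusted value at the point it enters HTML.
    html.escape rewrites &, <, >, \" and ' as character references."""
    branch = query_param(url, "branch")
    return "<p>Showing builds for branch: <b>%s</b></p>" % html.escape(branch, quote=True)


def build_link(base, branch):
    """A self-link to the same branch. The value is URL-encoded for the query
    string, then the whole href and the visible text are HTML-escaped, because
    an attribute value and element text are separate output contexts."""
    href = "%s?branch=%s" % (base, quote(branch, safe=""))
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(branch))


def reflects_markup(page, value):
    """Check used in tests or log review: does the raw value survive unescaped?"""
    return value in page


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(render_fixed(SAMPLE_URL))
    print(build_link("waterfall", query_param(SAMPLE_URL, "branch")))
```

The same `reflects_markup` check, run against the real page template with a handful of constructed values, is a cheap regression test to keep alongside the one-line fix so the escaping is not lost in a later refactor.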