[Debian-iot-maintainers] Bug#1001848: glewlwyd: Possible privilege escalation
Nicolas Mora
babelouest at debian.org
Fri Dec 17 18:50:08 GMT 2021
Package: glewlwyd
Version: 2.5.2-2+deb11u1
Severity: important
Tags: patch
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-10-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages glewlwyd depends on:
ii dbconfig-pgsql 2.0.19
ii debconf [debconf-2.0] 1.5.77
pn glewlwyd-common <none>
ii init-system-helpers 1.60
ii libc6 2.31-13+deb11u2
ii libcbor0 0.5.0+dfsg-2
ii libconfig9 1.5-0.4
ii libcrypt1 1:4.4.18-4
ii libgnutls30 3.7.1-5
pn libhoel1.4 <none>
pn libiddawc0.9 <none>
ii libjansson4 2.13.1-1.1
ii libldap-2.4-2 2.4.57+dfsg-3
ii libnettle8 3.7.3-1
ii liboath0 2.6.6-3
pn liborcania2.1 <none>
pn librhonabwy0.9 <none>
pn libulfius2.7 <none>
pn libyder2.0 <none>
ii lsb-base 11.1.0
ii sqlite3 3.34.1-3
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2
glewlwyd recommends no packages.
Versions of packages glewlwyd suggests:
-------------- next part --------------
Description: Fix privilege escalation
Author: Nicolas Mora <babelouest at debian.org>
Forwarded: not-needed
--- a/src/webservice.c
+++ b/src/webservice.c
@@ -259,10 +259,6 @@
if (check_result_value(j_result, G_ERROR_UNAUTHORIZED)) {
y_log_message(Y_LOG_LEVEL_WARNING, "Security - Authorization invalid for username %s at IP Address %s", json_string_value(json_object_get(j_param, "username")), ip_source);
}
- if ((session_uid = get_session_id(config, request)) != NULL && user_session_update(config, session_uid, u_map_get_case(request->map_header, "user-agent"), issued_for, json_string_value(json_object_get(j_param, "username")), NULL, 1) != G_OK) {
- y_log_message(Y_LOG_LEVEL_ERROR, "callback_glewlwyd_user_auth - Error user_session_update (2)");
- }
- o_free(session_uid);
response->status = 401;
}
json_decref(j_result);
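Review bot: the removed `get_session_id` / `user_session_update` call sat in the branch that ends with `response->status = 401`, so it ran after the credential check had already failed and refreshed the session with whatever `username` the client supplied; dropping it here is the right fix, but two follow-ups are worth checking before upload. First, confirm that `session_uid` is still assigned and freed on the success path of `callback_glewlwyd_user_auth` (the hunk only shows the failure branch), otherwise the declaration becomes an unused-variable warning and the `o_free(session_uid)` that was removed may have been the only release of that buffer. Second, the warning on the line above only fires for `G_ERROR_UNAUTHORIZED`, while the removed update ran for every non-OK result, so a regression test that submits a wrong password for an existing user and then asserts the session table is unchanged would pin down the behaviour this patch restores.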