[med-svn] [Git][med-team/orthanc][debian/buster] CVE-2023-33466

Anton Gladky (@gladk) gitlab at salsa.debian.org
Tue Sep 12 05:16:16 BST 2023



Anton Gladky pushed to branch debian/buster at Debian Med / orthanc


Commits:
35b2c390 by Anton Gladky at 2023-09-12T06:16:01+02:00
CVE-2023-33466

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2023-33466.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,18 @@
+orthanc (1.5.6+dfsg-1+deb10u1) buster-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2023-33466.patch: Implementation of File System Write Protection
+    This patch introduces a critical security enhancement by backporting
+    the RestApiWriteToFileSystemEnabled option to Orthanc in Debian Buster.
+    With this update, Orthanc is now safeguarded against potential arbitrary
+    file system writes by authenticated users, as indicated by CVE-2023-33466.
+    .
+    The previous behavior, which posed a security risk, can still be reinstated
+    by configuring the RestApiWriteToFileSystemEnabled variable to "true"
+    within the /etc/orthanc/orthanc.json file. (Closes: #1040597)
+
+ -- Anton Gladky <gladk at debian.org>  Tue, 12 Sep 2023 06:11:09 +0200
+
 orthanc (1.5.6+dfsg-1) unstable; urgency=medium
 
   * New upstream version
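Review bot: the changelog points administrators at /etc/orthanc/orthanc.json to restore the legacy behaviour, but the patch only adds the new key to the shipped sample Resources/Configuration.json, so existing installations with their own orthanc.json get no local documentation of the option; consider a debian/NEWS entry stating that /instances/{id}/export now answers 403 unless `RestApiWriteToFileSystemEnabled` is set to true. The wording "safeguarded against potential arbitrary file system writes by authenticated users" would be more precise as "no longer lets authenticated REST API users write arbitrary files on the server's filesystem".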


=====================================
debian/patches/CVE-2023-33466.patch
=====================================
@@ -0,0 +1,113 @@
+Description: New configuration option 'RestApiWriteToFileSystemEnabled'
+ This is a backport from upstream patch with minimal changes to address
+ the CVE-2023-33466 efficiently while giving a knob to allow the legacy
+ behaviour.
+
+Author: Alain Mazy <am at osimis.io>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040597
+Applied-Upstream: https://hg.orthanc-server.com/orthanc/rev/f8f1c4a9a216#
+Reviewed-by: Anton Gladky <gladk at debian.org>
+Last-Update: 2023-09-12
+---
+
+Index: orthanc/OrthancServer/OrthancRestApi/OrthancRestResources.cpp
+===================================================================
+--- orthanc.orig/OrthancServer/OrthancRestApi/OrthancRestResources.cpp
++++ orthanc/OrthancServer/OrthancRestApi/OrthancRestResources.cpp
+@@ -294,6 +294,14 @@ namespace Orthanc
+ 
+     std::string publicId = call.GetUriComponent("id", "");
+ 
++    if (!context.IsRestApiWriteToFileSystemEnabled())
++    {
++      LOG(ERROR) << "The URI /instances/../export is disallowed for security, "
++                 << "check your configuration option `RestApiWriteToFileSystemEnabled`";
++      call.GetOutput().SignalError(HttpStatus_403_Forbidden);
++      return;
++    }
++
+     std::string dicom;
+     context.ReadDicom(dicom, publicId);
+ 
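Review bot: the guard in OrthancRestResources.cpp sits before `context.ReadDicom`, so a disallowed request is rejected with 403 before any storage access, which is the right fail-closed ordering; however this backport gates only the `/instances/{id}/export` handler, so please confirm against the changeset in Applied-Upstream that no other REST route in 1.5.6 writes to a caller-supplied path. Minor: the log text says `/instances/../export`; writing it as `/instances/{id}/export` avoids confusion with a literal `..` path segment when operators grep logs.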
+Index: orthanc/OrthancServer/ServerContext.cpp
+===================================================================
+--- orthanc.orig/OrthancServer/ServerContext.cpp
++++ orthanc/OrthancServer/ServerContext.cpp
+@@ -239,7 +239,8 @@ namespace Orthanc
+     done_(false),
+     haveJobsChanged_(false),
+     isJobsEngineUnserialized_(false),
+-    metricsRegistry_(new MetricsRegistry)
++    metricsRegistry_(new MetricsRegistry),
++    isRestApiWriteToFileSystemEnabled_(false)
+   {
+     {
+       OrthancConfiguration::ReaderLock lock;
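Review bot: `isRestApiWriteToFileSystemEnabled_(false)` is listed after `metricsRegistry_` in the initializer list, but in ServerContext.h the new member is declared before `metricsRegistry_` (right after `saveJobs_`); members are constructed in declaration order regardless, so behaviour is unaffected, but GCC will emit a -Wreorder warning. Move the new initializer ahead of `metricsRegistry_(new MetricsRegistry)` to match the header. The default of false is the correct fail-closed choice: the export route stays denied even if the configuration block in main.cpp were never reached.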
+Index: orthanc/OrthancServer/ServerContext.h
+===================================================================
+--- orthanc.orig/OrthancServer/ServerContext.h
++++ orthanc/OrthancServer/ServerContext.h
+@@ -218,6 +218,7 @@ namespace Orthanc
+     std::string defaultLocalAet_;
+     OrthancHttpHandler  httpHandler_;
+     bool saveJobs_;
++    bool isRestApiWriteToFileSystemEnabled_;
+ 
+     std::auto_ptr<MetricsRegistry>  metricsRegistry_;
+ 
+@@ -263,6 +264,16 @@ namespace Orthanc
+       return compressionEnabled_;
+     }
+ 
++    void SetRestApiWriteToFileSystemEnabled(bool enabled)
++    {
++      isRestApiWriteToFileSystemEnabled_ = enabled;
++    }
++
++    bool IsRestApiWriteToFileSystemEnabled() const
++    {
++      return isRestApiWriteToFileSystemEnabled_;
++    }
++
+     void RemoveFile(const std::string& fileUuid,
+                     FileContentType type);
+ 
+Index: orthanc/OrthancServer/main.cpp
+===================================================================
+--- orthanc.orig/OrthancServer/main.cpp
++++ orthanc/OrthancServer/main.cpp
+@@ -824,6 +824,18 @@ static bool StartHttpServer(ServerContex
+ 
+       lock.GetConfiguration().SetupRegisteredUsers(httpServer);
+ 
++      if (lock.GetConfiguration().GetBooleanParameter("RestApiWriteToFileSystemEnabled", false))
++      {
++        context.SetRestApiWriteToFileSystemEnabled(true);
++        LOG(WARNING) << "====> Your Rest API can write to the FileSystem.  Review your configuration option \"RestApiWriteToFileSystemEnabled\". "
++                     << "Your setup is POSSIBLY INSECURE <====";
++      }
++      else
++      {
++        context.SetRestApiWriteToFileSystemEnabled(false);
++        LOG(WARNING) << "Rest API can not write to the file system.";
++      }
++
+       if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false))
+       {
+         std::string certificate = lock.GetConfiguration().InterpretStringParameterAsPath(
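Review bot: `GetBooleanParameter("RestApiWriteToFileSystemEnabled", false)` defaults to false, matching the constructor default, so an unmodified orthanc.json yields the secure behaviour. Two small points: the else branch logs "Rest API can not write to the file system." at WARNING level although this is the expected, secure state, so INFO would avoid teaching operators to ignore warnings (and "can not" should be "cannot"); and the explicit `SetRestApiWriteToFileSystemEnabled(false)` is redundant with the constructor default, harmless, and worth keeping for clarity.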
+Index: orthanc/Resources/Configuration.json
+===================================================================
+--- orthanc.orig/Resources/Configuration.json
++++ orthanc/Resources/Configuration.json
+@@ -501,5 +501,10 @@
+   // set to "true", the metrics can be retrieved at
+   // "/tools/metrics-prometheus" formetted using the Prometheus
+   // text-based exposition format.
+-  "MetricsEnabled" : true
++  "MetricsEnabled" : true,
++
++  // Whether the Rest API can write to the filesystem (e.g. in
++  // /instances/../export route). Starting with Orthanc 1.12.0,
++  // this URI is disabled by default for security.
++  "RestApiWriteToFileSystemEnabled": false
+ }
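Review bot: the comment on the new key says "Starting with Orthanc 1.12.0, this URI is disabled by default for security", which is confusing in a 1.5.6 Debian package where the same default now applies; reword along the lines of "Disabled by default for security (CVE-2023-33466); set to true only if the legacy export behaviour is required." The pre-existing typo "formetted" in the context line above could be fixed in passing, though it is outside the scope of this change.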


=====================================
debian/patches/series
=====================================
@@ -0,0 +1 @@
+CVE-2023-33466.patch



View it on GitLab: https://salsa.debian.org/med-team/orthanc/-/commit/35b2c390b18f6bc9c9c0294eb2a2d4bcfa7dfab7
