[Pkg-electronics-commits] [openocd] 02/02: Prevent some forms of Cross Protocol Scripting attacks (Closes: #887488)
Jonathan McDowell
noodles at moszumanska.debian.org
Thu Jan 18 09:50:58 UTC 2018
This is an automated email from the git hooks/post-receive script.
noodles pushed a commit to branch master
in repository openocd.
commit ca095a1fcbf9bc80d4bae493c2833e615b54b51f
Author: Jonathan McDowell <noodles at earth.li>
Date: Thu Jan 18 09:40:26 2018 +0000
Prevent some forms of Cross Protocol Scripting attacks (Closes: #887488)
OpenOCD does not detect when a browser attempts to send data to it using
HTTP POST, allowing for a cross-protocol scripting attack. This is
mitigated by detecting a POST or Host: "command", neither of which are
valid but will come as part of the HTTP POST, and terminating the
telnet connection if they are seen. (CVE-2018-570)
---
debian/changelog | 4 +++-
debian/patches/css-fix.patch | 47 ++++++++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 2d45901..f451a14 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-openocd (0.10.0-4) UNRELEASED; urgency=medium
+openocd (0.10.0-4) UNRELEASED; urgency=high
* Bind to localhost by default
+ * Prevent some forms of Cross Protocol Scripting attacks (CVE-2018-5704)
+ (Closes: #887488)
-- Jonathan McDowell <noodles at earth.li> Thu, 18 Jan 2018 09:27:37 +0000
diff --git a/debian/patches/css-fix.patch b/debian/patches/css-fix.patch
new file mode 100644
index 0000000..9a0ffbb
--- /dev/null
+++ b/debian/patches/css-fix.patch
@@ -0,0 +1,47 @@
+Subject: Prevent some forms of Cross Protocol Scripting attacks
+Author: Andreas Fritiofson <andreas.fritiofson at gmail.com>
+Origin: other, http://openocd.zylin.com/#/c/4335/
+Bug-Debian: https://bugs.debian.org/887488
+Last-Update: 2018-01-18
+
+From 3a223ca3ebc7ac24d7726a0cd58e5695bc813657 Mon Sep 17 00:00:00 2001
+From: Andreas Fritiofson <andreas.fritiofson at gmail.com>
+Date: Sat, 13 Jan 2018 21:00:47 +0100
+Subject: [PATCH] CVE-2018-5704: Prevent some forms of Cross Protocol Scripting attacks
+
+OpenOCD can be targeted by a Cross Protocol Scripting attack from
+a web browser running malicious code, such as the following PoC:
+
+var x = new XMLHttpRequest();
+x.open("POST", "http://127.0.0.1:4444", true);
+x.send("exec xcalc\r\n");
+
+This mitigation should provide some protection from browser-based
+attacks and is based on the corresponding fix in Redis:
+
+https://github.com/antirez/redis/blob/8075572207b5aebb1385c4f233f5302544439325/src/networking.c#L1758
+
+Change-Id: Ia96ebe19b74b5805dc228bf7364c7971a90a4581
+Signed-off-by: Andreas Fritiofson <andreas.fritiofson at gmail.com>
+Reported-by: Josef Gajdusek <atx at atx.name>
+---
+
+diff --git a/src/server/startup.tcl b/src/server/startup.tcl
+index 64ace40..dd1b31e 100644
+--- a/src/server/startup.tcl
++++ b/src/server/startup.tcl
+@@ -8,3 +8,14 @@
+ # one target
+ reset halt
+ }
++
++proc prevent_cps {} {
++ echo "Possible SECURITY ATTACK detected."
++ echo "It looks like somebody is sending POST or Host: commands to OpenOCD."
++ echo "This is likely due to an attacker attempting to use Cross Protocol Scripting"
++ echo "to compromise your OpenOCD instance. Connection aborted."
++ exit
++}
++
++proc POST {args} { prevent_cps }
++proc Host: {args} { prevent_cps }
diff --git a/debian/patches/series b/debian/patches/series
index 16a13e8..5ee72d6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ no-duplicate-udev.patch
fix-sheeva.patch
fix-openrd.patch
bind-localhost-only.patch
+css-fix.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-electronics/openocd.git
More information about the Pkg-electronics-commits
mailing list