Bug#1051339: bullseye-pu: package horizon/18.6.2-5+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: horizon@packages.debian.org
Control: affects -1 + src:horizon
Dear Stable release team,
Horizon in Bookworm is impacted by CVE-2022-45582: Open redirect /
phishing attack via "success_url" parameter. See:
https://bugs.debian.org/1050518
This version of the package includes the upstream patch to fix
the problem.
[ Impact ]
See https://bugs.debian.org/1050518: open redirect in
snapshots edition.
[ Tests ]
The package runs extensive unit tests, and upstream runs extensive
functional tests, so I'm confident nothing broke.
[ Risks ]
Minimal. See above. Plus the patch is very limited in scope.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Please allow me to upload horizon/3:18.6.2-5+deb11u2 to bookworm for
inclusion in the next point release.
Cheers,
Thomas Goirand (zigo)
diff -Nru horizon-18.6.2/debian/changelog horizon-18.6.2/debian/changelog
--- horizon-18.6.2/debian/changelog 2021-09-30 16:41:14.000000000 +0200
+++ horizon-18.6.2/debian/changelog 2023-09-06 10:20:55.000000000 +0200
@@ -1,3 +1,11 @@
+horizon (3:18.6.2-5+deb11u2) bullseye; urgency=medium
+
+ * CVE-2022-45582: Open redirect/phishing attack via "success_url" parameter,
+ add upstream patch: "Fix success_url parameter issue for Edit Snapshot"
+ (Closes: #1050518).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 06 Sep 2023 10:20:55 +0200
+
horizon (3:18.6.2-5+deb11u1) bullseye; urgency=medium
* Compile translations at build time.
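Review bot: the distribution field `bullseye` and the version `3:18.6.2-5+deb11u2` in this changelog stanza are the right ones for a bullseye-pu, but the cover mail says "Horizon in Bookworm" and "upload ... to bookworm"; please make the request text consistent with the changelog (bullseye) so the release team does not have to guess which suite is meant. The entry itself correctly names the CVE, the upstream patch title and the closing bug number.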
diff -Nru horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
--- horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch 1970-01-01 01:00:00.000000000 +0100
+++ horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch 2023-09-06 10:20:55.000000000 +0200
@@ -0,0 +1,51 @@
+Author: manchandavishal <manchandavishal143@gmail.com>
+Date: Wed, 14 Sep 2022 22:17:58 +0530
+Description: CVE-2022-45582 Fix success_url parameter issue for Edit Snapshot
+ The "success_url" param is used when updating the project snapshot
+ [1] and it lacks sanitizing the input URL that allows an attacker to
+ redirect the user to another website. This patch update 'Updateview'
+ class to not use the "sucess_url" method.
+Bug: https://launchpad.net/bugs/1982676
+Bug-Debian: https://bugs.debian.org/1050518
+Origin: upstream, https://review.opendev.org/c/openstack/horizon/+/862902
+Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
+Last-Update: 2023-09-06
+
+Index: horizon/openstack_dashboard/dashboards/project/snapshots/views.py
+===================================================================
+--- horizon.orig/openstack_dashboard/dashboards/project/snapshots/views.py
++++ horizon/openstack_dashboard/dashboards/project/snapshots/views.py
+@@ -12,7 +12,6 @@
+
+ from django.urls import reverse
+ from django.urls import reverse_lazy
+-from django.utils.http import urlencode
+ from django.utils.translation import ugettext_lazy as _
+
+ from horizon import exceptions
+@@ -104,11 +103,8 @@ class UpdateView(forms.ModalFormView):
+ def get_context_data(self, **kwargs):
+ context = super(UpdateView, self).get_context_data(**kwargs)
+ context['snapshot'] = self.get_object()
+- success_url = self.request.GET.get('success_url', "")
+ args = (self.kwargs['snapshot_id'],)
+- params = urlencode({"success_url": success_url})
+- context['submit_url'] = "?".join([reverse(self.submit_url, args=args),
+- params])
++ context['submit_url'] = reverse(self.submit_url, args=args)
+ return context
+
+ def get_initial(self):
+@@ -117,12 +113,6 @@ class UpdateView(forms.ModalFormView):
+ 'name': snapshot.name,
+ 'description': snapshot.description}
+
+- def get_success_url(self):
+- success_url = self.request.GET.get(
+- "success_url",
+- reverse_lazy("horizon:project:snapshots:index"))
+- return success_url
+-
+
+ class DetailView(tabs.TabView):
+ tab_group_class = vol_snapshot_tabs.SnapshotDetailTabs
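Review bot: with `get_success_url()` deleted, `UpdateView` now relies on whatever class-level `success_url` attribute `forms.ModalFormView` or this class declares, which is not visible in the hunk; the removed method defaulted to `reverse_lazy("horizon:project:snapshots:index")`, so please confirm that a matching `success_url = reverse_lazy(...)` still exists on the class, otherwise a successful edit may redirect nowhere useful. That attribute (or another use elsewhere in the file) is also what justifies keeping the `from django.urls import reverse_lazy` import that survives in the first inner hunk. Two documentation points on the DEP-3 header: the Description cites "[1]" but no footnote is given, and it contains the typos "sucess_url" and "This patch update 'Updateview' class"; "This patch updates the 'UpdateView' class to no longer read the 'success_url' parameter" would be accurate and match the code.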
diff -Nru horizon-18.6.2/debian/patches/series horizon-18.6.2/debian/patches/series
--- horizon-18.6.2/debian/patches/series 2021-09-30 16:41:14.000000000 +0200
+++ horizon-18.6.2/debian/patches/series 2023-09-06 10:20:55.000000000 +0200
@@ -2,3 +2,4 @@
fix-manage.py-sheebang.patch
Dont_load_user_role_assignment_or_groups_tabs_for_non-admins.patch
do-not-create-volume-by-default-when-launching-instance.patch
+CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch