Request for assistance to backport CVE-2020-13933 fix

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Request for assistance to backport CVE-2020-13933 fix

Roberto C. Sánchez
Shiro Devs,

I am working on a security update for the shiro package in Debian.  The
announcement for 1.6.0 indicates that CVE-2020-13933 is fixed in that
release.  However, the specific commit is not identified.  Additionally,
since neither the announcement nor any available information on the CVE
describes the means of exploitation it is not clear how I should proceed
to go about backporting the fix.

The 1.6.0 announcement describes the new "Global Filters" feature as
helping to mitigate the type of issue described by CVE-2020-13933.  It
seems that commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is what is
being referred to.  However, the change is rather substantial and
appears like it would require significant reworking to apply to 1.3.2.

If someone could help with the following questions it would be very much
appreciated:

- Is a backport of commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d to
  1.3.2 possible/feasible?
- Would it be possible to obtain information about the exploit to assist
  with either backporting dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d or
  with developing a new fix for 1.3.2?
- Is there another approach that I should be considering instead?

Regards,

-Roberto

--
Roberto C. Sánchez
Reply | Threaded
Open this post in threaded view
|

Re: Request for assistance to backport CVE-2020-13933 fix

Roberto C. Sánchez
Hi Shiro Devs,

Any chance someone could help with my request?

Regards,

-Roberto

On Thu, Sep 24, 2020 at 02:48:17PM -0400, Roberto C. Sánchez wrote:

> Shiro Devs,
>
> I am working on a security update for the shiro package in Debian.  The
> announcement for 1.6.0 indicates that CVE-2020-13933 is fixed in that
> release.  However, the specific commit is not identified.  Additionally,
> since neither the announcement nor any available information on the CVE
> describes the means of exploitation it is not clear how I should proceed
> to go about backporting the fix.
>
> The 1.6.0 announcement describes the new "Global Filters" feature as
> helping to mitigate the type of issue described by CVE-2020-13933.  It
> seems that commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is what is
> being referred to.  However, the change is rather substantial and
> appears like it would require significant reworking to apply to 1.3.2.
>
> If someone could help with the following questions it would be very much
> appreciated:
>
> - Is a backport of commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d to
>   1.3.2 possible/feasible?
> - Would it be possible to obtain information about the exploit to assist
>   with either backporting dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d or
>   with developing a new fix for 1.3.2?
> - Is there another approach that I should be considering instead?
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez

--
Roberto C. Sánchez