diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 50e40241..29a60b00 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -39,15 +39,15 @@ jobs: # Remove the begining of the README to extract the example. (echo '```toml'; sed -e '1,/```toml/d' README.md) > EXAMPLE_README.md while read FILE ; do - [ "$(dirname "$FILE")" != advisories/reserved ] || continue echo -n "$FILE: " docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools check "$FILE" || RESULT=1 - done < <(find advisories EXAMPLE_README.md EXAMPLE_ADVISORY.md -type f -name "*.md") + done < <(find advisories/published EXAMPLE_README.md EXAMPLE_ADVISORY.md -type f -name "*.md") exit $RESULT - name: Run advisory uniqueness checks run: | - ! find advisories -type f -name '*.md' -print0 \ - | xargs -0n1 basename | sort | uniq -c | grep -E -v '[[:space:]]*1 ' + ! find advisories/published -type f -name '*.md' \ + | sed -E 's|.*/([0-9]+)/([0-9]+)\.md|\1/\2.md|' \ + | sort | uniq -c | grep -E -v '[[:space:]]*1 ' - name: Generate OSV data run: | DATA_DIR=$PWD/osv @@ -58,7 +58,7 @@ jobs: YEAR=$(echo "$ID" | cut -d - -f 2) mkdir -p $DATA_DIR/$YEAR docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools osv "$FILE" > $DATA_DIR/$YEAR/$ID.json - done < <(find advisories -type f -name "*.md" | grep -v '^advisories/reserved/') + done < <(find advisories/published -type f -name "*.md") - name: Validate OSV data run: | curl -OL https://raw.githubusercontent.com/ossf/osv-schema/refs/heads/main/validation/schema.json 
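Review bot: The rewritten uniqueness check can no longer fail: under the new layout `find advisories/published -type f` lists each `<year>/<nnnn>.md` path exactly once and the `sed` only strips the `advisories/published/` prefix, so `uniq -c` always prints `1` and the `! ... grep -v` never fires. The duplicate-id risk now lives in the `id = "HSEC-YYYY-NNNN"` field disagreeing with the file's location, which this step could catch by comparing ids against paths, e.g. `diff <(grep -h '^id = ' advisories/published/*/*.md | sed -E 's|.*HSEC-([0-9]+)-([0-9]+).*|\1/\2.md|' | sort) <(find advisories/published -type f -name '*.md' | sed -E 's|.*/([0-9]+)/([0-9]+)\.md|\1/\2.md|' | sort)` — unless `hsec-tools check` already enforces that, which is not visible here. Separately, because the validation loop also walks only `advisories/published` with `-type f`, the per-package symlinks under `advisories/hackage/` and `advisories/ghc/` are never inspected, so a dangling link would pass CI; `! find advisories -xtype l | grep .` as an extra step would flag it. That matters because the link targets written in this commit (`advisories/published/2024/0007.md` from inside `advisories/ghc/ghc/`) are repo-root-relative rather than relative to the link's own directory and so resolve to nothing on a plain checkout, unless hsec-tools dereferences them itself.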
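Review bot: `YEAR=$(echo "$ID" | cut -d - -f 2)` still expects `ID` to look like `HSEC-YYYY-NNNN`, but `ID` is assigned above this hunk (not visible), and if it is still taken from the basename of `$FILE`, the new basename `0007.md` yields an empty `YEAR`, so every advisory is written to `$DATA_DIR//.json` and silently overwrites the previous one. Deriving both values from the new path avoids depending on that line: `YEAR=$(basename "$(dirname "$FILE")")` and `ID=HSEC-$YEAR-$(basename "$FILE" .md)`, followed by `[ -n "$YEAR" ] || exit 1` so a layout change fails loudly rather than producing a degenerate output tree. The OSV schema validation that follows would not catch this, since one well-formed file is still produced.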
@@ -84,7 +84,7 @@ jobs: - name: Generate snapshot data run: | docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools generate-snapshot . snapshot - diff -r advisories snapshot/advisories | grep -v gitkeep | grep -v 'Only in advisories: reserved' | grep Only && echo 'Some advisories have been created/deleted' && exit 1 || exit 0 + diff -r advisories/published snapshot/advisories/published | grep -v gitkeep | grep Only && echo 'Some advisories have been created/deleted' && exit 1 || exit 0 - name: Publish snapshot data if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }} env: diff --git a/advisories/ghc/ghc/HSEC-2024-0007.md b/advisories/ghc/ghc/HSEC-2024-0007.md deleted file mode 100644 index c5cac3a0..00000000 --- a/advisories/ghc/ghc/HSEC-2024-0007.md +++ /dev/null @@ -1,36 +0,0 @@ -```toml -[advisory] -id = "HSEC-2024-0007" -cwe = [194] -keywords = ["integrity", "dos", "historical"] - -[[affected]] -ghc-component = "ghc" -cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" - -[[affected.versions]] -introduced = "9.2.4" -fixed = "9.2.5" - -[[affected.versions]] -introduced = "9.4.2" -fixed = "9.4.3" - -[[references]] -type = "REPORT" -url = "https://gitlab.haskell.org/ghc/ghc/-/issues/22282" - -[[references]] -type = "FIX" -url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9152" - -[[references]] -type = "FIX" -url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9139" -``` - -# Sign extension error in the AArch64 NCG - -Arithmetic operations may result in incorrect runtime results on the native aarch64 backend. -For the most part, this bug only causes availability and data integrity issues. -However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. 
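Review bot: The snapshot comparison now covers only `advisories/published`, so the per-package symlinks under `advisories/hackage/` and `advisories/ghc/` that this same commit introduces are no longer diffed against the generated snapshot, and a link added, removed or retargeted there will not trip the "created/deleted" check. If `generate-snapshot` still emits that part of the tree, keeping the root as the comparison base and comparing links as links, `diff -r --no-dereference advisories snapshot/advisories | grep -v gitkeep | grep Only`, restores the coverage; if it deliberately emits only `published/`, a one-line comment above the `diff` saying so would save the next reader the question. Also, because the pipeline ends in `|| exit 0`, a failure of `diff` itself (for example a missing `snapshot/advisories/published` directory) prints no `Only` line and the step passes silently; `[ -d snapshot/advisories/published ] || exit 1` before the diff would guard that.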
diff --git a/advisories/ghc/ghc/HSEC-2024-0007.md b/advisories/ghc/ghc/HSEC-2024-0007.md new file mode 120000 index 00000000..cd891d4f --- /dev/null +++ b/advisories/ghc/ghc/HSEC-2024-0007.md @@ -0,0 +1 @@ +advisories/published/2024/0007.md \ No newline at end of file diff --git a/advisories/ghc/ghc/HSEC-2024-0008.md b/advisories/ghc/ghc/HSEC-2024-0008.md deleted file mode 100644 index 78e4e0f9..00000000 --- a/advisories/ghc/ghc/HSEC-2024-0008.md +++ /dev/null @@ -1,35 +0,0 @@ -```toml -[advisory] -id = "HSEC-2024-0008" -cwe = [194] -keywords = ["integrity", "dos"] - -[[affected]] -ghc-component = "ghc" -cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" - -[[affected.versions]] -introduced = "9.2.1" -fixed = "9.6.6" - -[[affected.versions]] -introduced = "9.8.1" -fixed = "9.8.3" - -[[affected.versions]] -introduced = "9.10.1" - -[[references]] -type = "REPORT" -url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23034" - -[[references]] -type = "FIX" -url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12885" -``` - -# Sign extension error in the PPC64le FFI - -Numeric arguments of FFI call on the PPC64le backend may result in incorrect runtime values. -For the most part, this bug only causes availability and data integrity issues. -However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. diff --git a/advisories/ghc/ghc/HSEC-2024-0008.md b/advisories/ghc/ghc/HSEC-2024-0008.md new file mode 120000 index 00000000..a72d2db4 --- /dev/null +++ b/advisories/ghc/ghc/HSEC-2024-0008.md @@ -0,0 +1 @@ +advisories/published/2024/0008.md \ No newline at end of file diff --git a/advisories/ghc/ghc/HSEC-2025-0001.md b/advisories/ghc/ghc/HSEC-2025-0001.md deleted file mode 100644 index a979a1d0..00000000 --- a/advisories/ghc/ghc/HSEC-2025-0001.md +++ /dev/null 
@@ -1,32 +0,0 @@ -```toml -[advisory] -id = "HSEC-2025-0001" -cwe = [682] -keywords = ["integrity", "dos"] - -[[affected]] -ghc-component = "ghc" -cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" - -[[affected.versions]] -introduced = "9.12.1" -fixed = "9.12.2" - -[[references]] -type = "REPORT" -url = "https://gitlab.haskell.org/ghc/ghc/-/issues/25653" - -[[references]] -type = "REPORT" -url = "https://discourse.haskell.org/t/psa-correctness-issue-in-ghc-9-12/11204" - -[[references]] -type = "FIX" -url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/13820" -``` - -# Subword division operations may produce incorrect results - -Arithmetic operations may produce incorrect results when compiled with optimizations. -For the most part, this bug only causes availability and data integrity issues. -However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. diff --git a/advisories/ghc/ghc/HSEC-2025-0001.md b/advisories/ghc/ghc/HSEC-2025-0001.md new file mode 120000 index 00000000..4b6ec797 --- /dev/null +++ b/advisories/ghc/ghc/HSEC-2025-0001.md @@ -0,0 +1 @@ +advisories/published/2025/0001.md \ No newline at end of file diff --git a/advisories/hackage/aeson/HSEC-2023-0001.md b/advisories/hackage/aeson/HSEC-2023-0001.md deleted file mode 100644 index b8aa88a2..00000000 --- a/advisories/hackage/aeson/HSEC-2023-0001.md +++ /dev/null 
@@ -1,34 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0001" -cwe = [328, 400] -keywords = ["json", "dos", "historical"] -aliases = ["CVE-2022-3433"] - -[[affected]] -package = "aeson" -cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" - -[[affected.versions]] -introduced = "0.4.0.0" -fixed = "2.0.1.0" - -[[references]] -type = "ARTICLE" -url = "https://cs-syd.eu/posts/2021-09-11-json-vulnerability" -[[references]] -type = "ARTICLE" -url = "https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html" -[[references]] -type = "DISCUSSION" -url = "https://github.com/haskell/aeson/issues/864" -``` - -# Hash flooding vulnerability in aeson - -*aeson* was vulnerable to hash flooding (a.k.a. hash DoS). The -issue is a consequence of the HashMap implementation from -*unordered-containers*. It results in a denial of service through -CPU consumption. This technique has been used in real-world attacks -against a variety of languages, libraries and frameworks over the -years. diff --git a/advisories/hackage/aeson/HSEC-2023-0001.md b/advisories/hackage/aeson/HSEC-2023-0001.md new file mode 120000 index 00000000..8079d3ad --- /dev/null +++ b/advisories/hackage/aeson/HSEC-2023-0001.md @@ -0,0 +1 @@ +advisories/published/2023/0001.md \ No newline at end of file diff --git a/advisories/hackage/base/HSEC-2023-0007.md b/advisories/hackage/base/HSEC-2023-0007.md deleted file mode 100644 index 0987d8c8..00000000 --- a/advisories/hackage/base/HSEC-2023-0007.md +++ /dev/null 
@@ -1,78 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0007" -cwe = [1284, 789] -keywords = ["toml", "parser", "dos"] - -[[affected]] -package = "base" -cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" -[[affected.versions]] -# it was introduced earlier, but this is the earliest version on Hackage -introduced = "3.0.3.1" - -[[affected]] -package = "toml-reader" -cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" -[[affected.versions]] -introduced = "0.1.0.0" -fixed = "0.2.0.0" - -[[references]] -type = "REPORT" -url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23538" -[[references]] -type = "REPORT" -url = "https://github.com/brandonchinn178/toml-reader/issues/8" -[[references]] -type = "FIX" -url = "https://github.com/brandonchinn178/toml-reader/pull/9" - -``` - -# `readFloat`: memory exhaustion with large exponent - -`Numeric.readFloat` takes time and memory linear in the size of the -number _denoted_ by the input string. In particular, processing a -number expressed in scientific notation with a very large exponent -could cause a denial of service. The slowdown is observable on a -modern machine running GHC 9.4.4: - -``` -ghci> import qualified Numeric -ghci> Numeric.readFloat "1e1000000" -- near instantaneous -[(Infinity,"")] -ghci> Numeric.readFloat "1e10000000" -- perceptible pause -[(Infinity,"")] -ghci> Numeric.readFloat "1e100000000" -- ~ 3 seconds -[(Infinity,"")] -ghci> Numeric.readFloat "1e1000000000" -- ~ 35 seconds -[(Infinity,"")] -``` - -## In *base* - -`Numeric.readFloat` is defined for all `RealFrac a => a`: - -```haskell -readFloat :: RealFrac a => ReadS a -``` - -The `RealFrac` type class does not express any bounds on the size of -values representable in the types for which instances exist, so -bounds checking is not possible (in this *generic* function). -`readFloat` uses to `Text.Read.Lex.numberToRational` which, among -other things, calculates `10 ^ exponent`, which seems to take linear -time and memory. 
- -**Mitigation:** use `read`. The `Read` instances for `Float` and -`Double` perform bounds checks on the exponent, via -`Text.Read.Lex.numberToRangedRational`. - - -## In *toml-reader* - -The issue was detected in *toml-reader* version 0.1.0.0, and -mitigated in version 0.2.0.0 by immediately returning `Infinity` -when the exponent is large enough that there's no reason to process -it. diff --git a/advisories/hackage/base/HSEC-2023-0007.md b/advisories/hackage/base/HSEC-2023-0007.md new file mode 120000 index 00000000..bd1cc2b4 --- /dev/null +++ b/advisories/hackage/base/HSEC-2023-0007.md @@ -0,0 +1 @@ +advisories/published/2023/0007.md \ No newline at end of file diff --git a/advisories/hackage/base/HSEC-2024-0006.md b/advisories/hackage/base/HSEC-2024-0006.md deleted file mode 100644 index 593bd5fa..00000000 --- a/advisories/hackage/base/HSEC-2024-0006.md +++ /dev/null 
@@ -1,41 +0,0 @@ -```toml -[advisory] -id = "HSEC-2024-0006" -cwe = [192] -keywords = ["integrity", "dos", "historical"] - -[[affected]] -package = "base" -cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" - -[[affected.versions]] -introduced = "4.15.0.0" -fixed = "4.15.1.0" - -[[references]] -type = "REPORT" -url = "https://gitlab.haskell.org/ghc/ghc/-/issues/19345" - -[[references]] -type = "REPORT" -url = "https://gitlab.haskell.org/ghc/ghc/-/issues/20066" - -[[references]] -type = "FIX" -url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/4980" - -[[references]] -type = "FIX" -url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/6109" -``` - -# `fromIntegral`: conversion error - -`fromIntegral` may result in coercion errors when used with optimization flags `-O1` or `-O2` -in the following situation: - -- Converting negative `Int` to `Natural` does not throw an arithmetic underflow error -- Converting large `Integer` greater than 2^64 to `Natural` overflow. - -For the most part, these errors in and of themselves result only in availability and data integrity issues. -However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions. diff --git a/advisories/hackage/base/HSEC-2024-0006.md b/advisories/hackage/base/HSEC-2024-0006.md new file mode 120000 index 00000000..b479410b --- /dev/null +++ b/advisories/hackage/base/HSEC-2024-0006.md @@ -0,0 +1 @@ +advisories/published/2024/0006.md \ No newline at end of file diff --git a/advisories/hackage/biscuit-haskell/HSEC-2023-0002.md b/advisories/hackage/biscuit-haskell/HSEC-2023-0002.md deleted file mode 100644 index 9fba4bd7..00000000 --- a/advisories/hackage/biscuit-haskell/HSEC-2023-0002.md +++ /dev/null 
@@ -1,31 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0002" -cwe = [347] -keywords = ["crypto", "historical"] -aliases = ["CVE-2022-31053"] -related = ["GHSA-75rw-34q6-72cr"] - -[[affected]] -package = "biscuit-haskell" -cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" -[[affected.versions]] -introduced = "0.1.0.0" -fixed = "0.2.0.0" - -[[references]] -type = "REPORT" -url = "https://eprint.iacr.org/2020/1484" -[[references]] -type = "ADVISORY" -url = "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr" - -``` - -# Improper Verification of Cryptographic Signature - -The Biscuit specification version 1 contains a vulnerable algorithm that allows -malicious actors to forge valid Γ-signatures. Such an attack would allow an -attacker to create a token with any access level. The version 2 of the -specification mandates a different algorithm than gamma signatures and as such -is not affected by this vulnerability. diff --git a/advisories/hackage/biscuit-haskell/HSEC-2023-0002.md b/advisories/hackage/biscuit-haskell/HSEC-2023-0002.md new file mode 120000 index 00000000..79b89af0 --- /dev/null +++ b/advisories/hackage/biscuit-haskell/HSEC-2023-0002.md @@ -0,0 +1 @@ +advisories/published/2023/0002.md \ No newline at end of file diff --git a/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md b/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md deleted file mode 100644 index 38b2f33b..00000000 --- a/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md +++ /dev/null 
@@ -1,30 +0,0 @@ -```toml -[advisory] -id = "HSEC-2024-0009" -keywords = ["biscuit"] -aliases = ["CVE-2024-41949", "GHSA-rgqv-mwc3-c78m", "GHSA-47cq-pc2v-3rmp"] - -[[references]] -type = "ADVISORY" -url = "https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp" -[[references]] -type = "FIX" -url = "https://github.com/biscuit-auth/biscuit-haskell/pull/93" - -[[affected]] -package = "biscuit-haskell" -cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N" - -[[affected.versions]] -introduced = "0.3.0.0" -fixed = "0.4.0.0" -``` - -# Public key confusion in third-party blocks - -Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: - -- the public key of the previous block (used in the signature); -- the public keys part of the token symbol table (for public key interning in datalog expressions). - -A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. diff --git a/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md b/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md new file mode 120000 index 00000000..1a03ec6a --- /dev/null +++ b/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md @@ -0,0 +1 @@ +advisories/published/2024/0009.md \ No newline at end of file diff --git a/advisories/hackage/bz2/HSEC-2024-0002.md b/advisories/hackage/bz2/HSEC-2024-0002.md index cb2989c5..a2202c0a 120000 --- a/advisories/hackage/bz2/HSEC-2024-0002.md +++ b/advisories/hackage/bz2/HSEC-2024-0002.md @@ -1 +1 @@ -../bzlib/HSEC-2024-0002.md \ No newline at end of file +advisories/published/2024/0002.md \ No newline at end of file diff --git a/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md index cb2989c5..a2202c0a 120000 
--- a/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md +++ b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md @@ -1 +1 @@ -../bzlib/HSEC-2024-0002.md \ No newline at end of file +advisories/published/2024/0002.md \ No newline at end of file diff --git a/advisories/hackage/bzlib/HSEC-2024-0002.md b/advisories/hackage/bzlib/HSEC-2024-0002.md deleted file mode 100644 index d9e49d1f..00000000 --- a/advisories/hackage/bzlib/HSEC-2024-0002.md +++ /dev/null 
@@ -1,61 +0,0 @@ -```toml -[advisory] -id = "HSEC-2024-0002" -cwe = [787] -keywords = ["corruption", "vendored-code", "language-c"] -aliases = ["CVE-2019-12900"] - -[[references]] -type = "DISCUSSION" -url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/" - -[[references]] -type = "DISCUSSION" -url = "http://scary.beasts.org/security/CESA-2008-005.html" - -[[references]] -type = "ADVISORY" -url = "https://access.redhat.com/security/cve/cve-2019-12900" - -[[references]] -type = "FIX" -url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184" - -[[affected]] -package = "bzlib" -cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" - -[[affected.versions]] -introduced = "0.4" -fixed = "0.5.2.0" - -[[affected]] -package = "bz2" -cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" - -[[affected.versions]] -introduced = "0.1.0.0" -fixed = "1.0.1.1" - -[[affected]] -package = "bzlib-conduit" -cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" - -[[affected.versions]] -introduced = "0.1.0.0" -fixed = "0.3.0.3" -``` - -# out-of-bounds write when there are many bzip2 selectors - -A malicious bzip2 payload may produce a memory corruption -resulting in a denial of service and/or remote code execution. -Network services or command line utilities decompressing -untrusted bzip2 payloads are affected. - -Note that the exploitation of this bug relies on an undefined -behavior that appears to be handled safely by current compilers. - -The Haskell libraires are vulnerable when they are built using -the bundled C library source code, which is the default -in most cases. diff --git a/advisories/hackage/bzlib/HSEC-2024-0002.md b/advisories/hackage/bzlib/HSEC-2024-0002.md new file mode 120000 index 00000000..a2202c0a --- /dev/null +++ b/advisories/hackage/bzlib/HSEC-2024-0002.md @@ -0,0 +1 @@ +advisories/published/2024/0002.md \ No newline at end of file 
diff --git a/advisories/hackage/cabal-install/HSEC-2023-0015.md b/advisories/hackage/cabal-install/HSEC-2023-0015.md deleted file mode 100644 index 529845b9..00000000 --- a/advisories/hackage/cabal-install/HSEC-2023-0015.md +++ /dev/null 
@@ -1,95 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0015" -cwe = [672] -keywords = ["hackage", "mitm", "supply-chain"] - -[[affected]] -package = "cabal-install" -cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" -[[affected.versions]] -introduced = "1.24.0.0" -fixed = "3.10.2.0" - -[[references]] -type = "REPORT" -url = "https://github.com/haskell/cabal/issues/8918#issuecomment-1521096581" -[[references]] -type = "FIX" -url = "https://github.com/haskell/cabal/commit/dcfdc9cffd74cade4e8cf3df37c5993413ffd30f" -``` - -# cabal-install uses expired key policies - -A problem was recently discovered in `cabal-install`'s -implementation of the Hackage Security protocol that would allow an -attacker who was in possession of a revoked private key and who -could perform a man-in-the-middle attack against Hackage to use the -revoked key to deliver malicious packages. At this time, this is -only a theoretical attack - no keys have been revoked. Release -3.10.2.0 of `cabal-install` contains a fix for this bug, and we have -contacted distributors of older versions (such as Linux -distributions) with a patch that they can apply. - -## Background - -Hackage Security is an implementation of [The Update Framework][], -which is a design for a package repository that allows untrusted -mirrors without undermining software supply-chain security. In -particular, Hackage Security cryptographically guarantees the -following properties: - - * Mirrors of Hackage cannot change the contents of packages. This - prevents the insertion of malicious code. - - * Mirrors cannot omit newer packages for more than a few days - without clients noticing. This ensures both that mirrors cannot - maliciously deny security updates, and that mistakes in their - configuration will be noticed. - -Hackage has a [key policy file][] that delegates authority to a -number of private keys for various purposes. 
Most of the keys are -kept securely offline by trusted community members who annually -re-sign the various files to indicate that they still have -confidence in Hackage's policies. However, to prevent clients from -being denied updates, Hackage has an automated process that -periodically re-signs a timestamp file. This signature has a short -expiry. Additionally, a snapshot file contains signed hashes of the -Hackage index that is updated on each package upload. The timestamp -and snapshot private keys are held in memory on the Hackage server. -These are called the operational keys. If an operational key is ever -compromised, then it will be revoked by having the Hackage root -keyholders sign a new key policy file. To prevent replay attacks, -clients that connect to Hackage after this update will reject older -policy files, based on a monotonically increasing file version -number. - -If a client has not yet received the updated policy file (for -example, because they have a fresh install of `cabal-install` or -because they have not run `cabal update` in some time), the built-in -expiration date in the file limits the window of exposure in which -the revoked operational keys would be expected. As long as the root -keys have not been compromised, the compromised operational keys can -only be used until the policy file expires. In addition to -compromising a Hackage operational key, an attacker would -additionally need to either compromise a Hackage mirror or perform a -man-in-the-middle attack against the target in order to serve a -malicious or obsolete package index. - -[key policy file]: https://hackage.haskell.org/root.json -[The Update Framework]: https://theupdateframework.io/ - -## The Issue - -A bug in `cabal-install` caused it to skip the verification of the -key policy file's expiration timestamp. 
This means that users of -older, unpatched versions of `cabal-install` could be vulnerable to -a malicious mirror or man-in-the-middle attack against Hackage if -they have not connected to Hackage in a long time, even after the -policy file has expired. - -We do not believe that it has been possible to exploit this -vulnerability, because no operational keys have been revoked. -However, in case key revocation occurs, we strongly advise all users -of `cabal-install` to ensure that they have version 3.10.2.0 or -newer, which contain the fix. diff --git a/advisories/hackage/cabal-install/HSEC-2023-0015.md b/advisories/hackage/cabal-install/HSEC-2023-0015.md new file mode 120000 index 00000000..268529cb --- /dev/null +++ b/advisories/hackage/cabal-install/HSEC-2023-0015.md @@ -0,0 +1 @@ +advisories/published/2023/0015.md \ No newline at end of file diff --git a/advisories/hackage/cabal-install/HSEC-2025-0005.md b/advisories/hackage/cabal-install/HSEC-2025-0005.md deleted file mode 100644 index bf996abd..00000000 --- a/advisories/hackage/cabal-install/HSEC-2025-0005.md +++ /dev/null 
@@ -1,61 +0,0 @@ -```toml -[advisory] -id = "HSEC-2025-0005" -cwe = [427] -keywords = ["hackage", "supply-chain", "historical"] - -[[affected]] -package = "cabal-install" -cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" -[[affected.versions]] -fixed = "3.4.0.0" -introduced = "1.0.0.0" - -[[references]] -type = "REPORT" -url = "https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html" -``` - -# `cabal-install` dependency confusion - -For **cabal-install < 3.4.0.0** and where multiple repositories are -configured, the resolver picks the highest available version across -all repositories. Where a package is only defined in a private -repository, this behaviour leads to a [*dependency confusion*][blog] -supply chain vulnerability. If the private package name becomes -known, a malicious actor can claim the name in the public repository -and publish a malicious version at a higher version number. - -Default `cabal-install` configurations that only use the -`hackage.haskell.org` repository are not affected. Configurations -that use curated private repositories **exclusively** are also not -affected. - -[blog]: https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html - - -## Mitigations - -*cabal-install* version **3.4.0.0** and higher provide an `override` -option in the repository configuration. It marks the associated -repository as canonical for all packages defined in that repository. -No other repositories will be considered. For example: - -``` --- For packages in repo.example.com, --- only versions in repo.example.com are considered -active-repositories: - , hackage.haskell.org - , repo.example.com:override -``` - -Users and organisations using private repositories that contain -private packages in addition to public repositories **MUST** use the -`override` option to prevent dependency confusion attacks. 
- -Alternatively, projects and organisations can run a private instance -of *hackage-server* and carefully curate and review its contents. -Using that instance exclusively defeats supply chain attacks -including *dependency confusion*. For *cabal-install < 3.4* and -where using multiple repositories, this is the only effective -mitigation against dependency confusion attacks. diff --git a/advisories/hackage/cabal-install/HSEC-2025-0005.md b/advisories/hackage/cabal-install/HSEC-2025-0005.md new file mode 120000 index 00000000..6b916036 --- /dev/null +++ b/advisories/hackage/cabal-install/HSEC-2025-0005.md @@ -0,0 +1 @@ +advisories/published/2025/0005.md \ No newline at end of file diff --git a/advisories/hackage/crypton/HSEC-2025-0002.md b/advisories/hackage/crypton/HSEC-2025-0002.md index d25029b1..5cbe52ec 120000 --- a/advisories/hackage/crypton/HSEC-2025-0002.md +++ b/advisories/hackage/crypton/HSEC-2025-0002.md @@ -1 +1 @@ -../cryptonite/HSEC-2025-0002.md \ No newline at end of file +advisories/published/2025/0002.md \ No newline at end of file diff --git a/advisories/hackage/cryptonite/HSEC-2025-0002.md b/advisories/hackage/cryptonite/HSEC-2025-0002.md deleted file mode 100644 index 0079730b..00000000 --- a/advisories/hackage/cryptonite/HSEC-2025-0002.md +++ /dev/null 
@@ -1,66 +0,0 @@ -```toml -[advisory] -id = "HSEC-2025-0002" -cwe = [] -keywords = ["crypto"] -related = ["GHSA-w5vr-6qhr-36cc"] - -[[affected]] -package = "cryptonite" -cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" -[[affected.versions]] -introduced = "0.1" - -[[affected]] -package = "crypton" -cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" -[[affected.versions]] -introduced = "0.31" -fixed = "1.0.3" - -[[references]] -type = "ARTICLE" -url = "https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft" -[[references]] -type = "ARTICLE" -url = "https://github.com/MystenLabs/ed25519-unsafe-libs" -[[references]] -type = "ADVISORY" -url = "https://github.com/advisories/GHSA-w5vr-6qhr-36cc" -[[references]] -type = "EVIDENCE" -url = "https://hackage.haskell.org/package/cryptonite-0.30/docs/src/Crypto.PubKey.Ed25519.html#sign" -[[references]] -type = "EVIDENCE" -url = "https://github.com/haskell-crypto/cryptonite/blob/cryptonite-v0.30/cbits/ed25519/ed25519.c#53" -[[references]] -type = "EVIDENCE" -url = "https://github.com/kazu-yamamoto/crypton/blob/48fb9df2de5ee752196724b081f4d3cdb57576ed/cbits/ed25519/ed25519.c#L53" -[[references]] -type = "FIX" -url = "https://github.com/kazu-yamamoto/crypton/pull/47" - -``` - -# Double Public Key Signing Function Oracle Attack on Ed25519 - -The standard specification of Ed25519 message signing involves providing the -algorithm with a message and private key. - -The function will use the private key to compute the public key and sign the message. -Some libraries provide a variant of the message signing function that also takes -the pre-computed public key as an input parameter. - -Libraries that allow arbitrary public keys as inputs without checking if the -input public key corresponds to the input private key are vulnerable to the -following attack. 
- -By using several public keys and messages, a malicious user with access to the -signing mechanism may build up insights into the private key parameters -resulting in access to the private key. - -This shortcoming means that an attacker could use the signing function as an -Oracle, perform crypto-analysis and ultimately get at secrets. -For example, an attacker who can’t access the private key but can access -the signing mechanism through an API call could use several public keys and -messages to gradually build up insights into private key parameters. diff --git a/advisories/hackage/cryptonite/HSEC-2025-0002.md b/advisories/hackage/cryptonite/HSEC-2025-0002.md new file mode 120000 index 00000000..5cbe52ec --- /dev/null +++ b/advisories/hackage/cryptonite/HSEC-2025-0002.md @@ -0,0 +1 @@ +advisories/published/2025/0002.md \ No newline at end of file diff --git a/advisories/hackage/git-annex/HSEC-2023-0009.md b/advisories/hackage/git-annex/HSEC-2023-0009.md deleted file mode 100644 index 237e1859..00000000 --- a/advisories/hackage/git-annex/HSEC-2023-0009.md +++ /dev/null 
@@ -1,46 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0009" -cwe = [20, 78] -keywords = ["ssh", "command-injection", "historical"] -aliases = ["CVE-2017-12976"] -related = ["CVE-2017-9800", "CVE-2017-12836", "CVE-2017-1000116", "CVE-2017-1000117"] - -[[affected]] -package = "git-annex" -cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" -[[affected.versions]] -introduced = "0" -fixed = "6.20170818" - -[[references]] -type = "ADVISORY" -url = "https://git-annex.branchable.com/security/CVE-2017-12976/" -[[references]] -type = "FIX" -url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=df11e54788b254efebb4898b474de11ae8d3b471" -``` - -# *git-annex* command injection via malicious SSH hostname - -*git-annex* was vulnerable to the same class of security hole as -git's **CVE-2017-1000117**. In several cases, `git-annex` parses a -repository URL, and uses it to generate a `ssh` command, with the -hostname to ssh to coming from the URL. If the hostname it parses is -something like `-eProxyCommand=evil`, this could result in arbitrary -local code execution. - -Some details of URL parsing may prevent the exploit working in some -cases. - -Exploiting this would involve the attacker tricking the victim into -adding a remote something like `ssh://-eProxyCommand=evil/blah`. - -One possible avenue for an attacker that avoids exposing the URL to -the user is to use `initremote` with an SSH remote, so embedding the -URL in the *git-annex* branch. Then the victim would enable it with -`enableremote`. - -This was fixed in version **6.20170818**. Now there's a `SshHost` -type that is not allowed to start with a dash, and every invocation -of `git-annex` uses a function that takes a `SshHost`. diff --git a/advisories/hackage/git-annex/HSEC-2023-0009.md b/advisories/hackage/git-annex/HSEC-2023-0009.md new file mode 120000 index 00000000..5787ece7 --- /dev/null +++ b/advisories/hackage/git-annex/HSEC-2023-0009.md 
@@ -0,0 +1 @@ +advisories/published/2023/0009.md \ No newline at end of file diff --git a/advisories/hackage/git-annex/HSEC-2023-0010.md b/advisories/hackage/git-annex/HSEC-2023-0010.md deleted file mode 100644 index 9b31b907..00000000 --- a/advisories/hackage/git-annex/HSEC-2023-0010.md +++ /dev/null 
@@ -1,78 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0010" -cwe = [200, 610] -keywords = ["exfiltration", "historical"] -aliases = ["CVE-2018-10857"] - -[[affected]] -package = "git-annex" -cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" -[[affected.versions]] -introduced = "0" -fixed = "6.20180626" - -[[references]] -type = "ADVISORY" -url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/" -``` - -# *git-annex* private data exfiltration to compromised remote - -Some uses of git-annex were vulnerable to a private data exposure -and exfiltration attack. It could expose the content of files -located outside the *git-annex* repository, or content from a -private web server on localhost or the LAN. Joey Hess discovered -this attack. - -To perform this attack, the attacker needs to have control over one -of the remotes of the victim's *git-annex* repository. For example, -they may provide a public *git-annex* repository that the victim -clones. Or, equivalantly, the attacker could have read access to the -victim's *git-annex* repository or a repository it pushes to, and -some channel to get commits into it (e.g. pull requests). - -These exploits are most likely to succeed when the victim is running -the `git-annex` assistant, or is periodically running `git annex -sync --content`. - -To perform the attack the attacker runs `git-annex addurl --relaxed -file:///etc/passwd` and commits this to the repository in some out -of the way place. After the victim's git repository receives that -change, `git-annex` follows the attacker-provided URL to the private -data, which it stores in the *git-annex* repository. From there it -transfers the content to the remote *git-annex* repository that the -attacker has access to. - -As well as `file:///` URLs, the attacker can use URLs to private web -servers. 
The URL can also be one that the attacker controls, that -redirects to a URL that is accessible to the victim system (and not -necessarily the compromised remote). - -## Fix - -The issue was fixed by making `git-annex` refuse to follow -`file:///` urls and URLs pointing to private/local IP addresses by -default. Two new configuration settings, -`annex.security.allowed-url-schemes` and -`annex.security.allowed-ip-addresses`, can relax this security -policy, and are intended for cases where the *git-annex* repository -is kept private and so the attack does not apply. - -## Impact on external special remotes - -One variant of this issue can exploit a vulnerable external special -remote, and could not be prevented by `git-annex`. (`git-annex`'s -own built-in special remotes are not vulnerable to this attack.) - -In this attack variant, the attacker guesses the hash of a file -stored on the victim's private web server, and adds it to the -`git-annex` repository. The attacker also has control of the server -hosting an encrypted special remote used by the victim's *git-annex* -repository. They cause that server to redirect to the victim's web -server. This allows the attacker to verify if the victim's web -server contains a file that the attacker already knows the content -of, assuming they can guess the URL to it. - -Developers of external special remotes are encouraged to prevent -this attack by not following such HTTP redirects. diff --git a/advisories/hackage/git-annex/HSEC-2023-0010.md b/advisories/hackage/git-annex/HSEC-2023-0010.md new file mode 120000 index 00000000..d23938cb --- /dev/null +++ b/advisories/hackage/git-annex/HSEC-2023-0010.md @@ -0,0 +1 @@ +advisories/published/2023/0010.md \ No newline at end of file diff --git a/advisories/hackage/git-annex/HSEC-2023-0011.md b/advisories/hackage/git-annex/HSEC-2023-0011.md deleted file mode 100644 index 7adc7c0e..00000000 --- a/advisories/hackage/git-annex/HSEC-2023-0011.md +++ /dev/null 
@@ -1,47 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0011" -cwe = [200] -keywords = ["exfiltration", "pgp", "historical"] -aliases = ["CVE-2018-10859"] -related = ["HSEC-2023-0010", "CVE-2018-10857"] - -[[affected]] -package = "git-annex" -cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" -[[affected.versions]] -introduced = "0.20110417" -fixed = "6.20180626" - -[[references]] -type = "ADVISORY" -url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/" -``` - -# *git-annex* GPG decryption attack via compromised remote - -A malicious server for a special remote could trick `git-annex` into -decrypting a file that was encrypted to the user's GPG key. This -attack could be used to expose encrypted data that was never stored -in *git-annex*. Daniel Dent discovered this attack in collaboration -with Joey Hess. - -To perform this attack the attacker needs control of a server -hosting an *encrypted* special remote used by the victim's -*git-annex* repository. The attacker uses `git annex addurl ---relaxed` with an innocuous URL, and waits for the user's -`git-annex` to download it, and upload an (encrypted) copy to the -special remote they also control. At some later point, when the -user downloads the content from the special remote, the attacker -instead sends them the content of the GPG-encrypted file that they -wish to have decrypted in its place (which may have been exfiltrated -from the victim's system via the attack described in -**HSEC-2023-0010** / **CVE-2018-10857**, or acquired by other -means). Finally, the attacker drops their own copy of the original -innocuous URL, and waits for the victim `git-annex` to send them the -accidentially decrypted file. - -The issue was fixed by making `git-annex` refuse to download -encrypted content from special remotes, unless it knows the hash of -the expected content. When the attacker provides some other -GPG-encrypted content, it will fail the hash check and be discarded. 
diff --git a/advisories/hackage/git-annex/HSEC-2023-0011.md b/advisories/hackage/git-annex/HSEC-2023-0011.md new file mode 120000 index 00000000..b7ddf050 --- /dev/null +++ b/advisories/hackage/git-annex/HSEC-2023-0011.md @@ -0,0 +1 @@ +advisories/published/2023/0011.md \ No newline at end of file diff --git a/advisories/hackage/git-annex/HSEC-2023-0012.md b/advisories/hackage/git-annex/HSEC-2023-0012.md deleted file mode 100644 index c0d6ba26..00000000 --- a/advisories/hackage/git-annex/HSEC-2023-0012.md +++ /dev/null @@ -1,34 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0012" -cwe = [200] -keywords = ["historical"] - -[[affected]] -package = "git-annex" -cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" -[[affected.versions]] -introduced = "0.20110417" -fixed = "6.20160419" - -[[references]] -type = "ADVISORY" -url = "https://git-annex.branchable.com/security/checksum_exposure_to_encrypted_special_remotes/" -[[references]] -type = "FIX" -url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=b890f3a53d936b5e40aa9acc5876cb98f18b9657" -``` - -# *git-annex* checksum exposure to encrypted special remotes - -A bug exposed the checksum of annexed files to encrypted special -remotes, which are not supposed to have access to the checksum of -the un-encrypted file. This only occurred when resuming uploads to -the encrypted special remote, so it is considered a low-severity -security hole. - -For details, see commit `b890f3a53d936b5e40aa9acc5876cb98f18b9657`. - -No CVE was assigned for this issue. - -Fixed in *git-annex-6.20160419*. diff --git a/advisories/hackage/git-annex/HSEC-2023-0012.md b/advisories/hackage/git-annex/HSEC-2023-0012.md new file mode 120000 index 00000000..fddbcb80 --- /dev/null +++ b/advisories/hackage/git-annex/HSEC-2023-0012.md @@ -0,0 +1 @@ +advisories/published/2023/0012.md \ No newline at end of file 
diff --git a/advisories/hackage/git-annex/HSEC-2023-0013.md b/advisories/hackage/git-annex/HSEC-2023-0013.md
deleted file mode 100644
index ff59b37b..00000000
--- a/advisories/hackage/git-annex/HSEC-2023-0013.md
+++ /dev/null
@@ -1,73 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0013" -cwe = [312] -keywords = ["historical"] -aliases = ["CVE-2014-6274"] - -[[affected]] -package = "git-annex" -cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" -[[affected.versions]] -introduced = "0.20110401" -fixed = "5.20140919" - -[[references]] -type = "ADVISORY" -url = "https://git-annex.branchable.com/security/CVE-2014-6274/" -[[references]] -type = "ARTICLE" -url = "https://git-annex.branchable.com/upgrades/insecure_embedded_creds/" -``` - -# *git-annex* plaintext storage of embedded credentials on encrypted remotes - -*git-annex* had a bug in the **S3** and **Glacier** remotes where if -`embedcreds=yes` was set, and the remote used `encryption=pubkey` or -`encryption=hybrid`, the embedded AWS credentials were stored in the -Git repository in (effectively) plaintext, not encrypted as they -were supposed to be. - -That means that anyone who gets a copy of the Git repository can -extract the AWS credentials from it. Which would be bad. - -A remote with this problem cannot be enabled using `git annex -enableremote`. Old versions of *git-annex* will fail with a GPG -error; the current version will fail with a pointer to this web -page. - -## Remediation - -If your repository has this problem, chose from one of these -approaches to deal with it: - -1. Change your AWS credentials, so the ones stored in the clear in - git won't be used. - - After changing the credentials, make sure you have a fixed - version of git-annex, and you can then re-embed the new creds - into the repository, encrypted this time, by setting the - `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` environment - variables, and running `git annex enableremote $remotename - embedcreds=yes`. - -2. Fix the problem and then remove the history of the *git-annex* - branch of the repository. 
- - Make sure you have a fixed version of *git-annex*, and force - *git-annex* to rewrite the embedded creds, with encryption this - time, by setting by setting the `AWS_SECRET_ACCESS_KEY` and - `AWS_ACCESS_KEY_ID` environment variables, and running `git annex - enableremote $remotename embedcreds=yes`. - - Then, to get rid of old versions of the *git-annex* branch that - still contains the creds in cleartext, you can use `git annex - forget`; note that it will remove other historical data too. - - Keep in mind that this will not necessarily delete data from - clones you do not control. - -3. If you're sure that you're the only one who has access to the - repository, you could decide to leave it as-is. It's no more - insecure than if you had used `encryption=shared` in the first - place when setting it up. diff --git a/advisories/hackage/git-annex/HSEC-2023-0013.md b/advisories/hackage/git-annex/HSEC-2023-0013.md new file mode 120000 index 00000000..228181a3 --- /dev/null +++ b/advisories/hackage/git-annex/HSEC-2023-0013.md @@ -0,0 +1 @@ +advisories/published/2023/0013.md \ No newline at end of file diff --git a/advisories/hackage/hledger-web/HSEC-2023-0008.md b/advisories/hackage/hledger-web/HSEC-2023-0008.md deleted file mode 100644 index 9746784c..00000000 --- a/advisories/hackage/hledger-web/HSEC-2023-0008.md +++ /dev/null 
@@ -1,47 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0008" -cwe = [87] -keywords = ["web", "xss", "historical"] -aliases = ["CVE-2021-46888"] - -[[affected]] -package = "hledger-web" -cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" -[[affected.versions]] -introduced = "0.24" -fixed = "1.23" - -[[references]] -type = "REPORT" -url = "https://github.com/simonmichael/hledger/issues/1525" -[[references]] -type = "INTRODUCED" -url = "https://github.com/simonmichael/hledger/commit/ec51d28839b2910eea360b1b8c72904b51cf7821" -[[references]] -type = "EVIDENCE" -url = "https://www.youtube.com/watch?v=QnRO-VkfIic" -[[references]] -type = "FIX" -url = "https://github.com/simonmichael/hledger/pull/1663" - -``` - -# Stored XSS in *hledger-web* - -An issue was discovered in *hledger-web* < 1.23. A Stored Cross-Site -Scripting (XSS) vulnerability exists in `toBloodhoundJson` that -allows an attacker to execute JavaScript by encoding user-controlled -values in a payload with base64 and parsing them with the `atob` -function. - -*hledger-web* forms sanitise obvious JavaScript, but not obfuscated -JavaScript (see [OWASP Filter Evasion Cheat Sheet][cheatsheet]). -This means *hledger-web* instances, especially anonymously-writable -ones like `demo.hledger.org`, could be loaded with malicious -JavaScript to be executed by subsequent visitors. - -[cheatsheet]: https://owasp.org/www-community/xss-filter-evasion-cheatsheet - -Reported by Gaspard Baye and Hamidullah Muslih. Fix by Arsen -Arsenović. diff --git a/advisories/hackage/hledger-web/HSEC-2023-0008.md b/advisories/hackage/hledger-web/HSEC-2023-0008.md new file mode 120000 index 00000000..b8632e2c --- /dev/null +++ b/advisories/hackage/hledger-web/HSEC-2023-0008.md @@ -0,0 +1 @@ +advisories/published/2023/0008.md \ No newline at end of file diff --git a/advisories/hackage/keter/HSEC-2024-0001.md b/advisories/hackage/keter/HSEC-2024-0001.md deleted file mode 100644 index 324c8fdc..00000000 
--- a/advisories/hackage/keter/HSEC-2024-0001.md +++ /dev/null @@ -1,30 +0,0 @@ -```toml -[advisory] -id = "HSEC-2024-0001" -cwe = [79] -keywords = ["http", "xss", "rxss", "historical"] - -[[references]] -type = "FIX" -url = "https://github.com/snoyberg/keter/pull/246" - -[[affected]] -package = "keter" -cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" -declarations."Keter.Proxy.toResponse" = ">= 0.3.4 && < 1.0.1" -declarations."Keter.Proxy.unknownHostResponse" = ">= 1.0.1 && < 1.8.4" - -[[affected.versions]] -introduced = "0.3.4" -fixed = "1.8.4" -``` - -# Reflected XSS vulnerability in keter - -Keter is an app-server/reverse-proxy often used with webapps build on Yesod web-framework. - -In the logic handling VHost dispatch, Keter was echoing back `Host` header value, unescaped, -as part of an HTML error page. This constitutes a reflected-XSS vulnerability. Although -not readily exploitable directly from a browser (where `Host` header can't generally assume -arbitrary values), it may become such in presence of further weaknesses in components -upstream of Keter in the http proxying chain. Therefore, AC:High in CVSS evaluation. diff --git a/advisories/hackage/keter/HSEC-2024-0001.md b/advisories/hackage/keter/HSEC-2024-0001.md new file mode 120000 index 00000000..3e0874c3 --- /dev/null +++ b/advisories/hackage/keter/HSEC-2024-0001.md @@ -0,0 +1 @@ +advisories/published/2024/0001.md \ No newline at end of file diff --git a/advisories/hackage/pandoc/HSEC-2023-0014.md b/advisories/hackage/pandoc/HSEC-2023-0014.md deleted file mode 100644 index 4fe6be14..00000000 --- a/advisories/hackage/pandoc/HSEC-2023-0014.md +++ /dev/null 
@@ -1,27 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0014" -keywords = ["file write"] -aliases = ["CVE-2023-35936", "GHSA-xj5q-fv23-575g"] -cwe = [20] - -[[references]] -type = "REPORT" -url = "https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g" - -[[affected]] -package = "pandoc" -cvss = "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:L" - -[[affected.versions]] -introduced = "1.13" -fixed = "3.1.4" - -``` -# Arbitrary file write is possible when using PDF output or --extract-media with untrusted input - -Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system (depending on the privileges of the process running pandoc). - -This vulnerability only affects systems that (a) pass untrusted user input to pandoc and (b) allow pandoc to be used to produce a PDF or with the --extract-media option. - -The vulnerability is patched in pandoc 3.1.4. diff --git a/advisories/hackage/pandoc/HSEC-2023-0014.md b/advisories/hackage/pandoc/HSEC-2023-0014.md new file mode 120000 index 00000000..13fac07d --- /dev/null +++ b/advisories/hackage/pandoc/HSEC-2023-0014.md @@ -0,0 +1 @@ +advisories/published/2023/0014.md \ No newline at end of file diff --git a/advisories/hackage/process/HSEC-2024-0003.md b/advisories/hackage/process/HSEC-2024-0003.md deleted file mode 100644 index ac98ec0c..00000000 --- a/advisories/hackage/process/HSEC-2024-0003.md +++ /dev/null 
@@ -1,175 +0,0 @@ -```toml -[advisory] -id = "HSEC-2024-0003" -cwe = [150] -keywords = ["windows"] -aliases = ["CVE-2024-3566", "VU#123335"] -related = ["CVE-2024-1874", "CVE-2024-24576", "CVE-2024-22423"] - -[[references]] -type = "ARTICLE" -url = "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/" - -[[references]] -type = "ADVISORY" -url = "https://kb.cert.org/vuls/id/123335" - -[[references]] -type = "FIX" -url = "https://github.com/haskell/process/commit/3c419f9eeedac024c9dccce544e5a6fb587179a5" - -[[references]] -type = "FIX" -url = "https://github.com/haskell/process/commit/951b02dd95559b1a26f2456bfb97cf740ea40934" - -[[references]] -type = "FIX" -url = "https://github.com/haskell/process/commit/5fc91f5f36ed4479be2b95f04f264bb78ac8089d" - -[[affected]] -package = "process" -os = ["mingw32"] -cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" - -[[affected.versions]] -introduced = "1.0.0.0" -fixed = "1.6.23.0" -``` - -# process: command injection via argument list on Windows - -The *process* library on Windows is vulnerable to a command injection -vulnerability, via `cmd.exe`'s interpretation of arguments. Programs that -invoke batch files (`.bat`, `.cmd`) and pass arguments whose values are -affected by program inputs may be affected. - -This issue was discovered in many programming languages' Windows process -execution behaviour. It was tracked by CERT/CC as **VU#123335** and a -coordinated disclosure was made on 2024-04-09 17:00 UTC. - -A fix was released in *process-1.6.19.0*. - - -## Background - -Unlike POSIX systems, Windows does not have a mechanism for passing multiple -arguments.Command line parsing is up to individual programs. 
- -The *process* library defines the `RawCommand` constructor for specifying an -executable and its arguments: - -```haskell -data CmdSpec - = ShellCommand String - | RawCommand FilePath [String] -``` - -On Windows, the `RawCommand` executable name and arguments are serialised into -a single *command line* string, with separate arguments quoted separately. -*process* then invokes the Windows [`CreateProcess`][doc-CreateProcess] -routine with this command line string is given as the `lpCommandLine` -argument. - -[doc-CreateProcess]: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa - - -## Issue - -When executing `.bat` or `.cmd` files, [`CreateProcess`][doc-CreateProcess] -implicitly spawns `cmd.exe`. The `System.Process` command line construction -does not escape characters with special meaning to `cmd.exe`. As a -consequence, a command injection vulnerability arises when the following -conditions are satisfied: - -- Program running on Windows -- Program executes a `.bat` or `.cmd` file -- The argument values include or are influenced by program input - - -## Demonstration - -The following batch file, `test.bat`, merely prints the executable name the -first two arguments (as interpreted by `cmd.exe`): - -``` -@ECHO OFF -ECHO 0: %0 -ECHO 1: %1 -ECHO 2: %2 -PAUSE -``` - -The following Haskell program executes `test.bat` with basic string arguments. -The output is as expected: - -``` -λ> readProcess "test.bat" ["a","b"] [] >>= putStrLn -0: "test.bat" -1: "a" -2: "b" -``` - -However, we can use a close quote and the `&` character to induce `cmd.exe` to -execute a program named in the argument: - -``` -λ> readProcess "test.bat" ["\"&calc.exe"] [] >>= putStrLn -0: "test.bat" -1: "\" -2: -``` - -In addition to producing the above output, `calc.exe` is executed. 
- - -## Mitigation - -The lack of a general mechanism on Windows for safely conveying command line -arguments to programs increases the risk of this kind of security issue. The -fact that `cmd.exe` command line parsing is complex and poorly documented -exacerbates this issue, and also heightens the risk that the fix is -incomplete, or causes other issues. - -If possible, avoid executing batch files where arguments include or are -influenced by untrusted program inputs. If it must be done, reject arguments -that include special characters including `&` and `"`. - - -## Fix versions - -*process* was modified to perform additional escaping and quoting -when executing `.bat` and `.cmd` files on Windows (ignoring -character case). The behaviour is unchanged in all other cases. - -The fix was released in ***process-1.6.19.0***. The following GHC -releases were the first in their series to include a fixed version -of the *process* library: - -- **GHC 9.10.1-alpha3** (released 2024-04-15) -- **GHC 9.8.3** (released 2024-10-20) -- **GHC 9.6.5** (released 2024-04-16) - -Such a change in semantics should normally result in a major version -bump. Because we expect very few (if any) users will be impacted by -the behavioural change, the GHC team made a pragmatic decision to -avoid the disruption that a major version bump would cause. - -A follow-up fix was released in ***process-1.6.23.0*** to handle batch -scripts with paths ending in whitespace and periods and -unescaped `%` expansions. - - -## Acknowledgements - -Security researcher **RyotaK** discovered and responsibly disclosed -this vulnerability, coordinating the response across the many -affected langauges and ecosystems. - -Ben Gamari commited and released the fix, which was based on a -proposal by Fraser Tweedale. Fraser also improved the -`System.Process` module documentation to better explain the Windows -semantics. 
- -Security researcher **Kainan Zhang** (@4xpl0r3r) discovered and -responsibly disclosing the issue in the first fix and the Rust -Security Response WG coordinated the response. diff --git a/advisories/hackage/process/HSEC-2024-0003.md b/advisories/hackage/process/HSEC-2024-0003.md new file mode 120000 index 00000000..7c2b4db2 --- /dev/null +++ b/advisories/hackage/process/HSEC-2024-0003.md @@ -0,0 +1 @@ +advisories/published/2024/0003.md \ No newline at end of file diff --git a/advisories/hackage/spacecookie/HSEC-2025-0004.md b/advisories/hackage/spacecookie/HSEC-2025-0004.md deleted file mode 100644 index 58a6cfa6..00000000 --- a/advisories/hackage/spacecookie/HSEC-2025-0004.md +++ /dev/null 
@@ -1,36 +0,0 @@ -```toml - -[advisory] -id = "HSEC-2025-0004" -cwe = [23] -capec = [126] -keywords = ["gopher", "path-traversal"] - -aliases = [] -related = [] - -[[affected]] -package = "spacecookie" -cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - -declarations = { "Network.Gopher.Util.santinizePath" = ">= 0.2.0.0 && < 1.0", "Network.Gopher.Util.santinizeIfNotUrl" = ">= 0.2.0.0 && < 1.0", "Network.Gopher.Util.sanitizePath" = ">= 1.0.0.0 && < 1.0.0.3", "Network.Gopher.Util.sanitizeIfNotUrl" = ">= 1.0.0.0 && < 1.0.0.3" } - -[[affected.versions]] -introduced = "0.2.0.0" -fixed = "1.0.0.3" - -[[references]] -type = "FIX" -url = "https://github.com/sternenseemann/spacecookie/commit/2854a8a70833e7abdeeff3c02596a6f2a2f35c61" -``` - -# Broken Path Sanitization in spacecookie Library - -The spacecookie library exposes the functions `sanitizePath` and `sanitizeIfNotUrl` intended to -remove `..` components from paths which can be used to prevent path traversal attacks. Due to -erroneous comparison code, this elimination is not actually performed which has been remedied -in version 1.0.0.3 by properly comparing using `equalFilePath`. - -Any user of those respective functions of any version of spacecookie should upgrade to 1.0.0.3 -or later. Note that the spacecookie server executable included in the same package is not affected -by the problem since a separate check would reject any malicious path that gets by `sanitizePath`. diff --git a/advisories/hackage/spacecookie/HSEC-2025-0004.md b/advisories/hackage/spacecookie/HSEC-2025-0004.md new file mode 120000 index 00000000..6ba07be2 --- /dev/null +++ b/advisories/hackage/spacecookie/HSEC-2025-0004.md @@ -0,0 +1 @@ +advisories/published/2025/0004.md \ No newline at end of file diff --git a/advisories/hackage/tls-extra/HSEC-2023-0005.md b/advisories/hackage/tls-extra/HSEC-2023-0005.md deleted file mode 100644 index acb61ec1..00000000 --- a/advisories/hackage/tls-extra/HSEC-2023-0005.md +++ /dev/null 
@@ -1,34 +0,0 @@
-```toml
-[advisory]
-id = "HSEC-2023-0005"
-cwe = [295]
-keywords = ["x509", "pki", "mitm", "historical"]
-aliases = ["CVE-2013-0243"]
-
-[[affected]]
-package = "tls-extra"
-cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
-
-[[affected.versions]]
-introduced = "0.1.0"
-fixed = "0.4.6.1"
-
-[[references]]
-type = "DISCUSSION"
-url = "https://www.openwall.com/lists/oss-security/2013/01/30/6"
-[[references]]
-type = "REPORT"
-url = "https://github.com/haskell-tls/hs-tls/issues/29"
-[[references]]
-type = "FIX"
-url = "https://github.com/haskell-tls/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37"
-```
-
-# tls-extra: certificate validation does not check Basic Constraints
-
-*tls-extra* does not check the Basic Constraints extension of a
-certificate in certificate chain processing. Any certificate is
-treated as a CA certificate. As a consequence, anyone who has a
-valid certificate can use it to sign another one (with an arbitrary
-subject DN/domain name embedded into it) and have it accepted by
-*tls*. This allows MITM attacks on TLS connections.
diff --git a/advisories/hackage/tls-extra/HSEC-2023-0005.md b/advisories/hackage/tls-extra/HSEC-2023-0005.md
new file mode 120000
index 00000000..f249dc6b
--- /dev/null
+++ b/advisories/hackage/tls-extra/HSEC-2023-0005.md
@@ -0,0 +1 @@
+advisories/published/2023/0005.md
\ No newline at end of file
diff --git a/advisories/hackage/toml-reader/HSEC-2023-0007.md b/advisories/hackage/toml-reader/HSEC-2023-0007.md
index 68d51e39..bd1cc2b4 120000
--- a/advisories/hackage/toml-reader/HSEC-2023-0007.md
+++ b/advisories/hackage/toml-reader/HSEC-2023-0007.md
@@ -1 +1 @@
-../base/HSEC-2023-0007.md
\ No newline at end of file
+advisories/published/2023/0007.md
\ No newline at end of file
diff --git a/advisories/hackage/x509-validation/HSEC-2023-0006.md b/advisories/hackage/x509-validation/HSEC-2023-0006.md
deleted file mode 100644
index da8f6b6a..00000000
--- a/advisories/hackage/x509-validation/HSEC-2023-0006.md +++ /dev/null @@ -1,26 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0006" -cwe = [295] -keywords = ["x509", "pki", "historical"] - -[[affected]] -package = "x509-validation" -cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" - -[[affected.versions]] -introduced = "1.4.0" -fixed = "1.4.8" - -[[references]] -type = "FIX" -url = "https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e" -``` - -# x509-validation does not enforce pathLenConstraint - -*x509-validation* prior to version 1.4.8 did not enforce the -pathLenConstraint value. Constrained CAs could accidentally (or -deliberately) issue CAs below the maximum depth and -*x509-validation* would accept certificates issued by the -unauthorised intermediate CAs. diff --git a/advisories/hackage/x509-validation/HSEC-2023-0006.md b/advisories/hackage/x509-validation/HSEC-2023-0006.md new file mode 120000 index 00000000..b191e7a3 --- /dev/null +++ b/advisories/hackage/x509-validation/HSEC-2023-0006.md @@ -0,0 +1 @@ +advisories/published/2023/0006.md \ No newline at end of file diff --git a/advisories/hackage/xml-conduit/HSEC-2023-0004.md b/advisories/hackage/xml-conduit/HSEC-2023-0004.md deleted file mode 100644 index 0822a530..00000000 --- a/advisories/hackage/xml-conduit/HSEC-2023-0004.md +++ /dev/null 
@@ -1,33 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0004" -cwe = [776] -keywords = ["xml", "dos", "historical"] -aliases = ["CVE-2021-4249", "VDB-216204"] - -[[affected]] -package = "xml-conduit" -cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - -[[affected.versions]] -introduced = "0.5.0" -fixed = "1.9.1.0" - -[[references]] -type = "FIX" -url = "https://github.com/snoyberg/xml/pull/161" -[[references]] -type = "FIX" -url = "https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea" -``` - -# xml-conduit unbounded entity expansion - -A vulnerability was found in *xml-conduit*. It has been classified -as problematic. Affected is an unknown function of the file -`xml-conduit/src/Text/XML/Stream/Parse.hs` of the component DOCTYPE -Entity Expansion Handler. The manipulation leads to infinite loop. -It is possible to launch the attack remotely. Upgrading to version -1.9.1.0 is able to address this issue. The name of the patch is -`4be1021791dcdee8b164d239433a2043dc0939ea`. It is recommended to -upgrade the affected component. diff --git a/advisories/hackage/xml-conduit/HSEC-2023-0004.md b/advisories/hackage/xml-conduit/HSEC-2023-0004.md new file mode 120000 index 00000000..ea3fc32e --- /dev/null +++ b/advisories/hackage/xml-conduit/HSEC-2023-0004.md @@ -0,0 +1 @@ +advisories/published/2023/0004.md \ No newline at end of file diff --git a/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md b/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md deleted file mode 100644 index e5fb1a73..00000000 --- a/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md +++ /dev/null 
@@ -1,31 +0,0 @@ -```toml -[advisory] -id = "HSEC-2023-0003" -cwe = [94] -keywords = ["code", "injection", "historical"] -aliases = ["CVE-2013-1436"] - -[[affected]] -package = "xmonad-contrib" -cvss = "AV:N/AC:L/Au:N/C:P/I:P/A:P" -[[affected.versions]] -introduced = "0.5" -fixed = "0.11.2" - -[[references]] -type = "ADVISORY" -url = "https://security.gentoo.org/glsa/201405-28" -[[references]] -type = "DISCUSSION" -url = "http://www.openwall.com/lists/oss-security/2013/07/26/5" -[[references]] -type = "FIX" -url = "https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51" -``` - -# code injection in *xmonad-contrib* - -The `XMonad.Hooks.DynamicLog` module in _xmonad-contrib_ before -**0.11.2** allows remote attackers to execute arbitrary commands via a -web page title, which activates the commands when the user clicks on -the xmobar window title, as demonstrated using an action tag. diff --git a/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md b/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md new file mode 120000 index 00000000..24e994e1 --- /dev/null +++ b/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md @@ -0,0 +1 @@ +advisories/published/2023/0003.md \ No newline at end of file diff --git a/advisories/hackage/xz-clib/HSEC-2025-0003.md b/advisories/hackage/xz-clib/HSEC-2025-0003.md deleted file mode 100644 index 2680ebef..00000000 --- a/advisories/hackage/xz-clib/HSEC-2025-0003.md +++ /dev/null 
@@ -1,40 +0,0 @@ -```toml -[advisory] -id = "HSEC-2025-0003" -cwe = [416] -keywords = ["corruption", "vendored-code", "language-c"] -aliases = ["CVE-2025-31115"] - -[[references]] -type = "ARTICLE" -url = "https://tukaani.org/xz/threaded-decoder-early-free.html" - -[[references]] -type = "FIX" -url = "https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480" - -[[references]] -type = "FIX" -url = "https://github.com/hasufell/lzma-static/commit/e95fe96530568addfc83b771900025053e2c6951" - -[[affected]] -package = "xz-clib" -cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" - -[[affected.versions]] -introduced = "5.6.3" -fixed = "5.8.1" -``` - -# Use after free in multithreaded lzma (.xz) decoder - -In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in -liblzma has a bug where invalid input can at least result in a crash -(CVE-2025-31115). The effects include heap use after free and -writing to an address based on the null pointer plus an offset. -Applications and libraries that use the `lzma_stream_decoder_mt` -function are affected. - -The Haskell *xz-clib* library vendors and builds the C -implementation. The *xz* package does not use the multithreaded -decoder and is therefore unaffected. diff --git a/advisories/hackage/xz-clib/HSEC-2025-0003.md b/advisories/hackage/xz-clib/HSEC-2025-0003.md new file mode 120000 index 00000000..3ec41321 --- /dev/null +++ b/advisories/hackage/xz-clib/HSEC-2025-0003.md @@ -0,0 +1 @@ +advisories/published/2025/0003.md \ No newline at end of file diff --git a/advisories/published/2023/0001.md b/advisories/published/2023/0001.md new file mode 100644 index 00000000..b8aa88a2 --- /dev/null +++ b/advisories/published/2023/0001.md 
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "HSEC-2023-0001"
+cwe = [328, 400]
+keywords = ["json", "dos", "historical"]
+aliases = ["CVE-2022-3433"]
+
+[[affected]]
+package = "aeson"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+
+[[affected.versions]]
+introduced = "0.4.0.0"
+fixed = "2.0.1.0"
+
+[[references]]
+type = "ARTICLE"
+url = "https://cs-syd.eu/posts/2021-09-11-json-vulnerability"
+[[references]]
+type = "ARTICLE"
+url = "https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html"
+[[references]]
+type = "DISCUSSION"
+url = "https://github.com/haskell/aeson/issues/864"
+```
+
+# Hash flooding vulnerability in aeson
+
+*aeson* was vulnerable to hash flooding (a.k.a. hash DoS). The
+issue is a consequence of the HashMap implementation from
+*unordered-containers*. It results in a denial of service through
+CPU consumption. This technique has been used in real-world attacks
+against a variety of languages, libraries and frameworks over the
+years.
diff --git a/advisories/published/2023/0002.md b/advisories/published/2023/0002.md
new file mode 100644
index 00000000..9fba4bd7
--- /dev/null
+++ b/advisories/published/2023/0002.md
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "HSEC-2023-0002"
+cwe = [347]
+keywords = ["crypto", "historical"]
+aliases = ["CVE-2022-31053"]
+related = ["GHSA-75rw-34q6-72cr"]
+
+[[affected]]
+package = "biscuit-haskell"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "0.2.0.0"
+
+[[references]]
+type = "REPORT"
+url = "https://eprint.iacr.org/2020/1484"
+[[references]]
+type = "ADVISORY"
+url = "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr"
+
+```
+
+# Improper Verification of Cryptographic Signature
+
+The Biscuit specification version 1 contains a vulnerable algorithm that allows
+malicious actors to forge valid Γ-signatures. Such an attack would allow an
+attacker to create a token with any access level. The version 2 of the
+specification mandates a different algorithm than gamma signatures and as such
+is not affected by this vulnerability.
diff --git a/advisories/published/2023/0003.md b/advisories/published/2023/0003.md
new file mode 100644
index 00000000..e5fb1a73
--- /dev/null
+++ b/advisories/published/2023/0003.md
@@ -0,0 +1,31 @@
+```toml
+[advisory]
+id = "HSEC-2023-0003"
+cwe = [94]
+keywords = ["code", "injection", "historical"]
+aliases = ["CVE-2013-1436"]
+
+[[affected]]
+package = "xmonad-contrib"
+cvss = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
+[[affected.versions]]
+introduced = "0.5"
+fixed = "0.11.2"
+
+[[references]]
+type = "ADVISORY"
+url = "https://security.gentoo.org/glsa/201405-28"
+[[references]]
+type = "DISCUSSION"
+url = "http://www.openwall.com/lists/oss-security/2013/07/26/5"
+[[references]]
+type = "FIX"
+url = "https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51"
+```
+
+# code injection in *xmonad-contrib*
+
+The `XMonad.Hooks.DynamicLog` module in _xmonad-contrib_ before
+**0.11.2** allows remote attackers to execute arbitrary commands via a
+web page title, which activates the commands when the user clicks on
+the xmobar window title, as demonstrated using an action tag.
diff --git a/advisories/published/2023/0004.md b/advisories/published/2023/0004.md
new file mode 100644
index 00000000..0822a530
--- /dev/null
+++ b/advisories/published/2023/0004.md
@@ -0,0 +1,33 @@
+```toml
+[advisory]
+id = "HSEC-2023-0004"
+cwe = [776]
+keywords = ["xml", "dos", "historical"]
+aliases = ["CVE-2021-4249", "VDB-216204"]
+
+[[affected]]
+package = "xml-conduit"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[[affected.versions]]
+introduced = "0.5.0"
+fixed = "1.9.1.0"
+
+[[references]]
+type = "FIX"
+url = "https://github.com/snoyberg/xml/pull/161"
+[[references]]
+type = "FIX"
+url = "https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea"
+```
+
+# xml-conduit unbounded entity expansion
+
+A vulnerability was found in *xml-conduit*. It has been classified
+as problematic. Affected is an unknown function of the file
+`xml-conduit/src/Text/XML/Stream/Parse.hs` of the component DOCTYPE
+Entity Expansion Handler. The manipulation leads to infinite loop.
+It is possible to launch the attack remotely. Upgrading to version
+1.9.1.0 is able to address this issue. The name of the patch is
+`4be1021791dcdee8b164d239433a2043dc0939ea`. It is recommended to
+upgrade the affected component.
diff --git a/advisories/published/2023/0005.md b/advisories/published/2023/0005.md
new file mode 100644
index 00000000..acb61ec1
--- /dev/null
+++ b/advisories/published/2023/0005.md
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "HSEC-2023-0005"
+cwe = [295]
+keywords = ["x509", "pki", "mitm", "historical"]
+aliases = ["CVE-2013-0243"]
+
+[[affected]]
+package = "tls-extra"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0"
+fixed = "0.4.6.1"
+
+[[references]]
+type = "DISCUSSION"
+url = "https://www.openwall.com/lists/oss-security/2013/01/30/6"
+[[references]]
+type = "REPORT"
+url = "https://github.com/haskell-tls/hs-tls/issues/29"
+[[references]]
+type = "FIX"
+url = "https://github.com/haskell-tls/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37"
+```
+
+# tls-extra: certificate validation does not check Basic Constraints
+
+*tls-extra* does not check the Basic Constraints extension of a
+certificate in certificate chain processing. Any certificate is
+treated as a CA certificate. As a consequence, anyone who has a
+valid certificate can use it to sign another one (with an arbitrary
+subject DN/domain name embedded into it) and have it accepted by
+*tls*. This allows MITM attacks on TLS connections.
diff --git a/advisories/published/2023/0006.md b/advisories/published/2023/0006.md
new file mode 100644
index 00000000..da8f6b6a
--- /dev/null
+++ b/advisories/published/2023/0006.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "HSEC-2023-0006"
+cwe = [295]
+keywords = ["x509", "pki", "historical"]
+
+[[affected]]
+package = "x509-validation"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"
+
+[[affected.versions]]
+introduced = "1.4.0"
+fixed = "1.4.8"
+
+[[references]]
+type = "FIX"
+url = "https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e"
+```
+
+# x509-validation does not enforce pathLenConstraint
+
+*x509-validation* prior to version 1.4.8 did not enforce the
+pathLenConstraint value. Constrained CAs could accidentally (or
+deliberately) issue CAs below the maximum depth and
+*x509-validation* would accept certificates issued by the
+unauthorised intermediate CAs.
diff --git a/advisories/published/2023/0007.md b/advisories/published/2023/0007.md
new file mode 100644
index 00000000..0987d8c8
--- /dev/null
+++ b/advisories/published/2023/0007.md
@@ -0,0 +1,78 @@
+```toml
+[advisory]
+id = "HSEC-2023-0007"
+cwe = [1284, 789]
+keywords = ["toml", "parser", "dos"]
+
+[[affected]]
+package = "base"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+[[affected.versions]]
+# it was introduced earlier, but this is the earliest version on Hackage
+introduced = "3.0.3.1"
+
+[[affected]]
+package = "toml-reader"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "0.2.0.0"
+
+[[references]]
+type = "REPORT"
+url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23538"
+[[references]]
+type = "REPORT"
+url = "https://github.com/brandonchinn178/toml-reader/issues/8"
+[[references]]
+type = "FIX"
+url = "https://github.com/brandonchinn178/toml-reader/pull/9"
+
+```
+
+# `readFloat`: memory exhaustion with large exponent
+
+`Numeric.readFloat` takes time and memory linear in the size of the
+number _denoted_ by the input string. In particular, processing a
+number expressed in scientific notation with a very large exponent
+could cause a denial of service. The slowdown is observable on a
+modern machine running GHC 9.4.4:
+
+```
+ghci> import qualified Numeric
+ghci> Numeric.readFloat "1e1000000" -- near instantaneous
+[(Infinity,"")]
+ghci> Numeric.readFloat "1e10000000" -- perceptible pause
+[(Infinity,"")]
+ghci> Numeric.readFloat "1e100000000" -- ~ 3 seconds
+[(Infinity,"")]
+ghci> Numeric.readFloat "1e1000000000" -- ~ 35 seconds
+[(Infinity,"")]
+```
+
+## In *base*
+
+`Numeric.readFloat` is defined for all `RealFrac a => a`:
+
+```haskell
+readFloat :: RealFrac a => ReadS a
+```
+
+The `RealFrac` type class does not express any bounds on the size of
+values representable in the types for which instances exist, so
+bounds checking is not possible (in this *generic* function).
+`readFloat` uses to `Text.Read.Lex.numberToRational` which, among
+other things, calculates `10 ^ exponent`, which seems to take linear
+time and memory.
+
+**Mitigation:** use `read`. The `Read` instances for `Float` and
+`Double` perform bounds checks on the exponent, via
+`Text.Read.Lex.numberToRangedRational`.
+
+
+## In *toml-reader*
+
+The issue was detected in *toml-reader* version 0.1.0.0, and
+mitigated in version 0.2.0.0 by immediately returning `Infinity`
+when the exponent is large enough that there's no reason to process
+it.
diff --git a/advisories/published/2023/0008.md b/advisories/published/2023/0008.md
new file mode 100644
index 00000000..9746784c
--- /dev/null
+++ b/advisories/published/2023/0008.md
@@ -0,0 +1,47 @@
+```toml
+[advisory]
+id = "HSEC-2023-0008"
+cwe = [87]
+keywords = ["web", "xss", "historical"]
+aliases = ["CVE-2021-46888"]
+
+[[affected]]
+package = "hledger-web"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+[[affected.versions]]
+introduced = "0.24"
+fixed = "1.23"
+
+[[references]]
+type = "REPORT"
+url = "https://github.com/simonmichael/hledger/issues/1525"
+[[references]]
+type = "INTRODUCED"
+url = "https://github.com/simonmichael/hledger/commit/ec51d28839b2910eea360b1b8c72904b51cf7821"
+[[references]]
+type = "EVIDENCE"
+url = "https://www.youtube.com/watch?v=QnRO-VkfIic"
+[[references]]
+type = "FIX"
+url = "https://github.com/simonmichael/hledger/pull/1663"
+
+```
+
+# Stored XSS in *hledger-web*
+
+An issue was discovered in *hledger-web* < 1.23. A Stored Cross-Site
+Scripting (XSS) vulnerability exists in `toBloodhoundJson` that
+allows an attacker to execute JavaScript by encoding user-controlled
+values in a payload with base64 and parsing them with the `atob`
+function.
+
+*hledger-web* forms sanitise obvious JavaScript, but not obfuscated
+JavaScript (see [OWASP Filter Evasion Cheat Sheet][cheatsheet]).
+This means *hledger-web* instances, especially anonymously-writable
+ones like `demo.hledger.org`, could be loaded with malicious
+JavaScript to be executed by subsequent visitors.
+
+[cheatsheet]: https://owasp.org/www-community/xss-filter-evasion-cheatsheet
+
+Reported by Gaspard Baye and Hamidullah Muslih. Fix by Arsen
+Arsenović.
diff --git a/advisories/published/2023/0009.md b/advisories/published/2023/0009.md
new file mode 100644
index 00000000..237e1859
--- /dev/null
+++ b/advisories/published/2023/0009.md
@@ -0,0 +1,46 @@
+```toml
+[advisory]
+id = "HSEC-2023-0009"
+cwe = [20, 78]
+keywords = ["ssh", "command-injection", "historical"]
+aliases = ["CVE-2017-12976"]
+related = ["CVE-2017-9800", "CVE-2017-12836", "CVE-2017-1000116", "CVE-2017-1000117"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+[[affected.versions]]
+introduced = "0"
+fixed = "6.20170818"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/CVE-2017-12976/"
+[[references]]
+type = "FIX"
+url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=df11e54788b254efebb4898b474de11ae8d3b471"
+```
+
+# *git-annex* command injection via malicious SSH hostname
+
+*git-annex* was vulnerable to the same class of security hole as
+git's **CVE-2017-1000117**. In several cases, `git-annex` parses a
+repository URL, and uses it to generate a `ssh` command, with the
+hostname to ssh to coming from the URL. If the hostname it parses is
+something like `-eProxyCommand=evil`, this could result in arbitrary
+local code execution.
+
+Some details of URL parsing may prevent the exploit working in some
+cases.
+
+Exploiting this would involve the attacker tricking the victim into
+adding a remote something like `ssh://-eProxyCommand=evil/blah`.
+
+One possible avenue for an attacker that avoids exposing the URL to
+the user is to use `initremote` with an SSH remote, so embedding the
+URL in the *git-annex* branch. Then the victim would enable it with
+`enableremote`.
+
+This was fixed in version **6.20170818**. Now there's a `SshHost`
+type that is not allowed to start with a dash, and every invocation
+of `git-annex` uses a function that takes a `SshHost`.
diff --git a/advisories/published/2023/0010.md b/advisories/published/2023/0010.md
new file mode 100644
index 00000000..9b31b907
--- /dev/null
+++ b/advisories/published/2023/0010.md
@@ -0,0 +1,78 @@
+```toml
+[advisory]
+id = "HSEC-2023-0010"
+cwe = [200, 610]
+keywords = ["exfiltration", "historical"]
+aliases = ["CVE-2018-10857"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+[[affected.versions]]
+introduced = "0"
+fixed = "6.20180626"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/"
+```
+
+# *git-annex* private data exfiltration to compromised remote
+
+Some uses of git-annex were vulnerable to a private data exposure
+and exfiltration attack. It could expose the content of files
+located outside the *git-annex* repository, or content from a
+private web server on localhost or the LAN. Joey Hess discovered
+this attack.
+
+To perform this attack, the attacker needs to have control over one
+of the remotes of the victim's *git-annex* repository. For example,
+they may provide a public *git-annex* repository that the victim
+clones. Or, equivalantly, the attacker could have read access to the
+victim's *git-annex* repository or a repository it pushes to, and
+some channel to get commits into it (e.g. pull requests).
+
+These exploits are most likely to succeed when the victim is running
+the `git-annex` assistant, or is periodically running `git annex
+sync --content`.
+
+To perform the attack the attacker runs `git-annex addurl --relaxed
+file:///etc/passwd` and commits this to the repository in some out
+of the way place. After the victim's git repository receives that
+change, `git-annex` follows the attacker-provided URL to the private
+data, which it stores in the *git-annex* repository. From there it
+transfers the content to the remote *git-annex* repository that the
+attacker has access to.
+
+As well as `file:///` URLs, the attacker can use URLs to private web
+servers. The URL can also be one that the attacker controls, that
+redirects to a URL that is accessible to the victim system (and not
+necessarily the compromised remote).
+
+## Fix
+
+The issue was fixed by making `git-annex` refuse to follow
+`file:///` urls and URLs pointing to private/local IP addresses by
+default. Two new configuration settings,
+`annex.security.allowed-url-schemes` and
+`annex.security.allowed-ip-addresses`, can relax this security
+policy, and are intended for cases where the *git-annex* repository
+is kept private and so the attack does not apply.
+
+## Impact on external special remotes
+
+One variant of this issue can exploit a vulnerable external special
+remote, and could not be prevented by `git-annex`. (`git-annex`'s
+own built-in special remotes are not vulnerable to this attack.)
+
+In this attack variant, the attacker guesses the hash of a file
+stored on the victim's private web server, and adds it to the
+`git-annex` repository. The attacker also has control of the server
+hosting an encrypted special remote used by the victim's *git-annex*
+repository. They cause that server to redirect to the victim's web
+server. This allows the attacker to verify if the victim's web
+server contains a file that the attacker already knows the content
+of, assuming they can guess the URL to it.
+
+Developers of external special remotes are encouraged to prevent
+this attack by not following such HTTP redirects.
diff --git a/advisories/published/2023/0011.md b/advisories/published/2023/0011.md
new file mode 100644
index 00000000..7adc7c0e
--- /dev/null
+++ b/advisories/published/2023/0011.md
@@ -0,0 +1,47 @@
+```toml
+[advisory]
+id = "HSEC-2023-0011"
+cwe = [200]
+keywords = ["exfiltration", "pgp", "historical"]
+aliases = ["CVE-2018-10859"]
+related = ["HSEC-2023-0010", "CVE-2018-10857"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+[[affected.versions]]
+introduced = "0.20110417"
+fixed = "6.20180626"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/"
+```
+
+# *git-annex* GPG decryption attack via compromised remote
+
+A malicious server for a special remote could trick `git-annex` into
+decrypting a file that was encrypted to the user's GPG key. This
+attack could be used to expose encrypted data that was never stored
+in *git-annex*. Daniel Dent discovered this attack in collaboration
+with Joey Hess.
+
+To perform this attack the attacker needs control of a server
+hosting an *encrypted* special remote used by the victim's
+*git-annex* repository. The attacker uses `git annex addurl
+--relaxed` with an innocuous URL, and waits for the user's
+`git-annex` to download it, and upload an (encrypted) copy to the
+special remote they also control. At some later point, when the
+user downloads the content from the special remote, the attacker
+instead sends them the content of the GPG-encrypted file that they
+wish to have decrypted in its place (which may have been exfiltrated
+from the victim's system via the attack described in
+**HSEC-2023-0010** / **CVE-2018-10857**, or acquired by other
+means). Finally, the attacker drops their own copy of the original
+innocuous URL, and waits for the victim `git-annex` to send them the
+accidentially decrypted file.
+
+The issue was fixed by making `git-annex` refuse to download
+encrypted content from special remotes, unless it knows the hash of
+the expected content. When the attacker provides some other
+GPG-encrypted content, it will fail the hash check and be discarded.
diff --git a/advisories/published/2023/0012.md b/advisories/published/2023/0012.md
new file mode 100644
index 00000000..c0d6ba26
--- /dev/null
+++ b/advisories/published/2023/0012.md
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "HSEC-2023-0012"
+cwe = [200]
+keywords = ["historical"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+[[affected.versions]]
+introduced = "0.20110417"
+fixed = "6.20160419"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/checksum_exposure_to_encrypted_special_remotes/"
+[[references]]
+type = "FIX"
+url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=b890f3a53d936b5e40aa9acc5876cb98f18b9657"
+```
+
+# *git-annex* checksum exposure to encrypted special remotes
+
+A bug exposed the checksum of annexed files to encrypted special
+remotes, which are not supposed to have access to the checksum of
+the un-encrypted file. This only occurred when resuming uploads to
+the encrypted special remote, so it is considered a low-severity
+security hole.
+
+For details, see commit `b890f3a53d936b5e40aa9acc5876cb98f18b9657`.
+
+No CVE was assigned for this issue.
+
+Fixed in *git-annex-6.20160419*.
diff --git a/advisories/published/2023/0013.md b/advisories/published/2023/0013.md
new file mode 100644
index 00000000..ff59b37b
--- /dev/null
+++ b/advisories/published/2023/0013.md
@@ -0,0 +1,73 @@
+```toml
+[advisory]
+id = "HSEC-2023-0013"
+cwe = [312]
+keywords = ["historical"]
+aliases = ["CVE-2014-6274"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+[[affected.versions]]
+introduced = "0.20110401"
+fixed = "5.20140919"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/CVE-2014-6274/"
+[[references]]
+type = "ARTICLE"
+url = "https://git-annex.branchable.com/upgrades/insecure_embedded_creds/"
+```
+
+# *git-annex* plaintext storage of embedded credentials on encrypted remotes
+
+*git-annex* had a bug in the **S3** and **Glacier** remotes where if
+`embedcreds=yes` was set, and the remote used `encryption=pubkey` or
+`encryption=hybrid`, the embedded AWS credentials were stored in the
+Git repository in (effectively) plaintext, not encrypted as they
+were supposed to be.
+
+That means that anyone who gets a copy of the Git repository can
+extract the AWS credentials from it. Which would be bad.
+
+A remote with this problem cannot be enabled using `git annex
+enableremote`. Old versions of *git-annex* will fail with a GPG
+error; the current version will fail with a pointer to this web
+page.
+
+## Remediation
+
+If your repository has this problem, chose from one of these
+approaches to deal with it:
+
+1. Change your AWS credentials, so the ones stored in the clear in
+ git won't be used.
+
+ After changing the credentials, make sure you have a fixed
+ version of git-annex, and you can then re-embed the new creds
+ into the repository, encrypted this time, by setting the
+ `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` environment
+ variables, and running `git annex enableremote $remotename
+ embedcreds=yes`.
+
+2. Fix the problem and then remove the history of the *git-annex*
+ branch of the repository.
+
+ Make sure you have a fixed version of *git-annex*, and force
+ *git-annex* to rewrite the embedded creds, with encryption this
+ time, by setting by setting the `AWS_SECRET_ACCESS_KEY` and
+ `AWS_ACCESS_KEY_ID` environment variables, and running `git annex
+ enableremote $remotename embedcreds=yes`.
+
+ Then, to get rid of old versions of the *git-annex* branch that
+ still contains the creds in cleartext, you can use `git annex
+ forget`; note that it will remove other historical data too.
+
+ Keep in mind that this will not necessarily delete data from
+ clones you do not control.
+
+3. If you're sure that you're the only one who has access to the
+ repository, you could decide to leave it as-is. It's no more
+ insecure than if you had used `encryption=shared` in the first
+ place when setting it up.
diff --git a/advisories/published/2023/0014.md b/advisories/published/2023/0014.md
new file mode 100644
index 00000000..4fe6be14
--- /dev/null
+++ b/advisories/published/2023/0014.md
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "HSEC-2023-0014"
+keywords = ["file write"]
+aliases = ["CVE-2023-35936", "GHSA-xj5q-fv23-575g"]
+cwe = [20]
+
+[[references]]
+type = "REPORT"
+url = "https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g"
+
+[[affected]]
+package = "pandoc"
+cvss = "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:L"
+
+[[affected.versions]]
+introduced = "1.13"
+fixed = "3.1.4"
+
+```
+# Arbitrary file write is possible when using PDF output or --extract-media with untrusted input
+
+Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system (depending on the privileges of the process running pandoc).
+
+This vulnerability only affects systems that (a) pass untrusted user input to pandoc and (b) allow pandoc to be used to produce a PDF or with the --extract-media option.
+
+The vulnerability is patched in pandoc 3.1.4.
diff --git a/advisories/published/2023/0015.md b/advisories/published/2023/0015.md
new file mode 100644
index 00000000..529845b9
--- /dev/null
+++ b/advisories/published/2023/0015.md
@@ -0,0 +1,95 @@
+```toml
+[advisory]
+id = "HSEC-2023-0015"
+cwe = [672]
+keywords = ["hackage", "mitm", "supply-chain"]
+
+[[affected]]
+package = "cabal-install"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"
+[[affected.versions]]
+introduced = "1.24.0.0"
+fixed = "3.10.2.0"
+
+[[references]]
+type = "REPORT"
+url = "https://github.com/haskell/cabal/issues/8918#issuecomment-1521096581"
+[[references]]
+type = "FIX"
+url = "https://github.com/haskell/cabal/commit/dcfdc9cffd74cade4e8cf3df37c5993413ffd30f"
+```
+
+# cabal-install uses expired key policies
+
+A problem was recently discovered in `cabal-install`'s
+implementation of the Hackage Security protocol that would allow an
+attacker who was in possession of a revoked private key and who
+could perform a man-in-the-middle attack against Hackage to use the
+revoked key to deliver malicious packages. At this time, this is
+only a theoretical attack - no keys have been revoked. Release
+3.10.2.0 of `cabal-install` contains a fix for this bug, and we have
+contacted distributors of older versions (such as Linux
+distributions) with a patch that they can apply.
+
+## Background
+
+Hackage Security is an implementation of [The Update Framework][],
+which is a design for a package repository that allows untrusted
+mirrors without undermining software supply-chain security. In
+particular, Hackage Security cryptographically guarantees the
+following properties:
+
+ * Mirrors of Hackage cannot change the contents of packages. This
+ prevents the insertion of malicious code.
+
+ * Mirrors cannot omit newer packages for more than a few days
+ without clients noticing. This ensures both that mirrors cannot
+ maliciously deny security updates, and that mistakes in their
+ configuration will be noticed.
+
+Hackage has a [key policy file][] that delegates authority to a
+number of private keys for various purposes. Most of the keys are
+kept securely offline by trusted community members who annually
+re-sign the various files to indicate that they still have
+confidence in Hackage's policies. However, to prevent clients from
+being denied updates, Hackage has an automated process that
+periodically re-signs a timestamp file. This signature has a short
+expiry. Additionally, a snapshot file contains signed hashes of the
+Hackage index that is updated on each package upload. The timestamp
+and snapshot private keys are held in memory on the Hackage server.
+These are called the operational keys. If an operational key is ever
+compromised, then it will be revoked by having the Hackage root
+keyholders sign a new key policy file. To prevent replay attacks,
+clients that connect to Hackage after this update will reject older
+policy files, based on a monotonically increasing file version
+number.
+
+If a client has not yet received the updated policy file (for
+example, because they have a fresh install of `cabal-install` or
+because they have not run `cabal update` in some time), the built-in
+expiration date in the file limits the window of exposure in which
+the revoked operational keys would be expected. As long as the root
+keys have not been compromised, the compromised operational keys can
+only be used until the policy file expires. In addition to
+compromising a Hackage operational key, an attacker would
+additionally need to either compromise a Hackage mirror or perform a
+man-in-the-middle attack against the target in order to serve a
+malicious or obsolete package index.
+
+[key policy file]: https://hackage.haskell.org/root.json
+[The Update Framework]: https://theupdateframework.io/
+
+## The Issue
+
+A bug in `cabal-install` caused it to skip the verification of the
+key policy file's expiration timestamp. This means that users of
+older, unpatched versions of `cabal-install` could be vulnerable to
+a malicious mirror or man-in-the-middle attack against Hackage if
+they have not connected to Hackage in a long time, even after the
+policy file has expired.
+
+We do not believe that it has been possible to exploit this
+vulnerability, because no operational keys have been revoked.
+However, in case key revocation occurs, we strongly advise all users
+of `cabal-install` to ensure that they have version 3.10.2.0 or
+newer, which contain the fix.
diff --git a/advisories/published/2024/0001.md b/advisories/published/2024/0001.md
new file mode 100644
index 00000000..324c8fdc
--- /dev/null
+++ b/advisories/published/2024/0001.md
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "HSEC-2024-0001"
+cwe = [79]
+keywords = ["http", "xss", "rxss", "historical"]
+
+[[references]]
+type = "FIX"
+url = "https://github.com/snoyberg/keter/pull/246"
+
+[[affected]]
+package = "keter"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
+declarations."Keter.Proxy.toResponse" = ">= 0.3.4 && < 1.0.1"
+declarations."Keter.Proxy.unknownHostResponse" = ">= 1.0.1 && < 1.8.4"
+
+[[affected.versions]]
+introduced = "0.3.4"
+fixed = "1.8.4"
+```
+
+# Reflected XSS vulnerability in keter
+
+Keter is an app-server/reverse-proxy often used with webapps build on Yesod web-framework.
+
+In the logic handling VHost dispatch, Keter was echoing back `Host` header value, unescaped,
+as part of an HTML error page. This constitutes a reflected-XSS vulnerability. Although
+not readily exploitable directly from a browser (where `Host` header can't generally assume
+arbitrary values), it may become such in presence of further weaknesses in components
+upstream of Keter in the http proxying chain. Therefore, AC:High in CVSS evaluation.
diff --git a/advisories/published/2024/0002.md b/advisories/published/2024/0002.md
new file mode 100644
index 00000000..d9e49d1f
--- /dev/null
+++ b/advisories/published/2024/0002.md
@@ -0,0 +1,61 @@
+```toml
+[advisory]
+id = "HSEC-2024-0002"
+cwe = [787]
+keywords = ["corruption", "vendored-code", "language-c"]
+aliases = ["CVE-2019-12900"]
+
+[[references]]
+type = "DISCUSSION"
+url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"
+
+[[references]]
+type = "DISCUSSION"
+url = "http://scary.beasts.org/security/CESA-2008-005.html"
+
+[[references]]
+type = "ADVISORY"
+url = "https://access.redhat.com/security/cve/cve-2019-12900"
+
+[[references]]
+type = "FIX"
+url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"
+
+[[affected]]
+package = "bzlib"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.4"
+fixed = "0.5.2.0"
+
+[[affected]]
+package = "bz2"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "1.0.1.1"
+
+[[affected]]
+package = "bzlib-conduit"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "0.3.0.3"
+```
+
+# out-of-bounds write when there are many bzip2 selectors
+
+A malicious bzip2 payload may produce a memory corruption
+resulting in a denial of service and/or remote code execution.
+Network services or command line utilities decompressing
+untrusted bzip2 payloads are affected.
+
+Note that the exploitation of this bug relies on an undefined
+behavior that appears to be handled safely by current compilers.
+
+The Haskell libraires are vulnerable when they are built using
+the bundled C library source code, which is the default
+in most cases.
diff --git a/advisories/published/2024/0003.md b/advisories/published/2024/0003.md
new file mode 100644
index 00000000..ac98ec0c
--- /dev/null
+++ b/advisories/published/2024/0003.md
@@ -0,0 +1,175 @@ +```toml +[advisory] +id = "HSEC-2024-0003" +cwe = [150] +keywords = ["windows"] +aliases = ["CVE-2024-3566", "VU#123335"] +related = ["CVE-2024-1874", "CVE-2024-24576", "CVE-2024-22423"] + +[[references]] +type = "ARTICLE" +url = "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/" + +[[references]] +type = "ADVISORY" +url = "https://kb.cert.org/vuls/id/123335" + +[[references]] +type = "FIX" +url = "https://github.com/haskell/process/commit/3c419f9eeedac024c9dccce544e5a6fb587179a5" + +[[references]] +type = "FIX" +url = "https://github.com/haskell/process/commit/951b02dd95559b1a26f2456bfb97cf740ea40934" + +[[references]] +type = "FIX" +url = "https://github.com/haskell/process/commit/5fc91f5f36ed4479be2b95f04f264bb78ac8089d" + +[[affected]] +package = "process" +os = ["mingw32"] +cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + +[[affected.versions]] +introduced = "1.0.0.0" +fixed = "1.6.23.0" +``` + +# process: command injection via argument list on Windows + +The *process* library on Windows is vulnerable to a command injection +vulnerability, via `cmd.exe`'s interpretation of arguments. Programs that +invoke batch files (`.bat`, `.cmd`) and pass arguments whose values are +affected by program inputs may be affected. + +This issue was discovered in many programming languages' Windows process +execution behaviour. It was tracked by CERT/CC as **VU#123335** and a +coordinated disclosure was made on 2024-04-09 17:00 UTC. + +A fix was released in *process-1.6.19.0*. + + +## Background + +Unlike POSIX systems, Windows does not have a mechanism for passing multiple +arguments.Command line parsing is up to individual programs. 
+ +The *process* library defines the `RawCommand` constructor for specifying an +executable and its arguments: + +```haskell +data CmdSpec + = ShellCommand String + | RawCommand FilePath [String] +``` + +On Windows, the `RawCommand` executable name and arguments are serialised into +a single *command line* string, with separate arguments quoted separately. +*process* then invokes the Windows [`CreateProcess`][doc-CreateProcess] +routine with this command line string is given as the `lpCommandLine` +argument. + +[doc-CreateProcess]: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa + + +## Issue + +When executing `.bat` or `.cmd` files, [`CreateProcess`][doc-CreateProcess] +implicitly spawns `cmd.exe`. The `System.Process` command line construction +does not escape characters with special meaning to `cmd.exe`. As a +consequence, a command injection vulnerability arises when the following +conditions are satisfied: + +- Program running on Windows +- Program executes a `.bat` or `.cmd` file +- The argument values include or are influenced by program input + + +## Demonstration + +The following batch file, `test.bat`, merely prints the executable name the +first two arguments (as interpreted by `cmd.exe`): + +``` +@ECHO OFF +ECHO 0: %0 +ECHO 1: %1 +ECHO 2: %2 +PAUSE +``` + +The following Haskell program executes `test.bat` with basic string arguments. +The output is as expected: + +``` +λ> readProcess "test.bat" ["a","b"] [] >>= putStrLn +0: "test.bat" +1: "a" +2: "b" +``` + +However, we can use a close quote and the `&` character to induce `cmd.exe` to +execute a program named in the argument: + +``` +λ> readProcess "test.bat" ["\"&calc.exe"] [] >>= putStrLn +0: "test.bat" +1: "\" +2: +``` + +In addition to producing the above output, `calc.exe` is executed. 
+ + +## Mitigation + +The lack of a general mechanism on Windows for safely conveying command line +arguments to programs increases the risk of this kind of security issue. The +fact that `cmd.exe` command line parsing is complex and poorly documented +exacerbates this issue, and also heightens the risk that the fix is +incomplete, or causes other issues. + +If possible, avoid executing batch files where arguments include or are +influenced by untrusted program inputs. If it must be done, reject arguments +that include special characters including `&` and `"`. + + +## Fix versions + +*process* was modified to perform additional escaping and quoting +when executing `.bat` and `.cmd` files on Windows (ignoring +character case). The behaviour is unchanged in all other cases. + +The fix was released in ***process-1.6.19.0***. The following GHC +releases were the first in their series to include a fixed version +of the *process* library: + +- **GHC 9.10.1-alpha3** (released 2024-04-15) +- **GHC 9.8.3** (released 2024-10-20) +- **GHC 9.6.5** (released 2024-04-16) + +Such a change in semantics should normally result in a major version +bump. Because we expect very few (if any) users will be impacted by +the behavioural change, the GHC team made a pragmatic decision to +avoid the disruption that a major version bump would cause. + +A follow-up fix was released in ***process-1.6.23.0*** to handle batch +scripts with paths ending in whitespace and periods and +unescaped `%` expansions. + + +## Acknowledgements + +Security researcher **RyotaK** discovered and responsibly disclosed +this vulnerability, coordinating the response across the many +affected langauges and ecosystems. + +Ben Gamari commited and released the fix, which was based on a +proposal by Fraser Tweedale. Fraser also improved the +`System.Process` module documentation to better explain the Windows +semantics. 
+ +Security researcher **Kainan Zhang** (@4xpl0r3r) discovered and +responsibly disclosing the issue in the first fix and the Rust +Security Response WG coordinated the response. diff --git a/advisories/published/2024/0006.md b/advisories/published/2024/0006.md new file mode 100644 index 00000000..593bd5fa --- /dev/null +++ b/advisories/published/2024/0006.md @@ -0,0 +1,41 @@ +```toml +[advisory] +id = "HSEC-2024-0006" +cwe = [192] +keywords = ["integrity", "dos", "historical"] + +[[affected]] +package = "base" +cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" + +[[affected.versions]] +introduced = "4.15.0.0" +fixed = "4.15.1.0" + +[[references]] +type = "REPORT" +url = "https://gitlab.haskell.org/ghc/ghc/-/issues/19345" + +[[references]] +type = "REPORT" +url = "https://gitlab.haskell.org/ghc/ghc/-/issues/20066" + +[[references]] +type = "FIX" +url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/4980" + +[[references]] +type = "FIX" +url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/6109" +``` + +# `fromIntegral`: conversion error + +`fromIntegral` may result in coercion errors when used with optimization flags `-O1` or `-O2` +in the following situation: + +- Converting negative `Int` to `Natural` does not throw an arithmetic underflow error +- Converting large `Integer` greater than 2^64 to `Natural` overflow. + +For the most part, these errors in and of themselves result only in availability and data integrity issues. +However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions. diff --git a/advisories/published/2024/0007.md b/advisories/published/2024/0007.md new file mode 100644 index 00000000..c5cac3a0 --- /dev/null +++ b/advisories/published/2024/0007.md 
@@ -0,0 +1,36 @@ +```toml +[advisory] +id = "HSEC-2024-0007" +cwe = [194] +keywords = ["integrity", "dos", "historical"] + +[[affected]] +ghc-component = "ghc" +cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" + +[[affected.versions]] +introduced = "9.2.4" +fixed = "9.2.5" + +[[affected.versions]] +introduced = "9.4.2" +fixed = "9.4.3" + +[[references]] +type = "REPORT" +url = "https://gitlab.haskell.org/ghc/ghc/-/issues/22282" + +[[references]] +type = "FIX" +url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9152" + +[[references]] +type = "FIX" +url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9139" +``` + +# Sign extension error in the AArch64 NCG + +Arithmetic operations may result in incorrect runtime results on the native aarch64 backend. +For the most part, this bug only causes availability and data integrity issues. +However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. diff --git a/advisories/published/2024/0008.md b/advisories/published/2024/0008.md new file mode 100644 index 00000000..78e4e0f9 --- /dev/null +++ b/advisories/published/2024/0008.md 
@@ -0,0 +1,35 @@ +```toml +[advisory] +id = "HSEC-2024-0008" +cwe = [194] +keywords = ["integrity", "dos"] + +[[affected]] +ghc-component = "ghc" +cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" + +[[affected.versions]] +introduced = "9.2.1" +fixed = "9.6.6" + +[[affected.versions]] +introduced = "9.8.1" +fixed = "9.8.3" + +[[affected.versions]] +introduced = "9.10.1" + +[[references]] +type = "REPORT" +url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23034" + +[[references]] +type = "FIX" +url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12885" +``` + +# Sign extension error in the PPC64le FFI + +Numeric arguments of FFI call on the PPC64le backend may result in incorrect runtime values. +For the most part, this bug only causes availability and data integrity issues. +However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. diff --git a/advisories/published/2024/0009.md b/advisories/published/2024/0009.md new file mode 100644 index 00000000..38b2f33b --- /dev/null +++ b/advisories/published/2024/0009.md 
@@ -0,0 +1,30 @@ +```toml +[advisory] +id = "HSEC-2024-0009" +keywords = ["biscuit"] +aliases = ["CVE-2024-41949", "GHSA-rgqv-mwc3-c78m", "GHSA-47cq-pc2v-3rmp"] + +[[references]] +type = "ADVISORY" +url = "https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp" +[[references]] +type = "FIX" +url = "https://github.com/biscuit-auth/biscuit-haskell/pull/93" + +[[affected]] +package = "biscuit-haskell" +cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N" + +[[affected.versions]] +introduced = "0.3.0.0" +fixed = "0.4.0.0" +``` + +# Public key confusion in third-party blocks + +Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: + +- the public key of the previous block (used in the signature); +- the public keys part of the token symbol table (for public key interning in datalog expressions). + +A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. diff --git a/advisories/published/2025/0001.md b/advisories/published/2025/0001.md new file mode 100644 index 00000000..a979a1d0 --- /dev/null +++ b/advisories/published/2025/0001.md 
@@ -0,0 +1,32 @@ +```toml +[advisory] +id = "HSEC-2025-0001" +cwe = [682] +keywords = ["integrity", "dos"] + +[[affected]] +ghc-component = "ghc" +cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" + +[[affected.versions]] +introduced = "9.12.1" +fixed = "9.12.2" + +[[references]] +type = "REPORT" +url = "https://gitlab.haskell.org/ghc/ghc/-/issues/25653" + +[[references]] +type = "REPORT" +url = "https://discourse.haskell.org/t/psa-correctness-issue-in-ghc-9-12/11204" + +[[references]] +type = "FIX" +url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/13820" +``` + +# Subword division operations may produce incorrect results + +Arithmetic operations may produce incorrect results when compiled with optimizations. +For the most part, this bug only causes availability and data integrity issues. +However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions. diff --git a/advisories/published/2025/0002.md b/advisories/published/2025/0002.md new file mode 100644 index 00000000..0079730b --- /dev/null +++ b/advisories/published/2025/0002.md 
@@ -0,0 +1,66 @@ +```toml +[advisory] +id = "HSEC-2025-0002" +cwe = [] +keywords = ["crypto"] +related = ["GHSA-w5vr-6qhr-36cc"] + +[[affected]] +package = "cryptonite" +cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" +[[affected.versions]] +introduced = "0.1" + +[[affected]] +package = "crypton" +cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" +[[affected.versions]] +introduced = "0.31" +fixed = "1.0.3" + +[[references]] +type = "ARTICLE" +url = "https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft" +[[references]] +type = "ARTICLE" +url = "https://github.com/MystenLabs/ed25519-unsafe-libs" +[[references]] +type = "ADVISORY" +url = "https://github.com/advisories/GHSA-w5vr-6qhr-36cc" +[[references]] +type = "EVIDENCE" +url = "https://hackage.haskell.org/package/cryptonite-0.30/docs/src/Crypto.PubKey.Ed25519.html#sign" +[[references]] +type = "EVIDENCE" +url = "https://github.com/haskell-crypto/cryptonite/blob/cryptonite-v0.30/cbits/ed25519/ed25519.c#53" +[[references]] +type = "EVIDENCE" +url = "https://github.com/kazu-yamamoto/crypton/blob/48fb9df2de5ee752196724b081f4d3cdb57576ed/cbits/ed25519/ed25519.c#L53" +[[references]] +type = "FIX" +url = "https://github.com/kazu-yamamoto/crypton/pull/47" + +``` + +# Double Public Key Signing Function Oracle Attack on Ed25519 + +The standard specification of Ed25519 message signing involves providing the +algorithm with a message and private key. + +The function will use the private key to compute the public key and sign the message. +Some libraries provide a variant of the message signing function that also takes +the pre-computed public key as an input parameter. + +Libraries that allow arbitrary public keys as inputs without checking if the +input public key corresponds to the input private key are vulnerable to the +following attack. 
+ +By using several public keys and messages, a malicious user with access to the +signing mechanism may build up insights into the private key parameters +resulting in access to the private key. + +This shortcoming means that an attacker could use the signing function as an +Oracle, perform crypto-analysis and ultimately get at secrets. +For example, an attacker who can’t access the private key but can access +the signing mechanism through an API call could use several public keys and +messages to gradually build up insights into private key parameters. diff --git a/advisories/published/2025/0003.md b/advisories/published/2025/0003.md new file mode 100644 index 00000000..2680ebef --- /dev/null +++ b/advisories/published/2025/0003.md @@ -0,0 +1,40 @@ +```toml +[advisory] +id = "HSEC-2025-0003" +cwe = [416] +keywords = ["corruption", "vendored-code", "language-c"] +aliases = ["CVE-2025-31115"] + +[[references]] +type = "ARTICLE" +url = "https://tukaani.org/xz/threaded-decoder-early-free.html" + +[[references]] +type = "FIX" +url = "https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480" + +[[references]] +type = "FIX" +url = "https://github.com/hasufell/lzma-static/commit/e95fe96530568addfc83b771900025053e2c6951" + +[[affected]] +package = "xz-clib" +cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + +[[affected.versions]] +introduced = "5.6.3" +fixed = "5.8.1" +``` + +# Use after free in multithreaded lzma (.xz) decoder + +In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in +liblzma has a bug where invalid input can at least result in a crash +(CVE-2025-31115). The effects include heap use after free and +writing to an address based on the null pointer plus an offset. +Applications and libraries that use the `lzma_stream_decoder_mt` +function are affected. + +The Haskell *xz-clib* library vendors and builds the C +implementation. The *xz* package does not use the multithreaded +decoder and is therefore unaffected. 
diff --git a/advisories/published/2025/0004.md b/advisories/published/2025/0004.md new file mode 100644 index 00000000..58a6cfa6 --- /dev/null +++ b/advisories/published/2025/0004.md @@ -0,0 +1,36 @@ +```toml + +[advisory] +id = "HSEC-2025-0004" +cwe = [23] +capec = [126] +keywords = ["gopher", "path-traversal"] + +aliases = [] +related = [] + +[[affected]] +package = "spacecookie" +cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + +declarations = { "Network.Gopher.Util.santinizePath" = ">= 0.2.0.0 && < 1.0", "Network.Gopher.Util.santinizeIfNotUrl" = ">= 0.2.0.0 && < 1.0", "Network.Gopher.Util.sanitizePath" = ">= 1.0.0.0 && < 1.0.0.3", "Network.Gopher.Util.sanitizeIfNotUrl" = ">= 1.0.0.0 && < 1.0.0.3" } + +[[affected.versions]] +introduced = "0.2.0.0" +fixed = "1.0.0.3" + +[[references]] +type = "FIX" +url = "https://github.com/sternenseemann/spacecookie/commit/2854a8a70833e7abdeeff3c02596a6f2a2f35c61" +``` + +# Broken Path Sanitization in spacecookie Library + +The spacecookie library exposes the functions `sanitizePath` and `sanitizeIfNotUrl` intended to +remove `..` components from paths which can be used to prevent path traversal attacks. Due to +erroneous comparison code, this elimination is not actually performed which has been remedied +in version 1.0.0.3 by properly comparing using `equalFilePath`. + +Any user of those respective functions of any version of spacecookie should upgrade to 1.0.0.3 +or later. Note that the spacecookie server executable included in the same package is not affected +by the problem since a separate check would reject any malicious path that gets by `sanitizePath`. diff --git a/advisories/published/2025/0005.md b/advisories/published/2025/0005.md new file mode 100644 index 00000000..bf996abd --- /dev/null +++ b/advisories/published/2025/0005.md 
@@ -0,0 +1,61 @@ +```toml +[advisory] +id = "HSEC-2025-0005" +cwe = [427] +keywords = ["hackage", "supply-chain", "historical"] + +[[affected]] +package = "cabal-install" +cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" +[[affected.versions]] +fixed = "3.4.0.0" +introduced = "1.0.0.0" + +[[references]] +type = "REPORT" +url = "https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html" +``` + +# `cabal-install` dependency confusion + +For **cabal-install < 3.4.0.0** and where multiple repositories are +configured, the resolver picks the highest available version across +all repositories. Where a package is only defined in a private +repository, this behaviour leads to a [*dependency confusion*][blog] +supply chain vulnerability. If the private package name becomes +known, a malicious actor can claim the name in the public repository +and publish a malicious version at a higher version number. + +Default `cabal-install` configurations that only use the +`hackage.haskell.org` repository are not affected. Configurations +that use curated private repositories **exclusively** are also not +affected. + +[blog]: https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html + + +## Mitigations + +*cabal-install* version **3.4.0.0** and higher provide an `override` +option in the repository configuration. It marks the associated +repository as canonical for all packages defined in that repository. +No other repositories will be considered. For example: + +``` +-- For packages in repo.example.com, +-- only versions in repo.example.com are considered +active-repositories: + , hackage.haskell.org + , repo.example.com:override +``` + +Users and organisations using private repositories that contain +private packages in addition to public repositories **MUST** use the +`override` option to prevent dependency confusion attacks. 
+ +Alternatively, projects and organisations can run a private instance +of *hackage-server* and carefully curate and review its contents. +Using that instance exclusively defeats supply chain attacks +including *dependency confusion*. For *cabal-install < 3.4* and +where using multiple repositories, this is the only effective +mitigation against dependency confusion attacks. diff --git a/advisories/reserved/2024/0004.md b/advisories/reserved/2024/0004.md new file mode 100644 index 00000000..e69de29b diff --git a/advisories/reserved/2024/0005.md b/advisories/reserved/2024/0005.md new file mode 100644 index 00000000..e69de29b diff --git a/code/hsec-tools/CHANGELOG.md b/code/hsec-tools/CHANGELOG.md index e52916af..d65574a9 100644 --- a/code/hsec-tools/CHANGELOG.md +++ b/code/hsec-tools/CHANGELOG.md @@ -3,6 +3,10 @@ * Move `isVersionAffectedBy` and `isVersionRangeAffectedBy` to `Security.Advisories.Core` (`hsec-core`) * Add support for GHC component in `query is-affected` * Add `model.database_specific.{repository,osvs,home}` and `model.affected.database_specific.{osv,human_link}` in OSV exports +* Adapt to new security-advisories layout +* Drop `Security.Advisories.Filesystem.parseComponentIdentifier` +* Drop `Security.Advisories.Parse.OutOfBandAttributes.oobComponentIdentifier` +* Drop `Security.Advisories.Parse.OOBError.PathHasNoComponentIdentifier` ## 0.2.0.2 diff --git a/code/hsec-tools/app/Main.hs b/code/hsec-tools/app/Main.hs index d5085e05..e291561e 100644 --- a/code/hsec-tools/app/Main.hs +++ b/code/hsec-tools/app/Main.hs @@ -22,7 +22,6 @@ import Security.Advisories.Generate.HTML import Security.Advisories.Generate.Snapshot import Security.Advisories.Git import Security.Advisories.Queries (listVersionRangeAffectedBy) -import Security.Advisories.Filesystem (parseComponentIdentifier) import System.Exit (die, exitFailure, exitSuccess) import System.FilePath (takeBaseName) import System.IO (hPrint, hPutStrLn, stderr) 
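Review bot: In the HSEC-2025-0005 front matter, `[[affected.versions]]` records `fixed = "3.4.0.0"`, but the prose in the same file says 3.4.0.0 only *provides* the `override` option and that users with mixed repositories **MUST** configure it, so an unconfigured 3.4+ install is still exposed and anything that reads `fixed` (the OSV export, `query is-affected`) will report such users as safe. Either drop `fixed` and say in the text that no version is safe without `override`, or keep it and add a sentence directly under the heading such as `Upgrading alone is not sufficient: the override option must also be configured.`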
@@ -197,13 +196,11 @@ withAdvisory go file = do oob <- runExceptT $ case file of Nothing -> throwE StdInHasNoOOB Just path -> do - ecosystem <- parseComponentIdentifier path withExceptT GitHasNoOOB $ do gitInfo <- ExceptT $ liftIO $ getAdvisoryGitInfo path pure OutOfBandAttributes { oobPublished = firstAppearanceCommitDate gitInfo , oobModified = lastModificationCommitDate gitInfo - , oobComponentIdentifier = ecosystem } case parseAdvisory NoOverrides oob input of diff --git a/code/hsec-tools/hsec-tools.cabal b/code/hsec-tools/hsec-tools.cabal index f50c220b..b2b5a9c7 100644 --- a/code/hsec-tools/hsec-tools.cabal +++ b/code/hsec-tools/hsec-tools.cabal @@ -73,7 +73,6 @@ library , pandoc >=2.0 && <3.8 , pandoc-types >=1.22 && <2 , parsec >=3 && <4 - , pathwalk >=0.3 && <0.4 , pretty >=1.0 && <1.2 , prettyprinter >=1.7 && <1.8 , process >=1.6 && <1.7 diff --git a/code/hsec-tools/index.html b/code/hsec-tools/index.html deleted file mode 100644 index 28fb61f3..00000000 --- a/code/hsec-tools/index.html +++ /dev/null @@ -1,133 +0,0 @@ - - - - - - - Haskell Security Advisories - - - -
-
- Advisories list - -
-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - -
#Package(s)Title
HSEC-2023-0003xmonad-contribcode injection in xmonad-contrib
HSEC-2023-0002biscuit-haskellImproper Verification of Cryptographic Signature
HSEC-2023-0001aesonHash flooding vulnerability in aeson
-
-
-
-

aeson

-
- - - - - - - - - - - - - - - - - -
#IntroducedFixedTitle
HSEC-2023-00011.1.0Hash flooding vulnerability in aeson
-
-

biscuit-haskell

-
- - - - - - - - - - - - - - - - - -
#IntroducedFixedTitle
HSEC-2023-00021.1.02.0.0Improper Verification of Cryptographic Signature
-
-

xmonad-contrib

-
- - - - - - - - - - - - - - - - - -
#IntroducedFixedTitle
HSEC-2023-00031.1.02.0.0code injection in xmonad-contrib
-
-
-
- - diff --git a/code/hsec-tools/src/Security/Advisories/Convert/OSV.hs b/code/hsec-tools/src/Security/Advisories/Convert/OSV.hs index 6ec752f2..691e516c 100644 --- a/code/hsec-tools/src/Security/Advisories/Convert/OSV.hs +++ b/code/hsec-tools/src/Security/Advisories/Convert/OSV.hs @@ -93,7 +93,7 @@ haskellLinks = DbLinks { dbLinksRepository = "https://github.com/haskell/security-advisories" , dbLinksOSVs = "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export" - , dbLinksHome = "https://haskell.github.io/security-advisories" + , dbLinksHome = "https://github.com/haskell/security-advisories" } data AffectedLinks = AffectedLinks @@ -115,7 +115,7 @@ mkAffectedWithLinks links hsecId aff = Just AffectedLinks { affectedLinksOSV = stripSlash (dbLinksOSVs links) <> "/" <> T.pack (show $ hsecIdYear hsecId) <> "/" <> T.pack (printHsecId hsecId) <> ".json" - , affectedLinksHumanLink = stripSlash (dbLinksHome links) <> "/advisory/" <> T.pack (printHsecId hsecId) <> ".html" + , affectedLinksHumanLink = stripSlash (dbLinksHome links) <> "/tree/main/advisories/published/" <> T.pack (show $ hsecIdYear hsecId) <> "/" <> T.pack (show $ hsecIdSerial hsecId) <> ".md" } , .. } diff --git a/code/hsec-tools/src/Security/Advisories/Filesystem.hs b/code/hsec-tools/src/Security/Advisories/Filesystem.hs index b522fb38..cbd5371e 100644 --- a/code/hsec-tools/src/Security/Advisories/Filesystem.hs +++ b/code/hsec-tools/src/Security/Advisories/Filesystem.hs @@ -13,6 +13,7 @@ module Security.Advisories.Filesystem ( dirNameAdvisories , dirNameReserved + , dirNamePublished , isSecurityAdvisoriesRepo , getReservedIds , getAdvisoryIds @@ -23,7 +24,6 @@ module Security.Advisories.Filesystem , forAdvisory , listAdvisories , advisoryFromFile - , parseComponentIdentifier ) where #if MIN_VERSION_base(4,18,0) 
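Review bot: In the `@@ -115,7 +115,7 @@` hunk of Convert/OSV.hs, `affectedLinksHumanLink` now builds the file name from `show $ hsecIdSerial hsecId`; if the serial is a plain number (which the use of `show` suggests), HSEC-2024-0001 links to `.../advisories/published/2024/1.md`, while the files added in this diff are named `0001.md`, so the human link would 404. The OSV path on the line above already goes through `printHsecId`, so deriving the serial from the same printed form keeps both in step, e.g. `T.takeWhileEnd (/= '-') (T.pack (printHsecId hsecId)) <> ".md"`. If `hsecIdSerial` already carries the zero padding this is moot, but a unit test pinning the generated `human_link` for a low-numbered id would settle it either way.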
@@ -36,21 +36,16 @@ import Data.Semigroup (Max(Max, getMax)) import Data.Traversable (for) import Control.Monad.IO.Class (MonadIO, liftIO) -import Control.Monad.Writer.Strict (execWriterT, tell) -import qualified Data.Text as T import qualified Data.Text.IO as T -import System.FilePath ((), takeBaseName, splitDirectories) -import System.Directory (doesDirectoryExist, pathIsSymbolicLink) -import System.Directory.PathWalk +import System.FilePath ((), dropExtension) +import System.Directory (doesDirectoryExist, listDirectory) import Validation (Validation (..)) -import Security.Advisories (Advisory, AttributeOverridePolicy (NoOverrides), OutOfBandAttributes (..), ParseAdvisoryError, parseAdvisory, ComponentIdentifier(..)) +import Security.Advisories (Advisory, AttributeOverridePolicy (NoOverrides), OutOfBandAttributes (..), ParseAdvisoryError, parseAdvisory) import Security.Advisories.Core.HsecId (HsecId, parseHsecId, placeholder) import Security.Advisories.Git(firstAppearanceCommitDate, getAdvisoryGitInfo, lastModificationCommitDate) import Control.Monad.Except (runExceptT, ExceptT (ExceptT), withExceptT) -import Security.Advisories.Parse (OOBError(GitHasNoOOB, PathHasNoComponentIdentifier)) -import Security.Advisories.Core.Advisory (ghcComponentFromText) - +import Security.Advisories.Parse (OOBError(GitHasNoOOB)) dirNameAdvisories :: FilePath dirNameAdvisories = "advisories" @@ -58,6 +53,9 @@ dirNameAdvisories = "advisories" dirNameReserved :: FilePath dirNameReserved = "reserved" +dirNamePublished :: FilePath +dirNamePublished = "published" + -- | Check whether the directory appears to be the root of a -- /security-advisories/ filesystem. Only checks that the -- @advisories@ subdirectory exists. 
@@ -109,7 +107,7 @@ forReserved :: (MonadIO m, Monoid r) => FilePath -> (FilePath -> HsecId -> m r) -> m r forReserved root = - _forFiles (root dirNameAdvisories dirNameReserved) + _forFilesByYear (root dirNameAdvisories dirNameReserved) -- | Invoke a callback for each HSEC ID under each of the advisory -- subdirectories, excluding the @reserved@ directory. The results 
@@ -121,69 +119,51 @@ forReserved root = forAdvisory :: (MonadIO m, Monoid r) => FilePath -> (FilePath -> HsecId -> m r) -> m r -forAdvisory root go = do - let dir = root dirNameAdvisories - subdirs <- filter (/= dirNameReserved) <$> _getSubdirs dir - fmap fold $ for subdirs $ \subdir -> _forFiles (dir subdir) go +forAdvisory root = + _forFilesByYear (root dirNameAdvisories dirNamePublished) --- | List deduplicated parsed Advisories +-- | List parsed Advisories listAdvisories :: (MonadIO m) => FilePath -> m (Validation [(FilePath, ParseAdvisoryError)] [Advisory]) listAdvisories root = - forAdvisory root $ \advisoryPath _advisoryId -> do - isSym <- liftIO $ pathIsSymbolicLink advisoryPath - if isSym - then return $ pure [] - else - bimap (\err -> [(advisoryPath, err)]) pure - <$> advisoryFromFile advisoryPath + forAdvisory root $ \advisoryPath _advisoryId -> + bimap (\err -> [(advisoryPath, err)]) pure + <$> advisoryFromFile advisoryPath -- | Parse an advisory from a file system path advisoryFromFile :: (MonadIO m) => FilePath -> m (Validation ParseAdvisoryError Advisory) advisoryFromFile advisoryPath = do - oob <- runExceptT $ do - ecosystem <- parseComponentIdentifier advisoryPath + oob <- runExceptT $ withExceptT GitHasNoOOB $ do gitInfo <- ExceptT $ liftIO $ getAdvisoryGitInfo advisoryPath pure OutOfBandAttributes { oobPublished = firstAppearanceCommitDate gitInfo , oobModified = lastModificationCommitDate gitInfo - , oobComponentIdentifier = ecosystem } fileContent <- liftIO $ T.readFile advisoryPath pure $ either Failure Success $ parseAdvisory NoOverrides oob fileContent --- | Get names (not paths) of subdirectories of the given directory --- (one level). There's no monoidal, interruptible variant of --- @pathWalk@ so we use @WriterT@ to smuggle the result out. 
--- -_getSubdirs :: (MonadIO m) => FilePath -> m [FilePath] -_getSubdirs root = - execWriterT $ - pathWalkInterruptible root $ \_ subdirs _ -> do - tell subdirs - pure Stop - -_forFiles +_forFilesByYear :: (MonadIO m, Monoid r) => FilePath -- ^ (sub)directory name -> (FilePath -> HsecId -> m r) -> m r -_forFiles root go = - pathWalkAccumulate root $ \dir _ files -> - fmap fold $ for files $ \file -> - case parseHsecId (takeBaseName file) of - Nothing -> pure mempty - Just hsid -> go (dir file) hsid - -parseComponentIdentifier :: Monad m => FilePath -> ExceptT OOBError m (Maybe ComponentIdentifier) -parseComponentIdentifier fp = ExceptT . pure $ case drop 1 $ reverse $ splitDirectories fp of - package : "hackage" : _ -> pure (Just $ Hackage $ T.pack package) - component : "ghc" : _ | Just ghc <- ghcComponentFromText (T.pack component) -> pure (Just $ GHC ghc) - _ : _ : "advisories" : _ -> Left PathHasNoComponentIdentifier - _ -> pure Nothing +_forFilesByYear root go = do + yearsFile <- liftIO $ listDirectory root + fmap (foldMap fold) $ + for yearsFile $ \year -> do + let yearDir = root year + isYear <- liftIO $ doesDirectoryExist yearDir + if isYear + then do + files <- liftIO $ listDirectory yearDir + for files $ \file -> + case parseHsecId ("HSEC-" <> year <> "-" <> dropExtension file) of + Nothing -> pure mempty + Just hsid -> go (yearDir file) hsid + else pure mempty diff --git a/code/hsec-tools/src/Security/Advisories/Parse.hs b/code/hsec-tools/src/Security/Advisories/Parse.hs index 4139d1bd..c55dc12d 100644 --- a/code/hsec-tools/src/Security/Advisories/Parse.hs +++ b/code/hsec-tools/src/Security/Advisories/Parse.hs @@ -61,7 +61,6 @@ type OOB = Either OOBError OutOfBandAttributes data OutOfBandAttributes = OutOfBandAttributes { oobModified :: UTCTime , oobPublished :: UTCTime - , oobComponentIdentifier :: Maybe ComponentIdentifier } deriving (Show) 
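Review bot: `_forFilesByYear` feeds every entry of a year directory through `parseHsecId ("HSEC-" <> year <> "-" <> dropExtension file)`, so a stray `0001.md~` or `0001.txt` beside `0001.md` parses to the same HSEC-2024-0001 and is handed to `go`, which for `listAdvisories` means two advisories claiming one ID (the CI `find -name '*.md'` filter does not apply to this code path). Restrict the walk to advisory files, `for (filter ((== ".md") . takeExtension) files) $ \file ->`, adding `takeExtension` to the `System.FilePath` import in the earlier hunk. The old `listAdvisories` also skipped symlinks via `pathIsSymbolicLink`; dropping that is presumably intended with the flat layout, but it deserves a line in the CHANGELOG entry. Note too that `listDirectory root` throws when `advisories/published` is absent, while `isSecurityAdvisoriesRepo` (per its comment in this file) only checks for `advisories`, so a `doesDirectoryExist` guard on `root` would give a cleaner failure.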
@@ -91,14 +90,12 @@ instance Exception ParseAdvisoryError where -- @since 0.2.0.0 data OOBError = StdInHasNoOOB -- ^ we obtain the advisory via stdin and can hence not parse git history - | PathHasNoComponentIdentifier -- ^ the path is missing 'hackage' or 'ghc' directory | GitHasNoOOB GitError -- ^ processing oob info via git failed deriving stock (Eq, Show, Generic) displayOOBError :: OOBError -> String displayOOBError = \case StdInHasNoOOB -> "stdin doesn't provide out of band information" - PathHasNoComponentIdentifier -> "the path is missing 'hackage' or 'ghc' directory" GitHasNoOOB gitErr -> "no out of band information obtained with git error:\n" <> explainGitError gitErr @@ -187,9 +184,6 @@ parseAdvisoryTable oob policy doc summary details html tab = "advisory.modified" (amdModified (frontMatterAdvisory fm)) let affected = frontMatterAffected fm - case oob of - Right (OutOfBandAttributes _ _ (Just ecosystem)) -> validateComponentIdentifier ecosystem affected - _ -> pure () pure Advisory { advisoryId = amdId (frontMatterAdvisory fm) , advisoryPublished = published diff --git a/code/hsec-tools/test/Spec.hs b/code/hsec-tools/test/Spec.hs index dc85cfc0..6656464c 100644 --- a/code/hsec-tools/test/Spec.hs +++ b/code/hsec-tools/test/Spec.hs @@ -46,7 +46,6 @@ doGoldenTest fp = goldenVsString fp (fp <> ".golden") (LText.encodeUtf8 <$> doCh attr = OutOfBandAttributes { oobPublished = fakeDate , oobModified = fakeDate - , oobComponentIdentifier = Nothing } res = parseAdvisory NoOverrides (Right attr) input osvExport = case res of
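Review bot: With `validateComponentIdentifier` removed from `parseAdvisoryTable` in the `@@ -187,9 +184,6 @@` hunk, nothing visible in this diff still cross-checks an advisory against where it is filed; in the new layout the path is the ID (`_forFilesByYear` derives it from `year/serial.md`), yet `listAdvisories` discards the path-derived `_advisoryId` and trusts `advisory.id` from the TOML front matter. A file `published/2024/0001.md` declaring `id = "HSEC-2024-0009"` would therefore be accepted, and the CI uniqueness check only compares file names. Unless `hsec-tools check` covers this elsewhere, compare the two and fail on mismatch, for instance by having `listAdvisories` turn a parsed advisory whose `advisoryId` differs from `_advisoryId` into a `Failure` entry. `parseAdvisoryTable` itself starts outside the hunk.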