Bug 27487 - pagure new security issue CVE-2019-11556
Summary: pagure new security issue CVE-2019-11556
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-29 17:15 CET by David Walser
Modified: 2021-05-07 07:37 CEST
CC List: 5 users

See Also:
Source RPM: pagure-5.5-1.mga7.src.rpm
CVE: CVE-2019-11556
Status comment:



Description David Walser 2020-10-29 17:15:08 CET
openSUSE has issued an advisory today (October 29):
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00066.html

The issue is fixed upstream in 5.6.
Comment 1 David Walser 2020-10-29 17:16:28 CET
Fixed by Neal in openSUSE in this commit:
https://build.opensuse.org/request/show/839353

Assignee: bugsquad => ngompa13
Status comment: (none) => Fixed upstream in 5.6

Comment 2 Neal Gompa 2020-11-24 20:04:35 CET
I've uploaded a fixed version to updates-testing for Mageia 7. This has been fixed in Cauldron for a while now, so there was nothing to do there...

Suggested advisory:
========================

Updated pagure packages fix security vulnerabilities:

Pagure before 5.6 allows XSS via the templates/blame.html blame view.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11556
https://bugzilla.suse.com/show_bug.cgi?id=1176987
https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318
========================

Updated packages in core/updates_testing:
========================
pagure-5.5-1.1.mga7
pagure-theme-pagureio-5.5-1.1.mga7
pagure-theme-srcfpo-5.5-1.1.mga7
pagure-theme-chameleon-5.5-1.1.mga7
pagure-milters-5.5-1.1.mga7
pagure-ev-5.5-1.1.mga7
pagure-webhook-5.5-1.1.mga7
pagure-ci-5.5-1.1.mga7
pagure-logcom-5.5-1.1.mga7
pagure-loadjson-5.5-1.1.mga7
pagure-mirror-5.5-1.1.mga7


Source RPMs: 
pagure-5.5-1.1.mga7.src.rpm
Nicolas Lécureuil 2021-03-04 19:35:59 CET

CC: (none) => mageia
Assignee: ngompa13 => qa-bugs

David Walser 2021-03-04 22:46:16 CET

Status comment: Fixed upstream in 5.6 => (none)

Comment 3 Herman Viaene 2021-04-02 14:45:48 CEST
MGA7-64 MATE on Peaq C1011
No installation issues.
No previous updates, so looking for info, found https://pagure.io/pagure.
Seems like a lot of fun for knowledgeable people.
Just tried to launch from CLI, but trouble:
$ pagure-admin 
Using configuration file `/etc/pagure/pagure.cfg`
Error: 'Namespace' object has no attribute 'func'
ERROR:root:Generic error catched:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/pagure/cli/admin.py", line 1034, in main
    args.func(args)
AttributeError: 'Namespace' object has no attribute 'func'

CC: (none) => herman.viaene

Comment 4 Aurelien Oudelet 2021-04-23 20:33:02 CEST
(In reply to Herman Viaene from comment #3)
> MGA7-64 MATE on Peaq C1011
> No installation issues.
> No previous updates, so looking for info, found https://pagure.io/pagure.
> Seems like a lot of fun for knowledgeable people.
> Just tried to launch from CLI, but trouble:
> $ pagure-admin 
> Using configuration file `/etc/pagure/pagure.cfg`
> Error: 'Namespace' object has no attribute 'func'
> ERROR:root:Generic error catched:
> Traceback (most recent call last):
>   File "/usr/lib/python3.7/site-packages/pagure/cli/admin.py", line 1034, in main
>     args.func(args)
> AttributeError: 'Namespace' object has no attribute 'func'

Keywords: (none) => feedback
CC: (none) => ouaurelien

Comment 5 Neal Gompa 2021-04-24 18:38:44 CEST
Huh, I don't think I've ever tried to run pagure-admin with no arguments before.

It looks like this is an argparse bug where it just fails to correctly handle the case where no parameters or arguments are passed in.

Cf. https://stackoverflow.com/questions/48648036/python-argparse-args-has-no-attribute-func

I can reproduce this on upstream Pagure and the version shipped in MGA7 GA too.

So that's unrelated to Pagure itself.

If you've followed the quickstart guide to configure a pagure instance, then "pagure-admin -h" should work.

CC: (none) => ngompa13

Comment 6 Aurelien Oudelet 2021-04-24 20:11:50 CEST
Thanks Neal.

QA should now have a procedure test.

Note that this upstream bug should also be reported and fixed. Calling pagure-admin without argument should display a help usage... ;)

We will now try adding arguments and check the -h switch for help.
$ pagure-admin

CVE: (none) => CVE-2019-11556
Keywords: feedback => (none)

Comment 7 Neal Gompa 2021-04-25 20:22:24 CEST
(In reply to Aurelien Oudelet from comment #6)
> Thanks Neal.
> 
> QA should now have a procedure test.
> 
> Note that this upstream bug should also be reported and fixed. Calling
> pagure-admin without argument should display a help usage... ;)
> 

It's a bug in Python, but perhaps there's a way to work around it in Pagure (not sure about that though...).
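The argparse behaviour discussed in comments 5 and 7, as an added example that is not Pagure's code and not posted by any commenter: a toy CLI in the same shape as pagure-admin (subparsers that attach their handler with set_defaults(func=...)). The program name demo-admin, the list subcommand, cmd_list and the mode switch are all hypothetical; the example reproduces the AttributeError from comment 3 when no subcommand is given and shows the two usual workarounds, a required subparser group (Python 3.7+) and a hasattr() guard that prints help instead of crashing.

```python
import argparse


def cmd_list(args):
    """Handler for the hypothetical 'list' subcommand (returns instead of
    printing so the behaviour can be checked)."""
    return "list:%s" % args.name


def build_parser(mode):
    """Build a small argparse CLI in the same shape as pagure-admin: one
    subparser per command, each attaching its handler via set_defaults(func=...).

    mode is a demo switch (not a Pagure option):
      "buggy"    - plain dispatch, as in the traceback in comment 3
      "required" - let argparse reject a missing subcommand (Python 3.7+)
      "fallback" - dispatch guarded by a hasattr() check, printing help instead
    """
    parser = argparse.ArgumentParser(prog="demo-admin")
    subparsers = parser.add_subparsers(dest="command",
                                       required=(mode == "required"))
    list_parser = subparsers.add_parser("list", help="list a named thing")
    list_parser.add_argument("name")
    list_parser.set_defaults(func=cmd_list)
    return parser


def run(argv, mode="buggy"):
    """Parse argv and dispatch. With no subcommand, no subparser ever ran, so
    'func' was never set on the Namespace: 'buggy' mode reproduces the
    AttributeError, the other two modes handle the case."""
    parser = build_parser(mode)
    args = parser.parse_args(argv)   # 'required' mode exits here with usage (code 2)
    if mode == "fallback" and not hasattr(args, "func"):
        return parser.format_help()  # help text instead of a crash
    return args.func(args)           # AttributeError in 'buggy' mode with no argv
```

In every mode `-h` still works, because argparse handles it inside parse_args() before dispatch, which is why "pagure-admin -h" succeeds while a bare "pagure-admin" does not.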
Comment 8 Aurelien Oudelet 2021-05-06 20:37:51 CEST
Running MGA7 Plasma under a VM x86_64.

Updating pagure OK.

$ pagure-admin -h

gives help.


Giving this OK.
Validating.
Advisory in Comment 2.
Aurelien Oudelet 2021-05-06 20:39:38 CEST

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2021-05-07 07:37:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0206.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

