EPrints Technical Mailing List Archive


Message: #08539



Re: [EP-tech] EPrints Security Announcement - February 2021


Hi John and Alan,


Yes, a JavaScript solution would definitely be a preference to using LaTeX.


Alan: It would be useful to see your changes to latex2png. If a JavaScript solution is not forthcoming, I will see if this can be used as an alternative for future versions of EPrints if it is no longer vulnerable to being exploited. I removed this CGI script rather than seeing whether parameters could be sanitised, as I was not aware of it being specifically used by any repositories and it seemed unlikely to be in general use, as latex and dvips binaries would need to be additionally installed and further configuration required to make use of this CGI script.


Regards


David Newman


On 24/02/2021 14:35, John Salter via Eprints-tech wrote:
I was wondering if anyone had integrated any JavaScript libraries (e.g. https://www.mathjax.org/) to achieve something similar to this?

Cheers,
John

From: eprints-tech-bounces@ecs.soton.ac.uk <eprints-tech-bounces@ecs.soton.ac.uk> on behalf of Alan.Stiles via Eprints-tech <eprints-tech@ecs.soton.ac.uk>
Sent: 24 February 2021 14:03
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>
Subject: Re: [EP-tech] EPrints Security Announcement - February 2020

The patch does leave latex2png empty.

We still use this to include e.g. mathematical symbology in item abstracts, so we have added some sanitisation to the input parameter in that CGI script rather than removing the function completely (3.3.15 or 16 here).


Alan


From: <eprints-tech-bounces@ecs.soton.ac.uk> on behalf of "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>
Reply to: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>, James Kerwin <jkerwin2101@gmail.com>
Date: Wednesday, 24 February 2021 at 13:41
To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>, David R Newman <drn@ecs.soton.ac.uk>
Subject: Re: [EP-tech] EPrints Security Announcement - February 2020


Hi David,


Thank you very much for bringing this to our attention and providing the solutions.


Shamefully, we are still on 3.3.14 (I promise we are upgrading this year). The patch mentioned works on 3.3.16 and the page says it might work on earlier versions (a brief look through two of the files suggests they're more or less the same as those for 3.3.16).


In my attempt to avoid any problems that could result from "might", are these the files that need altering if I were to do it manually:


/cgi/ajax/phrase : CVE-2021-26703

/cgi/latex2png : CVE-2021-3342

/cgi/toolbox/toolbox : CVE-2021-26704


There also appear to be some changes to be made to XML.pm.


Am I interpreting it correctly where it looks as though latex2png will be left as an empty file (deleted) by the end?


I think the page makes it very clear that these are the files that are affected, but I just want to check there aren't any others that the patch addresses. I have looked at the patch, but I try not to underestimate my ability to totally misunderstand the most obvious of things.


My plan is to try the command first on a test EPrints server and if it doesn't work, do it manually.

Thanks,

James


On Wed, Feb 24, 2021 at 9:27 AM David R Newman via Eprints-tech <eprints-tech@ecs.soton.ac.uk> wrote:

Hi all,

EPrints Services was recently made aware of a small number of security vulnerabilities within the EPrints codebase, affecting both EPrints 3.4 and EPrints 3.3.

I have created two patch files to fix the vulnerabilities and uploaded them to files.eprints.org.


- EPrints 3.4.2 : https://files.eprints.org/2548/
- EPrints 3.3.x : https://files.eprints.org/2549/

The former fixes the EPrints 3.4.2 release and the latter fixes EPrints 3.3 (based on the current HEAD of https://github.com/eprints/eprints). These links also provide instructions on how to apply the patch file and some more details on the affected files. There are references to the Common Vulnerabilities and Exposures (CVE) IDs, but as of now these are yet to be published. All the vulnerabilities identified relate to either Cross-Site Scripting (XSS) or Remote Code Execution (RCE) vulnerabilities. All of these vulnerabilities would require analysis of the codebase to determine an exploit. It is very unlikely that generic tools used to identify vulnerabilities would discover these, as specific knowledge is required.

I have also updated both the eprints and eprints3.4 GitHub repositories for the eprints organisation (https://github.com/eprints) to patch these vulnerabilities. The next release of EPrints 3.4 (3.4.3) will have these security fixes in place.

EPrints Services customers, both those EPrints Services hosts and those that self-host, have either been patched or, where this has not been possible, informed of the vulnerabilities and how they can be fixed.

If you have any follow-up questions, please feel free to ask. Hopefully, the CVEs will be published shortly for those interested in more detail. However, they were raised by a third party, whom I have only just given the go-ahead to make these public.

Regards

David Newman


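Alan's message above describes sanitising the input parameter of the latex2png CGI script instead of removing it. The thread does not show what that sanitisation looks like, so the following is an added example (not EPrints code and not from any message in this thread) of the allow-list approach a reviewer would expect for an endpoint that hands user input to latex/dvips; it is written in Python rather than EPrints' Perl so it runs stand-alone. The set of permitted commands, the length limit and the wrapping document are assumptions; `-no-shell-escape`, `-interaction=batchmode` and `-output-directory` are standard TeX Live options.

```python
import re

# Constructed example: allow-list validation of a user-supplied LaTeX math
# fragment before it is handed to latex/dvips. Any control sequence not on the
# list is rejected, so no deny-list of TeX primitives needs to be maintained.
SAFE_COMMANDS = frozenset({
    "frac", "sqrt", "sum", "prod", "int", "infty", "cdot", "times", "pm",
    "leq", "geq", "neq", "approx", "left", "right", "mathrm", "mathbb",
    "alpha", "beta", "gamma", "delta", "theta", "lambda", "mu", "pi", "sigma",
})
SAFE_ESCAPES = frozenset("{},;!|")  # \{ \} \, \; \! \| are the only escaped symbols allowed
MAX_LEN = 500  # assumed limit; one abstract formula never needs more
# Plain characters allowed outside a control sequence. $ % # & ~ are deliberately
# absent: $ or % would break out of the math environment the fragment is wrapped in.
TOKEN = re.compile(r"\\([A-Za-z]+)|\\(.)|([A-Za-z0-9\s+\-*/=()\[\]{}^_.,;:<>|!'])|(.)", re.S)


def validate_fragment(fragment: str) -> tuple[bool, str]:
    """Return (ok, reason); ok only if every token is allowed and braces balance."""
    if len(fragment) > MAX_LEN:
        return False, "fragment too long"
    depth = 0
    for cmd, esc, plain, other in TOKEN.findall(fragment):
        if cmd:
            if cmd not in SAFE_COMMANDS:
                return False, f"control sequence not allowed: \\{cmd}"
        elif esc:
            if esc not in SAFE_ESCAPES:
                return False, f"escape not allowed: \\{esc}"
        elif plain:
            depth += (plain == "{") - (plain == "}")
            if depth < 0:
                return False, "unbalanced braces"
        else:  # anything the allow-list did not match
            return False, f"character not allowed: {other!r}"
    return (True, "ok") if depth == 0 else (False, "unbalanced braces")


def wrap_document(fragment: str) -> str:
    """Validate, then embed the fragment in a minimal document; raises ValueError."""
    ok, reason = validate_fragment(fragment)
    if not ok:
        raise ValueError(reason)
    return ("\\documentclass{article}\\pagestyle{empty}\\begin{document}"
            "\\[" + fragment + "\\]\\end{document}")


def build_latex_argv(workdir: str, jobname: str) -> list[str]:
    """argv for the latex step: passed as a list (no shell), shell escape disabled,
    non-interactive; the job name and directory are chosen server-side, never by the client."""
    return ["latex", "-no-shell-escape", "-interaction=batchmode",
            f"-output-directory={workdir}", f"{jobname}.tex"]
```

Running `subprocess.run(build_latex_argv(tmpdir, "eq"), cwd=tmpdir, timeout=10)` after writing `wrap_document(fragment)` to `eq.tex` in that directory completes the pipeline; a rejected fragment never reaches the `latex` binary.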
*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/