[PKG-Openstack-devel] Bug#778618: Bug#778618: This patch is not enough

Paul McMillan paul at mcmillan.ws
Fri Feb 27 22:18:46 UTC 2015


> Do you have a link to the upstream discussion? Or is this about an
> embargoed security issue?

The other ticket is an embargoed security issue, unrelated to this
one, in an upstream package which is not novnc. Thomas was incorrect
to bring it up in this context.

> I'm confused. What's true now, to which other upstream bug does this
> refer? Can both of you please clarify.

The non-noVNC bug Thomas was referring to is CVE-2015-0259, which is
still private. To reiterate, that CVE is not a noVNC bug.

To the best of my knowledge, the noVNC bug referenced in this ticket
does not yet have a CVE assigned, even though Red Hat has requested
one. Someone should probably prod that list, since the request appears
to have fallen through the cracks.

> We really need to solve this bug soon, otherwise significant parts of
> OpenStack will get removed from jessie and probably won't be allowed
> back in again.

Just so we're all clear here, noVNC is not part of OpenStack. It is a
component which is commonly used in association with OpenStack, but is
not maintained or supported by the project.

> If you agree that the linked github patch is complete, I can do an
> upload if you lack the time to do so yourself. I can understand that
> sensitive security issues are involved, but a bit more verboseness would
> be nice.

The linked patch on github is a true and complete fix for the original
reported issue. It appears likely that it will cleanly apply to the
0.4 branch, even though it came later in the development process. I'm
sorry my verbose description of the issue didn't make it into the
ticket.

The short description of the issue is that noVNC (prior to the patch
linked on github) does not correctly set the "secure" flag on session
token cookies when served over HTTPS. This means that a MITM attacker
can extract session tokens and access VNC sessions, even after the
user has terminated the session, even if the noVNC session occurs over
a properly secured HTTPS connection.

-Paul
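
The cookie issue described in the message above, as an added example that is not part of the original e-mail and is not noVNC's own code: a cookie string built without the Secure attribute next to a form that adds it when the page was loaded over HTTPS, plus a small check that lists cookies missing the attribute. All function names and the cookie names and values are assumptions made for the illustration.

```javascript
// Added illustration; function names are hypothetical, not noVNC's API.

// "Before" behaviour: the cookie string never carries the Secure attribute,
// so the browser also attaches the cookie to plain-HTTP requests to the host.
function cookieWithoutSecure(name, value, days) {
    let expires = "";
    if (days) {
        const date = new Date(Date.now() + days * 24 * 60 * 60 * 1000);
        expires = "; expires=" + date.toUTCString();
    }
    return name + "=" + encodeURIComponent(value) + expires + "; path=/";
}

// Hardened form: append Secure whenever the page itself was served over HTTPS.
// In a browser the protocol argument would be window.location.protocol.
function cookieForProtocol(name, value, days, protocol) {
    const base = cookieWithoutSecure(name, value, days);
    return protocol === "https:" ? base + "; secure" : base;
}

// Audit helper: given cookie strings observed on an HTTPS page (as assigned
// to document.cookie or sent in Set-Cookie), return the names of those that
// lack the Secure attribute.
function cookiesMissingSecure(cookieStrings) {
    return cookieStrings
        .filter((c) => {
            const attrs = c.split(";").slice(1)
                .map((a) => a.trim().toLowerCase());
            return !attrs.includes("secure");
        })
        .map((c) => c.split("=")[0].trim());
}

// Constructed sample: the same session value set both ways on an HTTPS page.
function auditSample() {
    const observed = [
        cookieWithoutSecure("token", "constructed-session-value", 0),
        cookieForProtocol("token2", "constructed-session-value", 0, "https:"),
    ];
    return cookiesMissingSecure(observed);
}

console.log(auditSample());
```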