From patchwork Fri Jul 5 06:38:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Axtens X-Patchwork-Id: 1127793 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 45g4tD0sv2z9sPG for ; Fri, 5 Jul 2019 16:38:28 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=axtens.net Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.b="YkApUpiT"; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 45g4tC72gyzDqXS for ; Fri, 5 Jul 2019 16:38:27 +1000 (AEST) X-Original-To: patchwork@lists.ozlabs.org Delivered-To: patchwork@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=axtens.net (client-ip=2607:f8b0:4864:20::644; helo=mail-pl1-x644.google.com; envelope-from=dja@axtens.net; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=axtens.net Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.b="YkApUpiT"; dkim-atps=neutral Received: from mail-pl1-x644.google.com (mail-pl1-x644.google.com [IPv6:2607:f8b0:4864:20::644]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 45g4t82S2CzDqRR for ; Fri, 5 Jul 2019 16:38:23 +1000 (AEST) Received: by mail-pl1-x644.google.com with SMTP id k8so4132168plt.3 for ; Thu, 04 Jul 2019 23:38:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=4aYK/3UdYic4PoxnKk+EOXkI8XfFKaMUu6LAf7u+SQs=; b=YkApUpiTs+0NdSgJ7fQB8sC+5SYBjbrwsXTlG6oWQEijcXLB9f1wjXiRtAOB3L3SZ9 BKf8larvJFTwG+ml2Hx4nJzaUXS5rTz0iW7YBvUVrGXYv3fHWUZcYOTlTzXeNGlLkM3u VhvtCFPiPGMDrYjdzELdUjTMNeLSH7r2MtzxA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=4aYK/3UdYic4PoxnKk+EOXkI8XfFKaMUu6LAf7u+SQs=; b=meRAk/bGHFP+qfHA9m/14KIcB/2W80E65b8PYtDhEqRCelCYrgFwaxX4qD4ngzGhxM 5v1tgAjcXtmD5J+PtzM0NtDrAUZblquApbhKQvBIBXi5VNS0H324WoAIx55e2p0AkN+v 1xXVGKjPpn6ZrTPiNf10ySB83lV0cItq+9k2j/VbjOqNMI7zSab+ovU2qwbFz7r9XuaK UtsN/yzYRYkOaSLxEDo0gQTwalbbNk3twUcvxqu3O3AHz+K7MSIWDc/lxRXtE+ypA+vW 34kCHLlGNEuqLmrpGhh/Q267qAf2soCdOQxVtxWh6hZPhMI6jgnB51vSOhJLF9hkmFTV VgtA== X-Gm-Message-State: APjAAAVFga23dz/HPcoIiSKazvQ1N1lsU4BELHNDQP1x1WN6TP7tvVCe IGITYgOLurSSZTF/hxofMGOfMB2lAXg= X-Google-Smtp-Source: APXvYqyvflYiGYotu8w6C2rVn7d6w1P8PZ5qJEPG6dzZStewBEZHyPjxlqjVfc8D133XJxqO+z6hdw== X-Received: by 2002:a17:902:ac85:: with SMTP id h5mr3092963plr.198.1562308699987; Thu, 04 Jul 2019 23:38:19 -0700 (PDT) Received: from localhost (ppp167-251-205.static.internode.on.net. [59.167.251.205]) by smtp.gmail.com with ESMTPSA id q1sm13302510pfn.178.2019.07.04.23.38.18 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Thu, 04 Jul 2019 23:38:19 -0700 (PDT) From: Daniel Axtens To: patchwork@lists.ozlabs.org Subject: [PATCH] docs: Add a release note for CVE-2019-13122 Date: Fri, 5 Jul 2019 16:38:13 +1000 Message-Id: <20190705063813.31701-1-dja@axtens.net> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-BeenThere: patchwork@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Patchwork development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Patchwork" Signed-off-by: Daniel Axtens --- .../notes/CVE-2019-13122-e9c63aa346ed15c2.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml new file mode 100644 index 000000000000..48afac0509bb --- /dev/null +++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml @@ -0,0 +1,11 @@ +--- +fixes: + - | + CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS + via the message-id field. A malicious user could send a patch with + a message ID that included a script tag. Because of the quirks of + the email RFCs, such a message ID can survive being sent through + many mail systems, including Gmail, and be parsed and stored by + Patchwork. When a user viewed a patch detail page for the patch + with this message id, the script would be run. This is fixed by + properly escaping the field before it is rendered. \ No newline at end of file