[EP-tech] EPrints Security Announcement - February 2020

David R Newman drn at ecs.soton.ac.uk
Wed Feb 24 14:54:32 GMT 2021


Hi James,

If you need to patch 3.3.x then only the following files need to be updated:

cgi/latex2png - This just needs to be removed as it is a legacy script 
and is not used by standard EPrints 3.3 repositories. Therefore, the fix 
is identical whatever version of 3.3 you are on.

cgi/ajax/phrase - This was last modified in April 2012 so any release of 
3.3 from 3.3.9 onwards should be fixable using the available patch 
file.  This last modification was quite significant so this may affect 
the patch file from being able to patch its vulnerability for earlier 
versions of 3.3.

perl_lib/EPrints/XML.pm (change needed for cgi/ajax/phrase 
vulnerability) - This has only had a couple of minor changes since 
December 2011 (3.3.7).  Therefore, I think the patch file is likely to 
work but I cannot be certain.

perl_lib/EPrints/XML/LibXML.pm (change needed for cgi/ajax/phrase 
vulnerability) - This has only had a minor change since September 2011 
(3.3.6).  Therefore, I think the patch file is likely to work but I 
cannot be certain.

cgi/toolbox/toolbox - This has not been modified since June 2011, so I 
think the patch file should work for all versions of 3.3.

Regards

David Newman

On 24/02/2021 13:38, James Kerwin wrote:
> Hi David,
>
> Thank you very much for bringing this to our attention and providing 
> the solutions.
>
> Shamefully, we are still on 3.3.14 (I promise we are upgrading this 
> year). The patch mentioned works on 3.3.16 and the page says it might 
> work on earlier versions (a brief look through two of the files 
> suggests they're more or less the same as those for 3.3.16)
>
> In my attempt to avoid any problems that could result from "might" are 
> these the files that need altering if I were to do it manually:
>
> /cgi/ajax/phrase : CVE-2021-26703
> /cgi/latex2png : CVE-2021-3342
> /cgi/toolbox/toolbox : CVE-2021-26704
>
> There also appears to be some changes to be made to XML.pm
>
> Am I interpreting it correctly where it looks as though latex2png will 
> be left as an empty file (deleted) by the end?
>
> I think the page makes it very clear that these are the files that are 
> affected, but I just want to check there aren't any others that the 
> patch addresses. I have looked at the patch, but I try not to 
> underestimate my ability to totally misunderstand the most obvious of 
> things.
>
> My plan is to try the command first on a test EPrints server and if it 
> doesn't work, do it manually.
>
> Thanks,
> James
>
> On Wed, Feb 24, 2021 at 9:27 AM David R Newman via Eprints-tech 
> <eprints-tech at ecs.soton.ac.uk <mailto:eprints-tech at ecs.soton.ac.uk>> 
> wrote:
>
>     Hi all,
>
>     EPrints Services was recently made aware of a small number of
>     security vulnerabilities within the EPrints codebase, affecting
>     both EPrints 3.4 and EPrints 3.3.
>     I have created two patch files to fix the vulnerabilities and
>     uploaded them to files.eprints.org
>     <http://files.eprints.org/>.
>
>     - EPrints 3.4.2 : https://files.eprints.org/2548/
>
>     - EPrints 3.3.x : https://files.eprints.org/2549/
>
>
>     The former fixes the EPrints 3.4.2 release and the latter fixes
>     EPrints 3.3 (based on the current HEAD of
>     https://github.com/eprints/eprints).
>     These links also provide instructions on how to apply the patch
>     file and some more details on the affected files.  There are
>     references to the Common Vulnerabilities and Exposure (CVE) IDs
>     but as of now these are yet to be published. All the
>     vulnerabilities identified relate to either Cross-Site Scripting
>     (XSS) or Remote Code Execution (RCE) vulnerabilities.  All of
>     these vulnerabilities would require analysis of the codebase to
>     determine an exploit. It is very unlikely that generic tools used
>     to identify vulnerabilities would discover these, as specific
>     knowledge is required.
>
>     I have also updated to patch these vulnerabilities on both the
>     eprints and eprints3.4 GitHub repositories for the eprints
>     organisation (https://github.com/eprints).
>     The next release of EPrints 3.4 (3.4.3) will have these security
>     fixes in place.
>
>     EPrints Services customers both those who EPrints Services host
>     and those that self-host have either been patched or where this
>     has not been possible, informed of the vulnerabilities and how
>     they can be fixed.
>
>     If you have any follow-up questions please feel free to ask.
>     Hopefully, the CVEs will be published shortly for those interested
>     in more detail.  However, they were raised by a third party, who I
>     have only just given go-ahead to make these public.
>
>     Regards
>
>     David Newman
>
>
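
A post-patch check for the 3.3.x file list given at the top of this message, as an added example that is not part of the original thread or of EPrints itself. It snapshots the four files the patch modifies before patching, then confirms afterwards that each one changed and that cgi/latex2png no longer exists (an empty leftover file counts as still present). The function names are hypothetical and the EPrints root directory is passed in by the caller.

```sh
#!/bin/sh
# Added example. Paths are relative to the EPrints root and are taken
# from the file list in the message above.
PATCHED_FILES="cgi/ajax/phrase perl_lib/EPrints/XML.pm perl_lib/EPrints/XML/LibXML.pm cgi/toolbox/toolbox"
REMOVED_FILES="cgi/latex2png"

# snapshot ROOT: print "<sha256>  <path>" per file ("-" when the file is absent).
snapshot() {
    root=$1
    for f in $PATCHED_FILES $REMOVED_FILES; do
        if [ -f "$root/$f" ]; then
            sum=$(sha256sum "$root/$f" | cut -d' ' -f1)
        else
            sum=-
        fi
        printf '%s  %s\n' "$sum" "$f"
    done
}

# verify_patched BEFORE ROOT: BEFORE is the snapshot output taken before
# patching. Returns 0 only if every patched file exists and differs from
# its snapshot, and every file due for removal is gone.
verify_patched() {
    before=$1 root=$2 rc=0
    after=$(snapshot "$root")
    for f in $PATCHED_FILES; do
        old=$(printf '%s\n' "$before" | awk -v p="$f" '$2 == p { print $1 }')
        new=$(printf '%s\n' "$after" | awk -v p="$f" '$2 == p { print $1 }')
        if [ "$new" = "-" ]; then echo "MISSING       $f"; rc=1
        elif [ "$old" = "$new" ]; then echo "UNCHANGED     $f"; rc=1
        else echo "PATCHED       $f"; fi
    done
    for f in $REMOVED_FILES; do
        # -e, not -s: a zero-length file left behind still counts as present.
        if [ -e "$root/$f" ]; then echo "STILL PRESENT $f"; rc=1
        else echo "REMOVED       $f"; fi
    done
    return $rc
}
```

Typical use on a test server: `before=$(snapshot "$EPRINTS_ROOT")`, apply the patch, then `verify_patched "$before" "$EPRINTS_ROOT"`; any UNCHANGED line means a hunk did not apply to that file on this 3.3 release.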