Posted to dev@shiro.apache.org by "Roberto C. Sánchez" <ro...@debian.org> on 2020/10/05 02:01:06 UTC

Re: Request for assistance to backport CVE-2020-13933 fix

Hi Shiro Devs,

Any chance someone could help with my request?

Regards,

-Roberto

On Thu, Sep 24, 2020 at 02:48:17PM -0400, Roberto C. Sánchez wrote:
> Shiro Devs,
> 
> I am working on a security update for the shiro package in Debian.  The
> announcement for 1.6.0 indicates that CVE-2020-13933 is fixed in that
> release.  However, the specific commit is not identified.  Additionally,
> since neither the announcement nor any available information on the CVE
> describes the means of exploitation, it is not clear how I should proceed
> with backporting the fix.
> 
> The 1.6.0 announcement describes the new "Global Filters" feature as
> helping to mitigate the type of issue described by CVE-2020-13933.  It
> seems that commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d is what is
> being referred to.  However, the change is rather substantial and it
> appears that it would require significant reworking to apply to 1.3.2.
> 
> If someone could help with the following questions it would be very much
> appreciated:
> 
> - Is a backport of commit dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d to
>   1.3.2 possible/feasible?
> - Would it be possible to obtain information about the exploit to assist
>   with either backporting dc194fc977ab6cfbf3c1ecb085e2bac5db14af6d or
>   with developing a new fix for 1.3.2?
> - Is there another approach that I should be considering instead?
> 
> Regards,
> 
> -Roberto
> 
> -- 
> Roberto C. Sánchez

-- 
Roberto C. Sánchez