Version in base suite: 18.6.2-5+deb11u1 Base version: horizon_18.6.2-5+deb11u1 Target version: horizon_18.6.2-5+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/horizon/horizon_18.6.2-5+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/horizon/horizon_18.6.2-5+deb11u2.dsc changelog | 8 + patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch | 51 ++++++++++ patches/series | 1 3 files changed, 60 insertions(+)
diff -Nru horizon-18.6.2/debian/changelog horizon-18.6.2/debian/changelog
--- horizon-18.6.2/debian/changelog 2021-09-30 14:41:14.000000000 +0000
+++ horizon-18.6.2/debian/changelog 2023-09-06 08:20:55.000000000 +0000
@@ -1,3 +1,11 @@
+horizon (3:18.6.2-5+deb11u2) bullseye; urgency=medium
+
+ * CVE-2022-45582: Open redirect/phishing attack via "success_url" parameter,
+ add upstream patch: "Fix success_url parameter issue for Edit Snapshot"
+ (Closes: #1050518).
+
+ -- Thomas Goirand Wed, 06 Sep 2023 10:20:55 +0200
+
 horizon (3:18.6.2-5+deb11u1) bullseye; urgency=medium
 
 * Compile translations at build time.
diff -Nru horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
--- horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch 1970-01-01 00:00:00.000000000 +0000
+++ horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch 2023-09-06 08:20:55.000000000 +0000
@@ -0,0 +1,51 @@
+Author: manchandavishal
+Date: Wed, 14 Sep 2022 22:17:58 +0530
+Description: CVE-2022-45582 Fix success_url parameter issue for Edit Snapshot
+ The "success_url" param is used when updating the project snapshot
+ [1] and it lacks sanitizing the input URL that allows an attacker to
+ redirect the user to another website. This patch update 'Updateview'
+ class to not use the "sucess_url" method.
+Bug: https://launchpad.net/bugs/1982676
+Bug-Debian: https://bugs.debian.org/1050518
+Origin: upstream, https://review.opendev.org/c/openstack/horizon/+/862902
+Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
+Last-Update: 2023-09-06
+
+Index: horizon/openstack_dashboard/dashboards/project/snapshots/views.py
+===================================================================
+--- horizon.orig/openstack_dashboard/dashboards/project/snapshots/views.py
++++ horizon/openstack_dashboard/dashboards/project/snapshots/views.py
+@@ -12,7 +12,6 @@
+
+ from django.urls import reverse
+ from django.urls import reverse_lazy
+-from django.utils.http import urlencode
+ from django.utils.translation import ugettext_lazy as _
+
+ from horizon import exceptions
+@@ -104,11 +103,8 @@ class UpdateView(forms.ModalFormView):
+ def get_context_data(self, **kwargs):
+ context = super(UpdateView, self).get_context_data(**kwargs)
+ context['snapshot'] = self.get_object()
+- success_url = self.request.GET.get('success_url', "")
+ args = (self.kwargs['snapshot_id'],)
+- params = urlencode({"success_url": success_url})
+- context['submit_url'] = "?".join([reverse(self.submit_url, args=args),
+- params])
++ context['submit_url'] = reverse(self.submit_url, args=args)
+ return context
+
+ def get_initial(self):
+@@ -117,12 +113,6 @@ class UpdateView(forms.ModalFormView):
+ 'name': snapshot.name,
+ 'description': snapshot.description}
+
+- def get_success_url(self):
+- success_url = self.request.GET.get(
+- "success_url",
+- reverse_lazy("horizon:project:snapshots:index"))
+- return success_url
+-
+
+ class DetailView(tabs.TabView):
+ tab_group_class = vol_snapshot_tabs.SnapshotDetailTabs
diff -Nru horizon-18.6.2/debian/patches/series horizon-18.6.2/debian/patches/series
--- horizon-18.6.2/debian/patches/series 2021-09-30 14:41:14.000000000 +0000
+++ horizon-18.6.2/debian/patches/series 2023-09-06 08:20:55.000000000 +0000
@@ -2,3 +2,4 @@
 fix-manage.py-sheebang.patch
 Dont_load_user_role_assignment_or_groups_tabs_for_non-admins.patch
 do-not-create-volume-by-default-when-launching-instance.patch
+CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
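Review bot: Nothing in the patched `get_context_data` of `UpdateView` (snapshots/views.py) records why the `success_url` query parameter is no longer forwarded, so a later change could reintroduce the request-controlled redirect; a comment above the `submit_url` assignment such as `# Do not forward success_url from request.GET: the redirect target must stay server-defined (CVE-2022-45582)` would keep the reason next to the code. With `get_success_url` removed, the post-save redirect presumably falls back to a `success_url` defined on the class or on `forms.ModalFormView`, which lies outside this hunk, so it should be confirmed that this is a fixed internal URL. The embedded patch also carries no regression test; one that requests the update view with an off-site `success_url` value and asserts the response still redirects to the snapshots index would pin the fix. The body of `UpdateView` starts outside the hunk.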