search

greenbone / gsad

Greenbone Security Assistant HTTP Server - The server talking to the Greenbone Vulnerability Management daemon (gvmd).
GNU Affero General Public License v3.0
11 stars 14 forks source link

Unable to connect with libglib2.0-0 >= 2.73.3 #86

Closed sbrun closed 1 year ago

sbrun commented 2 years ago

Actual behavior

When you tried logging to gsad, it fails with "Login Failed. Invalid password or username." Issue has been reported here: https://bugs.kali.org/view.php?id=7926

It started when libglib2.0-0 has been upgraded to version 2.73.3 (it's similar to the issue: https://github.com/greenbone/gvmd/issues/1866)

Steps to reproduce

  1. On an existing installation, install libglib2.0-0 >= 2.73.3, start gvm services
  2. Try logging into the web interface

GVM versions

I know I didn't test with latest versions but the failing code has not changed between the tested version and the latest version. gsa: 21.4.4 gvm: 21.4.5 openvas-scanner: 21.4.4 gvm-libs: 21.4.4

Environment

Debian Unstable or Kali Packages provided by Debian

Logfiles

gsad vali:  DEBUG:2022-09-21 11h21.18 utc:38478: gvm_validate: matched
gsad vali:  DEBUG:2022-09-21 11h21.18 utc:38478: gvm_validate: name login value admin
gsad vali:  DEBUG:2022-09-21 11h21.18 utc:38478: matching <^[[:alnum:]-_@.]+$> against <admin>:
gsad vali:  DEBUG:2022-09-21 11h21.18 utc:38478: gvm_validate: failed to match
gsad  gmp:WARNING:2022-09-21 11h21.18 utc:38478: Authentication failure for '' from 127.0.0.1

It is an issue with the regex.

I fixed the regex in src/gsad.c

@@ -595,7 +595,7 @@ init_validator ()
   gvm_validator_add (validator, "list_fname",
                      "^([[:alnum:]_-]|%[%CcDFMmNTtUu])+$");
   /* Used for users, credentials, and scanner login name. */
-  gvm_validator_add (validator, "login", "^[[:alnum:]-_@.]+$");
+  gvm_validator_add (validator, "login", "^[[:alnum:]\\-_@.]+$");
   gvm_validator_add (validator, "lsc_password", "^.*$");
   gvm_validator_add (validator, "max_result", "^[0-9]+$");
   gvm_validator_add (validator, "max_groups", "^-?[0-9]+$");

I htink that other regex in the file have the same problem. Here is the patch applied in Debian: https://salsa.debian.org/pkg-security-team/gsad/-/blob/debian/master/debian/patches/Fix-regex-for-new-glib2.0.patch (I can open a PR if you want)

bjoernricks commented 2 years ago

Hi @sbrun,

@cfi-gb has already found additional problems

egrep -R '".*\[[^"]+-.*' . --include=*.c | egrep "\[[^]]+\]" | grep -v "\\\-"

./gvmd/src/manage_sql.c:            ("^([[:alnum:]-_]*@[[:alnum:]-_][[:alnum:]-_.]*)?$",
./gvmd/src/manage.c:  if (g_regex_match_simple ("^[[:alnum:]-_.]+$", name, 0, 0))
./gvmd/src/manage_sql_report_formats.c:                ("^(?:[[:alnum:]-_]+)?(?:,(?:[[:alnum:]-_])+)*$", value, 0, 0)

./gsad/src/gsad.c:                     "^([[:alnum:]-_.:\\/~()']|&amp;)+$");
./gsad/src/gsad.c:  gvm_validator_add (validator, "login", "^[[:alnum:]-_@.]+$");
./gsad/src/gsad.c:  gvm_validator_add (validator, "name", "^[#-_[:alnum:], \\./]*$");
./gsad/src/gsad.c:  gvm_validator_add (validator, "info_id", "^([[:alnum:]-_.:\\/~()']|&amp;)+$");
./gsad/src/gsad.c:  gvm_validator_add (validator, "resource_id", "^[[:alnum:]-_.:\\/~]*$");
./gsad/src/gsad.c:  gvm_validator_add (validator, "users", "^[[:alnum:]-_@., ]*$");

of course this needs to be addressed within a new release.

sbrun commented 2 years ago

OK. I just wanted to inform you about the issues we found in Kali / Debian. Thanks!

deeannlittle commented 2 years ago

And thank you @sbrun :)

We were watching on the Kali Bug Tracker and your upstream report to Gnome and are now finding additional things we'll need to update also, now that we know what has changed in the regular expression handling to help make sure that our new release(s) fit correctly with Kali and Debian. Thank you for the patch and getting the Community Edition users up and running again.

Please let us know if there is anything that we can additionally do/check on and also please let us know if you see anything else. Thanks again for all of the help :)

tgurr commented 1 year ago

Now that stable glib 2.74.0 is out probably more distributions (as can be seen on https://repology.org/project/glib/history) will run into this, as we did on Exherbo where we now also backported/ship the above mentioned patches for gsad/gvmd:

https://git.exherbo.org/net.git/commit/?id=1612e3d21ffa249d5db53286e02c9839d07382b1 https://git.exherbo.org/net.git/commit/?id=438b3c4dc2b9e41e655a8fefb0a10ecd09576160

Looking forward to see this fixed upstream.