Closed sbrun closed 1 year ago
Hi @sbrun,
@cfi-gb has already found additional problems
egrep -R '".*\[[^"]+-.*' . --include=*.c | egrep "\[[^]]+\]" | grep -v "\\\-"
./gvmd/src/manage_sql.c: ("^([[:alnum:]-_]*@[[:alnum:]-_][[:alnum:]-_.]*)?$",
./gvmd/src/manage.c: if (g_regex_match_simple ("^[[:alnum:]-_.]+$", name, 0, 0))
./gvmd/src/manage_sql_report_formats.c: ("^(?:[[:alnum:]-_]+)?(?:,(?:[[:alnum:]-_])+)*$", value, 0, 0)
./gsad/src/gsad.c: "^([[:alnum:]-_.:\\/~()']|&)+$");
./gsad/src/gsad.c: gvm_validator_add (validator, "login", "^[[:alnum:]-_@.]+$");
./gsad/src/gsad.c: gvm_validator_add (validator, "name", "^[#-_[:alnum:], \\./]*$");
./gsad/src/gsad.c: gvm_validator_add (validator, "info_id", "^([[:alnum:]-_.:\\/~()']|&)+$");
./gsad/src/gsad.c: gvm_validator_add (validator, "resource_id", "^[[:alnum:]-_.:\\/~]*$");
./gsad/src/gsad.c: gvm_validator_add (validator, "users", "^[[:alnum:]-_@., ]*$");
of course this needs to be addressed within a new release.
OK. I just wanted to inform you about the issues we found in Kali / Debian. Thanks!
And thank you @sbrun :)
We were watching on the Kali Bug Tracker and your upstream report to Gnome and are now finding additional things we'll need to update also, now that we know what has changed in the regular expression handling to help make sure that our new release(s) fit correctly with Kali and Debian. Thank you for the patch and getting the Community Edition users up and running again.
Please let us know if there is anything that we can additionally do/check on and also please let us know if you see anything else. Thanks again for all of the help :)
Now that stable glib 2.74.0 is out probably more distributions (as can be seen on https://repology.org/project/glib/history) will run into this, as we did on Exherbo where we now also backported/ship the above mentioned patches for gsad/gvmd:
https://git.exherbo.org/net.git/commit/?id=1612e3d21ffa249d5db53286e02c9839d07382b1
https://git.exherbo.org/net.git/commit/?id=438b3c4dc2b9e41e655a8fefb0a10ecd09576160
Looking forward to seeing this fixed upstream.
Actual behavior
When you try logging in to gsad, it fails with "Login Failed. Invalid password or username." The issue has been reported here: https://bugs.kali.org/view.php?id=7926
It started when libglib2.0-0 was upgraded to version 2.73.3 (it's similar to the issue: https://github.com/greenbone/gvmd/issues/1866)
Steps to reproduce
GVM versions
I know I didn't test with latest versions but the failing code has not changed between the tested version and the latest version.
gsa: 21.4.4
gvm: 21.4.5
openvas-scanner: 21.4.4
gvm-libs: 21.4.4
Environment
Debian Unstable or Kali Packages provided by Debian
Logfiles
It is an issue with the regex.
I fixed the regex in src/gsad.c
I think that other regexes in the file have the same problem. Here is the patch applied in Debian: https://salsa.debian.org/pkg-security-team/gsad/-/blob/debian/master/debian/patches/Fix-regex-for-new-glib2.0.patch (I can open a PR if you want)
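An added example, not code from this thread or from the gsad/gvmd sources: a Python scanner that narrows the egrep search above by parsing each bracket expression and flagging only a hyphen that sits directly next to a POSIX class such as `[:alnum:]` without being first or last, then rewriting it as `\-`. It assumes this construct is what the newer GLib regex handling rejects (PCRE2 documents it as an error); the function names are hypothetical, and the sample patterns are the thread's with C string escaping undone.

```python
import re
# Assumption: a mid-class hyphen touching a set is what the newer GLib rejects.
POSIX = re.compile(r"\[:\^?[a-z]+:\]")  # [:alnum:], [:digit:], ...
TYPE_ESCAPES = set("dDwWsShHvV")         # \d, \w, ... also stand for sets

def classes(pattern):
    """Yield one list of (kind, text, offset) tokens per bracket expression."""
    i, n = 0, len(pattern)
    while i < n:
        if pattern[i] != "[":
            i += 2 if pattern[i] == "\\" else 1       # skip escapes outside a class
            continue
        i += 2 if pattern[i + 1:i + 2] == "^" else 1  # opening [ and optional ^
        toks = []
        while i < n and (pattern[i] != "]" or not toks):  # a leading ] is literal
            m = POSIX.match(pattern, i)
            if m:
                toks.append(("set", m.group(), i))
                i = m.end()
            elif pattern[i] == "\\" and i + 1 < n:
                kind = "set" if pattern[i + 1] in TYPE_ESCAPES else "char"
                toks.append((kind, pattern[i:i + 2], i))
                i += 2
            else:
                toks.append(("hyphen" if pattern[i] == "-" else "char", pattern[i], i))
                i += 1
        i += 1  # closing ]
        yield toks

def bad_hyphens(pattern):
    """Offsets of hyphens that touch a set and are neither first nor last."""
    return [t[k][2] for t in classes(pattern) for k in range(1, len(t) - 1)
            if t[k][0] == "hyphen" and "set" in (t[k - 1][0], t[k + 1][0])]

def escape_hyphens(pattern):
    """Rewrite each flagged hyphen as \\- so it can only be read as a literal."""
    for off in reversed(bad_hyphens(pattern)):
        pattern = pattern[:off] + "\\" + pattern[off:]
    return pattern

SAMPLES = {  # patterns from the thread, C string escaping undone
    "login": r"^[[:alnum:]-_@.]+$",
    "name": r"^[#-_[:alnum:], \./]*$",
    "manage_sql.c": r"^([[:alnum:]-_]*@[[:alnum:]-_][[:alnum:]-_.]*)?$",
}

if __name__ == "__main__":
    for label, pat in SAMPLES.items():
        print(label, bad_hyphens(pat), escape_hyphens(pat))
```

The "name" pattern is matched by the egrep but not flagged here, because `#-_` is an ordinary character range rather than a hyphen next to a class.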