
Security Vulnerability #547

Open
mschop opened this Issue Apr 23, 2018 · 11 comments

mschop (Collaborator) commented Apr 23, 2018

Hi @ignacionelson ,

I have tried to contact you through contact@projectsend.org but unfortunately no one is answering me. You have critical security vulnerabilities in your code. Could you please tell me how you plan to approach this issue or take any other action? Otherwise I have to publish the security problem here on Gitlab.

Best Regards
mschop

ignacionelson (Collaborator) commented Apr 24, 2018

Hello! Can you please resend your email? Are these vulnerabilities still present in version r1053? Thank you!

mschop (Collaborator, Author) commented Apr 24, 2018

Hi, I've just sent a new email. The problem was reproducible in the master branch last week. NP

mschop (Collaborator, Author) commented May 9, 2018

CVE-2018-10826

ignacionelson (Collaborator) commented May 9, 2018

Somehow I'm not getting your emails, nor can I see the CVE online yet.
Can you please send it to info@subwaydesign.com.ar? Sorry for this.

mschop (Collaborator, Author) commented May 9, 2018

You can't see the CVE because it's currently not published (pre-reserved). As soon as you have fixed the security vulnerabilities I will publish it. Please don't wait too long with the fixes ;-). Normally I would give 60 days before I publish the security vulnerability.

I resent the emails to this address.

micschk commented Jul 8, 2018

@mschop I appreciate that you've discovered & are trying to get a security issue fixed, and if #552 or the contents of your e-mails already address this, please consider the below (well-meant) suggestion invalid.
As a developer I myself have learned a lot from the work of others, also in the form of contributions/improvements to my (published) code. Therefore, in the spirit of open source, maybe you could consider contributing a fix for the issue(s) you've discovered and sending a PR?
The effect of (impending) publishing of a CVE would seem to mainly add pressure for a developer who's already given away a lot of time & effort for free, and who may instead be much better helped with some solid security advice/contributions, also taking into consideration #600, #602, #603, #604, #605 & #606.

ignacionelson (Collaborator) commented Jul 8, 2018

Hello @micschk !! Thanks for your contribution!
I have been exchanging several emails with @mschop and a fix is already being worked on.
However, PS is in the middle of a big refactoring stage and the proposed fix will be better applied at a later stage, when an appropriate container is set on the app.
Sorry that it's taking so long, but the task at hand is big. I'm really enjoying the process though :)

ignacionelson (Collaborator) commented Jul 8, 2018

Also, I can honestly say that the information @mschop has been sending me turned out to be invaluable. Concepts I'd never heard of that I've learned thanks to this exchange and that I'm waiting for the chance to apply to PS. But as I stated before, there's a lot of code that needs to be refactored before that stage!

mschop (Collaborator, Author) commented Jul 8, 2018

@micschk As @ignacionelson already mentioned, we discussed the issues and how to fix them via email.

CVEs are not intended to put pressure on a producer but to identify every security vulnerability. "Responsible Disclosure" is the ideal way to handle security vulnerabilities. Therefore I did not disclose the details of the vulnerability but kept the communication with @ignacionelson private.

The ideal way is:

  • Create a CVE ID
  • Contact the software producer / developer
  • Give 30-90 days to fix the issue
  • Make the details public

micschk commented Jul 9, 2018

Great to hear, please consider my comment withdrawn then. Thanks!

mschop (Collaborator, Author) commented Oct 19, 2018

@ignacionelson Is this already fixed? I would like to publish the details and close this issue.
