From patchwork Fri Jul  5 06:38:13 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Axtens <dja@axtens.net>
X-Patchwork-Id: 1127793
Return-Path: 
 <patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 45g4tD0sv2z9sPG
	for <incoming@patchwork.ozlabs.org>;
	Fri,  5 Jul 2019 16:38:28 +1000 (AEST)
Authentication-Results: ozlabs.org;
	dmarc=none (p=none dis=none) header.from=axtens.net
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=axtens.net header.i=@axtens.net
	header.b="YkApUpiT"; dkim-atps=neutral
Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])
	by lists.ozlabs.org (Postfix) with ESMTP id 45g4tC72gyzDqXS
	for <incoming@patchwork.ozlabs.org>;
	Fri,  5 Jul 2019 16:38:27 +1000 (AEST)
X-Original-To: patchwork@lists.ozlabs.org
Delivered-To: patchwork@lists.ozlabs.org
Authentication-Results: lists.ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=axtens.net
	(client-ip=2607:f8b0:4864:20::644; helo=mail-pl1-x644.google.com;
	envelope-from=dja@axtens.net; receiver=<UNKNOWN>)
Authentication-Results: lists.ozlabs.org;
	dmarc=none (p=none dis=none) header.from=axtens.net
Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key;
	unprotected) header.d=axtens.net header.i=@axtens.net
	header.b="YkApUpiT"; dkim-atps=neutral
Received: from mail-pl1-x644.google.com (mail-pl1-x644.google.com
	[IPv6:2607:f8b0:4864:20::644])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (2048 bits)
	server-digest SHA256) (No client certificate requested)
	by lists.ozlabs.org (Postfix) with ESMTPS id 45g4t82S2CzDqRR
	for <patchwork@lists.ozlabs.org>;
	Fri,  5 Jul 2019 16:38:23 +1000 (AEST)
Received: by mail-pl1-x644.google.com with SMTP id k8so4132168plt.3
	for <patchwork@lists.ozlabs.org>;
	Thu, 04 Jul 2019 23:38:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google;
	h=from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=4aYK/3UdYic4PoxnKk+EOXkI8XfFKaMUu6LAf7u+SQs=;
	b=YkApUpiTs+0NdSgJ7fQB8sC+5SYBjbrwsXTlG6oWQEijcXLB9f1wjXiRtAOB3L3SZ9
	BKf8larvJFTwG+ml2Hx4nJzaUXS5rTz0iW7YBvUVrGXYv3fHWUZcYOTlTzXeNGlLkM3u
	VhvtCFPiPGMDrYjdzELdUjTMNeLSH7r2MtzxA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=4aYK/3UdYic4PoxnKk+EOXkI8XfFKaMUu6LAf7u+SQs=;
	b=meRAk/bGHFP+qfHA9m/14KIcB/2W80E65b8PYtDhEqRCelCYrgFwaxX4qD4ngzGhxM
	5v1tgAjcXtmD5J+PtzM0NtDrAUZblquApbhKQvBIBXi5VNS0H324WoAIx55e2p0AkN+v
	1xXVGKjPpn6ZrTPiNf10ySB83lV0cItq+9k2j/VbjOqNMI7zSab+ovU2qwbFz7r9XuaK
	UtsN/yzYRYkOaSLxEDo0gQTwalbbNk3twUcvxqu3O3AHz+K7MSIWDc/lxRXtE+ypA+vW
	34kCHLlGNEuqLmrpGhh/Q267qAf2soCdOQxVtxWh6hZPhMI6jgnB51vSOhJLF9hkmFTV
	VgtA==
X-Gm-Message-State: APjAAAVFga23dz/HPcoIiSKazvQ1N1lsU4BELHNDQP1x1WN6TP7tvVCe
	IGITYgOLurSSZTF/hxofMGOfMB2lAXg=
X-Google-Smtp-Source: 
 APXvYqyvflYiGYotu8w6C2rVn7d6w1P8PZ5qJEPG6dzZStewBEZHyPjxlqjVfc8D133XJxqO+z6hdw==
X-Received: by 2002:a17:902:ac85:: with SMTP id
	h5mr3092963plr.198.1562308699987;
	Thu, 04 Jul 2019 23:38:19 -0700 (PDT)
Received: from localhost (ppp167-251-205.static.internode.on.net.
	[59.167.251.205]) by smtp.gmail.com with ESMTPSA id
	q1sm13302510pfn.178.2019.07.04.23.38.18
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Thu, 04 Jul 2019 23:38:19 -0700 (PDT)
From: Daniel Axtens <dja@axtens.net>
To: patchwork@lists.ozlabs.org
Subject: [PATCH] docs: Add a release note for CVE-2019-13122
Date: Fri,  5 Jul 2019 16:38:13 +1000
Message-Id: <20190705063813.31701-1-dja@axtens.net>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
X-BeenThere: patchwork@lists.ozlabs.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Patchwork development <patchwork.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/patchwork>,
	<mailto:patchwork-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/patchwork/>
List-Post: <mailto:patchwork@lists.ozlabs.org>
List-Help: <mailto:patchwork-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/patchwork>,
	<mailto:patchwork-request@lists.ozlabs.org?subject=subscribe>
Errors-To: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Patchwork"
	<patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 .../notes/CVE-2019-13122-e9c63aa346ed15c2.yaml        | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml

diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
new file mode 100644
index 000000000000..48afac0509bb
--- /dev/null
+++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS
+    via the message-id field. A malicious user could send a patch with
+    a message ID that included a script tag. Because of the quirks of
+    the email RFCs, such a message ID can survive being sent through
+    many mail systems, including Gmail, and be parsed and stored by
+    Patchwork. When a user viewed a patch detail page for the patch
+    with this message id, the script would be run. This is fixed by
+    properly escaping the field before it is rendered.
\ No newline at end of file