Bug#: 158831
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: SpanKY <vapier@gentoo.org>
Bug 158831 depends on: 160559

Description:   Opened: 2006-12-22 07:03 0000
if we're going to be installing the cscope web frontend, we should probably
patch it so the default output includes a big warning:
<h1>this script is insecure and does no checking so you can ask it to show
random files on your server</h1>

while generally not a terribly big issue in the normal case, i don't think
people would go around installing this if they knew that it could be easily
used to glean fun information about the configuration of their system

a quick test shows that you can display any file that is apache readable (so
all of your apache config files)

just install cscope into your cgi-bin (i don't think you even need to configure
the .pl file) and browse to like:
http://localhost/cgi-bin/cscope/cscope?fshow=1&fshowfile=/etc/passwd
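
An added example, not part of the original report and not cscope code: a log check an administrator could run to find requests where `fshowfile` named a file outside the source tree the frontend was meant to browse. `SOURCE_ROOT`, the Apache common/combined log format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the directory the frontend is meant to browse (not from the bug report).
SOURCE_ROOT = "/var/www/src"

# Client, request target and status from an Apache common/combined log line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def outside_root(path, root=SOURCE_ROOT):
    """True if path, after lexical normalisation, does not lie inside root."""
    if not path.startswith("/"):
        path = posixpath.join(root, path)  # relative names are taken relative to root
    norm = posixpath.normpath(path)        # collapses "." and ".." components
    return norm != root and not norm.startswith(root.rstrip("/") + "/")

def suspicious_requests(lines, root=SOURCE_ROOT):
    """Return (client, status, decoded fshowfile) for cscope requests reading outside root."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/cscope/cscope"):
            continue
        params = parse_qs(url.query)       # percent-decodes parameter values
        for name in params.get("fshowfile", []):
            if outside_root(name, root):
                hits.append((m.group("client"), int(m.group("status")), name))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2006:07:10:01 +0000] "GET /cgi-bin/cscope/cscope?fshow=1&fshowfile=/var/www/src/main.c HTTP/1.1" 200 5120',
    '192.0.2.44 - - [22/Dec/2006:07:11:37 +0000] "GET /cgi-bin/cscope/cscope?fshow=1&fshowfile=/etc/passwd HTTP/1.1" 200 1843',
    '192.0.2.44 - - [22/Dec/2006:07:11:52 +0000] "GET /cgi-bin/cscope/cscope?fshow=1&fshowfile=%2Fvar%2Fwww%2Fsrc%2F..%2F..%2F..%2Fetc%2Fapache2%2Fhttpd.conf HTTP/1.1" 200 9876',
    '192.0.2.10 - - [22/Dec/2006:07:12:05 +0000] "GET /index.html HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for client, status, name in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} fshowfile={name}")
```

The comparison here is purely lexical because it runs on logs away from the server; the same containment test inside the CGI itself would also need to resolve symlinks before comparing.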

------- Comment #1 From Christian Faulhammer 2007-01-05 03:50:34 0000 -------
Security, you want the web frontend removed or the big warning?  I will inform
upstream about the issue.

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-01-06 13:00:51 0000 -------
I think a warning would be sufficient.

------- Comment #3 From Christian Faulhammer 2007-01-06 18:30:20 0000 -------
15.6-r1 with the warning in CVS now, security you now may cc arches if you
think that it is needed, or close the bug.

------- Comment #4 From Christian Faulhammer 2007-02-03 11:44:22 0000 -------
Security, all necessary steps from maintainers have been done.  What will
happen here next?

------- Comment #5 From Raphael Marichez 2007-02-10 21:57:28 0000 -------
(In reply to comment #4)
> Security, all necessary steps from maintainers have been done.  What will
> happen here next?
> 


The end of the known universe :)

alpha   amd64   arm     ia64    mips    s390 :
please test and mark stable cscope-15.6-r1, thanks.

hppa, ppc, ppc64, sparc, x86, please test and mark stable cscope-15.6-r1 if
everything is OK. That is a very weak security issue, so if something is wrong
with it, it should be better to stay with 15.5.20060927-r1 and to patch it with
the warning in it.

------- Comment #6 From Raphael Marichez 2007-02-10 21:59:00 0000 -------
Forgot to add arches. And reassigning.


"alpha   amd64   arm     ia64    mips    s390 :
please test and mark stable cscope-15.6-r1, thanks.

hppa, ppc, ppc64, sparc, x86, please test and mark stable cscope-15.6-r1 if
everything is OK. That is a very weak security issue, so if something is wrong
with it, it should be better to stay with 15.5.20060927-r1 and to patch it with
the warning in it."

------- Comment #7 From Christian Faulhammer 2007-02-11 10:02:22 0000 -------
x86 stable

------- Comment #8 From Tobias Scherbaum 2007-02-11 11:14:15 0000 -------
ppc stable

------- Comment #9 From René Nussbaumer 2007-02-11 21:47:39 0000 -------
stable on hppa

------- Comment #10 From Gustavo Zacarias (RETIRED) 2007-02-12 12:56:40 0000 -------
sparc stable.

------- Comment #11 From Bryan Østergaard (RETIRED) 2007-02-12 20:35:28 0000 -------
Stable on Alpha.

------- Comment #12 From Simon Stelling (RETIRED) 2007-02-12 21:54:35 0000 -------
amd64 stable

------- Comment #13 From Markus Rothe 2007-02-13 08:56:44 0000 -------
ppc64 stable

------- Comment #14 From Raphael Marichez 2007-02-13 10:34:21 0000 -------
I would vote for NOglsa

------- Comment #15 From Tavis Ormandy (RETIRED) 2007-02-13 11:14:45 0000 -------
also vote NO

------- Comment #16 From Alexander Færøy 2007-02-14 11:50:01 0000 -------
Stable on MIPS.
Closing.

------- Comment #17 From Christian Faulhammer 2007-02-14 11:51:16 0000 -------
Security hasn't finished its procedure.

------- Comment #18 From Raphael Marichez 2007-02-14 12:27:17 0000 -------
yes, thanks.

But no one will vote except me and tavis, so closing without glsa. Feel free to
rereopen if you disagree :)
