Bug#: 209927
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>


Description:   Opened: 2008-02-12 21:31 0000
Some security issues have been reported in Website META Language, which can be
exploited by malicious, local users to perform certain actions with escalated
privileges.

The security issues are caused due to insecure handling of temporary files in
wml_backend/p1_ipp/ipp.src, wml_contrib/wmg.cgi, and
wml_backend/p3_eperl/eperl_sys.c. This can be exploited via symlink attacks to
overwrite or delete arbitrary files with the privileges of the user running the
program.

The security issues are reported in version 2.0.11. Other versions may also be
affected.

Solution:
Restrict access to the temporary directory to trusted users only.
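
The symlink problem described in the report above, shown as an added example that is not part of the original report and is not WML's code: a predictable temporary name opened without O_EXCL follows a pre-existing symlink and truncates its target, while O_EXCL and mkstemp() do not. All function names, the file names `ipp.tmp` and `victim`, the `wml.XXXXXX` template and the scratch directory under /tmp are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: predictable name, no O_EXCL. open() follows a symlink
 * already present at that path and truncates the file it points to. */
int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() chooses an unpredictable name and creates it with
 * O_CREAT|O_EXCL and mode 0600, so an existing file or link is never reused. */
int open_tmp_safe(const char *dir, char *out, size_t outlen) {
    snprintf(out, outlen, "%s/wml.XXXXXX", dir);
    return mkstemp(out);
}

static long size_of(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch dir: "ipp.tmp" (hypothetical
 * predictable name) is already a symlink to "victim". Returns a bitmask:
 * 1 = unsafe open emptied victim, 2 = O_EXCL refused, 4 = mkstemp left it intact. */
int symlink_demo(void) {
    char dir[] = "/tmp/symdemo.XXXXXX", victim[64], tmp[64], fresh[64];
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/ipp.tmp", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4 || close(fd) != 0) return -1;
    if (symlink(victim, tmp) != 0) return -1;
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);  /* link counts as "exists" */
    if (fd < 0 && errno == EEXIST) result |= 2; else if (fd >= 0) close(fd);
    if ((fd = open_tmp_safe(dir, fresh, sizeof fresh)) >= 0) {
        close(fd); unlink(fresh);
        if (size_of(victim) == 4) result |= 4;
    }
    if ((fd = open_tmp_unsafe(tmp)) >= 0) close(fd);     /* follows the link */
    if (size_of(victim) == 0) result |= 1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}
```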

------- Comment #1 From Pierre-Yves Rofes 2008-02-12 21:42:24 0000 -------
Here's the patch, courtesy of Debian:
http://people.debian.org/~nion/nmu-diff/wml-2.0.11-3_2.0.11-3.1.patch

Hans, please bump.

------- Comment #2 From Sune Kloppenborg Jeppesen 2008-02-26 20:39:31 0000 -------
Hans, please bump.

------- Comment #3 From Hans de Graaff 2008-02-27 05:45:25 0000 -------
Apologies for the delay: vacations and real life have been getting in the way.
I hope to be able to get to it this weekend at the latest.

------- Comment #4 From Sune Kloppenborg Jeppesen 2008-02-27 08:16:08 0000 -------
Hans, that sounds fine. Next time just post an update the first time so we know
what to do :-)

------- Comment #5 From Hans de Graaff 2008-02-29 06:42:48 0000 -------
The attached patch seems to break wml... I'll see what I can do over the
weekend, but this does change the level of work needed.

------- Comment #6 From Hans de Graaff 2008-02-29 15:32:34 0000 -------
I've just added wml-2.0.11-r3 to the tree with a reworked version of the Debian
patch. I'd like to give it a few days as unstable to catch any remaining bugs.

------- Comment #7 From Hans de Graaff 2008-03-05 19:29:39 0000 -------
No bug reports so far and seems to work fine on my own sites. I think we can
mark this stable now.

------- Comment #8 From Robert Buchholz 2008-03-05 20:37:01 0000 -------
Arches, please test and mark stable:
=dev-lang/wml-2.0.11-r3
Target keywords : "amd64 ia64 ppc release s390 sparc x86"

------- Comment #9 From Tobias Scherbaum 2008-03-05 20:51:28 0000 -------
ppc stable

------- Comment #10 From Christian Faulhammer 2008-03-06 07:19:47 0000 -------
x86 stable

------- Comment #11 From Raúl Porcel 2008-03-06 12:39:37 0000 -------
ia64/sparc stable

------- Comment #12 From Steve Dibb 2008-03-10 14:58:19 0000 -------
amd64 stable

------- Comment #13 From Peter Volkov 2008-03-10 16:00:14 0000 -------
Fixed in release snapshot.

------- Comment #14 From Tobias Heinlein 2008-03-11 17:28:55 0000 -------
Ready for vote.

I vote YES.

------- Comment #15 From Pierre-Yves Rofes 2008-03-11 22:05:45 0000 -------
Yes too, request filed.

------- Comment #16 From Pierre-Yves Rofes 2008-03-15 20:59:32 0000 -------
GLSA 200803-23
