Bug 230007 (CVE-2008-3502) - www-apps/rt <3.6.7 Devel::StackTrace Denial of Service Vulnerability (CVE-2008-3502)
Summary: www-apps/rt <3.6.7 Devel::StackTrace Denial of Service Vulnerability (CVE-200...
Status: RESOLVED FIXED
Alias: CVE-2008-3502
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30830/
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-06-29 12:08 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-17 18:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-29 12:08:34 UTC
A vulnerability has been reported in RT, which can be exploited by
malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the
"Devel::StackTrace" Perl module and can be exploited to exhaust all
available memory or consume all CPU resources.

Successful exploitation requires that the attacker is a privileged RT
user.

The vulnerability is reported in 3.x versions prior to 3.6.7.

SOLUTION:
Update to version 3.6.7.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Rune Hammersland.

ORIGINAL ADVISORY:
http://lists.bestpractical.com/pipermail/rt-announce/2008-June/000158.html
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-07-01 16:48:53 UTC
Added rt-3.6.7. Unstable on all arches. Removed vulnerable versions. webapps done.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-07-01 16:54:50 UTC
Done for us, thanks.