351087 – (CVE-2010-4225) <dev-lang/mono-2.8.2: ASP.NET Source Code Disclosure Vulnerability (CVE-2010-4225)

Bug 351087 (CVE-2010-4225) - <dev-lang/mono-2.8.2: ASP.NET Source Code Disclosure Vulnerability (CVE-2010-4225)

Summary: <dev-lang/mono-2.8.2: ASP.NET Source Code Disclosure Vulnerability (CVE-2010-...

Status:	RESOLVED FIXED

Alias:	CVE-2010-4225

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://www.mono-project.com/Vulnerabi...
Whiteboard:	B3 [glsa]
Keywords:

Depends on:	352808 359651
Blocks:
	Show dependency tree

Reported:	2011-01-08 06:20 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified:	2012-06-21 20:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-01-08 06:20:12 UTC

An unloading bug can, under some circumstances, let ASP.NET applications misbehave and return the source code (.aspx) of the application or any other file in the web application directory.

A vulnerability has been reported in Mono, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an unspecified error within the "mod_mono" module and can be exploited to disclose the source code of ASPX scripts.

The vulnerability is reported in versions prior to 2.8.2.

http://secunia.com/advisories/42842/

Comment 1 Pacho Ramos gentoo-dev

2011-01-25 17:49:27 UTC

+*mono-2.8.2 (25 Jan 2011)
+
+  25 Jan 2011; Pacho Ramos <pacho@gentoo.org> -mono-2.8.1-r1.ebuild,
+  +mono-2.8.2.ebuild, -mono-9999.ebuild, -files/mono-9999-libdir.patch:
+  Version bump, remove old testing and 9999 version since it's not really
+  maintained downstream.
+

But I am still unable to bump moonlight to a working version with mono-2.8 :-S (bug #340375)

Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-01-25 18:00:36 UTC

Okay, our stabilization target is =dev-lang/mono-2.8.2

Bug #340375 is probably going to block this, but there might be more, so CC-ing arches now.

Comment 3 Pacho Ramos gentoo-dev

2011-01-26 08:43:44 UTC

Can we wait a bit more for getting it stabilized or is this a too major security problem? 

I will probably open a bug with a list of dotnet related things to stabilize (including mono-2.8.2 and others), but I would like to wait a bit also for bug 346135 (and will probably hardmask moonlight until they release a fixed tarball for 2.99.x)

Comment 4 Pacho Ramos gentoo-dev

2011-01-26 10:42:25 UTC

This and other security problems will be solved with bug 351087

Comment 5 Tim Sammut (RETIRED) gentoo-dev

2011-03-22 22:03:12 UTC

Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2011-06-24 00:37:42 UTC

CVE-2010-4225 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4225):
  Unspecified vulnerability in the mod_mono module for XSP in Mono 2.8.x
  before 2.8.2 allows remote attackers to obtain the source code for .aspx
  (ASP.NET) applications via unknown vectors related to an "unloading bug."

Comment 7 Stefan Behte (RETIRED) gentoo-dev

2011-10-08 22:04:01 UTC

Vote: YES. Added to pending GLSA request.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2012-06-21 20:53:45 UTC

This issue was resolved and addressed in
 GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).