Bug#: 66424
Status: RESOLVED
Resolution: DUPLICATE of bug 64317
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Marc Vila <marc.vila@gmail.com>

Description:   Opened: 2004-10-05 07:04 0000
distcc contains a flaw that may allow a malicious user to gain access to
unauthorized privileges. The issue is triggered when an attempt to bypass IP
access control on a 64 bit platform occurs. This flaw may lead to a loss of
Confidentiality.

Vulnerability Classification: 
Remote/Network Access Required 
Authentication Attack 
Loss Of Confidentiality 
Exploit Unknown 
Verified 

Products: 
Martin Pool distcc 2.x 



Reproducible: Always

Solution: 
Upgrade to version 2.16 or higher, as it has been reported to fix this 
vulnerability. An upgrade is required as there are no known workarounds.

http://www.osvdb.org/10475

------- Comment #1 From Luke Macken (RETIRED) 2004-10-05 07:20:18 0000 -------
2.16 is already stable in portage

*** This bug has been marked as a duplicate of 64317 ***

------- Comment #2 From Luke Macken (RETIRED) 2004-10-05 07:26:57 0000 -------
Lisa,

All versions of distcc below 2.16 are vulnerable to this, do you think we should remove 2.14-r1 from portage?

------- Comment #3 From Thierry Carrez (RETIRED) 2004-10-05 07:45:15 0000 -------
Yes, vulnerable versions should be removed from portage. No, it's not necessary
from a security point of view, nor is it required by policy.

Reclosing this as a dupe. Further comments should go to the original bug.

*** This bug has been marked as a duplicate of 64317 ***
