First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 97187
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Romang <zataz@zataz.net>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 97187 depends on: Show dependency tree
Bug 97187 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-06-27 04:14 0000 
Hello,

Take a look on

contrib/miastoplusa/mpl.sh

9 cat >/tmp/request1 << __ENDME__
27 cat >/tmp/request2 <<__ENDME2__
48 nc www.miastoplusa.pl 80 < /tmp/request1
54 nc www.miastoplusa.pl 80 < /tmp/request2

This contrib file is installed by portage

>>> /usr/share/doc/sms-1.9.2m/contrib/miastoplusa/mpl.sh

Regards.

------- Comment #1 From Tavis Ormandy (RETIRED) 2005-07-05 06:25:39 0000 ------- 
confirmed, although very low risk..it's only installed in docdir, and seems to 
be for a polish telecom website.

suggest adding set -C before , and rm -f after.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-07-11 05:21:55 0000 ------- 
Eric, please tell us when upstream is aware.

------- Comment #3 From Romang 2005-07-12 00:50:36 0000 ------- 
Hello,

Upstream notified.

Regards.

------- Comment #4 From Romang 2005-07-12 01:45:21 0000 ------- 
Hello,

Response from upstream :

It's very old version. It was released almost year ago - 21st august 
2004. Current version - 2.0.3 does not contain vulnerable file.

REgards.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-07-12 01:45:46 0000 ------- 
According to upstream, 2.0.3 does not include the vulnerable file.
We should probably mark stable this version and call it a day.

dragonheart / tester : please bump 2.0.3 to x86 stable
We'll wait for public disclosure to open this one.

------- Comment #6 From Daniel Black 2005-07-13 05:19:21 0000 ------- 
Jeremy - any objectsion to x86 and ppc for dev-libs/pcre++? works for me (on 
both)? 
 
  RDEPEND.bad                    2 
   app-mobilephone/sms/sms-2.0.3.ebuild: ppc(default-linux/ppc/2005.0) 
['dev-libs/pcre++'] 
   app-mobilephone/sms/sms-2.0.3.ebuild: x86(default-linux/x86/2005.0) 
['dev-libs/pcre++']

------- Comment #7 From Thierry Carrez (RETIRED) 2005-07-13 12:55:16 0000 ------- 
Leaked by Secunia, SA16038

------- Comment #8 From Daniel Black 2005-07-13 15:10:48 0000 ------- 
Jeremy - I took a risk an just made pcre++ stable - no outstanding bugs in a 
year. 
 
sms<=1.9.2m removed and 2.0.3 ppc and x86 stable.

------- Comment #9 From Thierry Carrez (RETIRED) 2005-07-14 02:04:49 0000 ------- 
Voting for GLSA. This is a contrib script, not in path -> I vote NO

------- Comment #10 From Tavis Ormandy (RETIRED) 2005-07-14 04:45:44 0000 ------- 
agreed, NO.

------- Comment #11 From Thierry Carrez (RETIRED) 2005-07-14 04:50:51 0000 ------- 
Reopen if you disagree
First Last Prev Next    No search results available      Search page      Enter new bug