158831 2006-12-22 07:03 0000 dev-util/cscope install includes insecure web frontend 2007-02-14 12:27:17 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED B4 [noglsa] P2 minor --- 160559 1 vapier@gentoo.org security@gentoo.org emacs@gentoo.org vim@gentoo.org vapier@gentoo.org 2006-12-22 07:03:30 0000 if we're going to be installing the cscope web frontend, we should probably patch it so the default output includes a big warning: <h1>this script is insecure and does no checking so you can do ask it to show random files on your server</h1> while generally not a terribly big issue in the normal case, i dont think people would go around installing this if they knew that it could be easily used to glean fun information about the configuration of their system a quick test shows that you can display any file that is apache readable (so all of your apache config files) just install cscope into your cgi-bin (i dont think you even need to configure the .pl file) and browse to like: http://localhost/cgi-bin/cscope/cscope?fshow=1&fshowfile=/etc/passwd fauli@gentoo.org 2007-01-05 03:50:34 0000 Security, you want the web frontend removed or the big warning? I will inform upstream about the issue. jaervosz@gentoo.org 2007-01-06 13:00:51 0000 I think a warning would be sufficient. fauli@gentoo.org 2007-01-06 18:30:20 0000 15.6-r1 with the warning in CVS now, security you now may cc arches if you think that it is needed, or close the bug. fauli@gentoo.org 2007-02-03 11:44:22 0000 Security, all necessary steps from maintainers have been done. What will happen here next? falco@gentoo.org 2007-02-10 21:57:28 0000 (In reply to comment #4) > Security, all necessary steps from maintainers have been done. What will > happen here next? > The end of the known universe :) alpha amd64 arm ia64 mips s390 : please test and mark stable cscope-15.6-r1, thanks. hppa, ppc, ppc64, sparc, x86, please test and mark stable cscope-15.6-r1 if everything is OK. That is a very weak security issue, so if something is wrong with it, it should be better to stay with 15.5.20060927-r1 and to patch it with the warning in it. falco@gentoo.org 2007-02-10 21:59:00 0000 Forgot to add arches. And reassigning. "alpha amd64 arm ia64 mips s390 : please test and mark stable cscope-15.6-r1, thanks. hppa, ppc, ppc64, sparc, x86, please test and mark stable cscope-15.6-r1 if everything is OK. That is a very weak security issue, so if something is wrong with it, it should be better to stay with 15.5.20060927-r1 and to patch it with the warning in it." fauli@gentoo.org 2007-02-11 10:02:22 0000 x86 stable dertobi123@gentoo.org 2007-02-11 11:14:15 0000 ppc stable killerfox@gentoo.org 2007-02-11 21:47:39 0000 stable on hppa gustavoz@gentoo.org 2007-02-12 12:56:40 0000 sparc stable. kloeri@gentoo.org 2007-02-12 20:35:28 0000 Stable on Alpha. blubb@gentoo.org 2007-02-12 21:54:35 0000 amd64 stable corsair@gentoo.org 2007-02-13 08:56:44 0000 ppc64 stable falco@gentoo.org 2007-02-13 10:34:21 0000 I would vote for NOglsa taviso@gentoo.org 2007-02-13 11:14:45 0000 also vote NO ahf@0x90.dk 2007-02-14 11:50:01 0000 Stable on MIPS. Closing. fauli@gentoo.org 2007-02-14 11:51:16 0000 Security hasn't finished its procedure. falco@gentoo.org 2007-02-14 12:27:17 0000 yes, thanks. But noone will vote except me and tavis, so closing without glsa. Feel free to rereopen if you disagree :)